Remote Access Control (RAC) Provider
The RAC provider allows users to access remote Windows, macOS, and Linux machines via RDP/SSH/VNC. Just like other providers in authentik, the RAC provider is associated with an application that appears on a user's My applications page.
For instructions on creating a RAC provider, refer to the Create a Remote Access Control (RAC) provider documentation. Alternatively, watch our "Remote Access Control (RAC) in authentik" video on YouTube.
RAC components
A RAC provider uses several components:
When a user starts the RAC application, it communicates with the authentik server, which then connects to the RAC outpost and sends instructions (based on the endpoint data you defined) on how to connect to the remote machine.
After connecting to the remote machine, the outpost sends a message back to the authentik server (via WebSockets), and the web browser opens the WebSocket connection to the remote machine.
Endpoints
Unlike other providers, where an application-provider pair is created for each resource you wish to access, RAC works differently. RAC uses a single application connected to one RAC provider. The RAC provider then has an Endpoint object for each remote machine (computer/server) you want to connect to.
The Endpoint object specifies:
- Hostname, IP address, and port of the remote machine
- Protocol to use: SSH, RDP, or VNC
- RDP connection settings
- RAC Property mappings to apply
- Connection settings to apply
Additionally, it is possible to bind policies to Endpoint objects to restrict user access. To connect to a remote machine, users must have access to both the application that the RAC provider is using and the corresponding endpoint.
Connection management
A new connection is created every time an RAC application/endpoint is selected in the User Interface. After the user's authentik session expires, the connection is terminated. Additionally, you can configure connection expiry in the RAC provider, which applies even if the user is still authenticated. The connection can also be terminated manually from the Connections tab of the RAC provider.
RAC Property Mappings
You can create RAC property mappings via Customization > Property Mappings.
RAC property mappings allow you to configure the following settings:
- Username: the username for the remote machine
- Password: the password for the remote machine
- Ignore Server certificate: set whether the validity of the returned RDP server certificate will be ignored
- Enable wallpaper: enable/disable the desktop wallpaper of the RDP server
- Enable font-smoothing: enable/disable font-smoothing (anti-aliasing) on the RDP server
- Enable full window dragging: enable/disable whether the full content of a window is visible while moving it on the RDP server
- Advanced settings: set connection settings via a Python expression
Connection settings
The RAC provider utilizes Apache Guacamole for establishing SSH, RDP and VNC connections. RAC supports the use of Apache Guacamole connection configurations.
Connection settings can include username, password, domain, private-key, security, enable-audio, and more.
For a full list of possible connection settings, see the Apache Guacamole connection configuration documentation.
RAC connection settings can be set via several methods and are all merged together when connecting:
- Default settings
- RAC Provider settings
- RAC Endpoint settings
- RAC Provider property mapping settings
- RAC Endpoint property mapping settings
- The
connection_settingsobject in the flow plan
For examples of how to configure connection settings, see the RAC SSH public key authentication and RAC Credentials Prompt documentation.
Capabilities
The following features are currently supported:
- Bi-directional clipboard
- Audio redirection (from remote machine to browser)
- Resizing