website/docs/add-secure-apps/providers/rac/index.md
The RAC provider allows users to access remote Windows, macOS, and Linux machines via RDP/SSH/VNC. Just like other providers in authentik, the RAC provider is associated with an application that appears on a user's My applications page.
For instructions on creating a RAC provider, refer to the Create a Remote Access Control (RAC) provider documentation. Alternatively, watch our "Remote Access Control (RAC) in authentik" video on YouTube.
A RAC provider uses several components:
```mermaid
architecture-beta
    service application(mdi:application-outline)[Application]
    service provider(mdi:application-cog-outline)[Provider]
    service endpoint(mdi:network-pos)[Endpoint Settings]
    service server(mdi:server)[authentik Server]
    service outpost(mdi:server-plus)[RAC Outpost]
    service machine(mdi:desktop-classic)[Remote Machine]
    application:R --> L:provider
    provider:B -- T:endpoint
    provider:R --> L:server
    server:R <--> L:outpost
    outpost:B <--> T:machine
```
When a user starts the RAC application, it communicates with the authentik server, which then connects to the RAC outpost and sends instructions (based on the endpoint data you defined) on how to connect to the remote machine.
After connecting to the remote machine, the outpost sends a message back to the authentik server (via WebSockets), and the web browser opens the WebSocket connection to the remote machine.
Unlike other providers, where an application-provider pair is created for each resource you wish to access, RAC works differently. RAC uses a single application connected to one RAC provider. The RAC provider then has an Endpoint object for each remote machine (computer/server) you want to connect to.
The Endpoint object specifies:
Additionally, it is possible to bind policies to Endpoint objects to restrict user access. To connect to a remote machine, users must have access to both the application that the RAC provider is using and the corresponding endpoint.
A new connection is created every time a RAC application/endpoint is selected in the User Interface. After the user's authentik session expires, the connection is terminated. Additionally, you can configure connection expiry in the RAC provider, which applies even if the user is still authenticated. The connection can also be terminated manually from the Connections tab of the RAC provider.
You can create RAC property mappings via Customization > Property Mappings.
RAC property mappings allow you to configure the following settings:
The RAC provider utilizes Apache Guacamole for establishing SSH, RDP and VNC connections. RAC supports the use of Apache Guacamole connection configurations.
Connection settings can include username, password, domain, private-key, security, enable-audio, and more.
For a full list of possible connection settings, see the Apache Guacamole connection configuration documentation.
RAC connection settings can be set via several methods and are all merged together when connecting:
- `connection_settings` object in the flow plan

For examples of how to configure connection settings, see the RAC SSH public key authentication and RAC Credentials Prompt documentation.
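Because settings from several sources are merged, it helps to know which source supplied each effective value. The following is an added example, not authentik's own code, that models the merge and reports overrides and secret-bearing keys for review. The source names, their order (later overrides earlier, with the flow plan last), and the sample values are assumptions made for illustration.

```python
# Added illustration: a model of layered RAC connection settings, not authentik code.
SENSITIVE_KEYS = {"password", "private-key"}  # Guacamole parameters that carry secrets


def merge_connection_settings(layers):
    """Merge (source_name, settings) pairs in order; later pairs override earlier ones.

    Returns (effective, origin): the merged settings and, for each key,
    the source that supplied the final value.
    """
    effective, origin = {}, {}
    for source, settings in layers:
        for key, value in settings.items():
            effective[key] = value
            origin[key] = source
    return effective, origin


def audit(layers):
    """List overrides and secret-bearing keys so a reviewer sees who controls what."""
    findings, seen = [], {}
    for source, settings in layers:
        for key in settings:
            if key in seen and seen[key] != source:
                findings.append(f"{key}: {source} overrides {seen[key]}")
            seen[key] = source
    for key in sorted(SENSITIVE_KEYS & set(seen)):
        findings.append(f"{key}: secret supplied by {seen[key]}")
    return findings


# Constructed sample layers; the source names and their order are assumptions.
LAYERS = [
    ("provider", {"security": "any"}),
    ("endpoint", {"security": "nla", "domain": "CORP"}),
    ("property-mapping", {"username": "alice"}),
    ("flow-plan", {"username": "alice-admin", "password": "example-only"}),
]

if __name__ == "__main__":
    effective, origin = merge_connection_settings(LAYERS)
    for key in sorted(effective):
        shown = "<redacted>" if key in SENSITIVE_KEYS else effective[key]
        print(f"{key:10} = {shown:12} (from {origin[key]})")
    for finding in audit(LAYERS):
        print("review:", finding)
```

Running the same audit over an exported copy of your own provider, endpoint, and mapping settings shows where a narrower source silently replaces a hardened default such as `security`.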
The following features are currently supported: