On Fri, Mar 23, 2018 at 7:41 PM, Kaushik Srinivasan <[email protected]> wrote:
> Hi Everyone,
>
> I'm currently working on an NSF-funded project and using Guacamole as part
> of the university infrastructure.
>
> I have a few design-oriented questions.
>
> Currently our Guacamole setup uses the CAS auth module for authentication.
> But we would like to support SAML too.

There is a SAML extension under development:

https://issues.apache.org/jira/browse/GUACAMOLE-103

Have you taken a look at whether that would fit your needs?

> We believe that the best way to do this is by implementing both the
> authentication modules in the reverse proxy. But there are two issues with
> this.
>
> 1. Once our reverse proxy authenticates, we are planning to use No-Auth
> module in Guacamole to allow the user to pass through. This would not be
> possible in future as the recent version 0.9.14 states that "The "NoAuth"
> extension is **DEPRECATED**" and will be removed in future releases. *How
> can we allow users to 'pass-through' once they authenticate with our
> reverse proxy?*

The old "NoAuth" extension would not pass through anything; it would give
everyone the same access to everything. Even if that extension were not
deprecated, it would not be a good solution for the case you describe.

> 2. Currently Guacamole maintains an authorized list in the database,
> which the CAS module uses to verify for authorization. But in the case of
> reverse proxy this would not be possible. *Is there any way a reverse proxy
> can pass the authenticated user to the database module in the CAS for
> authorization to a connection?*

Configure your reverse proxy to set an HTTP header of your choice for
authenticated users, and ensure that header is removed from the external
HTTP request before adding it via the auth process (ensure that ONLY your
auth mechanisms can provide this header, not a malicious user that manually
sets the header). You can then use Guacamole's header authentication
extension:

http://guacamole.apache.org/doc/gug/header-auth.html

- Mike
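
Added example (not part of the original message, and not Guacamole or proxy source code): a Python model of the header handling described in the reply above, where the reverse proxy drops every client-supplied copy of the identity header and then sets it only from its own login result. It assumes the header auth extension's default header name REMOTE_USER; the function names, the constructed sample request and the conservative matching of '-'/'_' variants are assumptions made for illustration.

```python
# Added example: models proxy-side header handling; names here are hypothetical.
AUTH_HEADER = "REMOTE_USER"  # assumed: default header read by the header auth extension


def _canonical(name):
    """Fold case and treat '-' and '_' alike, so look-alike names also match."""
    return name.strip().lower().replace("-", "_")


def build_upstream_headers(client_headers, authenticated_user, auth_header=AUTH_HEADER):
    """Return the (name, value) list the proxy forwards to Guacamole.

    client_headers: headers exactly as received from the external client.
    authenticated_user: username established by the proxy's own CAS/SAML
    login, or None when the request is not authenticated.
    """
    target = _canonical(auth_header)
    # 1. Drop every client-supplied copy of the identity header, including
    #    duplicates and case or '-'/'_' variants (conservative by design).
    forwarded = [(n, v) for n, v in client_headers if _canonical(n) != target]
    # 2. Add the header only from the proxy's own authentication result.
    if authenticated_user is not None:
        if "\r" in authenticated_user or "\n" in authenticated_user:
            raise ValueError("username contains CR/LF")
        forwarded.append((auth_header, authenticated_user))
    return forwarded


def identity_seen_by_backend(headers, auth_header=AUTH_HEADER):
    """All values the backend would read for the identity header name."""
    return [v for n, v in headers if n.lower() == auth_header.lower()]


# Constructed sample: an external request that sets the identity header itself.
SPOOFED_REQUEST = [
    ("Host", "guac.example.edu"),
    ("REMOTE_USER", "admin"),
    ("remote-user", "admin"),
    ("Cookie", "session=constructed"),
]

if __name__ == "__main__":
    # Authenticated as "alice": the backend sees only the proxy's value.
    print(identity_seen_by_backend(build_upstream_headers(SPOOFED_REQUEST, "alice")))
    # Not authenticated: the backend sees no identity header at all.
    print(identity_seen_by_backend(build_upstream_headers(SPOOFED_REQUEST, None)))
```

The same two steps (unset on the inbound request, then set from the authentication result) are what the proxy's own configuration has to express, and Guacamole should be reachable only through that proxy.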
