Hi Mike,

Thanks a lot. HTTP header authentication would better suit our needs.
We are trying to move away from Guacamole authentication modules as we want to get SAML working ASAP, and Apache can be "easily" configured for that instead of waiting for the module development by your team.

Thanks again.

Regards,
Kaushik Srinivasan

On Fri, Mar 23, 2018 at 11:13 PM, Mike Jumper <[email protected]> wrote:

> On Fri, Mar 23, 2018 at 7:41 PM, Kaushik Srinivasan <[email protected]> wrote:
>
> > Hi Everyone,
> >
> > I'm currently working on an NSF-funded project and using Guacamole as part
> > of the university infrastructure.
> >
> > I have a few design-oriented questions.
> >
> > Currently our Guacamole setup uses the CAS auth module for authentication.
> > But we would like to support SAML too.
>
> There is a SAML extension under development:
>
> https://issues.apache.org/jira/browse/GUACAMOLE-103
>
> Have you taken a look at whether that would fit your needs?
>
> > We believe that the best way to do this is by implementing both the
> > authentication modules in the reverse proxy. But there are two issues with
> > this.
> >
> > 1. Once our reverse proxy authenticates, we are planning to use the No-Auth
> > module in Guacamole to allow the user to pass through. This would not be
> > possible in the future, as the recent version 0.9.14 states that "The "NoAuth"
> > extension is **DEPRECATED**" and will be removed in future releases. *How
> > can we allow users to 'pass-through' once they authenticate with our
> > reverse proxy?*
>
> The old "NoAuth" extension would not pass through anything; it would give
> everyone the same access to everything. Even if that extension were not
> deprecated, it would not be a good solution for the case you describe.
>
> > 2. Currently Guacamole maintains an authorized list in the database,
> > which the CAS module uses to verify authorization. But in the case of a
> > reverse proxy this would not be possible.
> > *Is there any way a reverse proxy
> > can pass the authenticated user to the database module in the CAS for
> > authorization to a connection?*
>
> Configure your reverse proxy to set an HTTP header of your choice for
> authenticated users, and ensure that header is removed from the external
> HTTP request before adding it via the auth process (ensure that ONLY your
> auth mechanisms can provide this header, not a malicious user that manually
> sets the header). You can then use Guacamole's header authentication
> extension:
>
> http://guacamole.apache.org/doc/gug/header-auth.html
>
> - Mike
>

--
Regards,
Kaushik Srinivasan
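
The reverse-proxy arrangement described in the reply above, sketched as an Apache httpd 2.4 configuration fragment. This is an added example and not part of the original thread or the Guacamole documentation; the backend address, the /guacamole/ path and the omitted CAS/SAML module directives are assumptions.

```apache
# Added illustration, not from the thread. Assumes Apache httpd 2.4 with
# mod_headers, mod_proxy and mod_proxy_http loaded, and Guacamole running
# in Tomcat at 127.0.0.1:8080 (constructed address).
#
# Matching line in guacamole.properties, with the header authentication
# extension installed (REMOTE_USER is also the extension's default):
#   http-auth-header: REMOTE_USER

<Location "/guacamole/">
    # Authentication directives for your CAS or SAML module go here
    # (AuthType plus module-specific settings). Placeholder, not shown.
    Require valid-user

    # Discard any REMOTE_USER header supplied by the client, so the
    # value Guacamole sees can only come from the proxy.
    RequestHeader unset REMOTE_USER

    # Re-create the header from the user Apache has just authenticated.
    # Late-mode RequestHeader runs after the authentication phase.
    RequestHeader set REMOTE_USER "expr=%{REMOTE_USER}"

    ProxyPass "http://127.0.0.1:8080/guacamole/" flushpackets=on
    ProxyPassReverse "http://127.0.0.1:8080/guacamole/"
</Location>

# Tomcat should listen on the loopback interface only (or be firewalled
# to the proxy host). If clients can reach port 8080 directly, nothing
# strips the header and the proxy's check is bypassed.
```

To confirm the stripping works on your own deployment, log in through the proxy while sending a request that already carries a REMOTE_USER header and check that Guacamole shows only the name your SSO login produced.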
