[ https://issues.apache.org/jira/browse/GUACAMOLE-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mike Jumper closed GUACAMOLE-1364.
----------------------------------
Resolution: Done
All done:
* To redirect all users (no Guacamole login screen), ensure the relevant SSO
extension has higher priority than the others.
* To show a Guacamole login screen, redirecting only users that click a "Sign
in with ..." link, ensure the relevant SSO extension has lower priority than
the others.
For example, to give the SAML extension _highest_ priority (redirect all users):
{code:none}
extension-priority: saml
{code}
Or, to give the SAML extension _lowest_ priority (login screen):
{code:none}
extension-priority: *, saml
{code}
The same goes for CAS and OpenID.
> Allow login with standard username/password when SSO is enabled
> ---------------------------------------------------------------
>
> Key: GUACAMOLE-1364
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1364
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-cas, guacamole-auth-openid,
> guacamole-auth-saml
> Reporter: Mike Jumper
> Assignee: Mike Jumper
> Priority: Minor
> Fix For: 1.4.0
>
>
> When SSO is in use, Guacamole automatically redirects all users to the IdP
> for sign-in. This works well if all necessary user accounts are available
> through that IdP, but effectively prevents logging in using any account
> unknown to the IdP and prevents using multiple SSO implementations.
> For example:
> * If SAML is enabled, but the common "guacadmin" administrative account has
> no counterpart in the SAML IdP, it will not be possible to sign in as
> "guacadmin" until a SAML user that maps to the "guacadmin" identity exists.
> * If multiple SSO solutions are enabled, only the solution that sorts first
> by filename will be usable, with others not getting their chance to redirect
> to their IdPs.
> This can be solved by:
> # Defining explicit behavior for the SSO implementations when they are not
> sorted first (automatically adding a "Sign in with _____" button to the login
> prompt produced by extensions that sort before the SSO implementation).
> # Providing an easier mechanism for adjusting extension order (rather than
> requiring renaming of files).
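An added example (not code from the Guacamole project or from this ticket): a simplified Python model of the ordering rule in the closing comment, for checking which sign-in behaviour a given `extension-priority` value should produce before deploying it. The function names, the `mysql` namespace in the sample input, and the handling of `*` (all unlisted extensions, sorted by name as a stand-in for filename order, and implied last when omitted) are assumptions.

```python
# Simplified model, not Guacamole code. SSO namespaces are those named in the issue.
SSO_NAMESPACES = {"saml", "cas", "openid"}


def load_order(priority, installed):
    """Order installed extension namespaces per an extension-priority value.

    Assumptions: listed namespaces load in the order given; "*" stands for
    every installed extension not listed (sorted by name here, standing in
    for filename order); a value without "*" behaves as if "*" came last.
    """
    listed = list(dict.fromkeys(p.strip() for p in priority.split(",") if p.strip()))
    if "*" not in listed:
        listed.append("*")
    explicit = {name for name in listed if name != "*"}
    rest = sorted(name for name in installed if name not in explicit)
    order = []
    for name in listed:
        if name == "*":
            order.extend(rest)
        elif name in installed:
            order.append(name)  # listed but not installed is skipped
    return order


def login_behaviour(priority, installed):
    """Report whether users are redirected to an IdP or see a login screen."""
    order = load_order(priority, installed)
    first = order[0] if order else None
    if first in SSO_NAMESPACES:
        # The SSO extension sorts first: every user is redirected and no
        # local username/password prompt (e.g. for "guacadmin") is offered.
        return {"order": order, "mode": "redirect", "idp": first, "links": []}
    # A non-SSO extension sorts first: its login screen is shown and each
    # later SSO extension contributes a "Sign in with ..." link.
    links = [name for name in order if name in SSO_NAMESPACES]
    return {"order": order, "mode": "login-screen", "idp": None, "links": links}


if __name__ == "__main__":
    installed = ["mysql", "saml", "openid"]  # constructed sample deployment
    for value in ("saml", "*, saml"):
        print(value, "->", login_behaviour(value, installed))
    # Edge case: "lowest priority" still redirects if nothing else is installed.
    print("*, saml", "->", login_behaviour("*, saml", ["saml"]))
```
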