[ https://issues.apache.org/jira/browse/GUACAMOLE-1528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515760#comment-17515760 ]

Oto commented on GUACAMOLE-1528:
--------------------------------

Stu B: Thanks for the Azure AD related hint to specify the
saml-idp-metadata-url.
Regarding the issue that Bap reported: setting saml-strict to false will
not work with Azure AD for sure. Keep saml-strict at true (the default); the
mismatch between the received response URL and the specified callback URL
(saml-callback-url) has something to do with the Tomcat connector setting.

Here is my config, which works with the new 1.4.0 SAML extension. Please note,
I'm using nginx as a reverse proxy as described here:
https://guacamole.apache.org/doc/gug/reverse-proxy.html

# In /etc/guacamole/guacamole.properties the App Federation Metadata XML file
# is specified instead of a URL. (Java properties files do not support trailing
# comments on a value line, so the comments here sit on their own lines.)
saml-idp-url: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/saml2
saml-entity-id: https://pguac1.domain.com
saml-callback-url: https://pguac1.domain.com
# XML file downloaded from Azure AD (App Federation Metadata XML)
saml-idp-metadata-url: file:///etc/guacamole/federationmetadata.xml
extension-priority: saml
skip-if-unavailable: saml

# In /etc/tomcat/server.xml, the connector configuration for port 8080 was
# changed to use scheme="https"
    <!--
    =========================================
    Proxying Guacamole via Nginx over HTTPS
    See the following for more information:
    https://confluence.atlassian.com/x/DAFmGQ
    =========================================
    -->
    <Connector port="8080" connectionTimeout="20000" enableLookups="false"
               protocol="HTTP/1.1" useBodyEncodingForURI="true" secure="true"
               scheme="https"
               proxyName="pguac1.domain.com" proxyPort="443"/>


# /etc/nginx/conf.d/guacamole.conf
server {
    listen 80;
    server_name pguac1.domain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name pguac1.domain.com;
    ssl_certificate /etc/nginx/ssl/pguac1.domain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/pguac1.domain.com.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    access_log off;
    location / {
        proxy_pass http://localhost:8080/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        client_max_body_size 4096M;
        access_log /var/log/nginx/guacamole_access.log main;
    }
}

BTW, according to the 1.4.0 release notes, any extension written for older 1.x
releases can be used with 1.4.0. So one can update "guacamole-client" to 1.4.0
and use the older guacamole-auth-saml-1.3.0 extension.
https://guacamole.apache.org/releases/1.4.0/
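The two things this comment's configuration lines up are the URL the servlet container reconstructs behind the reverse proxy (which strict SAML validation compares against the response's Destination) and the IdP signing certificate taken from the metadata file (which the signature check needs). The script below is an added diagnostic written for this thread; it is not code from Guacamole, Azure AD or the java-saml library named in the logs. The metadata, the SAML Response and the certificates are constructed samples (the certificate payloads are opaque blobs, enough for fingerprint comparison), and the callback path `/api/ext/saml/callback` is an assumption. The URL reconstruction is a simplified model of how a servlet container builds the request URL from the connector's scheme, serverName and serverPort.

```python
"""Added diagnostic, not Guacamole or java-saml code. It models the two checks
behind the errors in this thread: (1) the request URL a servlet container
reconstructs behind a reverse proxy, which strict SAML validation compares with
the response's Destination, and (2) whether the certificate that signed the
response is one published in the IdP metadata. All XML and certificates below
are constructed samples; the callback path is an assumption."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CALLBACK_PATH = "/api/ext/saml/callback"  # assumed ACS path, not taken from the thread

# Opaque stand-ins for DER certificates; fingerprint comparison needs no parsing.
CERT_A = base64.b64encode(b"constructed-idp-signing-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-idp-signing-cert-B").decode()

# Constructed IdP metadata listing one signing certificate (CERT_A).
METADATA_XML = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/">
  <IDPSSODescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_A}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def make_response(destination, cert_b64):
    """Constructed SAML Response carrying only the attributes these checks read."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="{destination}">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""


def container_request_url(scheme, server_name, server_port, path=CALLBACK_PATH):
    """Simplified servlet-container URL reconstruction: scheme, serverName and
    serverPort come from the connector. Behind nginx proxying to localhost:8080
    a plain connector yields http://localhost:8080/...; with scheme="https",
    proxyName and proxyPort="443" it yields the public HTTPS URL."""
    default_port = {"http": 80, "https": 443}[scheme]
    host = server_name if server_port == default_port else f"{server_name}:{server_port}"
    return f"{scheme}://{host}{path}"


def metadata_signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every signing certificate the IdP metadata lists."""
    root = ET.fromstring(metadata_xml)
    fingerprints = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' covers signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def check_response(response_xml, expected_url, metadata_fingerprints):
    """Report which of the two strict-mode preconditions the response meets."""
    root = ET.fromstring(response_xml)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    signer = None
    if cert is not None and cert.text:
        signer = hashlib.sha256(base64.b64decode("".join(cert.text.split()))).hexdigest()
    return {
        "destination_matches": root.get("Destination") == expected_url,
        "signer_in_metadata": signer in metadata_fingerprints,
    }


if __name__ == "__main__":
    fps = metadata_signing_fingerprints(METADATA_XML)
    public = container_request_url("https", "pguac1.domain.com", 443)
    plain = container_request_url("http", "localhost", 8080)
    resp = make_response(public, CERT_A)
    print("connector with proxyName/proxyPort:", check_response(resp, public, fps))
    print("plain connector behind nginx:      ", check_response(resp, plain, fps))
    print("IdP cert not in metadata file:     ",
          check_response(make_response(public, CERT_B), public, fps))
```

The second and third lines of output reproduce the two failure modes in the thread: a Destination mismatch, which is what keeping saml-strict at true catches and which the proxyName/proxyPort connector settings resolve, and a signer that is not in the metadata file, which is the case to suspect when the log says the signature did not validate (for example after the IdP rotated its certificate and the downloaded federationmetadata.xml is stale).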

> [Docker Version] SAML extension validating 
> -------------------------------------------
>
>                 Key: GUACAMOLE-1528
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1528
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-saml
>    Affects Versions: 1.4.0
>         Environment: Docker
>            Reporter: Bryce Prutsos
>            Priority: Minor
>              Labels: SAML
>
> I am trying to configure SAML but the error it gives doesn't really help.
> Specifically the error: [https-openssl-nio-8080-exec-7] WARN
> o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with
> an invalid SAML response: SAML response did not pass validation: Signature
> validation failed. SAML Response rejected.
>  
> I am guessing it has to do with the x509 cert between the idp and guacamole 
> but there is nowhere to specify settings. 
> for the I have the following 
>  
> extension-priority: *, saml
> saml-debug: true
> saml-strict: false
> saml-idp-url: https://login.localhost.com/sso/go.ashx
> saml-entity-id: https://guac.localhost.com:8080/
> saml-callback-url: https://guac.localhost.com:8080
> mysql-auto-create-accounts: true
>  
>  LOGS BELOW
>  
> 05:31:21.596 [main] INFO o.a.g.extension.ExtensionModule - Extension "SAML 
> Authentication Extension" (saml) loaded.
>  
> 05:31:21.694 [main] INFO o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 
> WebSocket support...
>  
> 05:31:22.103 [main] WARN o.g.jersey.server.wadl.WadlFeature - JAXBContext 
> implementation could not be found. WADL feature is disabled.
>  
> 03-Feb-2022 05:31:22.308 INFO [main] 
> org.apache.catalina.startup.HostConfig.deployWAR Deployment of web 
> application archive [/usr/local/tomcat/webapps/ROOT.war] has finished in 
> [3,099] ms
>  
> 03-Feb-2022 05:31:22.312 INFO [main] org.apache.coyote.AbstractProtocol.start 
> Starting ProtocolHandler ["https-openssl-nio-8080"]
>  
> 03-Feb-2022 05:31:22.342 INFO [main] 
> org.apache.catalina.startup.Catalina.start Server startup in [3171] 
> milliseconds
>  
> 05:31:43.515 [https-openssl-nio-8080-exec-5] INFO 
> com.onelogin.saml2.util.Util - Found a deprecated algorithm 
> http://www.w3.org/2000/09/xmldsig#rsa-sha1 related to the Signature element, 
> consider requesting a more robust algorithm
>  
> 05:31:43.518 [https-openssl-nio-8080-exec-5] ERROR 
> c.onelogin.saml2.authn.SamlResponse - Signature validation failed. SAML 
> Response rejected
>  
> 05:31:43.518 [https-openssl-nio-8080-exec-5] WARN 
> o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with 
> an invalid SAML response: SAML response did not pass validation: Signature 
> validation failed. SAML Response rejected
>  
> 05:31:53.360 [https-openssl-nio-8080-exec-7] INFO 
> com.onelogin.saml2.util.Util - Found a deprecated algorithm 
> http://www.w3.org/2000/09/xmldsig#rsa-sha1 related to the Signature element, 
> consider requesting a more robust algorithm
>  
> 05:31:53.360 [https-openssl-nio-8080-exec-7] ERROR 
> c.onelogin.saml2.authn.SamlResponse - Signature validation failed. SAML 
> Response rejected
>  
> 05:31:53.360 [https-openssl-nio-8080-exec-7] WARN 
> o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with 
> an invalid SAML response: SAML response did not pass validation: Signature 
> validation failed. SAML Response rejected

--
This message was sent by Atlassian Jira
(v8.20.1#820001)