Hi Nick,

Thanks for the speedy reply.

I’m trying to have an F5 BIG-IP APM authenticate through to Guacamole through 
CAS, so I thought SAML was the best solution.  To my knowledge, F5 doesn’t 
support CAS natively (and I’ve done some searching, so I’m pretty confident 
this is true).

CAS has come into the solution as middleware of sorts – converting the 
authentication from SAML into something Guacamole can understand (native CAS 
authentication through the CAS protocol). My company isn’t using CAS at the 
moment – we’d be deploying it for this project only, which uses usernames and 
passwords to authenticate that are stored in the internal F5 database.  Hence 
the guy in my team recommending SAML2.0 between F5 and CAS and then Native CAS 
authentication for Guacamole, if that’s possible.

But you’re saying it’s not?

Cheers,

Daniel Storey

From: Nick Couchman <vn...@apache.org>
Reply-To: "user@guacamole.apache.org" <user@guacamole.apache.org>
Date: Saturday, 11 August 2018 at 11:50 pm
To: "user@guacamole.apache.org" <user@guacamole.apache.org>
Subject: Re: SAML 2.0 support for Apache Guacamole through CAS


On Sat, Aug 11, 2018 at 9:19 AM stoda06 
<daniel.sto...@rededucation.com> wrote:
Hi Guacamole Gurus!

I'm trying to figure out if I should attempt to get Guacamole working with
CAS as a SAML 2.0 SP allowing SSO into Guacamole?

Because I've read here (https://issues.apache.org/jira/browse/GUACAMOLE-103)
that SAML 2.0 isn't currently supported for Guacamole, but I wouldn't have
thought this would mean that SAML 2.0 isn't supported through CAS?

Support for authentication via the SAML protocol is a work in progress, but 
currently not available in Guacamole.  If you must use the SAML 2.0 
authentication protocol with CAS, then you will not be able to authenticate 
Guacamole with CAS as the SAML protocol is not supported.

That said, Guacamole has a CAS authentication module which supports the native 
CAS SSO protocol.  If you're already running a CAS server, you should be able 
to use the guacamole-auth-cas extension and authenticate against your CAS 
server.

Is there some reason you're required to use SAML 2.0 instead of the native CAS 
protocol?

Would someone who's gotten Guacamole working with SAML 2.0 please let me
know the components they used in their architecture?  Because I've been
through the last 4000 messages emailed to this list and there's a thread
with the title: "Handling a SAML POST response" which talks about SAML
(version unknown) and getting it working with Mike Jumper's extension and
used it to authenticate via OpenID.  From which I gather it's possible to
get it working with SAML of an unknown version.

OpenID and SAML are not identical.  There is an OpenID authentication extension 
that you can use, but you must use it against any OpenID-compatible SSO server. 
CAS can also do this, but, again, why are you trying to do this instead of 
just using the CAS protocol?


Basically, I'm trying to authenticate from an F5 BIG-IP APM to Guacamole
using SSO and one of the guys who's in my team suggested that SAML would be
the easiest way to get this working.

Sorry to sound like a broken record, but if your SSO server is CAS, just use 
the CAS protocol - it's the most straight-forward to get configured, and it's 
already supported.

-Nick
