Hi All, I know I called out Nick on this one, but I did also say (et al.).
As Mike, Stefan, or anyone else... feel free to jump in :)

Cheers,
-Kerman

From: Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC] <[email protected]>
Sent: Monday, June 17, 2019 3:49 PM
To: [email protected]
Cc: Neff, Jasaun J. (GSFC-606.2)[InuTeq, LLC] <[email protected]>
Subject: [EXTERNAL] Guac SAML auth

Hi Nick (et al.),

It has been some time. We currently run a guacamole server (0.9.9) in our environment that uses LDAP for authentication. For several reasons, we would like to build a new guac server using SSO, SAML to be specific. We have a guac server (0.9.14, which was the latest in the yum repo at the time) built with HTTP header authentication, layered on a MySQL database, and proxied via NGINX. In trying to make this all work with a colleague, here are a few things we ran into:

"The plan has been to force an authentication (via Launchpad and sending a header that we derive from Mellon) if the GUAC_AUTH cookie is missing from a user request, but testing that out has shown me a few problems.

One, the GUAC_AUTH cookie effectively never expires (it has no expiration date, but the Session flag is set, which is supposed to expire the cookie when the session is done; but if you never close your browser, or use the session restore feature, you will never stop sending a GUAC_AUTH cookie with Guac requests once you've authenticated once).

Two, the auth token gets passed in GET requests, which means it leaks in logs, and that's less than ideal.

Two and a half, I tested replaying with tokens, and I was able to get potentially sensitive data but have not been able to figure out how to hijack a session.

Kerman, if you can look into cookie/session options in Guac, I would appreciate it. I will keep trying to figure out if we can (in the proxy) reliably tell if a session is invalid. I think, as a fallback plan, we can test sending the auth header from the proxy with every request as long as we make sure it's not being spoofed from the client."

Any help you could share to sort out cookies/sessions would be much appreciated. I know SAML support for guac is still in the works. I have noted you commenting in a few forums about the matter as well. After some research it would seem to me that using the CAS extension may be the better way to go about configuring guacamole.properties to work with SAML? Sharing anything you've gleaned thus far will be greatly enlightening.

P.S. The underlying guac server/client are 1.0.0. However, the war and jar files are 0.9.14 and it still works. The VM these are built in eventually has to be migrated/re-provisioned into OpenStack. I may need to start the build anew with the matching war/jar files. That said, getting to a working state regarding authentication would be great.

Cheers,
-Kerman
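As an added example (not part of the thread, and not Guacamole project configuration), the NGINX side of the fallback plan quoted above: the proxy authorizes every request against the SSO layer, sets the identity header itself on every request, and overwrites whatever header the browser sent, so a client cannot spoof it. It also addresses the "token in GET requests leaks in logs" point by logging $uri rather than $request. Assumptions: the header extension uses its default header name (REMOTE_USER, the `http-auth-header` property in guacamole.properties); the SSO layer is reachable as an internal subrequest at /sso/verify that answers 2xx plus an X-Sso-User response header for a logged-in browser (the endpoint, the upstream addresses and the host name are placeholders); Tomcat is bound to loopback so nothing but this proxy can reach it.

```nginx
# Added example, not from the original thread. Placeholders: guac.example.org,
# /sso/verify, 127.0.0.1:8081 (SSO verifier), 127.0.0.1:8080 (Tomcat with guacamole.war).

# Log $uri instead of $request: $uri carries no query string, so the token=...
# parameter Guacamole's REST calls put in GET requests never reaches the access log.
log_format noquery '$remote_addr - [$time_local] "$request_method $uri $server_protocol" '
                   '$status $body_bytes_sent "$http_referer" "$http_user_agent"';

server {
    listen 443 ssl;
    server_name guac.example.org;
    access_log /var/log/nginx/guac.log noquery;

    # Internal-only subrequest to the SSO layer; the real verifier is site specific.
    # 2xx = logged in (identity returned in X-Sso-User), 401/403 = not logged in.
    location = /sso/verify {
        internal;
        proxy_pass http://127.0.0.1:8081/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location / {
        # Every request, not just the first, is checked against the SSO layer.
        auth_request /sso/verify;
        auth_request_set $sso_user $upstream_http_x_sso_user;

        # proxy_set_header replaces the header wholesale, so a REMOTE_USER header
        # sent by the browser is discarded and only the SSO-derived value reaches Tomcat.
        proxy_set_header REMOTE_USER $sso_user;
        # Drop the client's copy of the SSO hint header as well; Tomcat must never see it.
        proxy_set_header X-Sso-User "";

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Guacamole's tunnel runs over WebSocket; pass the upgrade through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_buffering off;
        proxy_read_timeout 3600s;

        # Serving guacamole.war from / means its cookie path must be rewritten,
        # otherwise GUAC_AUTH is scoped to /guacamole/ and never sent back.
        proxy_cookie_path /guacamole/ /;
        proxy_pass http://127.0.0.1:8080/guacamole/;
    }
}
```

A quick spoof check is to send a request with a forged header, e.g. `curl -H 'REMOTE_USER: admin' https://guac.example.org/api/tokens`, while not logged in to the SSO layer: the expected result is the auth_request denial (401 or 403), and with a valid SSO session the upstream sees only the SSO-derived value. The whole scheme depends on the proxy being the only path to Tomcat; if Tomcat is reachable on another interface, anyone who can reach it can set REMOTE_USER themselves.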
