On Wed, Jul 29, 2020 at 10:09 AM Idhren <[email protected]> wrote:
> Hi,
>
> I'm trying to configure SAML with guacamole v1.2 and LemonLDAP.
>
> In order to configure the IdP with Guacamole as a SP and according to
> LemonLDAP documentation I should register SP metadata by uploading the file
> (or get it from SP metadata URL).
> It seems that the saml extension does not provide this metadata. Right?
>

No, in my (limited) experience with SAML, the metadata is provided by the IdP - basically, the IdP usually has a place where you go - a management tool or URL - that is used to generate the metadata for the service provider (in this case, Guacamole). I think there are a couple of websites that help you generate this metadata if your IdP doesn't have a straightforward way to do it, but that's a little risky, as generally the IdP inserts some certificates/keys that make sure that only the IdP and SP trust each other and that someone cannot insert themselves into that chain.

> My Guacamole url: https://<my_guacamole_server>
> On the IdP, my guacamole server is configured as a SP, but without any
> metadata.
>
> With saml-idp-metadata-url: file:// or url. It just doesn't work and I get
> this error:
>
> 13:44:49.594 [http-nio-8080-exec-4] DEBUG org.apache.xml.security.Init - Registering default algorithms
> 13:44:49.694 [http-nio-8080-exec-4] WARN o.a.g.e.AuthenticationProviderFacade - The "saml" authentication provider
> has encountered an internal error which will halt the authentication process. If this is unexpected or you are
> the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected
> and you wish to ignore such failures in the future, please set "skip-if-unavailable: saml" within your
> guacamole.properties.
> 13:44:49.694 [http-nio-8080-exec-4] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt
> from <client-IP> failed.
>

You may need to enable debugging within the web application to get more details on the failure: http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

> So I tried to ignore metadata files/url and the best I could do was to reach
> my IdP, logged in, but the IdP didn't forward me to guacamole... I land on
> the IdP home page.
>
> This is my configuration:
>
> saml-debug: true
> saml-callback-url: https://<my_guacamole_server>
> saml-idp-url: https://<IdP_server>/saml/
> saml-entity-id: https://<my_guacamole_server>
>
> And the logs I'm getting from tomcat:
>
> 13:51:04.257 [http-nio-8080-exec-5] DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest --> <samlp:AuthnRequest
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="ONELOGIN_740ca17a-661f-4c66-81f3-2e8528f5b87c"
> Version="2.0" IssueInstant="2020-07-29T13:51:04Z"
> Destination="https://<IdP_server>/saml/"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> AssertionConsumerServiceURL="https://<my_guacamole_server>/api/ext/saml/callback"><saml:Issuer>https://<my_guacamole_server></saml:Issuer><samlp:NameIDPolicy
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> AllowCreate="true" /></samlp:AuthnRequest>
> 13:51:04.258 [http-nio-8080-exec-5] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file
> "/root/.guacamole/user-mapping.xml" does not exist and will not be read.
> 13:51:04.258 [http-nio-8080-exec-5] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt
> from <client-IP> failed.
>
> It seems to me that my callback URL is wrong, but I'm not sure... I tried
> https://<my_guacamole_server>/app/ext/saml/callback but it didn't work
> either.
>

The callback URL just needs to be the base path to your guacamole install.

-Nick
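As an added example (not code from this thread, from Guacamole's saml extension or from LemonLDAP): a small Python script that derives the SP metadata the IdP asks for from the three properties quoted above, using the AssertionConsumerService URL that the logged AuthnRequest reveals (the `saml-callback-url` base path plus `/api/ext/saml/callback`), and then checks an AuthnRequest copied from the debug log against those same properties, so that a wrong callback URL or entity ID shows up as a concrete mismatch instead of an "Anonymous authentication attempt ... failed" line. The hostnames guac.example.org and idp.example.org are placeholders for `<my_guacamole_server>` and `<IdP_server>`; the properties parser, the sample properties and the sample request are constructed for this example.

```python
"""Derive Guacamole SP metadata from guacamole.properties and check a logged
AuthnRequest against it.  Example code written for this thread; it is not part
of Guacamole, the saml extension or LemonLDAP."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: the properties from the thread, with guac.example.org and
# idp.example.org standing in for <my_guacamole_server> and <IdP_server>.
SAMPLE_PROPERTIES = """\
saml-debug: true
saml-callback-url: https://guac.example.org
saml-idp-url: https://idp.example.org/saml/
saml-entity-id: https://guac.example.org
"""

# Constructed sample: the AuthnRequest from the thread's log, same placeholders.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
  xmlns:saml="{SAML}" ID="ONELOGIN_740ca17a-661f-4c66-81f3-2e8528f5b87c"
  Version="2.0" IssueInstant="2020-07-29T13:51:04Z"
  Destination="https://idp.example.org/saml/" ProtocolBinding="{POST_BINDING}"
  AssertionConsumerServiceURL="https://guac.example.org/api/ext/saml/callback">
  <saml:Issuer>https://guac.example.org</saml:Issuer>
  <samlp:NameIDPolicy Format="{NAMEID_UNSPECIFIED}" AllowCreate="true" />
</samlp:AuthnRequest>"""


def parse_properties(text):
    """Parse the 'key: value' lines of a guacamole.properties file into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def acs_url(callback_url):
    """AssertionConsumerService URL: the logged AuthnRequest shows it is the
    callback URL (base path of the install) plus /api/ext/saml/callback."""
    return callback_url.rstrip("/") + "/api/ext/saml/callback"


def build_sp_metadata(props):
    """Return SP metadata XML for registering Guacamole at the IdP: entityID from
    saml-entity-id, one HTTP-POST AssertionConsumerService, and the unspecified
    NameID format the AuthnRequest asks for.  No KeyDescriptor is emitted."""
    ET.register_namespace("md", MD)
    entity = ET.Element(f"{{{MD}}}EntityDescriptor",
                        entityID=props["saml-entity-id"])
    sso = ET.SubElement(entity, f"{{{MD}}}SPSSODescriptor",
                        protocolSupportEnumeration=SAMLP)
    ET.SubElement(sso, f"{{{MD}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    ET.SubElement(sso, f"{{{MD}}}AssertionConsumerService",
                  Binding=POST_BINDING,
                  Location=acs_url(props["saml-callback-url"]),
                  index="0", isDefault="true")
    return ET.tostring(entity, encoding="unicode")


def check_authn_request(request_xml, props):
    """Compare an AuthnRequest copied from the Guacamole debug log with the
    properties.  Returns a list of mismatches; an empty list means they agree."""
    req = ET.fromstring(request_xml)
    expected = {
        "Issuer": (req.findtext(f"{{{SAML}}}Issuer"), props["saml-entity-id"]),
        "Destination": (req.get("Destination"), props["saml-idp-url"]),
        "AssertionConsumerServiceURL": (req.get("AssertionConsumerServiceURL"),
                                        acs_url(props["saml-callback-url"])),
        "ProtocolBinding": (req.get("ProtocolBinding"), POST_BINDING),
    }
    problems = []
    for name, (actual, wanted) in expected.items():
        if actual != wanted:
            problems.append(f"{name}: request has {actual!r}, config implies {wanted!r}")
    return problems


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(build_sp_metadata(props))
    print("mismatches:", check_authn_request(SAMPLE_AUTHN_REQUEST, props) or "none")
```

Run it with the real guacamole.properties and the AuthnRequest line from the Tomcat log in place of the two samples; the IdP must be told the exact Location the metadata carries, because a POSTed Response whose Destination does not match the SP's ACS URL is rejected on the SP side. The metadata produced here deliberately contains no KeyDescriptor: if the IdP is configured to require signed AuthnRequests or to encrypt assertions, the SP's certificate has to be added to it, which this example does not cover.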
