Hi. I can integrate Guacamole and Onelogin with SAML. I wrote about how to set it up on my blog: https://cloudfish.hatenablog.com/entry/2020/07/15/212107

It might be helpful to you. You can check it if you like, but it is written in Japanese.

On Wed, Jul 29, 2020 at 11:57 PM Nick Couchman <[email protected]> wrote:

> On Wed, Jul 29, 2020 at 10:09 AM Idhren <[email protected]> wrote:
>
>> Hi,
>>
>> I'm trying to configure SAML with guacamole v1.2 and LemonLDAP.
>>
>> In order to configure the IdP with Guacamole as a SP and according to
>> LemonLDAP documentation I should register SP metadata by uploading the
>> file (or get it from SP metadata URL).
>> It seems that the saml extension does not provide this metadata. Right?
>>
>
> No, in my (limited) experience with SAML, the metadata is provided by the
> IdP - basically, the IdP usually has a place where you go - a management
> tool or URL - that is used to generate the metadata for the service
> provider (in this case, Guacamole). I think there are a couple of websites
> that help you generate this metadata if your IdP doesn't have a
> straight-forward way to do it, but that's a little risky, as generally the
> IdP inserts some certificates/keys that make sure that only the IdP and SP
> trust each other and that someone cannot insert themselves into that chain.
>
>> My Guacamole url: https://<my_guacamole_server>
>> On the IdP, my guacamole server is configured as a SP, but without any
>> metadata.
>>
>> With saml-idp-metadata-url: file:// or url. It just doesn't work and I get
>> this error:
>>
>> 13:44:49.594 [http-nio-8080-exec-4] DEBUG org.apache.xml.security.Init - Registering default algorithms
>> 13:44:49.694 [http-nio-8080-exec-4] WARN o.a.g.e.AuthenticationProviderFacade - The "saml" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: saml" within your guacamole.properties.
>> 13:44:49.694 [http-nio-8080-exec-4] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from <client-IP> failed.
>>
>
> You may need to enable debugging within the web application to get more
> details on the failure:
>
> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
>
>> So I tried to ignore metadata files/url and the best I could do was to
>> reach my IdP, logged in, but the IdP didn't forward me to guacamole... I
>> land on the IdP home page.
>>
>> This is my configuration:
>>
>> saml-debug: true
>> saml-callback-url: https://<my_guacamole_server>
>> saml-idp-url: https://<IdP_server>/saml/
>> saml-entity-id: https://<my_guacamole_server>
>>
>> And the logs I'm getting from tomcat:
>>
>> 13:51:04.257 [http-nio-8080-exec-5] DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_740ca17a-661f-4c66-81f3-2e8528f5b87c" Version="2.0" IssueInstant="2020-07-29T13:51:04Z" Destination="https://<IdP_server>/saml/" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://<my_guacamole_server>/api/ext/saml/callback"><saml:Issuer>https://<my_guacamole_server></saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
>> 13:51:04.258 [http-nio-8080-exec-5] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/root/.guacamole/user-mapping.xml" does not exist and will not be read.
>> 13:51:04.258 [http-nio-8080-exec-5] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from <client-IP> failed.
>>
>> It seems to me that my callback URL is wrong, but I'm not sure... I
>> tried https://<my_guacamole_server>/app/ext/saml/callback but it didn't
>> work either.
>>
>
> The callback URL just needs to be the base path to your guacamole install.
>
> -Nick
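An added example for the question above (not code from the thread, nor from the Apache Guacamole project): an IdP such as LemonLDAP that wants SP metadata can be given a small hand-built EntityDescriptor, and the same values can be cross-checked against the AuthnRequest that Guacamole logs with saml-debug enabled. The script assumes only what the quoted AuthnRequest shows, namely that the SP entity ID is the saml-entity-id value and that the AssertionConsumerService URL is the saml-callback-url base plus /api/ext/saml/callback with the HTTP-POST binding. The hostnames and request ID in it are constructed placeholders, not values from the thread, and the signing flags in the descriptor are the author's choice for this example.

```python
"""Build SAML SP metadata for a Guacamole install and cross-check it against
a captured AuthnRequest.

Added example for this thread; not code from the thread or from the Apache
Guacamole project. It assumes only what the quoted AuthnRequest shows: the SP
entity ID is the saml-entity-id value, and the AssertionConsumerService URL
that Guacamole advertises is <saml-callback-url>/api/ext/saml/callback with
the HTTP-POST binding. Hostnames and the request ID below are constructed
placeholders, not values from the thread.
"""
from typing import List
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def sp_acs_url(callback_url: str) -> str:
    """ACS endpoint as it appears in the thread's AuthnRequest:
    the base URL from saml-callback-url plus /api/ext/saml/callback."""
    return callback_url.rstrip("/") + "/api/ext/saml/callback"


def build_sp_metadata(entity_id: str, callback_url: str) -> str:
    """Return an EntityDescriptor XML document describing the SP, suitable for
    uploading to an IdP that insists on SP metadata (as LemonLDAP does)."""
    ET.register_namespace("md", NS_MD)
    ed = ET.Element(f"{{{NS_MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{NS_MD}}}SPSSODescriptor", {
        # The captured request carried no signature, so do not promise signed
        # requests; do ask for signed assertions so the SP can verify them.
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": NS_SAMLP,
    })
    ET.SubElement(sp, f"{{{NS_MD}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService", {
        "Binding": HTTP_POST,
        "Location": sp_acs_url(callback_url),
        "index": "1",
        "isDefault": "true",
    })
    return ET.tostring(ed, encoding="unicode")


def check_authn_request(metadata_xml: str, authn_request_xml: str) -> List[str]:
    """Compare what the SP actually sends with what the IdP has registered.
    Returns a list of mismatches; an empty list means the two agree."""
    md = ET.fromstring(metadata_xml)
    req = ET.fromstring(authn_request_xml)
    acs = md.find(f".//{{{NS_MD}}}AssertionConsumerService")
    problems = []
    issuer = req.findtext(f"{{{NS_SAML}}}Issuer", default="")
    if issuer != md.get("entityID"):
        problems.append(
            f"Issuer {issuer!r} differs from metadata entityID {md.get('entityID')!r}")
    if req.get("AssertionConsumerServiceURL") != acs.get("Location"):
        problems.append(
            f"AssertionConsumerServiceURL {req.get('AssertionConsumerServiceURL')!r} "
            f"differs from metadata ACS Location {acs.get('Location')!r}")
    if req.get("ProtocolBinding") != acs.get("Binding"):
        problems.append(
            f"ProtocolBinding {req.get('ProtocolBinding')!r} differs from "
            f"metadata ACS Binding {acs.get('Binding')!r}")
    return problems


# Constructed sample modelled on the AuthnRequest quoted in the thread;
# hostnames and the ID are placeholders.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
  ID="ONELOGIN_EXAMPLE_ID" Version="2.0" IssueInstant="2020-07-29T13:51:04Z"
  Destination="https://idp.example.internal/saml/"
  ProtocolBinding="{HTTP_POST}"
  AssertionConsumerServiceURL="https://guac.example.internal/api/ext/saml/callback">
  <saml:Issuer>https://guac.example.internal</saml:Issuer>
  <samlp:NameIDPolicy Format="{NAMEID_UNSPECIFIED}" AllowCreate="true"/>
</samlp:AuthnRequest>"""


if __name__ == "__main__":
    metadata = build_sp_metadata("https://guac.example.internal",
                                 "https://guac.example.internal")
    print(metadata)
    print("mismatches:", check_authn_request(metadata, SAMPLE_AUTHN_REQUEST))
    # The /app/ext/saml/callback path the asker also tried is flagged here.
    wrong_acs = SAMPLE_AUTHN_REQUEST.replace("/api/ext/saml/callback",
                                             "/app/ext/saml/callback")
    print("mismatches:", check_authn_request(metadata, wrong_acs))
```

Run it once with the real saml-entity-id and saml-callback-url values; the printed EntityDescriptor is what gets uploaded to the IdP, and pasting the AuthnRequest from the saml-debug log into check_authn_request shows immediately whether the Issuer and ACS URL the SP sends are the ones the IdP was told about, which is the usual reason an IdP accepts the login but never posts the response back.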
