Thanks, Sebastian. You're right – it should have been http://<servername>.rededucation.com:8080/guacamole/. I've updated it as well as a few other errors and it's still not working. I'm seeing a page that says "Please wait, redirecting to identity provider" as soon as it hits the <servername>.rededucation.com page, and then it redirects to http://guacamole.rededucation.com:8080/guacamole/#/?responseHash=9D10496AD38722D9C88016835D595715C3F29F074C521103D7908E1051992770 and displays the following message:

ERROR: "An error has occurred and this action cannot be completed. If the problem persists, please notify your system administrator or check your system logs."

My guacamole.properties file is now:

    # GuacD properties
    guacd-hostname: localhost
    guacd-port: 4822
    user-mapping: /etc/guacamole/user-mapping.xml

    # MySQL properties
    mysql-hostname: localhost
    mysql-port: 3306
    mysql-database: guacamole_db
    mysql-username: guacamole_user
    mysql-password: pWAR53fht786!@#

    # SAML Properties
    saml-idp-url: https://red-education-dev.onelogin.com/
    saml-entity-id: https://app.onelogin.com/saml/metadata/7c0aafc5-cb37-478b-b1d0-9efee78ac59c
    saml-callback-url: http://guacamole.rededucation.com:8080/guacamole/
    saml-idp-metadata-url: file:///home/dan/guacamole.xml
    saml-debug: True
    saml-strict: False

And there's new logging material as well:

    Aug 9 12:37:16 guacamole tomcat9[1278]: 12:37:16.001 [http-nio-8080-exec-1] DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_85608ff0-3593-4b14-a036-feb8caa7e8f3" Version="2.0" IssueInstant="2020-08-09T12:37:15Z" Destination="https://red-education-dev.onelogin.com/trust/saml2/http-redirect/sso/7c0aafc5-cb37-478b-b1d0-9efee78ac59c" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://guacamole.rededucation.com:8080/guacamole/api/ext/saml/callback#/"><saml:Issuer>https://app.onelogin.com/saml/metadata/7c0aafc5-cb37-478b-b1d0-9efee78ac59c</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" /></samlp:AuthnRequest>
    Aug 9 12:37:16 guacamole tomcat9[1278]: 12:37:16.006 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from 172.31.0.5 failed.
    Aug 9 12:37:18 guacamole tomcat9[1278]: 12:37:18.586 [http-nio-8080-exec-4] DEBUG c.onelogin.saml2.authn.SamlResponse - SAMLResponse has NameID --> [email protected]
    Aug 9 12:37:18 guacamole tomcat9[1278]: 12:37:18.590 [http-nio-8080-exec-4] DEBUG c.onelogin.saml2.authn.SamlResponse - SAMLResponse has attributes: {User.FirstName=[Daniel], User.LastName=[Storey], User.email=[[email protected]], memberOf=[], PersonImmutableID=[[email protected]]}
    Aug 9 12:37:18 guacamole tomcat9[1278]: 12:37:18.594 [http-nio-8080-exec-4] INFO o.a.g.r.auth.AuthenticationService - User "[email protected]" successfully authenticated from 172.31.0.5.
    Aug 9 12:37:18 guacamole tomcat9[1278]: 12:37:18.641 [http-nio-8080-exec-4] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 8.0.21.
    Aug 9 12:37:18 guacamole tomcat9[1278]: 12:37:18.652 [http-nio-8080-exec-4] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 8.0.21.
    Aug 9 12:37:18 guacamole tomcat9[1278]: 12:37:18.659 [http-nio-8080-exec-4] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 8.0.21.
    Aug 9 12:37:18 guacamole tomcat9[1278]: 12:37:18.679 [http-nio-8080-exec-4] ERROR o.a.g.rest.RESTExceptionMapper - Unexpected internal error:
    Aug 9 12:37:18 guacamole tomcat9[1278]: ### Error updating database. Cause: java.sql.SQLIntegrityConstraintViolationException: Column 'user_id' cannot be null
    Aug 9 12:37:18 guacamole tomcat9[1278]: ### The error may involve org.apache.guacamole.auth.jdbc.user.UserMapper.insertAttributes-Inline
    Aug 9 12:37:18 guacamole tomcat9[1278]: ### The error occurred while setting parameters
    Aug 9 12:37:18 guacamole tomcat9[1278]: ### SQL: INSERT INTO guacamole_user_attribute ( user_id, attribute_name, attribute_value ) VALUES (?, ?, ?) , (?, ?, ?
    Aug 9 12:37:18 guacamole tomcat9[1278]: ### Cause: java.sql.SQLIntegrityConstraintViolationException: Column 'user_id' cannot be null
    Aug 9 12:37:18 guacamole tomcat9[1278]: 12:37:18.684 [http-nio-8080-exec-4] DEBUG o.a.g.rest.RESTExceptionMapper - Unexpected error in REST endpoint.
    Aug 9 12:37:18 guacamole tomcat9[1278]: org.apache.ibatis.exceptions.PersistenceException:
    Aug 9 12:37:18 guacamole tomcat9[1278]: ### Error updating database. Cause: java.sql.SQLIntegrityConstraintViolationException: Column 'user_id' cannot be null
    Aug 9 12:37:18 guacamole tomcat9[1278]: ### The error may involve org.apache.guacamole.auth.jdbc.user.UserMapper.insertAttributes-Inline
    Aug 9 12:37:18 guacamole tomcat9[1278]: ### The error occurred while setting parameters
    Aug 9 12:37:18 guacamole tomcat9[1278]: ### SQL: INSERT INTO guacamole_user_attribute ( user_id, attribute_name, attribute_value ) VALUES (?, ?, ?) , (?, ?, ?)
    Aug 9 12:37:18 guacamole tomcat9[1278]: ### Cause: java.sql.SQLIntegrityConstraintViolationException: Column 'user_id' cannot be null
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.exceptions.ExceptionFactory.wrapException(ExceptionFactory.java:30)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.session.defaults.DefaultSqlSession.update(DefaultSqlSession.java:200)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.session.defaults.DefaultSqlSession.insert(DefaultSqlSession.java:185)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.session.SqlSessionManager$SqlSessionInterceptor.invoke(SqlSessionManager.java:350)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.proxy.$Proxy35.insert(Unknown Source)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.session.SqlSessionManager.insert(SqlSessionManager.java:236)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.binding.MapperMethod.execute(MapperMethod.java:58)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.binding.MapperProxy.invoke(MapperProxy.java:59)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.proxy.$Proxy37.insertAttributes(Unknown Source)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectService.updateObject(ModeledDirectoryObjectService.java:510)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.auth.jdbc.user.UserDirectory.update(UserDirectory.java:74)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.auth.jdbc.user.UserDirectory.update(UserDirectory.java:37)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.auth.totp.user.UserVerificationService.setKey(UserVerificationService.java:184)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.auth.totp.user.UserVerificationService.getKey(UserVerificationService.java:116)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.auth.totp.user.UserVerificationService.verifyIdentity(UserVerificationService.java:234)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.auth.totp.TOTPAuthenticationProvider.decorate(TOTPAuthenticationProvider.java:76)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.extension.AuthenticationProviderFacade.decorate(AuthenticationProviderFacade.java:355)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.rest.auth.DecoratedUserContext.decorate(DecoratedUserContext.java:92)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.rest.auth.DecoratedUserContext.<init>(DecoratedUserContext.java:233)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.rest.auth.DecorationService.decorate(DecorationService.java:88)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.rest.auth.AuthenticationService.getUserContexts(AuthenticationService.java:409)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.rest.auth.AuthenticationService.authenticate(AuthenticationService.java:454)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.rest.auth.TokenRESTService.createToken(TokenRESTService.java:174)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:688)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at java.base/java.lang.Thread.run(Thread.java:834)
    Aug 9 12:37:18 guacamole tomcat9[1278]: Caused by: java.sql.SQLIntegrityConstraintViolationException: Column 'user_id' cannot be null
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:117)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:97)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:953)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at com.mysql.cj.jdbc.ClientPreparedStatement.execute(ClientPreparedStatement.java:370)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.executor.statement.PreparedStatementHandler.update(PreparedStatementHandler.java:46)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.executor.statement.RoutingStatementHandler.update(RoutingStatementHandler.java:74)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.executor.SimpleExecutor.doUpdate(SimpleExecutor.java:50)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.executor.BaseExecutor.update(BaseExecutor.java:117)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.executor.CachingExecutor.update(CachingExecutor.java:76)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.ibatis.session.defaults.DefaultSqlSession.update(DefaultSqlSession.java:198)
    Aug 9 12:37:18 guacamole tomcat9[1278]: #011... 71 common frames omitted
    Aug 9 12:37:25 guacamole tomcat9[1278]: 12:37:25.668 [pool-4-thread-1] DEBUG o.a.g.a.t.u.CodeUsageTrackingService - TOTP tracking cleanup check completed in 0 ms.
    Aug 9 12:37:46 guacamole tomcat9[1278]: 12:37:46.293 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Checking for expired sessions...
    Aug 9 12:37:46 guacamole tomcat9[1278]: 12:37:46.294 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Session check completed in 0 ms.

It looks as though it's trying to create an entry in the mysql Database that's all null values: (user_id, attribute_name, attribute_value) VALUES (?, ?, ?), (?, ?, ?)

Cheers,
Daniel Storey
Red Education

From: Sebastian Männling <[email protected]>
Reply to: "[email protected]" <[email protected]>
Date: Sunday, 9 August 2020 at 3:45 pm
To: "[email protected]" <[email protected]>
Subject: Re: SAML on Guacamole 1.2

Hi,

I never set up saml on guacamole, but what looks "suspicious" to me is your callback url... port 8080 is usually not https (unless you explicitly set it up like that).

On 9. Aug 2020, at 04:47, Daniel Storey <[email protected]> wrote:

Hi Everyone,

I'm struggling to get SAML authentication working for Guacamole 1.2 with onelogin.com. I've created the following guacamole.properties file:

    # GuacD properties
    guacd-hostname: localhost
    guacd-port: 4822
    user-mapping: /etc/guacamole/user-mapping.xml

    # MySQL properties
    mysql-hostname: localhost
    mysql-port: 3306
    mysql-database: guacamole_db
    mysql-username: guacamole_user
    mysql-password: pWAR53fht786!@#

    # SAML Properties
    saml-idp-url: https://<domain>.onelogin.com/
    saml-entity-id: https://app.onelogin.com/saml/metadata/7c0aafc5-cb37-478b-b1d0-9efee78ac59c
    saml-callback-url: https://<servername>.rededucation.com:8080/guacamole/
    saml-idp-metadata-url: /home/dan/guacamole.xml
    saml-debug: True
    saml-strict: False

http://guacamole.rededucation.com:8080/guacamole/#/

I'm following the blog at https://cloudfish.hatenablog.com/entry/2020/07/15/212107 which has been translated by Chrome into English, but I've modified the suggestions of the values to insert into guacamole.properties into lowercase and using hyphens rather than underscores.

I'm trying to get trace logging working in Guacamole to be able to determine what's happening, but I can't seem to get any traces in /var/log/tomcat9/catalina.out or /var/log/syslog. What I'm currently seeing in the log is:

    [2020-08-09 01:23:49] [info] 01:23:49.848 [http-nio-8080-exec-5] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from <IP ADDRESS OF CONNECTING MACHINE> failed.

I'm not sure what to do to fix this. Any suggestions are welcome.

Cheers,
Daniel Storey
Red Education
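Editor's added example (not part of the thread, and not Guacamole project code): a small Python script that does the two checks a reviewer would want to run on the configuration and log quoted above. It parses a guacamole.properties file and flags the settings that weaken the SAML exchange (a non-https saml-callback-url, saml-strict turned off, saml-debug left on, a metadata path that is not a URL), and it triages the syslog excerpt to show that the login itself succeeded and that the 'user_id' constraint error was raised on a call path running through the TOTP extension into the JDBC user directory. The sample properties and log lines are constructed from the thread, with the database password replaced by a placeholder; the severity labels and the extension-name regex are my own choices, and the reading that the TOTP extension is trying to store a key for a user that has no row in the MySQL user table is an inference from the trace, not a statement from the page.

```python
"""Lint a Guacamole guacamole.properties SAML setup and triage a Tomcat syslog excerpt.

Added example for this thread; not Guacamole project code.  Property names are the
ones quoted in the thread; severities, messages and the regex are this script's own.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the properties file from the thread, password redacted.
SAMPLE_PROPERTIES = """\
# MySQL properties
mysql-hostname: localhost
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: <REDACTED>
# SAML Properties
saml-idp-url: https://red-education-dev.onelogin.com/
saml-entity-id: https://app.onelogin.com/saml/metadata/7c0aafc5-cb37-478b-b1d0-9efee78ac59c
saml-callback-url: http://guacamole.rededucation.com:8080/guacamole/
saml-idp-metadata-url: file:///home/dan/guacamole.xml
saml-debug: True
saml-strict: False
"""

# Constructed sample: three syslog lines taken from the thread's log excerpt.
SAMPLE_LOG = [
    'Aug 9 12:37:18 guacamole tomcat9[1278]: 12:37:18.594 [http-nio-8080-exec-4] INFO '
    'o.a.g.r.auth.AuthenticationService - User "[email protected]" successfully authenticated from 172.31.0.5.',
    "Aug 9 12:37:18 guacamole tomcat9[1278]: ### Cause: java.sql.SQLIntegrityConstraintViolationException: "
    "Column 'user_id' cannot be null",
    "Aug 9 12:37:18 guacamole tomcat9[1278]: #011at org.apache.guacamole.auth.totp.user."
    "UserVerificationService.setKey(UserVerificationService.java:184)",
]

# Matches a stack frame (syslog writes the leading tab as #011) inside a Guacamole
# auth extension and captures the extension package, e.g. org.apache.guacamole.auth.totp
FRAME_RE = re.compile(r"#011at (org\.apache\.guacamole\.auth\.[a-z]+)\.")


def parse_properties(text):
    """Parse 'key: value' lines in Guacamole's properties style; '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def lint_saml(props):
    """Return (severity, message) findings for the SAML-related settings."""
    findings = []
    url = urlparse(props.get("saml-callback-url", ""))
    if url.scheme != "https":
        findings.append(("HIGH", "saml-callback-url is not https: the SAML response and the "
                                 "resulting session token would cross the network in clear text"))
    elif url.port == 8080:
        # Heuristic, as raised in the thread: 8080 is normally a plain-HTTP connector.
        findings.append(("WARN", "saml-callback-url is https on port 8080; confirm TLS is really terminated there"))
    if props.get("saml-strict", "true").lower() != "true":
        findings.append(("HIGH", "saml-strict is disabled: validation of the SAML response is relaxed; "
                                 "use it only while debugging, never in production"))
    if props.get("saml-debug", "false").lower() == "true":
        findings.append(("INFO", "saml-debug is enabled: full assertions (names, e-mail addresses, "
                                 "attributes) are written to the log"))
    meta = props.get("saml-idp-metadata-url", "")
    if meta and not meta.startswith(("https://", "file:")):
        findings.append(("WARN", "saml-idp-metadata-url is neither https nor a file: URL"))
    return findings


def triage_log(lines):
    """Summarise whether login succeeded, whether the user_id constraint fired, and which
    auth extensions appear in the stack frames (in order of first appearance)."""
    summary = {"authenticated": False, "null_user_id": False, "extensions": []}
    for line in lines:
        if "successfully authenticated" in line:
            summary["authenticated"] = True
        if "Column 'user_id' cannot be null" in line:
            summary["null_user_id"] = True
        m = FRAME_RE.search(line)
        if m and m.group(1) not in summary["extensions"]:
            summary["extensions"].append(m.group(1))
    return summary


if __name__ == "__main__":
    for severity, message in lint_saml(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{severity}] {message}")
    print(triage_log(SAMPLE_LOG))
```

Run against the thread's configuration the linter reports two HIGH findings (plain-http callback, saml-strict off) and one INFO (saml-debug on), and the triage shows authenticated=True, null_user_id=True with org.apache.guacamole.auth.totp as the only extension in the captured frames: the SAML side completed, and the failure is in what happens to the freshly authenticated user afterwards. To use it on a real host, replace the two constructed samples with the contents of /etc/guacamole/guacamole.properties and the relevant lines from /var/log/syslog.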
