I reviewed the settings in guacamole.properties and everything seems to be in
order (I left the sections for LDAP in place). Debug logging shows the line:
SAMLResponse has attributes:
{http://schemas.xmlsoap.org/claims/Group=[CN=......OU=......DC=........]
In the extensions folder, I have the following in this order:
guacamole-auth-jdbc-mysql-1.2.0.jar
guacamole-auth-ldap-1.2.0.jar
guacamole-auth-saml-1.2.0.jar
I'm out of ideas of what or how to troubleshoot any further.
Thanks
________________________________
From: MARTINEZ, ARIEL
Sent: Sunday, October 4, 2020 4:13 PM
To: [email protected]
Subject: RE: [EXTERNAL] Re: SAML Authentication Extension Group Membership
Ok thanks. I wanted to make sure to avoid troubleshooting something that was
expected behavior.
I have debug logging enabled and am able to see the group names coming from my
identity provider. The line says "Group", so I set saml-group-attribute: Group
in guacamole.properties (documentation says Groups is default). But when I log
in, the group membership is not recognized and connections and permissions are
not being applied.
Is there any other way to troubleshoot why the group membership is not being
recognized?
Thanks
From: Nick Couchman <[email protected]>
Sent: Sunday, October 4, 2020 4:02 PM
To: [email protected]
Subject: [EXTERNAL] Re: SAML Authentication Extension Group Membership
On Sun, Oct 4, 2020 at 4:01 PM Mike Jumper <[email protected]> wrote:
On Sun, Oct 4, 2020, 12:49 Nick Couchman <[email protected]> wrote:
On Sun, Oct 4, 2020 at 3:45 PM MARTINEZ, ARIEL <[email protected]> wrote:

Does anyone know if the SAML extension is supposed to take the group membership
of a user and associate it automatically to a group defined in Guacamole that
has the same name? This is what happens with the LDAP authentication
extension, not sure if something similar applies to the SAML one.

The SAML extension does not currently implement Group membership.

Doesn't it? The "saml-group-attribute" property defines the SAML attribute used
to retrieve groups.

Ah, yes, you're correct - I think I'm so used to answering that way for the
other SSO modules that it was an automatic response...
-Nick