Is there anything else that can be tried to troubleshoot that anyone can think of?
Thanks From: MARTINEZ, ARIEL Sent: Monday, October 5, 2020 11:37 AM To: [email protected] Subject: Re: [EXTERNAL] Re: SAML Authentication Extension Group Membership I reviewed the settings in guacamole.properties and everything seems to be in order (I left the sections for LDAP in place). Debug logging shows the line: SAMLResponse has attributes: {http://schemas.xmlsoap.org/claims/Group=[CN=......OU=......DC=........] In the extensions folder, I have the following in this order: guacamole-auth-jdbc-mysql-1.2.0.jar guacamole-auth-ldap-1.2.0.jar guacamole-auth-saml-1.2.0.jar I'm out of ideas of what or how to troubleshoot any further. Thanks ________________________________ From: MARTINEZ, ARIEL Sent: Sunday, October 4, 2020 4:13 PM To: [email protected]<mailto:[email protected]> Subject: RE: [EXTERNAL] Re: SAML Authentication Extension Group Membership Ok thanks. I wanted to make sure to avoid troubleshooting something that was expected behavior. I have debug logging enabled and am able to see the group names coming from my identity provider. The line says "Group" so I set saml-group-attribute: Group in guacamole.properties (documentation says Groups is default) But when I log in, the group membership is not recognized and connections and permissions are not being applied. Is there any other way to troubleshoot why the group membership is not being recognized? Thanks From: Nick Couchman <[email protected]<mailto:[email protected]>> Sent: Sunday, October 4, 2020 4:02 PM To: [email protected]<mailto:[email protected]> Subject: [EXTERNAL] Re: SAML Authentication Extension Group Membership WARNING: This email originated outside the Hostos campus. Do not click links or open attachments unless you recognize the sender and know the content is safe. Never provide login credentials, financial or sensitive details in response to an email or by clicking on a link. Report suspicious emails to: [email protected]<mailto:[email protected]> On Sun, Oct 4, 2020 at 4:01 PM Mike Jumper <[email protected]<mailto:[email protected]>> wrote: On Sun, Oct 4, 2020, 12:49 Nick Couchman <[email protected]<mailto:[email protected]>> wrote: On Sun, Oct 4, 2020 at 3:45 PM MARTINEZ, ARIEL <[email protected]<mailto:[email protected]>> wrote: Does anyone know if the SAML extension is supposed to take the group membership of a user and associate it automatically to a group defined in Guacamole that has the same name? This is what happens with the LDAP authentication extension, not sure if something similar applies to the SAML one. The SAML extension does not currently implement Group membership. Doesn't it? The "saml-group-attribute" property defines the SAML attribute used to retrieve groups. Ah, yes, you're correct - I think I'm so used to answering that way for the other SSO modules that it was an automatic response... -Nick
