Hi there, I've successfully enabled SAML auth against our Azure AD infrastructure. One thing that I'm trying to figure out, though, is how to use the 'saml-group-attribute' value. From reading the description in the docs, it looks like I should be able to assign group membership based on a SAML response.
Assuming that's correct, I'm trying to look into the SAML response from the server, but I don't see the SAML debug logs in the syslog directory or the catalina.out file. Is there additional debug I need to enable so I can see what the IdP is providing back to Guacamole?

Here's an example of my properties:

guacd-hostname: localhost
guacd-port: 4822
#user-mapping: /etc/guacamole/user-mapping.xml
#auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
mysql-hostname: mydb.mylocaldomain.com
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user@mysecretdb
mysql-password: <obscured>
mysql-auto-create-accounts: true
skip-if-unavailable: saml
saml-idp-url: https://login.microsoftonline.com/<obscured>/saml2
saml-callback-url: https://guacamole.mylocaldomain.com
saml-debug: True
saml-strict: False
saml-entity-id: https://guacamole.mylocaldomain.com

Example log files:

Nov 13 18:26:38 localhost tomcat9[7760]: 18:26:38.513 [main] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
Nov 13 18:26:38 localhost tomcat9[7760]: 18:26:38.596 [main] INFO o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes of inactivity.
Nov 13 18:26:38 localhost tomcat9[7760]: 18:26:38.748 [main] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
Nov 13 18:26:39 localhost tomcat9[7760]: 18:26:39.980 [main] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
Nov 13 18:26:39 localhost tomcat9[7760]: 18:26:39.984 [main] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
Nov 13 18:26:40 localhost tomcat9[7760]: 18:26:40.124 [main] INFO o.a.g.extension.ExtensionModule - Extension "SAML Authentication Extension" loaded.
Nov 13 18:26:40 localhost tomcat9[7760]: 18:26:40.137 [main] INFO o.a.g.extension.ExtensionModule - Extension "Customization Ext" loaded.
Nov 13 18:26:40 localhost tomcat9[7760]: 18:26:40.139 [main] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
Nov 13 18:26:40 localhost tomcat9[7760]: 18:26:40.239 [main] INFO o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
Nov 13 18:26:40 localhost tomcat9[7760]: Registering org.apache.guacamole.rest.RESTExceptionMapper as a provider class
Nov 13 18:26:40 localhost tomcat9[7760]: Registering org.apache.guacamole.rest.extension.ExtensionRESTService as a root resource class
Nov 13 18:26:40 localhost tomcat9[7760]: Registering org.apache.guacamole.rest.language.LanguageRESTService as a root resource class
Nov 13 18:26:40 localhost tomcat9[7760]: Registering org.apache.guacamole.rest.patch.PatchRESTService as a root resource class
Nov 13 18:26:40 localhost tomcat9[7760]: Registering org.apache.guacamole.rest.auth.TokenRESTService as a root resource class
Nov 13 18:26:40 localhost tomcat9[7760]: Registering org.apache.guacamole.rest.session.SessionRESTService as a root resource class
Nov 13 18:26:40 localhost tomcat9[7760]: Registering org.codehaus.jackson.jaxrs.JacksonJsonProvider as a provider class
Nov 13 18:26:40 localhost tomcat9[7760]: Initiating Jersey application, version 'Jersey: 1.17.1 02/28/2013 12:47 PM'
Nov 13 18:26:40 localhost tomcat9[7760]: Binding org.apache.guacamole.rest.RESTExceptionMapper to GuiceManagedComponentProvider with the scope "Singleton"
Nov 13 18:26:40 localhost tomcat9[7760]: Binding org.codehaus.jackson.jaxrs.JacksonJsonProvider to GuiceManagedComponentProvider with the scope "Singleton"
Nov 13 18:26:41 localhost tomcat9[7760]: Binding org.apache.guacamole.rest.extension.ExtensionRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
Nov 13 18:26:41 localhost tomcat9[7760]: Binding org.apache.guacamole.rest.language.LanguageRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
Nov 13 18:26:41 localhost tomcat9[7760]: Binding org.apache.guacamole.rest.patch.PatchRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
Nov 13 18:26:41 localhost tomcat9[7760]: Binding org.apache.guacamole.rest.auth.TokenRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
Nov 13 18:26:41 localhost tomcat9[7760]: Binding org.apache.guacamole.rest.session.SessionRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
Nov 13 18:26:41 localhost tomcat9[7760]: WebjarsServlet initialization completed
Nov 13 18:26:41 localhost tomcat9[7760]: Deployment of web application archive [/var/lib/tomcat9/webapps/ROOT.war] has finished in [3,946] ms
Nov 13 18:26:41 localhost tomcat9[7760]: Starting ProtocolHandler ["http-nio-8080"]
Nov 13 18:26:41 localhost tomcat9[7760]: Server startup in [5,641] milliseconds
Nov 13 18:26:50 localhost tomcat9[7760]: Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
Nov 13 18:26:54 localhost tomcat9[7760]: 18:26:54.873 [http-nio-8080-exec-4] INFO o.a.g.r.auth.AuthenticationService - User "<obscured>" successfully authenticated from <obscuredip>.
Nov 13 18:26:55 localhost tomcat9[7760]: WARNING: An illegal reflective access operation has occurred
Nov 13 18:26:55 localhost tomcat9[7760]: WARNING: Illegal reflective access by org.apache.ibatis.ognl.OgnlRuntime (file:/etc/guacamole/extensions/guacamole-auth-jdbc-mysql-1.2.0.jar) to method java.util.Collections$EmptySet.isEmpty()
Nov 13 18:26:55 localhost tomcat9[7760]: WARNING: Please consider reporting this to the maintainers of org.apache.ibatis.ognl.OgnlRuntime
Nov 13 18:26:55 localhost tomcat9[7760]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Nov 13 18:26:55 localhost tomcat9[7760]: WARNING: All illegal access operations will be denied in a future release
Nov 13 18:26:55 localhost tomcat9[7760]: 18:26:55.730 [http-nio-8080-exec-7] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
Nov 13 18:26:56 localhost guacd[7753]: Creating new client for protocol "rdp"
Nov 13 18:26:56 localhost guacd[7753]: Connection ID is "$70cd20df-c379-4f9d-a215-6f50ac2164e0"
Nov 13 18:26:56 localhost guacd[7807]: Security mode: NLA
Nov 13 18:26:56 localhost guacd[7807]: Resize method: display-update
Nov 13 18:26:56 localhost guacd[7807]: User "@1e357702-7709-4500-bff4-0849c83a16a5" joined connection "$70cd20df-c379-4f9d-a215-6f50ac2164e0" (1 users now present)
Nov 13 18:26:56 localhost guacd[7807]: Loading keymap "base"
Nov 13 18:26:56 localhost guacd[7807]: Loading keymap "en-us-qwerty"
Nov 13 18:26:56 localhost tomcat9[7760]: 18:26:56.083 [http-nio-8080-exec-4] INFO o.a.g.tunnel.TunnelRequestService - User "<obscured>" connected to connection "3".
Nov 13 18:26:58 localhost guacd[7807]: Connected to RDPDR 1.13 as client 0x000b
Nov 13 18:27:00 localhost guacd[7807]: RDPDR user logged on

Thanks,
Tyler
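Independently of whatever the extension's debug logging produces, the quickest way to see what the IdP is sending is to capture the SAMLResponse POST parameter in the browser (developer tools or the SAML-tracer extension) and decode it yourself. The script below is an added example written for this thread; it is not Guacamole's code and not part of the original post. It base64-decodes a SAMLResponse, lists the NameID and every Attribute name with its values, and shows which values a given saml-group-attribute setting would pick up. The sample response is constructed to look like an Azure AD response (placeholder tenant and group IDs, no signature); the group claim name used is the one Azure AD emits by default for group claims, and its values are group object IDs unless the enterprise application is configured to emit names instead.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response element and its Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute name Azure AD uses for the group claim when group claims are
# enabled on the enterprise application. Values are group object IDs by default.
AZURE_GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: shaped like an Azure AD SAMLResponse, but with placeholder
# tenant/group IDs and no XML signature. It is not a real captured message.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2020-11-13T18:26:54Z"
    Destination="https://guacamole.example.com/">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-11-13T18:26:54Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">tyler@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Tyler</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
        <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser POSTs to the callback URL is the base64 of the XML above.
SAMPLE_SAMLRESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def decode_saml_response(saml_response_b64):
    """Decode a SAMLResponse POST parameter and return (name_id, attributes).

    attributes maps each Attribute Name to the list of its AttributeValue texts.
    Inspection only: this does NOT verify the XML signature, Conditions or
    Destination, so never use it to make an authorization decision.
    """
    xml_bytes = base64.b64decode(saml_response_b64)
    # Stdlib ElementTree does not fetch external entities, but for anything
    # beyond local troubleshooting of your own captures prefer defusedxml.
    root = ET.fromstring(xml_bytes)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    status_value = status.get("Value") if status is not None else None
    if status_value != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP reported non-success status: %r" % status_value)

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion would have to be decrypted with the SP key first.
        raise ValueError("no plaintext Assertion in response")

    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None

    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes[attr.get("Name")] = values
    return name_id, attributes


def groups_from_attributes(attributes, group_attribute):
    """Return the values a saml-group-attribute setting would select ([] if absent)."""
    return list(attributes.get(group_attribute, []))


if __name__ == "__main__":
    name_id, attrs = decode_saml_response(SAMPLE_SAMLRESPONSE_B64)
    print("NameID:", name_id)
    for name, values in attrs.items():
        print(name, "->", values)
    print("groups:", groups_from_attributes(attrs, AZURE_GROUPS_ATTR))
```

Run it against your own capture by replacing SAMPLE_SAMLRESPONSE_B64 with the value of the SAMLResponse form field. The point to check is the exact Attribute Name the group claim arrives under: with Azure AD that is the long schemas.microsoft.com URI above, not a bare "groups", so a saml-group-attribute value has to match that URI to pick the membership up, and the values will be group object IDs unless the app registration is set to emit group names.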
