Hi Nick,

Thanks for your very speedy response. You are correct.

I’ve changed some of the claims around in MS ADFS and now successfully using 
“http://schemas.xmlsoap.org/claims/Role” as the saml-group-attribute to map my 
groups.

Thanks again!

Cheers

Michael


Michael Taylor | Senior Cyber Security Professional
t +44 1522 502086
[email protected]
From: Nick Couchman <[email protected]>
Sent: 08 January 2021 19:03
To: [email protected]
Subject: Re: saml-group-attribute


On Fri, Jan 8, 2021 at 4:37 AM Michael Taylor <[email protected]> 
wrote:
The Guacamole SAML extension appears to support group mapping but I can't get 
this to work. SAML authentication itself is working.

I have set the saml-group-attribute to: Group in guacamole.properties

Within the SAMLResponse I see that groups are being correctly passed:

<snip>
<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>mtaylor</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>Domain Users</AttributeValue>
    <AttributeValue>IT</AttributeValue>
</snip>

My initial thought is that "saml-group-attribute: Group" is not matching to 
"http://schemas.xmlsoap.org/claims/Group" - that is, you should either specify:

saml-group-attribute: http://schemas.xmlsoap.org/claims/Group

in guacamole.properties
 or the attribute should be returned as:

<Attribute Name="Group">
...
</Attribute>

from SAML. I don't think those items are matching up.

-Nick
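Nick's diagnosis, that the configured saml-group-attribute has to equal the SAML Attribute Name verbatim, can be checked offline against a captured AttributeStatement. The script below is an added example, not Guacamole's own code; it models the match as a plain string comparison (the thread's reasoning, not the extension's source), uses a constructed AttributeStatement that mirrors the snippet quoted above, and when nothing matches lists the Attribute Names that are actually present so the admin can see which value to put in guacamole.properties. The helper names (attribute_values, diagnose_group_mapping) are this example's own.

```python
"""Check a saml-group-attribute setting against a SAML AttributeStatement.

Added example for the thread above; not part of the Guacamole SAML
extension. Matching is modelled as exact string equality between the
configured value and the Attribute Name, which is the mismatch Nick
describes ("Group" vs the full claim URI).
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the ADFS snippet quoted in the thread.
# The default xmlns is what a real SAML 2.0 assertion carries; the quoted
# snippet omitted it because it was trimmed by hand.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>mtaylor</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>Domain Users</AttributeValue>
    <AttributeValue>IT</AttributeValue>
  </Attribute>
</AttributeStatement>
"""


def _local_name(tag: str) -> str:
    # ElementTree renders namespaced tags as "{uri}local"; keep only "local"
    # so the same code handles "saml:Attribute" and a default-namespace
    # "Attribute" alike.
    return tag.rsplit("}", 1)[-1]


def attribute_values(statement_xml: str, attribute_name: str) -> list:
    """Return the AttributeValue texts of the Attribute whose Name equals
    attribute_name exactly; an empty list if no such Attribute exists."""
    root = ET.fromstring(statement_xml)
    values = []
    for elem in root.iter():
        if _local_name(elem.tag) != "Attribute":
            continue
        if elem.get("Name") != attribute_name:
            continue  # "Group" never equals ".../claims/Group"
        for child in elem:
            if _local_name(child.tag) == "AttributeValue":
                values.append((child.text or "").strip())
    return values


def available_attribute_names(statement_xml: str) -> list:
    """All Attribute Names present in the statement, in document order."""
    root = ET.fromstring(statement_xml)
    return [
        elem.get("Name")
        for elem in root.iter()
        if _local_name(elem.tag) == "Attribute" and elem.get("Name")
    ]


def diagnose_group_mapping(statement_xml: str, saml_group_attribute: str) -> dict:
    """Resolve the groups a given saml-group-attribute value would yield.

    When the configured name matches nothing, 'candidates' carries the
    Attribute Names the IdP actually sent, which is what the setting
    needs to be changed to (or what the IdP claim rule must emit)."""
    groups = attribute_values(statement_xml, saml_group_attribute)
    return {
        "configured": saml_group_attribute,
        "groups": groups,
        "candidates": [] if groups else available_attribute_names(statement_xml),
    }


if __name__ == "__main__":
    # The misconfiguration from the thread, then the corrected value.
    for setting in ("Group", "http://schemas.xmlsoap.org/claims/Group"):
        print(diagnose_group_mapping(SAMPLE_ATTRIBUTE_STATEMENT, setting))
```

Run it with a decoded SAMLResponse from the browser's SAML tracer in place of the constructed sample; the first call reproduces the empty group list from the thread and points at the full claim URI, the second returns "Domain Users" and "IT".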

