On Wed, Mar 31, 2021 at 5:25 AM michael böhm <[email protected]> wrote:

> Hi everyone
>
> we are planning to connect our Guacamole instances to a central SAML IDP.
> Currently we are using LDAP.
>
> Is it possible to activate both LDAP and SAML as authentication methods in
> Guacamole at the same time or does one cancel out the other? How can the
> users choose which way they want to use to authenticate?
>
>

Using the SSO modules, including SAML, means that the user will be
automatically redirected to the SAML IdP page when they access Guacamole.
So, yes, in essence the SAML module does "cancel out" the LDAP module.


> The mapping of the connections to the LDAP users is currently done in
> mysql with a matching user name as the criteria. Is this the same for SAML?
>
>

Yes, the modules all "stack" on each other (with some caveats), but using
the JDBC module for connection storage and permission mapping along with an
SSO module for user authentication is a very common use-case. Also, the
SAML module supports retrieving group membership and passing that on to
Guacamole, so you can also map through those groups and use group-based
permissions.

-Nick
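
A `guacamole.properties` sketch of the stacking described in the reply above, with SAML handling authentication and the MySQL (JDBC) module holding connections and permissions. This is an added example, not part of the original thread; every hostname, URL, database name and credential in it is a placeholder, and the attribute name `groups` is an assumption about the IdP.

```properties
# Added example (not from the thread). All values are placeholders.

# --- SAML extension: authenticates the user at the IdP -----------------
# Users are redirected to the IdP as soon as they open Guacamole.
saml-idp-metadata-url: https://idp.example.com/saml/metadata
saml-entity-id:        https://guac.example.com/guacamole
saml-callback-url:     https://guac.example.com/guacamole

# Name of the assertion attribute that carries group membership.
# Assumption: this IdP releases it as "groups".
saml-group-attribute:  groups

# --- JDBC (MySQL) extension: stores connections and permissions --------
mysql-hostname: db.example.com
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME

# Create the database-side account the first time a user arrives
# already authenticated by SAML, so permissions can be attached to it.
mysql-auto-create-accounts: true

# Mapping notes:
#  - The user name asserted by the IdP must equal the user name stored
#    in MySQL for existing per-user connection permissions to apply.
#  - A user group created in MySQL with the same name as a group sent
#    in the SAML assertion lets permissions be granted per group.
```

Before cutover, compare the user names the IdP will assert with the user names already in the database; a mismatch in spelling or case leaves a user logged in but without their connections.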
