Hi everyone
I'm in the process of connecting our Guacamole instance to the company's IDP using SAML.
The IDP team provided the following dummy example of the Service Provider's metadata XML:
#######################################################################################################
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://PointOfContactServer/sps/DummySP/saml20" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIH...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIH...</X509Certificate>
        </X509Data>
      </KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService isDefault="true" index="0" Location="https://PointOfContactServer/sps/DummySP/saml20/login" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
#######################################################################################################
My questions:
- As you can see, they expect the SAML requests to be signed and encrypted using client certificates specified in the KeyDescriptor blocks. Is this supported by Guacamole's SAML module? I could not find anything related in the documentation.
- What subpath does Guacamole expect as the "AssertionConsumerService Location"? My Guacamole instance is reachable via https://portal.company.org/guacamole. Can I use this here, or is something else like .../login/... necessary?
Thanks and best wishes
Michael
