The SAML support does handle groups as a multi-valued attribute, however it expects each value to be a simple name, not a full LDAP-style DN. If your SAML IdP is returning a full DN for each group, that will be interpreted as if the entire DN is the name of the group.
If you can configure your IdP to return group names rather than DNs, that should allow things to map as expected to Guacamole groups with identical names. Otherwise, it sounds like something similar to the group format attributes provided for CAS will need to be added for SAML. For CAS, support for LDAP-formatted group names was added via:

https://github.com/apache/guacamole-client/pull/579

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>

On Thu, May 27, 2021 at 6:13 PM turbul3nt <[email protected]> wrote:

> The group names are returned directly from an Active Directory backend, so
> they’re in an RDN format (cn=Groupname,ou=Blah,dc=domain,dc=local)
>
> I can name the attribute anything I would like in the assertion, and I see
> the values sent back to guacamole in said assertions. It just doesn’t seem
> like it’s doing anything with it.
>
> Note = AD returns them as a list of groups that the user has memberships
> for, so unless guac doesn’t like / handle multi-valued attribute value
> returns like many other SP’s I’m running can work with…
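
An added example, not part of the original message and not Guacamole or IdP code: one way to reduce a multi-valued attribute of group DNs to the simple names the reply describes, wherever in the IdP pipeline such a transform can run. The function names and the optional `base_dn` filter are assumptions made for this sketch; the filter is there because reducing a DN to its CN makes same-named groups in different subtrees indistinguishable.

```python
import string

def split_unescaped(text, sep):
    """Split text on sep, keeping backslash-escaped characters intact."""
    parts, i = [""], 0
    while i < len(text):
        step = 2 if text[i] == "\\" else 1   # an escape pair is never a separator
        if text[i] == sep:
            parts.append("")
        else:
            parts[-1] += text[i:i + step]
        i += step
    return parts

def unescape(value):
    """Decode RFC 4514 escapes; raises ValueError if hex escapes are not valid UTF-8."""
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] != "\\" or i + 1 == len(value):
            chunk, step = value[i].encode(), 1
        elif len(pair) == 2 and all(c in string.hexdigits for c in pair):
            chunk, step = bytes([int(pair, 16)]), 3
        else:
            chunk, step = value[i + 1].encode(), 2
        out, i = out + chunk, i + step
    return out.decode()

def group_name(dn, base_dn=None):
    """Return the leaf CN of dn, or None if dn is not a cn=... entry under base_dn."""
    rdns = [r.lstrip() for r in split_unescaped(dn, ",")]
    attr, eq, value = rdns[0].partition("=")
    if not eq or attr.strip().lower() != "cn" or len(split_unescaped(value, "+")) > 1:
        return None   # not a DN, not a CN leaf, or a multi-valued RDN
    if base_dn is not None:
        base = [r.lstrip().lower() for r in split_unescaped(base_dn, ",")]
        if [r.lower() for r in rdns[1:]][-len(base):] != base:
            return None   # same CN under a different subtree must not match
    return unescape(value) or None

def group_names(values, base_dn=None):
    return [n for n in (group_name(v, base_dn) for v in values) if n]

# Constructed sample values in the shape quoted in the thread.
SAMPLE = [
    "cn=Groupname,ou=Blah,dc=domain,dc=local",
    "CN=Ops\\, Tier 2,OU=Blah,DC=domain,DC=local",   # escaped comma inside the CN
    "cn=Groupname,ou=Other,dc=elsewhere,dc=local",   # outside the base DN
]
```

Without `base_dn`, the third sample value also yields "Groupname", so a group of that name in any subtree would map to the same Guacamole group.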
