Hi, Has anyone had any luck of integrating AWS SSO with Guacamole?
I have used 1.3 versions of Guacamole, JDBC and SAML from the project website. Without SAML, JDBC authentication is working, however, once SSO is enabled, login fails. I have configured a Custom SAML2.0 app in AWS SSO, I have configured the ACS to; https://guacamole.<lab-fqdn>/guacamole/api/ext/saml/callback and my audience to https://guacamole.<lab-fqdn>/guacamole/ I have setup an attribute mapping to map name = ${user:name}. On Guacamole I have setup the following properties. The idp metadata is a local file as AWS SSO doesn't allow pulling this via a URL saml-idp-url: https://portal.sso.eu-west-2.amazonaws.com/saml/assertion/<assertion guid> #(also the login URL) saml-callback-url: https://guacamole.<lab-fqdn>/guacamole saml-strict: False saml-debug: True saml-entity-id: https://guacamole.<lab-fqdn>/guacamole saml-idp-metadata-url: file:///etc/guacamole/idp_metadata.xml When attempting to authenticate (either idp initiated or SP initiated), I get the following in the logs. I am redirected to the Idp and login as attempted, but AWS SSO raises a 403 error before completing authentication. Is there any way to get more verbose logs of the authentication exchange? Sep 20 14:43:57 <aws Ip>.eu-west-2.compute.internal server[15245]: 14:43:57.922 [http-nio-8080-exec-6] DEBUG org.apache.xml.security.Init - Registering default algorithms Sep 20 14:43:58 <aws Ip>.eu-west-2.compute.internal server[15245]: 14:43:58.086 [http-nio-8080-exec-6] DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_1228671b-15f0-4a15-95a2-40ed1ab8a02f" Version="2.0" IssueInstant="2021-09-20T14:43:58Z" Destination=" https://portal.sso.eu-west-2.amazonaws.com/saml/assertion/<assertion id>" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://guacamole .<lab-fqdn>/guacamole/api/ext/saml/callback/api/ext/saml/callback"><saml:Issuer> https://guacamole.<lab-fqdn>/guacamole</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest> Sep 20 14:43:58 <aws Ip>.eu-west-2.compute.internal server[15245]: 14:43:58.460 [http-nio-8080-exec-6] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read. Sep 20 14:43:58 <aws Ip>.eu-west-2.compute.internal server[15245]: 14:43:58.462 [http-nio-8080-exec-6] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from 86.13.95.8 failed. Sep 20 14:43:58 <aws Ip>.eu-west-2.compute.internal server[15245]: 14:43:58.463 [http-nio-8080-exec-6] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Redirecting to SAML IdP. Cheers, Tom
