On Sat, Oct 2, 2021 at 4:38 AM Tom Werner <[email protected]> wrote:
> Thanks Nick!
>
> I have finally managed to partially get this working, removing the link to
> the metadata url, I guess one of the values being injected was throwing
> things off. The final caveat being that authentication only works when
> initiated from the iDP (AWS SSO), authentication initiated from the
> guacamole app fails with a 403 on the AWS SSO side.
>
> I'm at a loss whether this is a limitation of Guacamole or AWS SSO, this
> being the first time I've used SAML authentication :-).
>

It is almost certainly an issue within the Guacamole SAML authentication module - I, being the one who wrote the module, was learning SAML on-the-fly, myself, so the probability that I missed or improperly implemented something is relatively high :-). It sounds like it may have something to do with request signing or something like that, but hard to say. If I have some time to look at it I will try to do that, though my time for all things Guacamole-related has been short these days. Otherwise, if you're able to dig up anything that indicates an issue on the Guacamole SAML side we can try to fix that up, as well.

-Nick
