Resending - as the email didn't appear in the archive, so I don't know if it sent.

Peter T
d +44 (0) 141 533 4043
m +44 (0) 778 927 3030
From: Tweed, Peter
Sent: 18 October 2021 16:54
To: [email protected]
Subject: SAML Groups not recognised

Hi

I have connected SAML to Guacamole (1.3.0, docker version), with:

saml-group-attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

I've created groups in Guacamole (Postgres DB) to match the GUIDs that come back from Active Directory:

aaa-aaa-aaa-aaa-aaa
bbb-bbb-bbb-bbb-bbb
ccc-ccc-ccc-ccc-ccc

Our admins have all three AD groups. Our users have the first two groups, so I've created two nicely named groups: Consultants, Admins.

Member of Consultants: aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb
Member of Admins: ccc-ccc-ccc-ccc-ccc

Excerpt from guacamole log:

Admins: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb, ccc-ccc-ccc-ccc-ccc],
Consultants: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb ],

I've attached some connections to the consultants group, some to the admins group.

When an admin logs in, they can see everything (including connections only assigned to the consultant group).
When a consultant logs in, they can see nothing. They should be able to see the connections assigned to the consultants.

I've manually assigned group aaa-aaa-aaa-aaa-aaa to a consultant, and they can then see the required connections.

I feel like I'm missing something obvious! Why does having 3 groups work, but two groups doesn't?

(AD Group IDs replaced above for security)

Peter T
d +44 (0) 141 533 4043
m +44 (0) 778 927 3030

This electronic message may contain proprietary and confidential information of Verint Systems Inc., its affiliates and/or subsidiaries. The information is intended to be for the use of the individual(s) or entity(ies) named above. If you are not the intended recipient (or authorized to receive this e-mail for the intended recipient), you may not use, copy, disclose or distribute to anyone this message or any information contained in this message. If you have received this electronic message in error, please notify us by replying to this e-mail.
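The first thing to verify in a case like the one above is that every value in the SAML group claim matches a database group name exactly, and what the user's effective groups would be if the nesting described were honoured. The script below is an added example, not code from the email or from Guacamole: it parses log lines in the shape quoted above, checks each claimed value against a constructed set of group names, and walks a constructed parent-group map. The log text, DB_GROUPS and PARENT_GROUPS are all assumptions built from the email; the nested resolution is a model of what the sender expects, not a statement of how Guacamole resolves groups.

```python
import re

# SAML attribute named by saml-group-attribute in the email.
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed log lines in the shape quoted in the email (placeholder GUIDs).
SAMPLE_LOG = """\
Admins: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb, ccc-ccc-ccc-ccc-ccc],
Consultants: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb ],
"""

# Constructed stand-in for the Guacamole database: group names, and the nesting
# the email describes (each GUID group is a member of a named group).
DB_GROUPS = {"aaa-aaa-aaa-aaa-aaa", "bbb-bbb-bbb-bbb-bbb", "ccc-ccc-ccc-ccc-ccc",
             "Consultants", "Admins"}
PARENT_GROUPS = {"aaa-aaa-aaa-aaa-aaa": {"Consultants"},
                 "bbb-bbb-bbb-bbb-bbb": {"Consultants"},
                 "ccc-ccc-ccc-ccc-ccc": {"Admins"}}

LINE_RE = re.compile(r"^(?P<label>[^:]+):\s*" + re.escape(GROUP_ATTR)
                     + r"=\[(?P<values>[^\]]*)\]")

def parse_group_claims(log_text):
    """Map each labelled log line to the group values listed in its claim."""
    claims = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values = [v.strip() for v in m.group("values").split(",")]
            claims[m.group("label")] = [v for v in values if v]
    return claims

def check_names(values, db_groups):
    """Classify each claimed value as 'exact', 'case-only' or 'missing'."""
    lowered = {g.casefold() for g in db_groups}
    return {v: "exact" if v in db_groups
            else "case-only" if v.casefold() in lowered
            else "missing" for v in values}

def effective_groups(values, parent_groups):
    """Claimed groups plus everything reachable through parent membership."""
    seen, stack = set(), list(values)
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(parent_groups.get(g, ()))
    return seen
```

A "case-only" or "missing" result for a value that should grant access points at the group name in the database rather than at the SAML configuration.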
