On Tue, Oct 19, 2021 at 11:49 AM Tweed, Peter <[email protected]>
wrote:

> Resending – as email didn’t appear in archive so I don’t know if it sent.
>
> Peter T
>
> *From:* Tweed, Peter
> *Sent:* 18 October 2021 16:54
> *To:* [email protected]
> *Subject:* SAML Groups not recognised
>
> Hi
>
> I have connected SAML to Guacamole (1.3.0, docker version), with:
> saml-group-attribute:
> http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
>
> I’ve created groups in Guacamole (Postgres DB) to match the GUIDs that
> come back from active directory:
> aaa-aaa-aaa-aaa-aaa
>
> bbb-bbb-bbb-bbb-bbb
>
> ccc-ccc-ccc-ccc-ccc
>
> Our admins have all three AD groups. Our users have the first two
> groups, so I’ve created two nicely named groups: Consultants, Admins.
>
> Member of Consultants: aaa-aaa-aaa-aaa-aaa , bbb-bbb-bbb-bbb-bbb
>
> Member of Admins: ccc-ccc-ccc-ccc-ccc
>
> Excerpt from guacamole log:
>
> Admins: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[
> aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb, ccc-ccc-ccc-ccc-ccc],
>
> Consultants:
> http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[
> aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb ],
>
I'm a bit confused, here, as to what you've done with GUIDs vs. "nicely
named groups"? It sounds like your SAML IdP is returning the groups as
GUIDs, and you've possibly created some of the groups with those names, or
not? I'm not clear on this point. Guacamole won't be able to do any
additional lookup to translate those Group GUIDs to their actual names, so
if you're wanting to assign permissions via group, no matter what the
groups are named or how many there are, the names of the groups need to
match what the SAML IdP is returning for claims.

Is it possible for one or more of the admin accounts you're using that
you've manually added that account to a JDBC group, or assigned permissions
directly to the account? That would explain why it appears to work for some
users and not for others.

-Nick
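As an added illustration of the matching rule described in the reply (example code, not part of Guacamole or of the original thread): it pulls the values of the configured group attribute out of a constructed SAML assertion and checks each one, by exact string comparison, against a hypothetical set of group names as they would exist in the JDBC database. The attribute name is the `saml-group-attribute` value from the thread; the GUID placeholders and the `CONFIGURED_GROUPS` set are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The saml-group-attribute value from the thread.
GROUP_ATTRIBUTE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed assertion fragment using the placeholder GUIDs from the thread;
# the third value carries a stray leading space on purpose.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>aaa-aaa-aaa-aaa-aaa</saml:AttributeValue>
      <saml:AttributeValue>bbb-bbb-bbb-bbb-bbb</saml:AttributeValue>
      <saml:AttributeValue> ccc-ccc-ccc-ccc-ccc</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical group names as created in the Guacamole JDBC database.
CONFIGURED_GROUPS = {"aaa-aaa-aaa-aaa-aaa", "bbb-bbb-bbb-bbb-bbb",
                     "ccc-ccc-ccc-ccc-ccc", "Consultants", "Admins"}


def group_claims(assertion_xml, attribute_name=GROUP_ATTRIBUTE):
    """Return the raw AttributeValue strings of the named attribute, untrimmed."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        values.extend(v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS))
    return values


def resolve_groups(claims, configured_groups):
    """Exact-string match of claim values against configured group names.
    No GUID-to-display-name lookup happens, which is the point of the reply:
    a group only applies when its name equals the claim value. Values that
    match only after stripping whitespace are reported as near misses so the
    mismatch is visible when comparing against the log excerpt."""
    result = {"matched": [], "near_miss": [], "unmatched": []}
    for claim in claims:
        if claim in configured_groups:
            result["matched"].append(claim)
        elif claim.strip() in configured_groups:
            result["near_miss"].append(claim)
        else:
            result["unmatched"].append(claim)
    return result


if __name__ == "__main__":
    print(resolve_groups(group_claims(SAMPLE_ASSERTION), CONFIGURED_GROUPS))
```

Note that the "Consultants" and "Admins" names never appear in the result unless the IdP itself sends them as claim values.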
