Nick,

Azure Active Directory is returning the group IDs only via SAML. Apparently this is the default <https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims?WT.mc_id=AZ-MVP-5003833#configure-the-azure-ad-application-registration-for-group-attributes> (I don't have control over this) and perhaps something to do with a migration from an on-premises version. Anyway, it shouldn't matter; they should just be treated as text.
I've got two nicely named groups in Guacamole (Admins, consultants). I've created groups in Guacamole with the same names as the IDs which come back via SAML (aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb, ccc-ccc-ccc-ccc-ccc). I've made the aaa and bbb groups members of group "consultants", and the ccc group a member of group "admins".

Test 1: When I manually assign a user group aaa within Guacamole, the user gets the connections linked to "consultants" (working as expected).

Test 2: When a user logs in with groups aaa, bbb and ccc from SAML, they get access to connections attached to consultants and admins (working as expected).

Test 3: When a user logs in with groups aaa and bbb from SAML, they get access to no connections (they should get access to the connections attached to "consultants").

There is no manual assignment of connections to users. Test 1 shows that the "member groups" hierarchy works between aaa and consultants. If SAML group name to Guacamole group name mapping didn't work, or groups weren't then following the "member groups" hierarchy configured, I would expect Test 2 to return no connections. Which is why I'm confused that Test 3 doesn't work. Does that make sense?

Peter T
d +44 (0) 141 533 4043
m +44 (0) 778 927 3030

From: Nick Couchman <[email protected]>
Sent: 19 October 2021 18:27
To: [email protected]
Subject: Re: SAML Groups not recognised

On Tue, Oct 19, 2021 at 11:49 AM Tweed, Peter <[email protected]> wrote:

Resending, as the email didn't appear in the archive so I don't know if it sent.
Peter T
d +44 (0) 141 533 4043
m +44 (0) 778 927 3030

From: Tweed, Peter
Sent: 18 October 2021 16:54
To: [email protected]
Subject: SAML Groups not recognised

Hi

I have connected SAML to Guacamole (1.3.0, docker version), with:

saml-group-attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

I've created groups in Guacamole (Postgres DB) to match the GUIDs that come back from Active Directory:

aaa-aaa-aaa-aaa-aaa
bbb-bbb-bbb-bbb-bbb
ccc-ccc-ccc-ccc-ccc

Our admins have all three AD groups. Our users have the first two groups, so I've created two nicely named groups: Consultants, Admins.

Member of Consultants: aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb
Member of Admins: ccc-ccc-ccc-ccc-ccc

Excerpt from guacamole log:

Admins: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb, ccc-ccc-ccc-ccc-ccc],
Consultants: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb],

I'm a bit confused here as to what you've done with GUIDs vs. "nicely named groups". It sounds like your SAML IdP is returning the groups as GUIDs, and you've possibly created some of the groups with those names, or not? I'm not clear on this point. Guacamole won't be able to do any additional lookup to translate those group GUIDs to their actual names, so if you're wanting to assign permissions via group, no matter what the groups are named or how many there are, the names of the groups need to match what the SAML IdP is returning for claims.

Is it possible that for one or more of the admin accounts you're using you've manually added that account to a JDBC group, or assigned permissions directly to the account? That would explain why it appears to work for some users and not for others.
-Nick
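The following is an added example, not code from this thread or from Guacamole itself. It models the resolution both participants describe: the SAML group attribute values are matched as plain text against Guacamole group names (no GUID-to-name lookup), the "member groups" hierarchy is then followed upwards, and the connections granted to every effective group are unioned. The parent/child layout and the three test inputs mirror the thread; the connection names and the `unmatched` diagnostic are assumptions made for the example. Running the claim values Guacamole logs through `resolve_saml` shows which values match no configured group at all (a stray space or case difference is enough), which is the first thing to check when a login yields no connections.

```python
# Reference model (added example, not Guacamole's own code) of SAML group
# claims -> Guacamole groups -> member-groups hierarchy -> connections.

GROUP_ATTRIBUTE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed configuration mirroring the thread: the GUID-named groups are
# members of the two nicely named parent groups.
PARENT_OF = {
    "aaa-aaa-aaa-aaa-aaa": {"consultants"},
    "bbb-bbb-bbb-bbb-bbb": {"consultants"},
    "ccc-ccc-ccc-ccc-ccc": {"admins"},
}

# Constructed connection grants; the connection names are hypothetical.
CONNECTIONS_OF = {
    "consultants": {"consultant-rdp"},
    "admins": {"admin-ssh"},
}

# Every group name that exists on the Guacamole side.
KNOWN_GROUPS = set(PARENT_OF) | set(CONNECTIONS_OF)


def claim_groups(attributes, attribute_name=GROUP_ATTRIBUTE):
    """Group values of the configured SAML attribute, taken exactly as sent.

    Nothing here translates an Azure AD object ID into a display name, so a
    value only 'works' if a Guacamole group carries that literal text."""
    return set(attributes.get(attribute_name, []))


def effective_groups(direct, parent_of=PARENT_OF, known=KNOWN_GROUPS):
    """Directly held groups plus every ancestor reachable through the
    member-groups hierarchy. Iterative closure, so a cycle in the hierarchy
    cannot loop forever."""
    pending = [g for g in direct if g in known]
    reached = set()
    while pending:
        group = pending.pop()
        if group in reached:
            continue
        reached.add(group)
        pending.extend(parent_of.get(group, ()))
    return reached


def resolve(direct, connections_of=CONNECTIONS_OF):
    """Diagnostic summary for a set of directly held group names:
    claim values matching no Guacamole group, the effective groups, and the
    union of connections those groups are granted."""
    groups = effective_groups(direct)
    return {
        "unmatched": sorted(g for g in direct if g not in KNOWN_GROUPS),
        "groups": groups,
        "connections": set().union(*(connections_of.get(g, set()) for g in groups)),
    }


def resolve_saml(attributes):
    """Same summary, starting from a SAML attribute map as logged."""
    return resolve(claim_groups(attributes))


if __name__ == "__main__":
    # Constructed attribute map for the thread's Test 3 (aaa and bbb only).
    test3 = {GROUP_ATTRIBUTE: ["aaa-aaa-aaa-aaa-aaa", "bbb-bbb-bbb-bbb-bbb"]}
    print(resolve_saml(test3))
```

With these constructed inputs the model yields `consultant-rdp` for Test 1 and Test 3 and both connections for Test 2, which is the outcome Peter expects; a claim value that differs from the configured group name by so much as a leading space shows up under `unmatched` and contributes no connections.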
