On Wed, Jan 5, 2022, 04:55 Nick Couchman <[email protected]> wrote:

> On Wed, Jan 5, 2022 at 6:41 AM Tobias Heim <[email protected]> wrote:
>
>> Hey team,
>>
>> We upgraded guacamole from 1.3 to 1.4 – in the old version, using SAML
>> with Duo authenticator was fine.
>>
>> But now it seems some information is not considered anymore as using
>> SSO-SAML means landing in a login loop – it always forwards from
>> https://ourguacamoleserver/api/ext/saml/login to the external address of
>> DUO and back and again and again.
>>
>> Did the callback address change from /api/ext/saml/callback to something
>> else maybe?
>>
>> Do you know what may cause this issue? The only chance for me to get out
>> of this loop was to enable the manual login window.
>>
>>
>>
>
> No, the callback address did not change. You'll probably need to look at
> logs for both Guacamole Client (Tomcat or whatever app server you're using)
> and see if there's any reason being returned by the system for the login
> failure. You may even need to enable some debugging - either for the web
> app in general or using the saml-debug property in guacamole.properties (or
> both) to see additional messages.
>
>
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application
>

Tobias, are you using Nginx for SSL termination perchance? If so, try
adding the following to what you already have in your Nginx config:

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Proto $scheme;

I encountered something similar recently, and I think that some of the
dependency updates affected the headers required with respect to
determining the true URL applicable to things like the SAML ACS.

With the above, you will likely also need a RemoteIpValve entry in Tomcat's
server.xml, if you don't already have it:

https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve

- Mike
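For reference, here is what the RemoteIpValve entry referred to above looks like in Tomcat's conf/server.xml (this is an added illustration, not configuration from the thread or from the Guacamole project). It assumes Nginx runs on the same host as Tomcat and forwards the four headers from the message plus X-Forwarded-For; the header names and the 127.0.0.1 proxy address are assumptions to adjust for your deployment.

```xml
<!-- Goes inside the <Host> element that serves the Guacamole web app.
     internalProxies is a regex of proxy addresses whose X-Forwarded-*
     headers are trusted; requests from any other address keep their
     original scheme/host/client IP, so forwarded headers cannot be
     spoofed by clients that bypass the proxy. If the regex does not
     match Nginx's actual address, the valve ignores the headers and
     the SAML URLs are still built from the internal Tomcat address. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       hostHeader="x-forwarded-host"
       httpsServerPort="443" />
```

Nginx only sets X-Forwarded-For if told to, so pair this with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` alongside the headers quoted above; hostHeader is optional when Nginx already passes `Host $host`.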
