I finally made it past the initial redirection to the IdP. The IdP admin properly allowed my Guacamole SP, and now I can see that the client browsers are being redirected to the IdP authentication portal as expected. When the user authenticates correctly, he/she is redirected back to Guacamole.
However, this is where it fails because the browser goes into a redirection loop. It is sent back to the IdP portal, but since the user is already authenticated there, it is immediately redirected to Guacamole, and so on and so forth. So I guess my "callback" setting is wrong (or something else in my config). Here is my guac config:

guacd-hostname: 127.0.0.1
guacd-port: 4822
api-session-timeout: 1
ldap-hostname: 10.0.1.35
ldap-port: 636
ldap-encryption-method: ssl
ldap-user-base-dn: cn=Users,dc=domain,dc=org
ldap-config-base-dn: cn=Users,dc=domain,dc=org
ldap-group-base-dn: cn=Users,dc=domain,dc=org
ldap-username-attribute: cn
ldap-user-search-filter: ##whatever##
extension-priority: saml
saml-idp-metadata-url: https://idp.domain.org/shibboleth
saml-entity-id: https://guacamole.domain.org
saml-callback-url: https://guacamole.domain.org
saml-debug: true
#saml-strict: false

I'm not sure if saml-callback-url is correct here. Without the SAML extension enabled, a web client can connect to https://guacamole.domain.org and see the Guacamole login page. The user can log in with the LDAP credentials just fine. What should I look for?
This is what shows up in the Tomcat log file over and over (loops until the client/user closes the web page/window/tab):

DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_775858fa-4352-4b54-bba8-d45edb28a31f" Version="2.0" IssueInstant="2022-03-16T20:50:07Z" Destination="https://idp.domain.org/SSO" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://guacamole.domain.org/api/ext/saml/callback"><saml:Issuer>https://guacamole.domain.org</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
DEBUG o.a.g.a.l.AuthenticationProviderService - Anonymous bind is not currently allowed by the LDAP authentication provider.
DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from x.x.x.x failed.
DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Redirecting to SAML IdP.

Should the saml-callback-url value be "https://guacamole.domain.org/api/ext/saml/callback" instead? It's not mentioned in the Apache Guacamole documentation found here: https://guacamole.apache.org/doc/gug/saml-auth.html

Regards,
Vieri
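The following is an added example, not part of the original post and not Guacamole's own code: a small diagnostic that cross-checks the SP side of a SAML setup like the one above. It parses guacamole.properties-style text and the AuthnRequest XML that the SAML extension logs at DEBUG level, then verifies that the Issuer matches saml-entity-id and that the AssertionConsumerServiceURL equals saml-callback-url plus the "/api/ext/saml/callback" path. That path is taken from the AuthnRequest in the log above, not from documentation, and is an assumption of this script; the property and XML samples are constructed copies of the values in the post. The script only checks what the SP sends; whether the IdP's registered SP metadata carries the same ACS URL still has to be verified on the IdP side.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumption: the SAML extension appends this path to saml-callback-url when
# building the AssertionConsumerServiceURL (observed in the logged request).
ACS_PATH = "/api/ext/saml/callback"

# Constructed sample: the SAML-related lines of the properties file in the post.
GUACAMOLE_PROPERTIES = """\
extension-priority: saml
saml-idp-metadata-url: https://idp.domain.org/shibboleth
saml-entity-id: https://guacamole.domain.org
saml-callback-url: https://guacamole.domain.org
saml-debug: true
#saml-strict: false
"""

# Constructed sample: the AuthnRequest from the DEBUG log line in the post.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="ONELOGIN_775858fa-4352-4b54-bba8-d45edb28a31f" Version="2.0" '
    'IssueInstant="2022-03-16T20:50:07Z" Destination="https://idp.domain.org/SSO" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://guacamole.domain.org/api/ext/saml/callback">'
    '<saml:Issuer>https://guacamole.domain.org</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
    'AllowCreate="true" /></samlp:AuthnRequest>'
)


def parse_properties(text):
    """Parse 'key: value' lines; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def parse_authn_request(xml_text):
    """Extract the fields of a samlp:AuthnRequest relevant to the SP config."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    issuer = root.find("{%s}Issuer" % SAML_NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "binding": root.get("ProtocolBinding"),
    }


def check_sp_config(props, request):
    """Return a list of findings; an empty list means the SP side is consistent."""
    findings = []
    entity_id = props.get("saml-entity-id")
    callback = props.get("saml-callback-url", "").rstrip("/")
    expected_acs = callback + ACS_PATH

    if request["issuer"] != entity_id:
        findings.append("Issuer %r differs from saml-entity-id %r"
                        % (request["issuer"], entity_id))
    if request["acs_url"] != expected_acs:
        findings.append("AssertionConsumerServiceURL %r differs from expected %r "
                        "(saml-callback-url + %s)"
                        % (request["acs_url"], expected_acs, ACS_PATH))
    for name in ("acs_url", "destination"):
        if urlparse(request[name] or "").scheme != "https":
            findings.append("%s is not https: %r" % (name, request[name]))
    # Commented-out properties are not parsed, so the default (strict) applies.
    if props.get("saml-strict", "true").lower() == "false":
        findings.append("saml-strict is false: response validation is relaxed")
    return findings


def diagnose(properties_text, authn_xml):
    """Convenience wrapper: parse both inputs and run the consistency checks."""
    return check_sp_config(parse_properties(properties_text),
                           parse_authn_request(authn_xml))


if __name__ == "__main__":
    for finding in diagnose(GUACAMOLE_PROPERTIES, AUTHN_REQUEST) or ["SP config consistent"]:
        print(finding)
```

Run it against your own properties file and a DEBUG AuthnRequest line; each finding names the property that disagrees with what the extension actually sent. If it reports nothing, the SP side is internally consistent and the next place to compare the ACS URL is the SP metadata the IdP has on file.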