Yes, you want to use "https://<guacamole_host>/api/ext/saml/callback" as
the callback URL to finish out the process.

On Thu, Mar 17, 2022 at 4:16 AM Vieri <[email protected]> wrote:

> I finally made it past the initial redirection to the IdP.
> The IdP admin properly allowed my Guacamole SP, and now I can see that the
> client browsers are being redirected to the IdP authentication portal as
> expected.
> When the user authenticates correctly, he/she is redirected back to
> Guacamole.
>
> However, this is where it fails because the browser goes into a
> redirection loop. It is sent back to the IdP portal, but since the user is
> already authenticated there, it is immediately redirected to Guacamole, and
> so on and so forth.
>
> So I guess my "callback" setting is wrong (or something else in my
> config). Here is my guac config:
>
> guacd-hostname: 127.0.0.1
> guacd-port: 4822
> api-session-timeout: 1
>
> ldap-hostname: 10.0.1.35
> ldap-port: 636
> ldap-encryption-method: ssl
> ldap-user-base-dn: cn=Users,dc=domain,dc=org
> ldap-config-base-dn: cn=Users,dc=domain,dc=org
> ldap-group-base-dn: cn=Users,dc=domain,dc=org
> ldap-username-attribute: cn
> ldap-user-search-filter: ##whatever##
>
> extension-priority: saml
> saml-idp-metadata-url: https://idp.domain.org/shibboleth
> saml-entity-id: https://guacamole.domain.org
> saml-callback-url: https://guacamole.domain.org
> saml-debug: true
> #saml-strict: false
>
> I'm not sure if saml-callback-url is correct here.
> Without the SAML extension enabled, a web client can connect to
> https://guacamole.domain.org and see the Guacamole login page. The user
> can login with the LDAP credentials just fine.
>
> What should I look for?
>
> This is what shows up in the Tomcat log file over and over (loops until
> client/user closes the web page/window/tab):
>
> DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest -->
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="ONELOGIN_775858fa-4352-4b54-bba8-d45edb28a31f" Version="2.0"
> IssueInstant="2022-03-16T20:50:07Z" Destination="https://idp.domain.org/SSO"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> AssertionConsumerServiceURL="https://guacamole.domain.org/api/ext/saml/callback">
> <saml:Issuer>https://guacamole.domain.org</saml:Issuer><samlp:NameIDPolicy
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> AllowCreate="true" /></samlp:AuthnRequest>
> DEBUG o.a.g.a.l.AuthenticationProviderService - Anonymous bind is not
> currently allowed by the LDAP authentication provider.
> DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file
> "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
> DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication
> attempt from x.x.x.x failed.
> DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected:
> Redirecting to SAML IdP.
>
> Should the saml-callback-url value be
> "https://guacamole.domain.org/api/ext/saml/callback" instead?
>
> It's not mentioned in the Apache Guacamole documentation found here:
> https://guacamole.apache.org/doc/gug/saml-auth.html
>
> Regards,
>
> Vieri

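Added diagnostic example (not from this thread and not part of the Guacamole project): a small Python script that reads the SAML lines of a guacamole.properties file, checks that saml-callback-url points at the /api/ext/saml/callback path the reply names, and compares it with the AssertionConsumerServiceURL that the extension writes into the logged AuthnRequest. The properties file format (key: value lines, # comments), the log format and the example.org host names are constructed sample data modelled on the thread; the function names are my own.

```python
"""Sanity-check guacamole.properties SAML settings against the logged AuthnRequest.

All sample data below is constructed for this example; only the callback path
comes from the thread.
"""
import re
from urllib.parse import urlparse

# Path on which the Guacamole SAML extension receives the IdP's response
# (the "callback" the reply in the thread refers to).
SAML_CALLBACK_PATH = "/api/ext/saml/callback"

# Pulls the ACS URL out of a logged AuthnRequest; tolerates the attribute
# value being wrapped onto its own line, as mail clients often do.
ACS_RE = re.compile(r'AssertionConsumerServiceURL="\s*([^"\s]+)\s*"')

# Constructed properties resembling the poster's original (loops) and the corrected form.
BROKEN_PROPERTIES = """\
extension-priority: saml
saml-idp-metadata-url: https://idp.example.org/shibboleth
saml-entity-id: https://guacamole.example.org
saml-callback-url: https://guacamole.example.org
saml-debug: true
#saml-strict: false
"""

FIXED_PROPERTIES = """\
extension-priority: saml
saml-idp-metadata-url: https://idp.example.org/shibboleth
saml-entity-id: https://guacamole.example.org
saml-callback-url: https://guacamole.example.org/api/ext/saml/callback
saml-debug: false
"""

# Constructed log excerpt, shaped like the AuthnRequest debug line in the thread.
LOGGED_AUTHNREQUEST = (
    'DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest --> '
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Version="2.0" Destination="https://idp.example.org/SSO" '
    'AssertionConsumerServiceURL="\n'
    'https://guacamole.example.org/api/ext/saml/callback"><saml:Issuer>'
    'https://guacamole.example.org</saml:Issuer></samlp:AuthnRequest>'
)


def parse_properties(text: str) -> dict:
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")  # first ':' only, so URLs stay intact
        props[key.strip()] = value.strip()
    return props


def check_saml_config(props: dict) -> list:
    """Return human-readable findings; an empty list means the settings look consistent."""
    findings = []
    callback = props.get("saml-callback-url", "")
    if not callback:
        findings.append("saml-callback-url is not set")
    else:
        cb = urlparse(callback)
        if cb.scheme != "https":
            findings.append("saml-callback-url is not https; the SAML response would travel in clear text")
        if cb.path.rstrip("/") != SAML_CALLBACK_PATH:
            findings.append(
                f"saml-callback-url path is '{cb.path or '/'}', expected '{SAML_CALLBACK_PATH}'")
    if props.get("saml-debug", "").lower() == "true":
        findings.append("saml-debug is true; it logs full SAML messages, so turn it off once the loop is fixed")
    return findings


def acs_url_from_log(log_text: str):
    """Return the AssertionConsumerServiceURL from a logged AuthnRequest, or None."""
    match = ACS_RE.search(log_text)
    return match.group(1) if match else None


def callback_matches_acs(props: dict, log_text: str) -> bool:
    """True when the configured callback URL is the ACS URL the SP actually advertises."""
    acs = acs_url_from_log(log_text)
    configured = props.get("saml-callback-url", "").rstrip("/")
    return acs is not None and acs.rstrip("/") == configured


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        props = parse_properties(text)
        print(label, check_saml_config(props), callback_matches_acs(props, LOGGED_AUTHNREQUEST))
```

Run it against the real guacamole.properties and a catalina.out excerpt by swapping the constructed strings for file contents: a callback URL whose path is not the extension's callback path, or that differs from the ACS URL in the request, is the mismatch behind the redirect loop described above.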