I'm afraid it still doesn't work even though this time I'm not getting an 
infinite loop.

I set guac SAML like this:

extension-priority: saml
saml-idp-metadata-url: https://idp.domain.org/idp/shibboleth
saml-entity-id: https://guacamole.domain.org
saml-callback-url: https://guacamole.domain.org/api/ext/saml/callback
saml-debug: true
saml-strict: false

However, I'm getting this (and only this) in the Tomcat log:

DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest --> 
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
ID="ONELOGIN_80dc091f-9763-41c8-ba10-8c8d221b3034" Version="2.0" 
IssueInstant="2022-03-17T20:59:11Z" 
Destination="https://idp.domain.org/idp/profile/SAML2/Redirect/SSO" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
AssertionConsumerServiceURL="https://guacamole.domain.org/api/ext/saml/callback/api/ext/saml/callback"><saml:Issuer>https://guacamole.domain.org</saml:Issuer><samlp:NameIDPolicy 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
AllowCreate="true" /></samlp:AuthnRequest>
DEBUG o.a.g.a.l.AuthenticationProviderService - Anonymous bind is not currently 
allowed by the LDAP authentication provider.
DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file 
"/etc/guacamole/user-mapping.xml" does not exist and will not be read.
DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt 
from x.x.x.x failed.
DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Redirecting to 
SAML IdP.

The IdP web page shows a message like this to the client browser:

"The login service was unable to identify a compatible way to respond to the 
requested application. This is generally due to a misconfiguration on the part 
of the application and should be reported to the application's support team or 
owner."

Note how AssertionConsumerServiceURL was wrongly expanded. So I guess 
saml-callback-url should really just be https://guacamole.domain.org and 
nothing more.
However, as stated in my previous post, that leads me to a redirection loop 
between SP and IdP.

Why am I seeing this?
Is it because I have both the LDAP and the SAML extensions enabled?

