OK, so even if I remove my LDAP authentication extension and keep ONLY the SAML 
SSO extension (to keep things simple) I still get a redirection loop:

<infinite loop>
DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Redirecting to 
SAML IdP.
DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest --> 
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
ID="ONELOGIN_d1e9ae45-290b-4b52-802b-484299100ac2" Version="2.0" 
IssueInstant="2022-03-18T07:48:25Z" 
Destination="https://idp.domain.org/idp/profile/SAML2/Redirect/SSO" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
AssertionConsumerServiceURL="https://guacamole.domain.org/api/ext/saml/callback"><saml:Issuer>https://guacamole.domain.org</saml:Issuer><samlp:NameIDPolicy
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
AllowCreate="true" /></samlp:AuthnRequest>
</infinite loop>

So this means that Guacamole is properly redirecting to the IdP web portal. On 
initial connection a user can authenticate with the IdP just fine, and the 
callback to Guacamole seems to be fine too.
The problem is that Guacamole says:
"Client request rejected: Redirecting to SAML IdP."

Because of that the user loads the IdP portal for a second, and is almost 
immediately redirected back to Guacamole (because the user has already authed 
there before).
Guacamole rejects the client once again and redirects to the SAML IdP -- hence 
the infinite loop.

Now, I wish Guacamole could tell me why it's rejecting the client if the user 
properly authenticated already with the IdP.
There's nothing in catalina.out about this.

This is what I have in guacamole.properties:

guacd-hostname: 127.0.0.1
guacd-port: 4822
api-session-timeout: 1
saml-idp-metadata-url: https://idp.domain.org/idp/shibboleth
saml-entity-id: https://guacamole.domain.org
saml-callback-url: https://guacamole.domain.org/
saml-debug: true
saml-strict: false

and this is what I have in the extensions dir:

# ls extensions/
branding.jar  customurls.jar  guacamole-auth-sso-saml-1.4.0.jar

How can I debug this further?
How can I know why Guacamole is actually rejecting a client already properly 
authenticated with the IdP?

Regards,

Vieri
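An added diagnostic script for the situation above; it is not part of Guacamole, of the SAML extension, or of this thread. It parses the `guacamole.properties` keys shown in the message, pulls the `AuthnRequest` XML out of the debug log, and reports whether the Issuer, AssertionConsumerServiceURL and Destination the SP actually sent agree with `saml-entity-id`, `saml-callback-url` and the host of `saml-idp-metadata-url`, then counts repeated "Redirecting to SAML IdP" rejections as a loop indicator. The sample log embeds the posted lines, reassembled onto one line and repeated three times to mimic the loop; the loop threshold of 3 is an assumption, not a Guacamole setting.

```python
"""Cross-check a Guacamole SAML debug log against guacamole.properties.
Added example, not Guacamole or extension code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REJECT_MARKER = "Client request rejected: Redirecting to SAML IdP."
REQUEST_MARKER = "AuthNRequest --> "

# Constructed sample: the properties posted in the message, verbatim.
SAMPLE_PROPERTIES = """\
guacd-hostname: 127.0.0.1
guacd-port: 4822
api-session-timeout: 1
saml-idp-metadata-url: https://idp.domain.org/idp/shibboleth
saml-entity-id: https://guacamole.domain.org
saml-callback-url: https://guacamole.domain.org/
saml-debug: true
saml-strict: false
"""

# Constructed sample: the AuthnRequest from the posted log on a single line.
AUTHN_REQUEST_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="ONELOGIN_d1e9ae45-290b-4b52-802b-484299100ac2" Version="2.0" '
    'IssueInstant="2022-03-18T07:48:25Z" '
    'Destination="https://idp.domain.org/idp/profile/SAML2/Redirect/SSO" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://guacamole.domain.org/api/ext/saml/callback">'
    '<saml:Issuer>https://guacamole.domain.org</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
    'AllowCreate="true" /></samlp:AuthnRequest>'
)

# Constructed sample: the two debug lines repeated three times to mimic the loop.
SAMPLE_LOG = "\n".join(
    [
        "DEBUG o.a.g.rest.RESTExceptionMapper - " + REJECT_MARKER,
        "DEBUG c.onelogin.saml2.authn.AuthnRequest - " + REQUEST_MARKER + AUTHN_REQUEST_XML,
    ] * 3
)


def parse_properties(text):
    """Parse 'key: value' lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def extract_authn_requests(log_text):
    """Return the parsed AuthnRequest elements logged by the SP."""
    return [ET.fromstring(line.split(REQUEST_MARKER, 1)[1].strip())
            for line in log_text.splitlines() if REQUEST_MARKER in line]


def count_rejections(log_text):
    return sum(1 for line in log_text.splitlines() if REJECT_MARKER in line)


def check_request(root, props):
    """Map check name -> (ok, detail) for one AuthnRequest against the config."""
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    entity_id = props.get("saml-entity-id", "")
    acs = root.get("AssertionConsumerServiceURL", "")
    callback = props.get("saml-callback-url", "")
    dest_host = urlparse(root.get("Destination", "")).netloc
    idp_host = urlparse(props.get("saml-idp-metadata-url", "")).netloc
    return {
        "issuer_matches_entity_id":
            (issuer == entity_id, f"Issuer={issuer!r} saml-entity-id={entity_id!r}"),
        "acs_under_callback_url":
            (bool(callback) and acs.startswith(callback.rstrip("/") + "/"),
             f"ACS={acs!r} saml-callback-url={callback!r}"),
        "destination_host_matches_idp_metadata":
            (bool(dest_host) and dest_host == idp_host,
             f"Destination host={dest_host!r} metadata host={idp_host!r}"),
    }


def diagnose(log_text, props_text, loop_threshold=3):
    """Summarise loop evidence and config consistency (threshold is assumed)."""
    props = parse_properties(props_text)
    requests = extract_authn_requests(log_text)
    rejections = count_rejections(log_text)
    return {
        "rejections": rejections,
        "requests": len(requests),
        "loop_suspected": rejections >= loop_threshold,
        "checks": check_request(requests[0], props) if requests else {},
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, SAMPLE_PROPERTIES)
    print(f"rejections={report['rejections']} loop_suspected={report['loop_suspected']}")
    for name, (ok, detail) in report["checks"].items():
        print("OK  " if ok else "FAIL", name, detail)
```

Feed it the real log and properties file instead of the embedded samples. On the values as posted all three consistency checks pass, which confirms what the message already says about the outbound request and narrows the search to what happens when the assertion comes back; when a check fails, the detail string shows the exact pair of values that disagree.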
