On Friday, March 18, 2022, 09:52:11 AM GMT+1, Vieri <[email protected]> wrote:
> OK, so even if I remove my LDAP authentication extension and keep ONLY the
> SAML SSO extension (to keep things simple) I still get a redirection loop:
>
> <infinite loop>
> DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Redirecting
> to SAML IdP.
> DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest -->
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="ONELOGIN_d1e9ae45-290b-4b52-802b-484299100ac2" Version="2.0"
> IssueInstant="2022-03-18T07:48:25Z"
> Destination="https://idp.domain.org/idp/profile/SAML2/Redirect/SSO"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> AssertionConsumerServiceURL="https://guacamole.domain.org/api/ext/saml/callback"><saml:Issuer>https://guacamole.domain.org</saml:Issuer><samlp:NameIDPolicy
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> AllowCreate="true" /></samlp:AuthnRequest>
> </infinite loop>

The infinite loop between SP and IdP might be because Guacamole is not extracting the user ID in the IdP's SAML reply for some reason.

The IdP admin informed me that they are using the following attribute:

<saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">USERNAME</saml2:AttributeValue>
</saml2:Attribute>

Is Guacamole expecting the user ID in this attribute? Is it using another format?

Vieri

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
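An added diagnostic for the situation above (example code, not from this thread or the Guacamole project): decode a SAMLResponse as delivered by the HTTP-POST binding, list the NameID and every attribute the IdP actually sent, and check whether the attribute an SP is configured to read (by Name or FriendlyName) is present. The sample reply is constructed around the cn / urn:oid:2.5.4.3 attribute quoted above; the IdP issuer and NameID values are invented. It performs no signature verification, so it is only for reading a captured reply, never for trusting one.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace URIs; the IdP's "saml2:" prefix and the SP's "saml:" prefix bind the same URI.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_post_binding(saml_response_param):
    """HTTP-POST binding sends the Response base64-encoded in the SAMLResponse form field."""
    return base64.b64decode(saml_response_param).decode("utf-8")

def inspect_response(xml_text):
    """Return NameID plus every Attribute the IdP sent, keyed by Name, with FriendlyName aliases (no signature check)."""
    root = ET.fromstring(xml_text)
    info = {"name_id": None, "attributes": {}, "friendly": {}}
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is not None and node.text:
        info["name_id"] = node.text.strip()
    for attr in root.findall(".//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        info["attributes"][name] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if attr.get("FriendlyName"):
            info["friendly"][attr.get("FriendlyName")] = name
    return info

def resolve_user_id(info, expected):
    """Username an SP reading attribute `expected` (Name or FriendlyName) would get; None = attribute absent, so no user ID."""
    name = info["friendly"].get(expected, expected)
    values = info["attributes"].get(name) or []
    return values[0] if values else None

# Constructed sample reply: transient NameID plus the cn / urn:oid:2.5.4.3 attribute shown in the thread.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2022-03-18T07:48:30Z" Destination="https://guacamole.domain.org/api/ext/saml/callback">
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2022-03-18T07:48:30Z">
    <saml2:Issuer>urn:example:idp</saml2:Issuer>
    <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx123</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">USERNAME</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE.encode()).decode()  # as it would arrive in the SAMLResponse field

if __name__ == "__main__":
    found = inspect_response(decode_post_binding(SAMPLE_B64))
    print("NameID:", found["name_id"], "| attributes:", found["attributes"])
    print({w: resolve_user_id(found, w) for w in ("cn", "urn:oid:2.5.4.3", "uid")})  # 'uid' -> None: no user ID
```

Run it against a real captured SAMLResponse instead of SAMPLE to see which attribute names the IdP really emits and compare them with what the SP is configured to read.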
