I finally have SAML working with my Guacamole installation. The problem was on the IdP side as they were not using the right callback URL and they were setting the user name/ID in a custom attribute instead of using nameID.
Now that I can log into Guacamole with the IdP via SAML, I'm unable to provision connections. This is my current guacamole.properties:

    guacd-hostname: 127.0.0.1
    guacd-port: 4822
    api-session-timeout: 1
    ldap-hostname: 10.x.x.x
    ldap-port: 636
    ldap-encryption-method: ssl
    ldap-user-base-dn: cn=Users,dc=domain,dc=org
    ldap-config-base-dn: cn=Users,dc=domain,dc=org
    ldap-group-base-dn: cn=Users,dc=domain,dc=org
    ldap-username-attribute: cn
    ldap-user-search-filter: (|(objectClass=guac*)(cn=hmsg*))
    ldap-max-search-results: 9959000
    ldap-search-bind-dn: cn=binduser,cn=Users,dc=domain,dc=org
    ldap-search-bind-password: secret
    extension-priority: saml
    saml-idp-metadata-url: https://idp.domain.org/idp/shibboleth
    saml-entity-id: https://guacamole.domain.org:8543/HMsg
    saml-callback-url: https://guacamole.domain.org:8543/HMsg
    saml-debug: true
    saml-strict: false

This is my extensions dir:

    # ls extensions/
    branding.jar
    customurls.jar
    guacamole-auth-ldap-1.1.0.jar
    guacamole-auth-sso-saml-1.4.0.jar

Yes, I need to use the 1.1.0 version of the LDAP module. Without SAML (just LDAP), this setup works fine even if I remove ldap-search-bind-dn. Users can authenticate via LDAP and the connections are provisioned from Active Directory. If I activate SAML, authentication works but no connections are provisioned. I understand that ldap-config-base-dn is used for retrieving connection data, but catalina.out does not show that Guacamole is even trying to retrieve that data. Correct me if I'm wrong, but SAML only "tells" Guacamole that the client can log in with nameID -- there is no knowledge of the password. So how can Guacamole retrieve connection data for the logged-in user with ldap-config-base-dn? This is why I added the ldap-search-bind-* parameters. Nonetheless, there is no "LDAP activity" recorded in catalina.out, so the user logs in via SAML and sees no connection details at all, as none have been provided via LDAP.
I even replaced the 1.1.0 LDAP module with the 1.4.0, but I'm getting the same behavior (the LDAP module is properly loaded). The only thing I see in the Tomcat log is:

    INFO o.a.g.r.auth.AuthenticationService - User "myuser" successfully authenticated from 10.x.x.x.
    DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
    DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "myuser".
    DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Session not associated with authentication provider "saml".

What does this last error message mean?
