Is the current implementation of guacamole-auth-sso-saml-1.4.0 capable of 
decrypting SAML responses with the SP's private key?
If it is, according to the Tomcat log there seems to be a problem specifying or 
accessing the SP's private key.

[https-openssl-apr-8543-exec-1] DEBUG c.onelogin.saml2.authn.AuthnRequest - 
AuthNRequest --> <samlp:AuthnRequest 
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
ID="ONELOGIN_ae784bc7-28a7-4b08-a064-628d530e0137" Version="2.0" 
IssueInstant="2022-03-25T10:38:43Z" 
Destination="https://idp.domain.org/idp/profile/SAML2/Redirect/SSO" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
AssertionConsumerServiceURL="https://guacamole.domain.org:8543/HMNsg/api/ext/saml/callback"><saml:Issuer>https://guacamole.domain.org:8543/HMNsg</saml:Issuer><samlp:NameIDPolicy
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
AllowCreate="true" /></samlp:AuthnRequest>
[https-openssl-apr-8543-exec-1] DEBUG o.a.g.a.f.FileAuthenticationProvider - 
User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not 
be read.
[https-openssl-apr-8543-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - 
Anonymous authentication attempt from 10.215.111.210 failed.
[https-openssl-apr-8543-exec-1] DEBUG o.a.g.rest.RESTExceptionMapper - Client 
request rejected: Redirecting to SAML IdP.
[https-openssl-apr-8543-exec-6] DEBUG o.a.g.resource.ResourceServlet - Resource 
not modified: "/app/ext/HMANbranding/images/guac-tricolor.png"
[https-openssl-apr-8543-exec-9] WARN  
o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an 
invalid SAML response: Current SAML settings are insufficient to decrypt/parse 
the received SAML response.
[https-openssl-apr-8543-exec-9] DEBUG 
o.a.g.a.s.a.AssertionConsumerServiceResource - Received SAML response failed 
validation.
org.apache.guacamole.GuacamoleServerException: Current SAML settings are 
insufficient to decrypt/parse the received SAML response.
        at 
org.apache.guacamole.auth.saml.acs.SAMLService.processResponse(SAMLService.java:173)
        at 
org.apache.guacamole.auth.saml.acs.AssertionConsumerServiceResource.processSamlResponse(AssertionConsumerServiceResource.java:110)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
        at 
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
        at 
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
        at 
org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
        at 
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
        at 
org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
        at 
org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
        at 
org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
        at 
org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
        at 
org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
        at 
org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
        at 
org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
        at 
org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
        at 
org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
        at 
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:366)
        at 
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:319)
        at 
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
        at 
com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:290)
        at 
com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:280)
        at 
com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:184)
        at 
com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:89)
        at 
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
        at 
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
        at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown 
Source)
        at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
        at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown 
Source)
        at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
        at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)
        at org.apache.catalina.valves.RemoteIpValve.invoke(Unknown Source)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(Unknown 
Source)
        at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
        at org.apache.catalina.connector.CoyoteAdapter.service(Unknown Source)
        at org.apache.coyote.http2.StreamProcessor.service(Unknown Source)
        at org.apache.coyote.AbstractProcessorLight.process(Unknown Source)
        at org.apache.coyote.http2.StreamProcessor.process(Unknown Source)
        at org.apache.coyote.http2.StreamRunnable.run(Unknown Source)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(Unknown 
Source)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(Unknown 
Source)
        at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.onelogin.saml2.exception.SettingsException: No private key 
available for decrypt, check settings
        at 
com.onelogin.saml2.authn.SamlResponse.decryptAssertion(SamlResponse.java:1204)
        at 
com.onelogin.saml2.authn.SamlResponse.loadXmlFromBase64(SamlResponse.java:168)
        at com.onelogin.saml2.authn.SamlResponse.<init>(SamlResponse.java:118)
        at 
org.apache.guacamole.auth.saml.acs.SAMLService.processResponse(SAMLService.java:152)
        ... 53 common frames omitted

If I use a SAML Firefox add-on to inspect the SAML messages, I can see that the 
IdP replies with a SAML string containing an encrypted message which apparently 
Guacamole-saml is not capable of decrypting.
It finally ends with a call to 
https://infranet.hospitalmanacor.org:8543/HMANsg/api/tokens and a "HTTP/2.0 403 
Forbidden" message which then redirects the client browser back to the IdP 
(redirection loop).

So, please let me know if anyone is already using encrypted messages in 
Guacamole-SAML or not.

If it's not implemented yet, any plans to do so or ideas on how to do it?

Any alternative ideas such as maybe installing and configuring Shibboleth from 
https://shibboleth.net/downloads/service-provider/ and then Shibbolize the 
Guacamole Tomcat web service 
(https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072357/NativeSPEnableApplication)?

Regards,

Vieri
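As an added diagnostic that is not part of this post or of Guacamole itself, the following Python inspects a base64-encoded SAMLResponse (as captured with a browser SAML add-on) and reports whether the IdP wrapped the assertion in a saml:EncryptedAssertion, which is the case that needs the SP's private key, and which algorithms were used. The sample response embedded below is constructed, not a real capture, and the cipher values in it are dummy placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}


def inspect_saml_response(b64_response: str) -> dict:
    """Report whether the assertion in a base64 SAMLResponse is encrypted.

    An EncryptedAssertion can only be opened with the SP's private key, which is
    what the 'No private key available for decrypt' error is about.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    enc = root.find("saml:EncryptedAssertion", NS)
    result = {"encrypted": enc is not None,
              "plain_assertion": root.find("saml:Assertion", NS) is not None,
              "data_algorithm": None, "key_transport_algorithm": None}
    if enc is not None:
        # The outer EncryptionMethod is the symmetric cipher for the assertion;
        # the one under EncryptedKey is how that key was wrapped for the SP cert.
        data = enc.find("xenc:EncryptedData", NS)
        if data is not None:
            m = data.find("xenc:EncryptionMethod", NS)
            k = data.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
            result["data_algorithm"] = m.get("Algorithm") if m is not None else None
            result["key_transport_algorithm"] = k.get("Algorithm") if k is not None else None
    return result


# Constructed sample (not a real IdP capture): the shape a Shibboleth-style IdP
# produces when it encrypts assertions; CipherValue contents are dummies.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
    '<saml:EncryptedAssertion><xenc:EncryptedData '
    'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
    '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey>'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
    '<xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedKey></ds:KeyInfo>'
    '<xenc:CipherData><xenc:CipherValue>REVG</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Run `inspect_saml_response(...)` on the SAMLResponse value taken from the POST to the SP's callback URL; `encrypted: True` confirms the IdP is sending encrypted assertions rather than the SP mis-parsing a plain one.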

