If I edit the source code and change this file:

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/conf/ConfigurationService.java

so it contains these hard-coded values within getSamlSettings() (just for 
testing -- I used my public and private keys in PEM format):

samlMap.put(SettingsBuilder.SP_X509CERT_PROPERTY_KEY, 
"SP_PEM_public_key_string");
samlMap.put(SettingsBuilder.SP_PRIVATEKEY_PROPERTY_KEY, 
"SP_PEM_private_key_string");

then Guacamole can successfully decode encrypted SAML responses. The user can 
finally log into Guacamole without being constantly redirected to the IdP as 
described in my previous posts.

However, it seems that Guacamole barfs on the decoded replies as it aborts with 
an internal error.

The full log (too big to send to the list) is here:

https://drive.google.com/file/d/1J1XVhqaXerZahcIni5SaRr-tr-CcCbLY/view?usp=sharing

I'm supposed to get the username in NameID as in the following line, but it is 
encoded:

536 [https-openssl-apr-8543-exec-1] DEBUG c.onelogin.saml2.authn.SamlResponse - 
SAMLResponse has NameID --> 
AAdzZWNyZXQxvHS57wt8MVHgMnEIP1HFJYlci4R7gdXOwCya816aStAc7KWFAV4LPQviY4b+gqBmGBmFb/exUCRWFenjKvAjwPgAn6Iec73JpEbLRkXmG+xaow2bK2Kom/IIaa7CyyXsQWDmaJ/1P4EDUs7RZEskehMsta1C+g==

So my first question is: how can guacamole decode it as it is already doing 
with the rest of the messages?

In any case, the log line right after that actually *does* contain the username 
in clear text:

538 [https-openssl-apr-8543-exec-1] DEBUG c.onelogin.saml2.authn.SamlResponse - 
SAMLResponse has attributes: {urn:oid:2.5.4.3=[MYUSERNAME], IDP=[INTERNAL]}

Can this be used somehow as NameID (i.e. NameID = MYUSERNAME)?

Everything after that in the log is "ruined" because of the encrypted username 
which is also too long of a string (so postgresql fails in my case).

740 [https-openssl-apr-8543-exec-6] INFO  o.a.g.r.auth.AuthenticationService - 
User "aadzzwnyzxqxvhs57wt8mvhgmneip1hfjylci4r7gdxowcya816astac7kwfav4lpqviy4b+gqbmgbmfb/exucrwfenjkvajwpgan6iec73jpeblrkxmg+xaow2bk2kom/iiaa7cyyxsqwdmaj/1p4edus7rzeskehmsta1c+g==" successfully authenticated from 10.1.1.30.

819 [https-openssl-apr-8543-exec-6] ERROR o.a.g.rest.RESTExceptionMapper - 
Unexpected internal error:
### Error updating database.  Cause: org.postgresql.util.PSQLException: ERROR: 
value too long for type character varying(128)

Regards,

Vieri
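The opaque NameID quoted in the log above can be inspected to see why the SP side cannot turn it into a username and why it overflows the 128-character column; this is an added example in Python, not code from the thread or from the Guacamole project. It assumes the value is a sealed (IdP-encrypted) token whose leading field is a Java writeUTF-style key label (2-byte length plus UTF-8 text), the layout Shibboleth's DataSealer produces; the label "secret1" that the function reads back is consistent with that, but the assumption is this example's, not something the post states.

```python
import base64
import struct

# The NameID value copied from log line 536 in the post above.
NAMEID_FROM_LOG = (
    "AAdzZWNyZXQxvHS57wt8MVHgMnEIP1HFJYlci4R7gdXOwCya816aStAc7KWF"
    "AV4LPQviY4b+gqBmGBmFb/exUCRWFenjKvAjwPgAn6Iec73JpEbLRkXmG+xa"
    "ow2bK2Kom/IIaa7CyyXsQWDmaJ/1P4EDUs7RZEskehMsta1C+g=="
)

# Column width taken from the PSQLException in the post ("character varying(128)").
USERNAME_COLUMN_LIMIT = 128


def inspect_opaque_nameid(value: str) -> dict:
    """Base64-decode a NameID and try to read a writeUTF-style key label
    (2-byte big-endian length followed by that many UTF-8 bytes) from the
    start of the decoded bytes.

    Assumption: the token is a sealed identifier whose first field names the
    IdP key that sealed it. Everything after the label is ciphertext, so an
    SP cannot recover a username from it without the IdP's secret key.
    """
    raw = base64.b64decode(value, validate=True)
    result = {
        "base64_length": len(value),
        "decoded_bytes": len(raw),
        "exceeds_column": len(value) > USERNAME_COLUMN_LIMIT,
        "key_label": None,              # filled in only if a label is readable
        "opaque_payload_bytes": len(raw),
    }
    if len(raw) >= 2:
        (label_len,) = struct.unpack(">H", raw[:2])
        label = raw[2:2 + label_len]
        # A plausible label is short enough to fit and decodes as UTF-8;
        # random ciphertext (or a case-mangled copy of the token) will not.
        if label_len and len(label) == label_len:
            try:
                result["key_label"] = label.decode("utf-8")
                result["opaque_payload_bytes"] = len(raw) - 2 - label_len
            except UnicodeDecodeError:
                pass
    return result


if __name__ == "__main__":
    print(inspect_opaque_nameid(NAMEID_FROM_LOG))
```

Running it on the lowercased copy that appears in log line 740 shows no readable label at all, which is why a base64 token that has been case-folded by the SP is no longer even the same value the IdP issued.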
