Figured it out. I was able to switch Tomcat over to SSL, which fixed the SAML issue.

________________________________
From: Timothy A. Dilbert | BMT
Sent: 16 June 2022 08:10
To: [email protected] <[email protected]>
Subject: Issues configuring SAML authentication in Apache Guacamole behind a HAProxy

I've deployed an Apache Guacamole server and am trying to configure SSO using SAML with a cloud IDaaS. HAProxy is in front of the Guacamole server, providing SSL offloading.

[World Wide Web] -- HTTPS:443 --> [HAProxy] -- HTTP:8080 --> [Tomcat/Guacamole]

Apache Guacamole was configured following the tutorial on the Guacamole website. When I attempt to authenticate using SAML, I find myself in a redirect loop. The following message is showing up in the Tomcat logs:

```
03:45:29.364 [http-nio-8080-exec-9] WARN o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://my.personal.domain/guacamole/api/ext/saml/callback instead of https://my.personal.domain/guacamole/api/ext/saml/callback
```

I've checked the settings in the IdP and confirmed that everything is indeed configured for HTTPS. I am now wondering if the issue has something to do with traffic between HAProxy and Guacamole being HTTP, but I don't know how or what to do to change that. I'm happy to use a self-signed certificate between HAProxy and Guacamole since they are both on a protected network.

Any ideas you could share would be much appreciated.

Timothy
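The check behind that log line, reproduced as an added example (not Guacamole's or its SAML library's code): the IdP stamps the HTTPS callback into the response's `Destination` attribute, while the servlet container reconstructs the "received at" URL from the scheme it actually saw, which is plain `http` when HAProxy offloads TLS. The SAML response XML below is constructed and stripped to the attributes that matter; function names are mine.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: a minimal samlp:Response carrying only what the
# destination check looks at (no assertion, no signature, no status).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-example" Version="2.0" IssueInstant="2022-06-16T03:45:29Z"
    Destination="https://my.personal.domain/guacamole/api/ext/saml/callback">
</samlp:Response>"""

HOST = "my.personal.domain"
PATH = "/guacamole/api/ext/saml/callback"


def received_url(scheme, host, path):
    """URL the servlet container believes the request arrived at.
    Behind a TLS-offloading proxy that speaks plain HTTP to Tomcat this
    scheme is 'http' even though the browser used HTTPS."""
    return urlunsplit((scheme, host, path, "", ""))


def normalise(url):
    """Compare scheme/host/path with default ports dropped, so
    https://host:443/x and https://host/x are treated as the same URL."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme.lower())
    host = (parts.hostname or "").lower()
    netloc = host if parts.port in (None, default) else f"{host}:{parts.port}"
    return (parts.scheme.lower(), netloc, parts.path or "/")


def validate_destination(saml_response_xml, current_url):
    """Return (ok, message) mirroring the 'received at X instead of Y' check."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    destination = root.get("Destination")
    if destination is None:
        return False, "Destination attribute missing"
    if normalise(destination) != normalise(current_url):
        return False, f"The response was received at {current_url} instead of {destination}"
    return True, "ok"


if __name__ == "__main__":
    # 'http' is the HAProxy-offloaded case from the thread; 'https' is the
    # situation after Tomcat itself terminates TLS.
    for scheme in ("http", "https"):
        print(scheme, validate_destination(SAML_RESPONSE, received_url(scheme, HOST, PATH)))
```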
