On Thursday, June 30, 2022, 01:22:13 AM GMT+2, Vieri <rentor...@yahoo.com.invalid> wrote:
> Apparently, the IdP had a misconfiguration for the guacamole SP. My original
> error is now solved, and I can now log into the IdP.
> However, when I am redirected back to guacamole I enter an infinite
> redirection loop between SP and IdP.
> That is because Tomcat/Guacamole complains about:
>
> ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at
> https://guac.mydomain.org/guacamole/api/ext/saml/callback instead of
> https://guac.mydomain.org/api/ext/saml/callback

I can see the SAML response in the client browser, and it seems that the callback URL is correct (https://guac.mydomain.org/api/ext/saml/callback).

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://guac.mydomain.org/api/ext/saml/callback" ID="_f53e5bfaf4fae92d0cc4c602f59b8a98" InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95" IssueInstant="2022-06-30T06:44:57.465Z" Version="2.0" >

If Guacamole complains (onelogin is used by the SAML extension), it must be because of the Apache reverse proxy, right?

I didn't change anything in the Apache and guacamole.properties files, but here's a reminder.

Apache config contains:

<Location />
Require all granted
ProxyPass https://localhost:8543/guacamole/ flushpackets=on
ProxyPassReverse https://localhost:8543/guacamole/
ProxyPassReverseCookiePath /guacamole/ /
</Location>

<Location /websocket-tunnel>
Require all granted
ProxyPass wss://localhost:8543/guacamole/websocket-tunnel
ProxyPassReverse wss://localhost:8543/guacamole/websocket-tunnel
</Location>

guacamole.properties contains:

saml-callback-url: https://guac.mydomain.org/

So, I'm pretty sure that if I were to *not* use a "new-path" in the reverse proxy, everything would work fine as long as I specified the callback URL as https://guac.mydomain.org/guacamole/.

However, I'm guessing it's failing here with the "new-path" configuration because:

1) the SAML response is properly being directed to the "new-path"
2) the Apache reverse proxy is passing the callback POST request for https://guac.mydomain.org/api/ext/saml/callback to https://guac.mydomain.org/guacamole/api/ext/saml/callback because it matches the '/' Location
3) the Tomcat Guacamole application complains that it's receiving the callback request at https://guac.mydomain.org/guacamole/api/ext/saml/callback instead of https://guac.mydomain.org/api/ext/saml/callback

Maybe I'm missing a RewriteRule in my Apache config?

Any ideas?

Vieri

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
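The three-step explanation above can be checked with a small model, added here as an illustration; it is not code from Guacamole, java-saml, Apache or the list post. It assumes a simplified prefix-rewrite model of ProxyPass (the longest matching public prefix is swapped for the backend prefix) and an exact-match Destination check, both approximations of the real implementations. Fed the posted config and the Destination from the captured response, it reproduces the logged mismatch; fed the poster's own "no new-path" scenario (callback URL https://guac.mydomain.org/guacamole/ with /guacamole/ proxied to /guacamole/), the check passes.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values taken from the thread: the SAML Destination of the
# IdP's response and the public->backend prefixes from the posted Apache config.
THREAD_DESTINATION = "https://guac.mydomain.org/api/ext/saml/callback"
THREAD_MAPPINGS = [
    ("/", "/guacamole/"),                                  # <Location />
    ("/websocket-tunnel", "/guacamole/websocket-tunnel"),  # <Location /websocket-tunnel>
]

# The poster's hypothetical "no new-path" setup: callback URL and proxy path agree.
SAME_PATH_DESTINATION = "https://guac.mydomain.org/guacamole/api/ext/saml/callback"
SAME_PATH_MAPPINGS = [("/guacamole/", "/guacamole/")]


def rewrite_path(public_path: str, mappings) -> str:
    """Model of ProxyPass prefix rewriting (an assumption, not Apache's exact
    Location merging): the longest matching public prefix wins and is replaced
    by its backend prefix; the remainder of the path is kept."""
    best = max((m for m in mappings if public_path.startswith(m[0])),
               key=lambda m: len(m[0]), default=None)
    if best is None:
        return public_path
    public_prefix, backend_prefix = best
    return backend_prefix + public_path[len(public_prefix):]


def received_url(destination: str, mappings) -> str:
    """URL the servlet container reports for the callback POST: the public
    scheme and host (as shown in the logged error) plus the rewritten path."""
    parts = urlsplit(destination)
    return urlunsplit((parts.scheme, parts.netloc,
                       rewrite_path(parts.path, mappings), "", ""))


def destination_matches(destination: str, mappings) -> bool:
    """Simplified Destination check: the response must arrive at exactly the
    URL named in its Destination attribute."""
    return received_url(destination, mappings) == destination


def diagnose(destination: str, mappings) -> str:
    """Human-readable verdict in the same shape as the logged error."""
    got = received_url(destination, mappings)
    if got == destination:
        return f"OK: response received at {got}"
    return f"The response was received at {got} instead of {destination}"


if __name__ == "__main__":
    print("posted config: ", diagnose(THREAD_DESTINATION, THREAD_MAPPINGS))
    print("same-path setup:", diagnose(SAME_PATH_DESTINATION, SAME_PATH_MAPPINGS))
```

The Destination check is what binds an assertion to the assertion consumer URL it was issued for, so the way out is to make the path the application sees equal the Destination (the callback URL and the proxy's path mapping have to agree), not to relax the check.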