It contains "guacamole" in the path because that's what Tomcat does... it
infers paths by the name of the file, as you see.

If it's easier, you can also achieve this by setting WEBAPP_CONTEXT in the
environment:

https://github.com/apache/guacamole-client/blob/1.4.0/guacamole-docker/bin/start.sh#L728

On Thu, Jun 30, 2022 at 7:20 AM Vieri <rentor...@yahoo.com.invalid> wrote:

> The problem seems to be with the onelogin library:
>
> java-saml/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java
>
> contains:
>
>         protected void validateDestination(final Element element) throws ValidationError {
>                 if (element.hasAttribute("Destination")) {
>                         final String destinationUrl = element.getAttribute("Destination");
>                         if (destinationUrl != null) {
>                                 if (destinationUrl.isEmpty()) {
>                                         throw new ValidationError("The response has an empty Destination value", ValidationError.EMPTY_DESTINATION);
>                                 } else if (!destinationUrl.equals(currentUrl)) {
>                                         throw new ValidationError("The response was received at " + currentUrl + " instead of " + destinationUrl, ValidationError.WRONG_DESTINATION);
>                                 }
>                         }
>                 }
>         }
>
> Now, considering my Apache reverse proxy config and the "Destination"
> field in the SAML response here below:
>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>                  Destination="https://guac.mydomain.org/api/ext/saml/callback"
>                  ID="_f53e5bfaf4fae92d0cc4c602f59b8a98"
>                  InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95"
>                  IssueInstant="2022-06-30T06:44:57.465Z"
>                  Version="2.0"
>                  >
>
> I guess that's why it's "failing" because currentUrl != destinationUrl.
>
> Now, how come currentUrl is
> https://guac.mydomain.org/guacamole/api/ext/saml/callback ?
> Who is requesting that URL and why does it contain "guacamole" in the path?
> Neither the IdP nor the guacamole SP ever mention that the callback should
> be https://guac.mydomain.org/guacamole/api/ext/saml/callback.
>
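
The mismatch discussed in this thread, as an added example that is not code from java-saml, Guacamole or either poster: it applies the same exact-match rule as the quoted validateDestination() to a URL rebuilt from the .war file name, using Tomcat's naming rules (ROOT is the empty context, "#" becomes "/", "##version" is dropped). The class and helper names, and the assumption that the SP's view of its own URL is public origin + context path + path inside the webapp, are illustrative; the host and paths are the ones quoted above.

```java
// Added illustration; not java-saml's or Guacamole's own code.
public class DestinationCheckDemo {

    // Tomcat derives the context path from the deployed file name:
    //   guacamole.war -> /guacamole, ROOT.war -> "" (root),
    //   a#b.war -> /a/b, name##2.war -> /name (version suffix dropped)
    static String contextPathFor(String warName) {
        String base = warName.replaceAll("\\.war$", "");
        int version = base.indexOf("##");
        if (version >= 0) {
            base = base.substring(0, version);
        }
        if (base.equals("ROOT")) {
            return "";
        }
        return "/" + base.replace('#', '/');
    }

    // Assumption: the URL the SP believes it was reached at is the public
    // origin (as seen through the reverse proxy) + context path + webapp path.
    static String currentUrl(String publicOrigin, String warName, String pathInWebapp) {
        return publicOrigin + contextPathFor(warName) + pathInWebapp;
    }

    // Same rule as the quoted method: a present Destination must be
    // non-empty and must equal the current URL exactly.
    static String check(String destination, String currentUrl) {
        if (destination == null) {
            return "OK (no Destination attribute)";
        }
        if (destination.isEmpty()) {
            return "EMPTY_DESTINATION";
        }
        if (!destination.equals(currentUrl)) {
            return "WRONG_DESTINATION: received at " + currentUrl
                    + " instead of " + destination;
        }
        return "OK";
    }

    public static void main(String[] args) {
        String origin = "https://guac.mydomain.org";          // from the thread
        String destination = origin + "/api/ext/saml/callback"; // from the SAML response
        for (String war : new String[] {"guacamole.war", "ROOT.war"}) {
            String url = currentUrl(origin, war, "/api/ext/saml/callback");
            System.out.println(war + " -> " + check(destination, url));
        }
    }
}
```

Because the comparison is an exact string match, the fix is to make the deployed context path and the Destination the IdP sends agree, not to loosen the check.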
