Thanks for pointing me in the right direction. This makes sense. I think the issue was that without knowing ahead of time that I needed to use database authentication to do this, I didn't think to read the database authentication section. I should be set now.
Dave

________________________________
From: Michael Jumper <[email protected]>
Sent: Wednesday, October 26, 2022 1:55 PM
To: [email protected] <[email protected]>
Subject: Re: Managing connections with SAML authentication

On Wed, Oct 26, 2022 at 10:41 AM Guertin, David S. <[email protected]> wrote:

> I've got a new Guacamole installation set up and configured with SAML authentication, so that all users can log in with their Azure Active Directory credentials. The authentication is working, and all allowed users can log in, but there are no connections showing because none have been configured yet. Earlier, I had played around with basic auth and gotten connections set up in the user-mapping.xml file, but when I tried to read how to configure connections with SAML auth, all I can find is:
>
> "This module does not provide any capability for storing or retrieving connections, and must be layered with other authentication extensions that provide connection management."
>
> At this point I'm lost. I can't find documentation describing how I would layer SAML auth with another authentication extension. Is there a documented procedure for doing this?

Yes - you need to set up one of the supported databases. See:

https://guacamole.apache.org/doc/gug/jdbc-auth.html

From above:

"...
While most authentication extensions function independently, the database authentication can act in a subordinate role, allowing users and user groups from other authentication extensions to be associated with connections within the database. Users and groups are considered identical to those within the database if they have the same names, and the authentication result of another extension will be trusted if it succeeds.
..."

You can have users authenticated by SAML, group memberships defined by SAML or the database, and connection configurations and authorizations defined by the database. After the database support is installed, the database-backed aspects of this are managed through the web UI.

- Mike
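
The layering described in the reply above, sketched as a `guacamole.properties` fragment. This is an added example, not part of the thread or of the Guacamole project's own files. It assumes the MySQL variant of the database extension, and every hostname, URL, database name and credential in it is a constructed placeholder.

```properties
# --- SAML extension: authenticates users against the IdP (e.g. Azure AD) ---
# Placeholder metadata URL; use the federation metadata URL from your IdP.
saml-idp-metadata-url: https://idp.example.org/federationmetadata.xml
# Entity ID and callback URL of this Guacamole deployment (placeholders).
saml-entity-id: https://guac.example.org
saml-callback-url: https://guac.example.org/guacamole
# Optional: SAML attribute carrying group memberships, so that groups
# asserted by the IdP can be matched to same-named groups in the database.
saml-group-attribute: groups

# --- Database extension: stores connections and who may use them ---
# Placeholder connection details for the Guacamole database.
mysql-hostname: db.example.org
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME_PLACEHOLDER

# Create a database account automatically the first time a user
# authenticated by another extension (here, SAML) logs in. Without this,
# a database user with exactly the same name as the SAML username must be
# created through the web UI before connections can be assigned to it.
mysql-auto-create-accounts: true
```

Because the database extension trusts a successful SAML result and matches users and groups purely by name, the username and group values the IdP asserts are what the connection permissions in the database are bound to.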
