I recently started trying to get SSO working with my dockerized setup. I placed the saml extension in my home directory, set the 3 required variables in guacamole.properties. When I go to guac, it redirects me to my provider, then redirects back to guacamole, but instead of signing me in, it just redirects back to Keycloak, then back forever.
Looking at the guacamole container logs, I see this error:

> 21:50:33.340 [http-nio-8080-exec-2] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at http://rdpb.example.com/api/ext/saml/callback instead of https://rdpb.example.com/api/ext/saml/callback
> 21:50:33.341 [http-nio-8080-exec-2] WARN o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://rdpb.example.com/api/ext/saml/callback instead of https://rdpb.example.com/api/ext/saml/callback

Which makes it seem like the callback is being fired at http instead of https. But I have the redirect URI set to https, so why is it using http?

Here is a bunch of relevant config files:

==========================================
guacamole.properties:
-----------------------------------------------------------
saml-idp-metadata-url: https://keycloak.example.com/auth/realms/master/protocol/saml/descriptor
saml-callback-url: https://rdpb.example.com/
saml-entity-id: guac
extension-priority: saml
skip-if-unavailable: postgresql

==========================================
Kubernetes manifests
-----------------------------------------------------------
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: guacamolebackup
  namespace: wfs
  labels:
    app: guacamolebackup
spec:
  replicas: 1
  selector:
    matchLabels:
      app: guacamolebackup
  template:
    metadata:
      labels:
        app: guacamolebackup
    spec:
      containers:
        - name: guacamole
          image: guacamole/guacamole:1.4.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
              name: http
          env:
            - name: POSTGRES_HOSTNAME
              value: db-postgres-postgresql
            - name: POSTGRES_DATABASE
              value: guacamolebackup
            - name: POSTGRES_USER
              value: guacamolebackup
            - name: POSTGRES_PASSWORD
              value: redacted
            - name: GUACD_HOSTNAME
              value: guacd
            - name: GUACD_PORT
              value: '4822'
            - name: GUACAMOLE_HOME
              value: '/data'
            - name: WEBAPP_CONTEXT
              value: 'ROOT'
          volumeMounts:
            - name: data
              mountPath: /data

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guacamolebackup
  namespace: wfs
  labels:
    app: guacamolebackup
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: 'letsencrypt-prod'
    nginx.ingress.kubernetes.io/enable-cors: 'true'
    nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-body-size: 256M
    nginx.ingress.kubernetes.io/proxy-connect-timeout: '30'
    nginx.ingress.kubernetes.io/proxy-send-timeout: '3600'
    nginx.ingress.kubernetes.io/proxy-read-timeout: '3600'
spec:
  tls:
    - hosts:
        - rdpb.example.com
      secretName: guacamole-tls
  rules:
    - host: rdpb.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: guacamolebackup
                port:
                  name: http
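Added example, not part of the post above and not Guacamole's or java-saml's own code: a small Python model of the SAML Destination check that produces the "received at ... instead of ..." error, run against a constructed SAML Response and a constructed request as the container would see it once the ingress has terminated TLS (plain http, with the proxy's X-Forwarded-Proto header). Whether the application trusts that header is the assumption that flips the result.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: a stripped-down, unsigned SAML Response whose
# Destination is the https callback the IdP was told to post to.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed" Version="2.0" IssueInstant="2022-01-01T00:00:00Z"
  Destination="https://rdpb.example.com/api/ext/saml/callback"/>"""

# Constructed request as the container sees it after the ingress has
# terminated TLS: plain http on its own port, with the proxy's
# X-Forwarded-Proto header announcing the client-facing scheme.
REQUEST = {
    "scheme": "http",
    "host": "rdpb.example.com",
    "path": "/api/ext/saml/callback",
    "headers": {"X-Forwarded-Proto": "https"},
}


def destination_of(saml_xml: str) -> str:
    """Destination attribute the IdP placed on the Response."""
    return ET.fromstring(saml_xml).attrib["Destination"]


def received_at(req: dict, trust_forwarded: bool) -> str:
    """URL the application believes the POST arrived at.

    If the servlet container does not honour X-Forwarded-Proto (for
    Tomcat: no RemoteIpValve configured), the scheme is the socket's
    own, i.e. http behind a TLS-terminating proxy.
    """
    scheme = req["scheme"]
    if trust_forwarded:
        scheme = req["headers"].get("X-Forwarded-Proto", scheme)
    return f"{scheme}://{req['host']}{req['path']}"


def validate_destination(saml_xml: str, req: dict,
                         trust_forwarded: bool) -> Optional[str]:
    """Return None when the Destination check passes, otherwise the
    error text in the same form as the log line in the post."""
    expected = destination_of(saml_xml)
    actual = received_at(req, trust_forwarded)
    if actual != expected:
        return f"The response was received at {actual} instead of {expected}"
    return None


if __name__ == "__main__":
    for trust in (False, True):
        print(f"trust X-Forwarded-Proto={trust}:",
              validate_destination(SAML_RESPONSE, REQUEST, trust) or "ok")
```

The first line printed reproduces the post's error and the second passes: the same SAML response only validates when the client-facing scheme reaches the application.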
