On Fri, Mar 24, 2023 at 3:02 PM Michael Hess <[email protected]>
wrote:

> First, can I pass a saml attribute like we can with ldap_{attribute} in
> some way? I need to pass the Azure onpremisessamaccountname attribute as
> the username, so LDAP groups work with SAML accounts vs having the full
> email as the username. I do see it in the SAML token coming back when
> authenticating.
>

You should be able to configure Azure to provide the username in a
different format. In SAML, the username is referred to as the "NameID", and
might be in Azure's configuration as such.

Can you clarify how the availability of a SAML attribute ties together with
LDAP group membership in your case?

When using SAML, group membership would be asserted by the SAML IdP. This
is dictated by an attribute that includes a list of the group names that
apply to a user, not by the user's username. It is true that a user's
username will be matched up with corresponding user accounts and groups
within Guacamole's database, but this has no impact on Guacamole's
integration with LDAP which would affect only users that log in directly
with Guacamole using LDAP credentials.

> Second, I don't know what I messed up, running in docker, but now the
> guacamole container won't start, I just get this over and over. I've
> disabled the extension for recordings, as well as removed the containers
> and image and rebuilt:
>
>  cp: cannot access '/etc/guacamole/./recordings': Permission denied
> guacamole exited with code 1
>

Do you have a volume mount pointing at that path?

- Mike
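As an added illustration of the point made above about SAML (not code from this thread or from the Guacamole project): a small Python routine that pulls the NameID and a multi-valued group attribute out of a SAML assertion, showing that the username and the group list come from separate parts of the assertion. The sample assertion, the attribute name `groups` and the values in it are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion for illustration only. A real
# deployment validates the signature before trusting any of these values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">mhess</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Michael Hess</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>guac-admins</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text, group_attribute="groups"):
    """Return (username, groups) from a SAML 2.0 assertion.

    The username is the Subject's NameID, which the IdP is configured to
    emit in the desired format. Group membership is the list of values of
    one attribute (name given by group_attribute), independent of NameID.
    """
    root = ET.fromstring(xml_text)
    name_id_el = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id_el is None or not (name_id_el.text or "").strip():
        raise ValueError("assertion has no NameID; configure the IdP to send one")
    name_id = name_id_el.text.strip()

    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != group_attribute:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return name_id, groups
```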
