Hey folks,
Hope this is the right place and that this email finds you well. I've been
struggling for a fair bit with getting a POC up for Guacamole behind a
reverse proxy in our environment, to be integrated with Okta SSO. We are
leveraging SAML through Okta's offerings, and the authentication part is
working just fine - but when a user successfully logs in, none of the
connections are made available and no permissions are granted.
I worked with Okta and took a SAML trace to confirm that Okta is sending
the groups correctly, but it appears Guacamole isn't receiving them.
Furthermore, when looking at the console and initiating a network
connection, I do get a 404 error for the path
"api/session/data/saml/users/<username>" with the following:
{
  "message": "Permission Denied.",
  "translatableMessage": {
    "key": "APP.TEXT_UNTRANSLATED",
    "variables": {"MESSAGE": "Permission Denied."}
  },
  "statusCode": null,
  "expected": null,
  "type": "PERMISSION_DENIED"
}
We're using version 1.5.0 for both Guacamole and the SAML plugin,
using the pre-packaged Bitnami appliance from VMware. I get the
feeling that I'm not passing a header or cookie or something correctly
between Guacamole and Okta, but I'm lost. Hoping y'all can help point
me in the right direction - let me know what other information you
need from me and I'll gladly supply it.
Warm regards,
Nick Ragsdale
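Added example (not part of the original email, and not code from Guacamole or Okta): when the IdP trace shows groups being sent but the SP grants no permissions, the first thing to compare is the attribute Name carried in the assertion against the attribute name the SP's SAML extension is configured to read for groups. The script below parses a SAML Response and lists every attribute with its values, then reports whether a given expected group attribute name is present, and if not, which attributes look like group lists. The SAML Response is a constructed sample (no signature, placeholder IDs, fictional group names); the attribute name "groups" and the expected name passed to the check are assumptions, not anything the original post states.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used when searching the response
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample SAML Response, trimmed to the elements relevant to
# attribute mapping. No Signature element, placeholder IDs, fictional values.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_example-response" Version="2.0">
  <saml2:Assertion ID="_example-assertion" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="groups">
        <saml2:AttributeValue>guac-admins</saml2:AttributeValue>
        <saml2:AttributeValue>guac-users</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue>user@example.test</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def extract_assertion_attributes(response_xml):
    """Return (name_id, {attribute_name: [values]}) from a SAML Response.

    Only the first Assertion is inspected; the sample carries exactly one.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")

    name_id_el = assertion.find("saml2:Subject/saml2:NameID", NS)
    name_id = None
    if name_id_el is not None and name_id_el.text:
        name_id = name_id_el.text.strip()

    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [
            v.text.strip()
            for v in attr.findall("saml2:AttributeValue", NS)
            if v.text
        ]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def check_group_attribute(attrs, expected_name):
    """Report whether the attribute the SP expects to carry groups is present.

    Returns ("ok", values) when found, otherwise ("missing", candidates) where
    candidates are attribute names that look like group lists (multi-valued
    or containing "group"), i.e. likely names the SP side is not looking at.
    """
    if attrs.get(expected_name):
        return "ok", attrs[expected_name]
    candidates = [
        name for name, values in attrs.items()
        if len(values) > 1 or "group" in name.lower()
    ]
    return "missing", candidates


if __name__ == "__main__":
    subject, attributes = extract_assertion_attributes(SAMPLE_RESPONSE)
    print("NameID:", subject)
    for name, values in attributes.items():
        print(f"  {name}: {values}")
    # "memberOf" is an assumed mismatched name to show the diagnostic branch
    for expected in ("groups", "memberOf"):
        print(expected, "->", check_group_attribute(attributes, expected))
```

To use this against a real trace, paste the decoded SAMLResponse XML in place of the constructed sample and pass the attribute name your SP is configured to read for groups; a "missing" result with the group list showing up under a different name points at an attribute-name mismatch rather than a proxy or cookie problem.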