On Tue, Feb 28, 2023 at 8:11 AM Tyler Hale <[email protected]> wrote:
>
> Hi Lorenzo,
>
> I have experienced this situation in both versions 1.4.0 and 1.5.0. For my
> case, the TOTP doesn't appear to be fully activating when it uses the SSO
> authentication method. After trying a new session, it still prompts to set up
> the TOTP code and the user account does not have the flag set for "TOTP key
> confirmed". I can manually set a password for an SSO account and log in using
> the traditional login menu. That allows the TOTP code to be confirmed and
> works through the non-SSO login. However, when attempting the SSO login with
> the same account and confirmed OTP code, it still has the error when logging
> in.
>

Tyler,

I've never attempted to configure things in the way you're trying to do it, but I'm wondering if either changing the order of the modules might help - or if you've hit a bug or something that needs to be updated within the Guacamole code in order to accomplish what you're trying to do.

You might start by changing the load or evaluation order of the extensions - I would make sure the order is SAML -> JDBC -> TOTP. The reason for this is that TOTP needs to store its configuration data in another extension - it has no storage mechanism of its own - and the only extension to currently support this is the JDBC extension. Thus, if the order is incorrect, it could be trying to store TOTP configuration data in the SAML module and just silently failing to do that. Again, this is just something to try and see if that helps - I'm not sure that it will.

You also might want to put your Guacamole Client instance into debug mode and look at the Tomcat logs during a login and TOTP registration/confirmation process to see if anything gets logged that might be useful in helping figure out why data isn't getting saved/stored/updated.

-Nick

> Thanks!
>
> -Tyler
>
> On Tue, Feb 28, 2023 at 12:34 AM MAURIZI Lorenzo
> <[email protected]> wrote:
>>
>> Tyler,
>>
>> I noticed a similar behaviour in guacamole 1.4.0: after setting up the TOTP
>> for the first time with the QR code, the subsequent login attempt fails.
>>
>> In my case I just need to close the browser and log in again: you will
>> be asked for an OTP code (the TOTP was correctly activated in the previous
>> login attempt) and the login succeeds.
>>
>> Regards.
>>
>> Lorenzo
>>
>> From: Tyler Hale <[email protected]>
>> Sent: Monday, 27 February 2023 18:27
>> To: [email protected]
>> Subject: Issue with SSO (SAML) Login with TOTP Extension
>>
>> Hello, I am having an issue configuring Apache Guacamole when SAML and TOTP
>> are both enabled. The backend for the server is using MariaDB with the MySQL
>> connector. I am using SAML SSO to Azure AD which signs in successfully when
>> the TOTP module is not enabled. The TOTP module works with a local user that
>> is not using SSO.
>>
>> When the TOTP module is enabled, the SAML login completes and redirects to
>> the screen for setting up a TOTP code. When you enter the TOTP code, it
>> returns a 403 invalid login response. I have the 403 response below along
>> with the debug logs that happen during the TOTP authentication attempt.
>>
>> 403 POST https://remote.redacted.com/api/tokens
>>
>> Response: {"message":"Invalid login","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"Invalid login"}},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}
>>
>> Debug logs: https://pastebin.com/GPCwP5Fk
>>
>> guacamole.properties: https://pastebin.com/DDtB1F8e
>>
>> Any help would be much appreciated. Thanks!
>>
>> -Tyler Hale
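As an added illustration of the load-order suggestion in Nick's reply (this is not code from the thread or from the Guacamole project), the following Python checker reads a guacamole.properties file and reports when the TOTP extension is ordered ahead of the JDBC extension it needs for storing its keys, or when the SSO extension comes after JDBC. It assumes Guacamole's extension-priority property (a comma-separated list of extension namespaces, with "*" standing for all unlisted extensions, which are otherwise assumed to load alphabetically after the listed ones), and assumes the namespace names saml, openid, cas, mysql, postgresql, sqlserver and totp. The properties text below is constructed for the example and is not the pastebin from the thread.

```python
"""Lint the extension load order in a Guacamole guacamole.properties file.

Assumptions (not taken from the thread): the "extension-priority" property
holds a comma-separated list of extension namespaces, "*" expands to every
extension not named explicitly, and unlisted extensions load alphabetically
after the listed ones. The namespace names below are assumptions too; check
them against the extensions actually installed.
"""
import re

SSO_NAMESPACES = {"saml", "openid", "cas"}              # assumed namespace names
JDBC_NAMESPACES = {"mysql", "postgresql", "sqlserver"}  # assumed namespace names
TOTP_NAMESPACE = "totp"                                 # assumed namespace name


def parse_properties(text: str) -> dict:
    """Parse 'key: value' / 'key = value' lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def load_order(priority_value: str, installed: list) -> list:
    """Resolve the effective order: explicit entries in place, '*' expands to the rest."""
    explicit = [p.strip() for p in priority_value.split(",") if p.strip()]
    rest = sorted(ns for ns in installed if ns not in explicit)
    order = []
    for ns in explicit:
        order.extend(rest if ns == "*" else [ns])
    if "*" not in explicit:
        order.extend(rest)  # assumed: unlisted extensions follow the listed ones
    return order


def check_extension_order(properties_text: str, installed: list) -> tuple:
    """Return (findings, effective_order); an empty findings list means the order looks right."""
    props = parse_properties(properties_text)
    findings = []
    if "extension-priority" not in props:
        findings.append("extension-priority is not set; load order falls back to the default")
        order = sorted(installed)  # assumed default: alphabetical by namespace
    else:
        order = load_order(props["extension-priority"], installed)

    pos = {ns: i for i, ns in enumerate(order)}
    if TOTP_NAMESPACE in pos:
        jdbc = [ns for ns in order if ns in JDBC_NAMESPACES]
        if not jdbc:
            findings.append("totp is loaded but no JDBC extension is present to store its keys")
        else:
            if pos[jdbc[0]] > pos[TOTP_NAMESPACE]:
                findings.append(f"totp loads before {jdbc[0]}; TOTP has no storage of its own, "
                                f"so move the JDBC extension ahead of it")
            for sso in (ns for ns in order if ns in SSO_NAMESPACES):
                if pos[sso] > pos[jdbc[0]]:
                    findings.append(f"{sso} loads after {jdbc[0]}; put the SSO extension first "
                                    f"so the order is SSO -> JDBC -> TOTP")
    return findings, order


# Constructed sample files (not the configuration from the thread).
SAMPLE_BROKEN = """\
# guacamole.properties (constructed example)
mysql-hostname: localhost
mysql-database: guacamole_db
saml-idp-metadata-url: https://login.example.invalid/metadata
extension-priority: totp, mysql, saml
"""
SAMPLE_FIXED = "extension-priority: saml, mysql, totp\n"
INSTALLED = ["mysql", "saml", "totp"]

if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        findings, order = check_extension_order(text, INSTALLED)
        print(f"{label}: order={order}")
        for f in findings:
            print("  -", f)
```

Running the script prints two findings for the constructed "broken" file (TOTP ahead of MySQL, SAML after MySQL) and none for the corrected one; the installed list is passed in explicitly because the real set of extensions is whatever sits in GUACAMOLE_HOME/extensions on the server.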
