Hi Nick,

I am also getting this WARNING message in logs:

"AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: "RelayState" value included with SAML response is not valid."

Searched for its resolution and got this:

The RelayState parameter is used to maintain the state of a single sign-on (SSO) transaction. It is typically used to redirect the user to the correct application URL or resource within the Service Provider (SP) after they have been authenticated by the Identity Provider (IdP).

If you're setting a default RelayState in Okta, you would typically set it to the URL where you want users to be redirected after they've successfully authenticated. The specific URL would depend on your application's structure and the specific resources you want the user to access after logging in. For example, if you want users to land on a specific dashboard page in your application after they log in, the RelayState could be set to that URL, such as "https://www.yourapp.com/dashboard".

However, in the context of the Guacamole SAMLService code you provided, the RelayState is generated dynamically for each SAML request, and it's expected to match the one returned in the SAML response from the IdP (Okta in this case). It appears to be used as a key to retrieve the associated SAMLAuthenticationSession from the sessionManager [1]. Therefore, setting a static default RelayState in Okta might not work correctly with this particular implementation, as it expects the RelayState to be the dynamically generated value that corresponds to a valid session.

It's important to understand how your application uses the RelayState and to configure it appropriately. If you're unsure, it might be best to consult with a developer familiar with your specific application and its SAML SSO implementation.

[1] https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java
On Wed, Jun 7, 2023 at 10:49 AM Shantanu Panda <[email protected]> wrote:
> Yes, I have created a group in Guacamole as 'Admin' and have the same group as 'Admin' on OKTA.
>
> On Wed, Jun 7, 2023 at 6:57 AM Nick Couchman <[email protected]> wrote:
>
>> On Tue, Jun 6, 2023 at 2:39 AM Shantanu Panda <[email protected]> wrote:
>>
>>> Hi Team,
>>>
>>> I am trying to integrate OKTA with Guacamole for SAML based SSO: SAML
>>> <https://guacamole.apache.org/doc/gug/guacamole-docker.html#saml-authentication>
>>>
>>> I have a docker based setup for guacamole and using the below setup:
>>>
>>> docker run --name sso-guacamole \
>>>   --link some-guacd:guacd \
>>>   --link some-postgres:postgres \
>>>   -e GUACD_HOSTNAME=guacd \
>>>   -e POSTGRES_HOSTNAME=postgres \
>>>   -e POSTGRES_PORT=5432 \
>>>   -e POSTGRES_USER=guacamole \
>>>   -e POSTGRES_PASSWORD=mysecretpassword \
>>>   -e POSTGRES_DATABASE=guacamole_db \
>>>   -e POSTGRESQL_AUTO_CREATE_ACCOUNTS=true \
>>>   -e SAML_IDP_METADATA_URL=https://<okta_url>/app/<id>/sso/saml/metadata \
>>>   -e SAML_ENTITY_ID=https://<entity_id> \
>>>   -e SAML_CALLBACK_URL=https://<entity_id>/guacamole/ \
>>>   -e SAML_DEBUG=true \
>>>   -e REMOTE_IP_VALVE_ENABLED=true \
>>>   -p 8080:8080 \
>>>   -e SAML_STRICT=false \
>>>   -e EXTENSION_PRIORITY="saml" \
>>>   -e SAML_GROUP_ATTRIBUTE="groups" \
>>>   -d guacamole/guacamole
>>>
>>> The OKTA SAML Application is configured with basic configuration.
>>> The Authentication works but the permissions of OKTA groups are not being mapped to guacamole and thus the user logged in has no access to the administration settings.
>>>
>>
>> Can you confirm how the groups are being delivered from SAML, and they match _exactly_ (including case sensitivity) the ones you've created in JDBC?
>>
>> -Nick
>>
>
> --
> SHANTANU PANDA
> Sr. Security Devops Engineer
>
> MOBILE +91 7387087672
> EMAIL [email protected]
>
> Snowflake Inc.
> Pune, India

--
SHANTANU PANDA
Sr. Security Devops Engineer
MOBILE +91 7387087672
EMAIL [email protected]
Snowflake Inc.
Pune, India
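The explanation pasted above says the SP generates a fresh RelayState per request and uses it as a lookup key for the pending SAMLAuthenticationSession, which is why a static default RelayState configured at the IdP produces the "RelayState value included with SAML response is not valid" warning. The following is an added, simplified model of that mechanism written for this thread; it is not Guacamole's own code, and the class names, the log text, the 300-second TTL and the request IDs are all constructed for illustration. It shows the normal round trip, a replayed response, a static IdP-side RelayState, and an expired session, and which of those the ACS check rejects.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class SamlAuthenticationSession:
    """Per-login-attempt state the SP keeps until the IdP answers.

    A constructed simplification of the idea behind Guacamole's
    SAMLAuthenticationSession, not the project's class."""
    request_id: str      # ID of the AuthnRequest sent to the IdP
    created_at: float    # when the request was issued (epoch seconds)


class RelayStateSessionManager:
    """Holds pending login attempts keyed by a random RelayState value."""

    def __init__(self, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl_seconds = ttl_seconds
        self.clock = clock                      # injectable so tests can control time
        self._pending: Dict[str, SamlAuthenticationSession] = {}

    def create_session(self, request_id: str) -> str:
        """Start a login attempt; returns the RelayState to send with the AuthnRequest."""
        # 256 bits from a CSPRNG: the value cannot be guessed, so only a response
        # to a request this SP actually issued can match a pending session.
        relay_state = secrets.token_urlsafe(32)
        self._pending[relay_state] = SamlAuthenticationSession(
            request_id=request_id, created_at=self.clock())
        return relay_state

    def consume_session(self, relay_state: Optional[str]) -> Optional[SamlAuthenticationSession]:
        """Look up and remove the session for a RelayState echoed back by the IdP.

        Returns None for a missing, unknown, already-used or expired value."""
        if not relay_state:
            return None
        session = self._pending.pop(relay_state, None)  # single use: removed on first lookup
        if session is None:
            return None
        if self.clock() - session.created_at > self.ttl_seconds:
            return None
        return session


def handle_acs_response(manager: RelayStateSessionManager,
                        relay_state: Optional[str],
                        in_response_to: str) -> Dict[str, str]:
    """Model of the ACS endpoint's RelayState check on an incoming SAML response.

    Signature verification and the other assertion checks are out of scope here;
    this only shows why a static RelayState can never satisfy the lookup."""
    session = manager.consume_session(relay_state)
    if session is None:
        return {"status": "rejected",
                "log": 'WARN Authentication attempted with an invalid SAML response: '
                       '"RelayState" value included with SAML response is not valid.'}
    if session.request_id != in_response_to:
        return {"status": "rejected",
                "log": "WARN SAML response InResponseTo does not match the pending request."}
    return {"status": "accepted",
            "log": f"INFO SAML login for request {session.request_id} accepted."}


def demo() -> Dict[str, str]:
    """Walk through the normal flow and the conditions that trigger the warning."""
    now = [1_000_000.0]                       # constructed fake clock
    manager = RelayStateSessionManager(ttl_seconds=300.0, clock=lambda: now[0])
    results: Dict[str, str] = {}

    # 1. Normal flow: SP issues a request, IdP echoes the RelayState back unchanged.
    rs = manager.create_session("_req-1")
    results["normal"] = handle_acs_response(manager, rs, "_req-1")["status"]

    # 2. The same response presented again: the session was consumed on first use.
    results["replay"] = handle_acs_response(manager, rs, "_req-1")["status"]

    # 3. IdP configured with a static default RelayState (an application URL):
    #    it never matches a pending session, so the SP logs the warning from the thread.
    manager.create_session("_req-2")
    results["static_relay_state"] = handle_acs_response(
        manager, "https://www.yourapp.com/dashboard", "_req-2")["status"]

    # 4. Response arrives after the session TTL has elapsed.
    rs_old = manager.create_session("_req-3")
    now[0] += 600.0
    results["expired"] = handle_acs_response(manager, rs_old, "_req-3")["status"]
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The practical takeaway matches the pasted explanation: with an SP that binds RelayState to a pending session, the IdP application must be left to echo whatever RelayState the SP sent rather than overriding it with a fixed URL, and any post-login landing page has to be handled on the SP side instead.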
