Hi Nick,

I am also getting this WARNING message in the logs:

"AssertionConsumerServiceResource - Authentication attempted with an
invalid SAML response: "RelayState" value included with SAML response is
not valid."

I searched for a resolution and found this:

The RelayState parameter is used to maintain the state of a single sign-on
(SSO) transaction. It is typically used to redirect the user to the correct
application URL or resource within the Service Provider (SP) after they
have been authenticated by the Identity Provider (IdP).

If you're setting a default RelayState in Okta, you would typically set it
to the URL where you want users to be redirected after they've successfully
authenticated. The specific URL would depend on your application's
structure and the specific resources you want the user to access after
logging in. For example, if you want users to land on a specific dashboard
page in your application after they log in, the RelayState could be set to
that URL, such as "https://www.yourapp.com/dashboard".

However, in the context of the Guacamole SAMLService code you provided, the
RelayState is generated dynamically for each SAML request, and it's
expected to match the one returned in the SAML response from the IdP (Okta
in this case). It appears to be used as a key to retrieve the associated
SAMLAuthenticationSession from the sessionManager (see SAMLService.java:
<https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java>).
Therefore, setting a static default RelayState in Okta might not work
correctly with this particular implementation, as it expects the RelayState
to be the dynamically generated value that corresponds to a valid session.

It's important to understand how your application uses the RelayState and
to configure it appropriately. If you're unsure, it might be best to
consult with a developer familiar with your specific application and its
SAML SSO implementation.

On Wed, Jun 7, 2023 at 10:49 AM Shantanu Panda <[email protected]>
wrote:

> Yes, I have created a group in Guacamole as 'Admin' and have the same
> group as 'Admin' on OKTA.
>
> On Wed, Jun 7, 2023 at 6:57 AM Nick Couchman <[email protected]> wrote:
>
>>
>>
>> On Tue, Jun 6, 2023 at 2:39 AM Shantanu Panda
>> <[email protected]> wrote:
>>
>>> Hi Team,
>>>
>>> I am trying to integrate OKTA with Guacamole for SAML based sso : SAML
>>> <https://guacamole.apache.org/doc/gug/guacamole-docker.html#saml-authentication>
>>>
>>> I have a docker based setup for guacamole and using the below setup :
>>>
>>>     docker run --name sso-guacamole \
>>>         --link some-guacd:guacd \
>>>         --link some-postgres:postgres \
>>>         -e GUACD_HOSTNAME=guacd \
>>>         -e POSTGRES_HOSTNAME=postgres \
>>>         -e POSTGRES_PORT=5432 \
>>>         -e POSTGRES_USER=guacamole \
>>>         -e POSTGRES_PASSWORD=mysecretpassword \
>>>         -e POSTGRES_DATABASE=guacamole_db \
>>>         -e POSTGRESQL_AUTO_CREATE_ACCOUNTS=true \
>>>         -e SAML_IDP_METADATA_URL=https://<okta_url>/app/<id>/sso/saml/metadata \
>>>         -e SAML_ENTITY_ID=https://<entity_id> \
>>>         -e SAML_CALLBACK_URL=https://<entity_id>/guacamole/ \
>>>         -e SAML_DEBUG=true \
>>>         -e REMOTE_IP_VALVE_ENABLED=true \
>>>         -p 8080:8080 \
>>>         -e SAML_STRICT=false \
>>>         -e EXTENSION_PRIORITY="saml" \
>>>         -e SAML_GROUP_ATTRIBUTE="groups" \
>>>         -d guacamole/guacamole
>>>
>>> The OKTA SAML Application is configured with basic configuration.
>>> The Authentication works but the permissions of OKTA groups are not
>>> being mapped to guacamole and thus the user logged in has no access to the
>>> administration settings.
>>>
>>
>> Can you confirm how the groups are being delivered from SAML, and that they
>> match _exactly_ (including case sensitivity) the ones you've created in
>> JDBC?
>>
>> -Nick
>>
>>>
>
> --
> SHANTANU PANDA
> Sr. Security Devops Engineer
>
> MOBILE  +91 7387087672
> EMAIL  [email protected]
>
>
> Snowflake Inc.
> Pune, India
>


-- 
SHANTANU PANDA
Sr. Security Devops Engineer

MOBILE  +91 7387087672
EMAIL  [email protected]


Snowflake Inc.
Pune, India
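Added example, not Guacamole's code and not written by anyone in this thread: a small Python model of the two checks the thread turns on. First, the service provider mints a fresh RelayState per login, stores it against a pending session, and only accepts a SAML response whose RelayState it issued itself; a static "default RelayState" configured on the IdP side is therefore rejected with the same wording as the WARNING above. Second, the group attribute is read out of a constructed sample assertion and compared with the JDBC group names as an exact, case-sensitive match, so "admin" from the IdP does not map to a Guacamole group named "Admin". The class and function names (SamlSessionManager, extract_groups, map_groups) and the sample assertion are assumptions made for this illustration.

```python
"""Toy service-provider (SP) model of RelayState binding and exact-match group
mapping. This is an added illustration, not Guacamole's own implementation."""
import secrets
import time
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the assertion below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class RelayStateError(ValueError):
    """Raised when an ACS callback carries an unknown, reused or expired RelayState."""


class SamlSessionManager:
    """Keeps pending SSO transactions keyed by a per-request RelayState (hypothetical name)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # relay_state -> (created_at, original target path)

    def begin_login(self, target_path="/guacamole/", now=None):
        """Start an SP-initiated login: mint an unguessable RelayState and remember it."""
        now = time.time() if now is None else now
        relay_state = secrets.token_urlsafe(32)
        self._pending[relay_state] = (now, target_path)
        return relay_state

    def consume(self, relay_state, now=None):
        """Validate the RelayState returned with the SAML response; one-time use."""
        now = time.time() if now is None else now
        entry = self._pending.pop(relay_state, None)
        if entry is None:
            raise RelayStateError(
                '"RelayState" value included with SAML response is not valid.')
        created_at, target_path = entry
        if now - created_at > self.ttl:
            raise RelayStateError("RelayState has expired.")
        return target_path


def relay_state_is_valid(manager, relay_state, now=None):
    """Boolean wrapper around consume() for callers that only need accept/reject."""
    try:
        manager.consume(relay_state, now=now)
        return True
    except RelayStateError:
        return False


def extract_groups(assertion_xml, group_attribute="groups"):
    """Return the values of the named attribute (SAML_GROUP_ATTRIBUTE) from an assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == group_attribute:
            for value in attr.findall("saml:AttributeValue", NS):
                values.append((value.text or "").strip())
    return values


def map_groups(idp_groups, jdbc_groups):
    """Exact, case-sensitive comparison: returns (matched, unmatched) group names."""
    known = set(jdbc_groups)
    matched = [g for g in idp_groups if g in known]
    unmatched = [g for g in idp_groups if g not in known]
    return matched, unmatched


# Constructed sample assertion (not a real Okta response); only the parts used here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>Operators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def demo():
    """Walk through a valid login, a rejected static RelayState, and group mapping."""
    mgr = SamlSessionManager()
    rs = mgr.begin_login(now=1000.0)
    target = mgr.consume(rs, now=1010.0)  # issued by this SP, still fresh: accepted
    # A static default RelayState configured on the IdP was never issued by the SP.
    static_ok = relay_state_is_valid(mgr, "https://www.yourapp.com/dashboard", now=1011.0)
    groups = extract_groups(SAMPLE_ASSERTION)
    matched, unmatched = map_groups(groups, ["Admin", "Operators"])
    return target, static_ok, groups, matched, unmatched


if __name__ == "__main__":
    print(demo())
```

The one-time-use pop and the TTL are the two properties that make the WARNING informative rather than noisy: a RelayState that is replayed, or arrives after the pending session was cleared, is logged the same way as one the SP never issued. For the group problem, `unmatched` is the list to compare against the group names created in JDBC before changing anything in Okta.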