Hi Sean, We implemented something similar but its connected to an OpenID Idp and that is where the problem occurs. All users are provisioned in lower case from our side but we have no control over the Idp side where users can use varying cases in their username or even autocomplete systems that capitalize the first letter by default. Most user/public facing auth providers are for this reason case insensitive.
From: Sean Hulbert<mailto:[email protected]> Sent: dinsdag 18 juli 2023 23:34 To: [email protected]<mailto:[email protected]> Subject: Re: The case of case sensitive usernames We do this all day long, easy solution is to implement the SQL database connection, write directly to the database the user accounts and passwords, use the REST API for connections; inject connection information to database assigned to user and upon destroying the connections delete username passwords and connection token. Basically we wrote our own Provisioning server using an xAPI format to control Guacamole for on the fly provisioning. Hope this helps. Sean On 7/18/2023 1:44 PM, Najib . wrote: Hi Nick, Sadly this wont work for our use case. We pre create the user and link it to a just-in-time created server connection. Afterwards the connection is destroyed. If we would use groups instead then we need to create a group for every single user just to circumvent this issue. Since we use the email claim we discovered that the IdPs, which we don’t have control over, can have various permutations of capitals in the email address. So it gets hard to predict the correct username to pre create, hence the need for capital insensitive usernames. Users can be hard to predict when given control over entering their username. On 2023/07/18 19:09:56 Nick Couchman wrote: > On Tue, Jul 18, 2023 at 12:49 PM Najib . > <[email protected]><mailto:[email protected]> wrote: > > > > We are having some grief with Guac being case sensitive for usernames. I > > saw that this has been mentioned multiple times in the past: > > > > > > > > https://issues.apache.org/jira/browse/GUACAMOLE-1239 > > > > > > > > We are facing the same problem using the OpenID extension. > > > > > > > > Anyone willing to implement an option to normalize all usernames to end the > > grief? The poor ticket guy offered some sponsorship I am willing to add to > > it. > > This can certainly be done, and the code is reasonably easy to > change...however, if you have your SSO system (OpenID in your case) > pass through the group names, and assign permissions that way, then > you don't have to worry about it. > > -Nick > > --------------------------------------------------------------------- > To unsubscribe, e-mail: > [email protected]<mailto:[email protected]> > For additional commands, e-mail: > [email protected]<mailto:[email protected]> > >
