Hi,

Got some more debugging done. The ” usage was a copying typo; I was actually using regular double quotes ("). But actually, the quotes have something to do with it.
This is the log I was getting when using:

CATALINA_OPTS="-Dhttp.proxyHost=my-proxy-server.com -Dhttp.proxyPort=123 -Dhttps.proxyHost=my-proxy-server.com -Dhttps.proxyPort=123"

27-Oct-2023 18:32:27.745 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/8.5.95
27-Oct-2023 18:32:27.751 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Oct 12 2023 00:55:53 UTC
27-Oct-2023 18:32:27.751 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 8.5.95.0
27-Oct-2023 18:32:27.751 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
27-Oct-2023 18:32:27.751 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 5.15.0-87-generic
...
27-Oct-2023 18:32:27.752 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dhttp.proxyHost=my-proxy-server.com -Dhttp.proxyPort=123 -Dhttps.proxyHost=my-proxy-server.com -Dhttps.proxyPort=123
...
18:32:29.519 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - - [postgresql] "PostgreSQL Authentication" (/home/guacamole/.guacamole/extensions/guacamole-auth-jdbc-postgresql-1.5.3.jar)
18:32:29.519 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - - [saml] "SAML Authentication Extension" (/home/guacamole/.guacamole/extensions/1-guacamole-auth-sso-saml-1.5.3.jar)
18:32:29.519 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - To change this order, set the "extension-priority" property or rename the extension files. The default priority of extensions is dictated by the sort order of their file names.
18:32:30.228 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "PostgreSQL Authentication" (postgresql) loaded.
18:32:30.359 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "SAML Authentication Extension" (saml) loaded.
18:32:30.486 [localhost-startStop-1] INFO o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
27-Oct-2023 18:32:31.232 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/home/guacamole/tomcat/webapps/guacamole.war] has finished in [3,300] ms
27-Oct-2023 18:32:31.234 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
27-Oct-2023 18:32:31.249 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 3362 ms
18:51:45.785 [http-nio-8080-exec-7] WARN o.a.g.e.AuthenticationProviderFacade - The "saml" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: saml" within your guacamole.properties.
18:51:45.791 [http-nio-8080-exec-7] ERROR o.a.g.rest.RESTExceptionMapper - Request could not be processed: Could not parse SAML IdP Metadata file.

Then I tried without quotes:

CATALINA_OPTS=-Dhttp.proxyHost=my-proxy-server.com -Dhttp.proxyPort=123 -Dhttps.proxyHost=my-proxy-server.com -Dhttps.proxyPort=123

and now it works. I also tried to set system proxy vars and use JAVA_OPTS=-Djava.net.useSystemProxies=true, but that doesn't make it work. Looks like JAVA_OPTS has no effect on the SAML authentication (proxy-setting wise). So, I have to use CATALINA_OPTS, and the value needs to be unquoted.

Thank you so much!

________________________________
From: Michael Jumper <[email protected]>
Sent: Friday, October 13, 2023 2:22 PM
To: [email protected] <[email protected]>
Subject: Re: Using SAML Authentication behind proxy

On 10/13/2023 12:10 PM, Oliver, Dario N wrote:
> Hi,
>
> I am using Guacamole with Docker and enabled the SAML extension for authentication.
>
> When I am in a proxied network, I can’t make the SAML extension fetch the SAML_IDP_METADATA file that is externally hosted.
>
> I tried setting JAVA_OPTS and CATALINA_OPTS with the proxy configuration, but it looks like they have no effect in the extension.
>
> I made it work by downloading the metadata file and providing that to the guacamole container with a volume mount, which worked fine.
>
> But I am wondering if I am not setting the proxy parameters properly, or if the SAML extension is ignoring JAVA_OPTS (or CATALINA_OPTS, but I think this one doesn’t apply here).
>
> For reference, this is how I am running the container with docker compose:
> ...
> - JAVA_OPTS=” -Dhttp.proxyHost=10.0.0.100 -Dhttp.proxyPort=8800”
> ...
>
> Any hints on what might be wrong with my setup?

I'm not sure whether the JVM parameters for proxy usage will affect the outbound HTTP connections created by the SAML library, but if they do I suspect you'll need to use CATALINA_OPTS. This would also allow you to see whether your options are being received as expected, as Tomcat will log the value of CATALINA_OPTS during startup.

Is this a verbatim copy of the configuration you're using? If so, the quotes around your "JAVA_OPTS" value are not double quotes, but the Unicode character U+201D ("Right Double Quotation Mark"). I don't think those will be interpreted in the same way as a double quote by YAML.

- Mike
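An added check (my own code, not from the thread) that reads Tomcat's "Command line argument:" startup lines and reports how the proxy properties actually reached the JVM. It assumes, as Tomcat's VersionLoggerListener does, that each JVM argument is logged on its own line, so one line carrying all four -D options means the quoted value arrived as a single argument; the sample log lines are constructed after the ones in the thread.

```python
import re

# Constructed sample Tomcat startup lines, modelled on the log in the post.
# Run 1: CATALINA_OPTS set with surrounding quotes; all four options on ONE line.
QUOTED_RUN = (
    "27-Oct-2023 18:32:27.752 INFO [main] org.apache.catalina.startup."
    "VersionLoggerListener.log Command line argument: -Dhttp.proxyHost=my-proxy-server.com "
    "-Dhttp.proxyPort=123 -Dhttps.proxyHost=my-proxy-server.com -Dhttps.proxyPort=123\n"
)
# Run 2: the same options passed unquoted; Tomcat logs one line per JVM argument.
UNQUOTED_RUN = "".join(
    "27-Oct-2023 18:40:01.100 INFO [main] org.apache.catalina.startup."
    f"VersionLoggerListener.log Command line argument: {arg}\n"
    for arg in ("-Dhttp.proxyHost=my-proxy-server.com", "-Dhttp.proxyPort=123",
                "-Dhttps.proxyHost=my-proxy-server.com", "-Dhttps.proxyPort=123")
)

ARG_RE = re.compile(r"Command line argument: (.*)$")
PROXY_PROPS = ("http.proxyHost", "http.proxyPort", "https.proxyHost", "https.proxyPort")


def jvm_arguments(log_text):
    """Collect the JVM arguments VersionLoggerListener reported, one per log line."""
    args = []
    for line in log_text.splitlines():
        m = ARG_RE.search(line)
        if m:
            args.append(m.group(1))
    return args


def system_properties(args):
    """Mimic the JVM: each -Dkey=value argument is one property, split at the first '='."""
    props = {}
    for arg in args:
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props


def proxy_problems(log_text):
    """Report how the four proxy properties actually reached the JVM."""
    props = system_properties(jvm_arguments(log_text))
    findings = []
    for name in PROXY_PROPS:
        value = props.get(name)
        if value is None:
            findings.append(f"{name} is not set")
        elif " -D" in value:  # several options arrived as one argument: quoting problem
            findings.append(f"{name} swallowed other options: {value!r}")
    return findings
```

On the quoted run the check reports http.proxyHost swallowing the other three options, which are then reported as not set; on the unquoted run it reports nothing.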
