On Fri, Dec 15, 2023 at 2:31 AM Vieri <[email protected]> wrote:
> Hi,
>
> In my setup Guacamole users authenticate with SAML SSO (I use postgresql
> as backend db).
> The only thing I do when I init the DB is create a record with group names
> just as they are "propagated" by the IdP.
> e.g.:
> INSERT INTO guacamole_entity (name, type) VALUES ('my_admin_group',
> 'USER_GROUP');
> INSERT INTO guacamole_entity (name, type) VALUES ('my_super_user_group',
> 'USER_GROUP');
> INSERT INTO guacamole_entity (name, type) VALUES
> ('my_standard_user_group', 'USER_GROUP');
> ...
> I do not need to create each user because I have:
> postgresql-auto-create-accounts: true
>
> I then create connections and assign them to groups and/or users.
>
> All this works OK in the sense that when a user logs in via SAML/SSO only
> the allowed connections are displayed (according to both "users" and
> "groups" settings).
>
> However, I only allowed "Create new sharing profiles" for "my_admin_group"
> and "my_super_user_group", but if a user who is a member of one of those
> groups logs in, the Sharing dropdown will not appear when in an RDP
> connection.
>
> What can I try? What can I check to see why Guacamole thinks that this
> user cannot share connections?
>
Have you granted the user(s)/group(s) permissions to the Sharing Profile?
If you want users to be able to share the connection, they need to have
permissions to the Share Profile, not just the connection, and they will
not automatically inherit that permission - you have to assign it.
-Nick
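
One way to check the point raised in the reply directly in the PostgreSQL backend, as an added example that is not part of the original thread. It assumes the table and column names of the Guacamole 1.x JDBC schema; the group names are the ones from the question, and 'example_share_profile' is a placeholder for a sharing profile you have already created.

```sql
-- Assumption: Guacamole 1.x JDBC schema on PostgreSQL.

-- 1. For each group, list the sharing profiles that hang off connections the
--    group can READ, and whether the group can also READ the profile itself.
--    Rows with can_read_sharing_profile = false are the missing grants.
--    No rows at all means no sharing profile exists on those connections yet.
SELECT e.name                      AS group_name,
       c.connection_name,
       sp.sharing_profile_name,
       (spp.entity_id IS NOT NULL) AS can_read_sharing_profile
FROM guacamole_entity e
JOIN guacamole_connection_permission cp
       ON cp.entity_id = e.entity_id
      AND cp.permission = 'READ'
JOIN guacamole_connection c
       ON c.connection_id = cp.connection_id
JOIN guacamole_sharing_profile sp
       ON sp.primary_connection_id = c.connection_id
LEFT JOIN guacamole_sharing_profile_permission spp
       ON spp.entity_id = e.entity_id
      AND spp.sharing_profile_id = sp.sharing_profile_id
      AND spp.permission = 'READ'
WHERE e.type = 'USER_GROUP'
  AND e.name IN ('my_admin_group', 'my_super_user_group')
ORDER BY e.name, c.connection_name, sp.sharing_profile_name;

-- 2. Grant READ on one sharing profile to one group only (least privilege),
--    skipping the insert if the grant already exists.
INSERT INTO guacamole_sharing_profile_permission
       (entity_id, sharing_profile_id, permission)
SELECT e.entity_id,
       sp.sharing_profile_id,
       'READ'::guacamole_object_permission_type
FROM guacamole_entity e
CROSS JOIN guacamole_sharing_profile sp
WHERE e.type = 'USER_GROUP'
  AND e.name = 'my_super_user_group'
  AND sp.sharing_profile_name = 'example_share_profile'  -- placeholder name
  AND NOT EXISTS (
        SELECT 1
        FROM guacamole_sharing_profile_permission p
        WHERE p.entity_id = e.entity_id
          AND p.sharing_profile_id = sp.sharing_profile_id
          AND p.permission = 'READ');
```

The same grant can be made in the web interface by editing the group and ticking the sharing profile under the connection; the query is mainly useful for auditing which groups are able to share which connections.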