The "RelayState" parameter is a value that's passed _back_ to the application by the SAML IdP. The value is unique to each authentication attempt and is generated by Guacamole when the user is redirected to the SAML IdP to authenticate. The SAML IdP receives that value and includes it in its response, which Guacamole then validates.

If the SAML response doesn't contain a valid "RelayState", then one of the following must be true:

* Your SAML provider is not handling the SAML request correctly.
* You are attempting IdP-initiated SSO, which is not supported.
* Something between yourself and your browser is preventing the "RelayState" parameter from being received.

- Mike
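To make the validation Mike describes concrete, here is a small SP-side model of the RelayState lifecycle. This is an added illustration, not Guacamole's own code: the class and function names (RelayStateStore, begin_login, validate_response, handle_acs_post), the five-minute TTL and the sample POST bodies are all assumptions chosen for the example. It issues an unguessable value when the user is sent to the IdP, then checks the value echoed back with the SAML response, distinguishing the three failure modes in the list above (missing, never issued or already consumed, expired).

```python
"""Toy SP-side RelayState handling for SP-initiated SAML SSO.

Added example, not Guacamole's code. Names and the TTL are assumptions.
"""
import secrets
import time
from urllib.parse import parse_qs


class RelayStateStore:
    """Tracks RelayState values this SP has issued but not yet consumed."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self._ttl = ttl_seconds
        self._now = now                 # injectable clock, for testing
        self._pending = {}              # relay_state -> expiry timestamp

    def begin_login(self):
        """Issue a fresh, unguessable RelayState and remember it.

        The SP puts this value on the redirect to the IdP; the IdP must echo
        it back unchanged alongside the SAML response.
        """
        state = secrets.token_urlsafe(32)
        self._pending[state] = self._now() + self._ttl
        return state

    def validate_response(self, relay_state):
        """Return (ok, reason) for the RelayState echoed back by the IdP.

        A valid value is consumed on first use, so a replayed response
        (or a second submission of the same form) is rejected.
        """
        if not relay_state:
            # No RelayState at all: typical of IdP-initiated SSO, or of a
            # proxy between the browser and the SP dropping the parameter.
            return False, "missing"
        expiry = self._pending.pop(relay_state, None)
        if expiry is None:
            return False, "unknown"     # never issued here, or already used
        if self._now() > expiry:
            return False, "expired"
        return True, "ok"


def handle_acs_post(store, form_body):
    """Simulate the Assertion Consumer Service endpoint receiving the IdP's
    form-encoded POST (SAMLResponse plus RelayState) and checking only the
    RelayState part. Signature and assertion checks are out of scope here.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    relay_state = fields.get("RelayState", [""])[0]
    return store.validate_response(relay_state)


if __name__ == "__main__":
    store = RelayStateStore()
    state = store.begin_login()
    # Constructed sample bodies: the SAMLResponse value is a placeholder.
    good = "SAMLResponse=PHNhbWxwOlJlc3BvbnNlLz4%3D&RelayState=" + state
    idp_initiated = "SAMLResponse=PHNhbWxwOlJlc3BvbnNlLz4%3D"
    print(handle_acs_post(store, good))           # (True, 'ok')
    print(handle_acs_post(store, good))           # (False, 'unknown') - replay
    print(handle_acs_post(store, idp_initiated))  # (False, 'missing')
```

The "unknown" and "missing" branches are the two cases an IdP-initiated login or a dropped parameter produces; the warning in the log below corresponds to the SP reaching one of these branches rather than "ok".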

On 12/16/23 12:10, Invite System wrote:
Hello,

I have a functioning Guacamole configuration in Docker that is currently working well: user created, TOTP enabled, can connect to an RDP instance, etc.

However, as soon as I attempt to enable SAML, enable more verbose logging in Logbook, enable a custom home directory, etc., things tend to go wrong.

I currently access Guacamole at: https://guacamole.domain.org

As an example, my docker compose for guacamole only is below:

         guacamole:
             container_name: guacamole
             depends_on:
                 - guacd
                 - postgres.16
             environment:
                 GUACD_HOSTNAME: guacd
                 POSTGRES_DATABASE: ${guacamole_db}
                 POSTGRES_HOSTNAME: ${POSTGRES_HOST}
                 POSTGRES_PASSWORD: ${guac_postgres_pass}
                 POSTGRES_USER: ${guac_postgres_user}
                 WEBAPP_CONTEXT: ROOT
                 GUACAMOLE_HOME: /data
                 EXTENSIONS: "openid, saml"
                 EXTENSION_PRIORITY: "*, saml, openid, totp"
                 RECORDING_SEARCH_PATH: /record
                 REMOTE_IP_VALVE_ENABLED: true
                 ENABLE_ENVIRONMENT_PROPERTIES: true
                 SAML_IDP_METADATA_URL: https://subdomain.okta.com/app/UUID1/sso/saml/metadata
                 SAML_ENTITY_ID: https://guacamole.DOMAIN.org
                 SAML_CALLBACK_URL: https://subdomain.okta.com/app/subdomain_guacamoleDOMAIN_1/UUID2/sso/saml
                 SAML_DEBUG: true
                 SAML_STRICT: true
                 TOTP_ENABLED: true
                 TOTP_MODE: sha256
                 TOTP_ISSUER: "Guacamole"
             image: guacamole/guacamole:latest
             volumes:
                 - /mnt/docker/guacamole/home:/home/guacamole:rw
                 - /mnt/docker/guacamole/data:/data:rw
                 - /mnt/docker/guacamole/guacd/record:/record:rw
             links:
                 - guacd
             networks:
                 - guacnetwork
                 - database
                 - tailscale
             ports:
             #     - 8080:8080
                 - 8080/tcp
             restart: always


Unfortunately, for whatever reason, Guacamole can't solely use the metadata file, even though the URL is connectable (I can curl the URL from within the container). So I have to use the two other options listed.

I have also tried this with SAML_STRICT set to true or false, and still receive the following error:

    16:44:05.563 [http-nio-8080-exec-4] WARN  o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: "RelayState" value included with SAML response is not valid.



Now, I have looked at various websites, but I can't seem to find this error anywhere, and the only mention I can find of a potential workaround is this: https://support.okta.com/help/s/question/0D51Y00006aAeE9SAK/sp-initiated-saml-sso-relay-state-issue?language=en_US

I have also reviewed this blog post: https://nathancatania.com/posts/deploy-guacamole-ssl-saml/ , which appears to be (so far from what I have read) the best documentation on getting Okta and Guacamole working; however, it doesn't mention RelayState.

Which, unfortunately, does not work when placed in the SAML_IDP_METADATA_URL env variable. When running a SAML trace in the browser, I notice a switch between "RelayState" and "state" in the response from Guacamole to Okta (and vice versa), and am wondering if that is expected.

While I would absolutely prefer to use OIDC here, I believe that the Docker container does not natively support OIDC out of the box (e.g. through env variables) and I would have to use the GUACAMOLE_HOME configuration to work around this. Unfortunately, Guacamole doesn't seem to be recognizing the paths specified and setting the configuration there. I tried to search for the env variables required for this, but couldn't find anything specifically.


I was wondering if there was any guidance on setting up the SAML configuration or how I can remove the RelayState error listed above, until I can get hold of someone at Okta to assist, or if there is a convenient way to get OIDC working with the Docker container given that I can't get GUACAMOLE_HOME to work at the moment.

Best regards,

Andrew
