On 12/17/23 09:44, Vieri wrote:
Hi again,
Please consider the following database data.
...
Table guacamole_sharing_profile is also empty.
Any connection that will be shared needs a sharing profile dictating how
it will be shared. It is the sharing profile(s) associated with a
connection that populate that "Share" dropdown in the menu.
...
Table guacamole_sharing_profile_permission is empty.
Any user/group that needs to share a connection will need "READ" access
to the sharing profile dictating how they should be allowed to share it.
...
From the Guacamole client web UI if I edit the user I can see that it doesn't
belong to any group.
However, I'm "expecting" in a SAML/SSO authenticated system that Guacamole
should be aware of the user/group relationships.
Is the assumption incorrect?
It's correct only with respect to the SAML assertion received when the
user logs in.
Guacamole will not know what users exist in SAML, nor what groups they
belong to, *until the user authenticates with SAML*.
If the SAML IdP is configured to include group memberships in the SAML
assertion (beware there is no standard for this - the attribute used and
the configuration necessary can vary by IdP), and a user authenticates
with Guacamole using SAML, then the group memberships included in that
specific SAML assertion will affect that specific session.
As far as connections are concerned Guacamole shows a user's "personal" and
group connections, e.g. user with entity_id 3 will see both connection with connection_id
85 and connections with group entity_id 159-161.
That works even with an empty guacamole_user_group_member table.
The groups are named just like the ones provisioned by the IdP.
As long as the group names match the IdP, this _should_ be all that's
necessary ... unless you're using SAML provided by Azure. The SAML IdP
provided by Azure sends opaque UUIDs instead of names, and can only be
configured to send actual names in certain cases. If you're in the
situation where you are using Azure for SAML and cannot configure Azure
to send anything but UUIDs, you'll need to use those same UUID values as
the group names in Guacamole.
If things are not behaving as expected, I'd recommend using a SAML
tracing extension for your browser to inspect the actual content of the
SAML assertion. If it doesn't match what you're expecting, then there's
your problem.
...
Is it required to manually associate a user to a group in the guacd database or via
guacamole client web UI even in the case of "IdP groups" (in my case my_user is
a member of my_admin_group)?
No, as long as the name matches the user will inherit the permissions
granted to the group in the DB. It is possible for the name to
mysteriously not match due to variation in the content of the SAML
assertion (see above).
In any case, I tried to add the user to the group with sharing profile enabled
via the web UI (not that I'm looking forward to doing this as I don't
necessarily know or need to know the user/group relationships). I can see that
the DB table is updated:
"SELECT * FROM guacamole_user_group_member;":
user_group_id | member_entity_id
---------------+------------------
3 | 3
However, even after logging out and back in I still can't see the Sharing
dropdown menu with my_user connected to connection_id 85.
What am I doing wrong?
You need to create and grant access to sharing profiles for the "Share"
menu to appear (see above).
- Mike
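The two points in the reply above (group membership is resolved by name from the SAML assertion, and the "Share" menu only appears once a sharing profile exists and the user or one of their groups has READ on it) can be modelled end to end. The following is an added example, not Guacamole's own code: it builds an in-memory SQLite replica of a handful of tables from the Guacamole JDBC schema with only the columns needed here (column names follow the upstream schema as I understand it; treat them as an assumption), seeds it with the ids from the thread (user entity 3, connection 85, group entity 159), parses a constructed SAML assertion whose group attribute is named "groups" (the attribute name is IdP-specific and is an assumption), and then answers the question "which sharing profiles would populate the Share dropdown for this session?". It also lists assertion group values that match no Guacamole group, marking UUID-shaped ones, which is the Azure symptom described above.

```python
"""Model of when Guacamole shows a "Share" menu for a SAML-authenticated user.

Added example (not Guacamole code). Tables and columns are a reduced copy of
the Guacamole JDBC auth schema (assumption); row values and the SAML
assertion below are constructed from the mailing-list thread.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion. The IdP is assumed to put group names in an
# attribute called "groups"; there is no standard for this.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>my_user</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>my_admin_group</saml:AttributeValue>
      <saml:AttributeValue>other_group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def assertion_groups(xml_text, attribute="groups"):
    """Return the group values carried in the assertion's group attribute."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute:
            values += [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
    return values


def build_db():
    """Reduced schema: user entity 3, group entity 159 (constructed from the thread)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE guacamole_entity (entity_id INTEGER PRIMARY KEY, name TEXT, type TEXT);
    CREATE TABLE guacamole_user_group (user_group_id INTEGER PRIMARY KEY, entity_id INTEGER);
    CREATE TABLE guacamole_user_group_member (user_group_id INTEGER, member_entity_id INTEGER);
    CREATE TABLE guacamole_sharing_profile (sharing_profile_id INTEGER PRIMARY KEY,
        sharing_profile_name TEXT, primary_connection_id INTEGER);
    CREATE TABLE guacamole_sharing_profile_permission (entity_id INTEGER,
        sharing_profile_id INTEGER, permission TEXT);
    INSERT INTO guacamole_entity VALUES (3, 'my_user', 'USER'), (159, 'my_admin_group', 'USER_GROUP');
    INSERT INTO guacamole_user_group VALUES (1, 159);
    """)
    return db


def effective_entities(db, user_entity_id, saml_groups):
    """Entities whose permissions apply to this session: the user, groups it is a
    member of in the DB, and groups whose name matches a value in the assertion."""
    ids = {user_entity_id}
    rows = db.execute("SELECT g.entity_id FROM guacamole_user_group g "
                      "JOIN guacamole_user_group_member m ON m.user_group_id = g.user_group_id "
                      "WHERE m.member_entity_id = ?", (user_entity_id,))
    ids.update(r[0] for r in rows)
    for name in saml_groups:
        row = db.execute("SELECT g.entity_id FROM guacamole_user_group g "
                         "JOIN guacamole_entity e ON e.entity_id = g.entity_id "
                         "WHERE e.type = 'USER_GROUP' AND e.name = ?", (name,)).fetchone()
        if row:
            ids.add(row[0])
    return ids


def share_menu(db, user_entity_id, connection_id, saml_groups):
    """Sharing profile names that would populate the Share dropdown for the connection."""
    ids = tuple(effective_entities(db, user_entity_id, saml_groups))
    placeholders = ",".join("?" * len(ids))  # only '?' marks, never user data
    rows = db.execute(
        "SELECT DISTINCT p.sharing_profile_name FROM guacamole_sharing_profile p "
        "JOIN guacamole_sharing_profile_permission sp ON sp.sharing_profile_id = p.sharing_profile_id "
        "WHERE p.primary_connection_id = ? AND sp.permission = 'READ' "
        f"AND sp.entity_id IN ({placeholders})", (connection_id, *ids))
    return sorted(r[0] for r in rows)


def unmatched_groups(db, saml_groups):
    """Assertion values with no Guacamole group of that exact name; a 'uuid'
    tag means the IdP sent an identifier rather than a name."""
    out = []
    for name in saml_groups:
        hit = db.execute("SELECT 1 FROM guacamole_entity WHERE type = 'USER_GROUP' AND name = ?",
                         (name,)).fetchone()
        if not hit:
            out.append((name, "uuid" if UUID_RE.match(name) else "name"))
    return out


def grant_sharing(db, connection_id, profile_name, group_name):
    """Create a sharing profile for the connection and give the named group READ on it."""
    cur = db.execute("INSERT INTO guacamole_sharing_profile (sharing_profile_name, primary_connection_id) "
                     "VALUES (?, ?)", (profile_name, connection_id))
    profile_id = cur.lastrowid
    (entity_id,) = db.execute("SELECT entity_id FROM guacamole_entity WHERE type = 'USER_GROUP' AND name = ?",
                              (group_name,)).fetchone()
    db.execute("INSERT INTO guacamole_sharing_profile_permission VALUES (?, ?, 'READ')", (entity_id, profile_id))
    db.commit()
    return profile_id


def demo():
    """Reproduce the thread: no Share menu until a profile exists and is granted."""
    db = build_db()
    groups = assertion_groups(ASSERTION)
    before = share_menu(db, 3, 85, groups)          # empty: no sharing profile yet
    grant_sharing(db, 85, "share conn 85", "my_admin_group")
    after = share_menu(db, 3, 85, groups)           # ['share conn 85']
    return before, after, unmatched_groups(db, groups)


if __name__ == "__main__":
    print(demo())
```

The name match is exact and case-sensitive, which is why an Azure IdP sending object-id UUIDs yields only "unmatched" entries until the Guacamole groups are renamed to those UUIDs; and the DB membership path (guacamole_user_group_member) and the assertion path both end in the same entity set, so either one is enough.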