Hi!

I have a very similar setup, and for me it was a combination of things (nginx 
configs, saml configs, etc).

This is a part of my guacamole setup in compose for reference:

  initdb:
    image: docker.io/guacamole/guacamole:1.5.3
    user: root
    command: bash -c "/opt/guacamole/bin/initdb.sh --postgresql > /usr/src/app/initdb.sql; tail -f /dev/null"
    volumes:
      - initdb:/usr/src/app/:rw
  db:
    image: docker.io/library/postgres:16.2
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=**************
    volumes:
      - pgdata:/var/lib/postgresql/data
      - initdb:/docker-entrypoint-initdb.d/:ro
    depends_on:
      - "initdb"
  daemon:
    image: docker.io/guacamole/guacd:1.5.3
    environment:
      - GUACD_LOG_LEVEL=info
    ports:
      - "4822"
  web:
    image: docker.io/guacamole/guacamole:1.5.3
    depends_on:
      - "db"
      - "daemon"
    environment:
      - GUACD_HOSTNAME=daemon
      - GUACD_PORT=4822
      - POSTGRESQL_HOSTNAME=db
      - POSTGRESQL_PORT=5432
      - POSTGRESQL_DATABASE=postgres
      - POSTGRESQL_USER=postgres
      - POSTGRESQL_PASSWORD=**************
      - SAML_IDP_METADATA_URL=https://<URL>/<SOME ONMICROSOFT URL>/<POLICY>/samlp/metadata
      - SAML_ENTITY_ID=https://localhost/guacamole
      - SAML_CALLBACK_URL=https://localhost/guacamole
      - SAML_STRICT=true
      - SAML_DEBUG=false
      - EXTENSION_PRIORITY=*,saml,postgresql
      - REMOTE_IP_VALVE_ENABLED=true
  initnginx:
    image: docker.io/library/nginx:1.25.4
    entrypoint: ''
    command: bash -c "
        openssl req -x509 -nodes -days 365 -subj '/C=/ST=/L=/O=/OU=/CN=' -newkey rsa:2048 -keyout /usr/src/app/ssl.key -out /usr/src/app/ssl.crt;
        tail -f /dev/null
      "
    volumes:
      - initnginx:/usr/src/app/:rw
  nginx:
    image: docker.io/library/nginx:1.25.4
    depends_on:
      - "web"
      - "initnginx"
    volumes:
      - ./nginx/templates/:/etc/nginx/templates
      - initnginx:/etc/ssl/certs/
      - ./nginx/html:/usr/share/nginx/html
    ports:
      - "443:443"
    environment:
      - NGINX_HOST=localhost
      - NGINX_PORT=443

And the NGINX configuration is:

server {
    listen                  $NGINX_PORT ssl;
    server_name             ${NGINX_HOST};
    ssl_certificate         /etc/ssl/certs/ssl.crt;
    ssl_certificate_key     /etc/ssl/certs/ssl.key;
    error_page              500 502 503 504 /50x.html;
    error_log               /var/log/nginx/error.log debug;
    access_log              /var/log/nginx/access.log;
    root                    /usr/share/nginx/html/;

    location /guacamole/ {
        proxy_pass              http://web:8080;
        proxy_buffering         off;
        proxy_http_version      1.1;
        proxy_set_header        Host $host;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Server $host;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection $http_connection;
        client_max_body_size    1g;
        access_log off;
    }
    ...
    ...
}

And this is my SAML configuration on the identity provider side (parts of it):

    ...
    "identifierUris": [
        "https://localhost/guacamole"
    ],
    ...
    "replyUrlsWithType": [
        {
            "url": "https://localhost/guacamole/api/ext/saml/callback",
            "type": "Web"
        }
    ],
    ...
    "signInUrl": "https://localhost/guacamole",

I'd say, start with running in non-strict mode. I think your error is related 
to that, and it might be fixed with nginx configs (I reported it in another 
thread on this mailing list; it was an undocumented setup):

SAML_STRICT=false

Something I discovered is that you'd better make guacamole serve on a standard 
protocol port (80 for http or 443 for https). It can run on any port, but it 
has to be served on a well-known port, otherwise you get redirected to the URL 
without the port, AFAIK.

Try with a MockSAML identity provider first as well; this is a good one: 
https://mocksaml.com/ (it has a relaxed configuration, so you can defer 
fighting against "real" identity provider configurations):

SAML_IDP_METADATA_URL=https://mocksaml.com/api/saml/metadata

Hope it helps!
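As an added illustration (not code from the poster above or from the Guacamole project), the following Python models why the "response was received at X instead of Y" error in this thread appears: the backend reconstructs the callback URL from what the proxy forwards (scheme, Host, port, context path), and the SAML library compares that with the URL derived from SAML_CALLBACK_URL. The header and port handling is a simplified assumption rather than Tomcat's exact RemoteIpValve behaviour, and the request headers are constructed.

```python
"""Added example (not code from the poster or the Guacamole project): models why
the "response was received at X instead of Y" SAML error appears behind a proxy."""
from urllib.parse import urlsplit

# Path the Guacamole SAML extension serves the callback on, below the webapp context.
CALLBACK_PATH = "/api/ext/saml/callback"


def expected_callback(saml_callback_url):
    """URL the IdP posts the SAMLResponse to: SAML_CALLBACK_URL plus the extension path."""
    return saml_callback_url.rstrip("/") + CALLBACK_PATH


def received_at(headers, context_path="/guacamole", backend_port=8080, remote_ip_valve=False):
    """Simplified model (an assumption, not Tomcat's exact RemoteIpValve logic) of the URL
    the backend reconstructs for a request that arrived from the reverse proxy."""
    host = headers.get("Host", f"guacamole:{backend_port}")
    scheme, port = "http", backend_port
    # With the remote IP valve enabled, X-Forwarded-Proto: https flips the scheme and
    # the port to the HTTPS default; without it the backend only ever sees plain HTTP.
    if remote_ip_valve and headers.get("X-Forwarded-Proto") == "https":
        scheme, port = "https", 443
    hostname, _, host_port = host.partition(":")
    if host_port:  # an explicit port in the Host header wins
        port = int(host_port)
    default_port = 443 if scheme == "https" else 80
    netloc = hostname if port == default_port else f"{hostname}:{port}"
    return f"{scheme}://{netloc}{context_path}{CALLBACK_PATH}"


def mismatches(received, expected):
    """List the URL components that differ; any one of them trips the strict check."""
    r, e = urlsplit(received), urlsplit(expected)

    def port_of(u):
        return u.port or (443 if u.scheme == "https" else 80)

    checks = (("scheme", r.scheme, e.scheme), ("host", r.hostname, e.hostname),
              ("port", port_of(r), port_of(e)), ("path", r.path, e.path))
    return [f"{name}: got {got!r}, expected {want!r}" for name, got, want in checks if got != want]


if __name__ == "__main__":
    # Constructed headers: the first is what the backend sees when the proxy forwards nothing
    # usable, the second matches the nginx config above (Host plus X-Forwarded-Proto).
    bare = {"Host": "guacamole:8080"}
    proxied = {"Host": "localhost", "X-Forwarded-Proto": "https"}
    for hdrs, valve, cb in ((bare, False, "https://guactest.mydomain.org:8443"),
                            (proxied, True, "https://localhost/guacamole")):
        got, want = received_at(hdrs, remote_ip_valve=valve), expected_callback(cb)
        print(got, "vs", want, "->", mismatches(got, want) or "OK")
```

The first constructed case reproduces all four mismatches behind the error quoted further down (scheme, host, port and the missing /guacamole path); the second, which mirrors the compose and nginx settings above, reports none.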
________________________________
From: Mike <[email protected]>
Sent: Sunday, March 10, 2024 12:15 PM
To: [email protected] <[email protected]>
Subject: Re: SAML + Docker/Nginix Proxy Issue

I managed to solve the hostname issue by using Hostname: guactest.mydomain.org 
in the docker compose; however, now the issue is the port doesn't match and it's 
looking for /guacamole and not / (and it's not https).

So now the error is:
ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at http:/guactest.mydomain.org:8080/guacamole/api/ext/saml/callback instead of https://guactest.mydomain.org:8443/api/ext/saml/callback

The problem is I can't change guacamole to port 8443 because that is what the 
nginx reverse proxy is listening on. I've re-read the SAML docs like 5 times; I 
feel like I am missing something here. Based on this experience, it seems like 
SAML is not possible to use with a reverse proxy, but that is required for 
prod use.

Also, I assume the only way to change the war file to ROOT.war would be to 
ditch docker and move to a native install? My other option is to change to 
guac.myserver.org:8443/guacamole.

Thanks for any direction anyone can point me in. Should I just ditch Docker if I 
want to get SAML working? Perhaps OAuth/OpenID doesn't have this strict 
checking issue?

On Thursday, March 7, 2024 at 02:53:09 PM EST, Mike <[email protected]> 
wrote:

Hi, I have a new Docker setup of Guacamole running in Docker with an Nginx 
proxy. Everything works great but I can't get SAML working properly. The 
issue is similar to other issues I found searching this mailing list archive 
since 1.4 tightened SAML validation, but I couldn't find anyone with the same 
issue.

My issue is that I am getting:

01:02:14.237 [http-nio-8080-exec-9] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at http://guacamole:8080/guacamole/api/ext/saml/callback instead of https://guactest.mydomain.org:8443/api/ext/saml/callback

I saw in the mailing list that some people were told to change guacamole.war to 
ROOT.war, but I wasn't sure if that would work because the domain will still be 
wrong (also need to figure out how to do this running in docker).

Thanks much.

Mike
