On Tue, Apr 2, 2024 at 12:29 AM Jesus Malena <jesus.mal...@gmail.com> wrote:
> Hi all,
>
> Currently I'm working on setting up Guacamole with SAML. I have gone ahead
> and was able to get things working with Okta. My settings are as follows
> (removing private data):
>
> saml-idp-metadata-url: https://mytestidp.okta.com/app/th!$isn0Tm&@pp/sso/saml/metadata
> saml-entity-id: https://guactest.mytestserver.com/
> saml-callback-url: https://guactest.mytestserver.com/
> saml-debug: false
> saml-strict: false
> saml-group-attribute: groups
> skip-if-unavailable: saml
>
> As you can see, saml-strict is set to false. I want to set saml-strict to
> true, but when I do my connections break with the following error:
>
> guacamole | 17:39:37.776 [http-nio-8080-exec-3] WARN o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://guactest.mytestserver.com/api/ext/saml/callback instead of https://guactest.mytestserver.com/api/ext/saml/callback
>

This is likely because you need a couple of extra proxy headers set. Depending on what software you're using to proxy Guacamole through https, this will vary a bit. For example, Nginx should have the following:

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;

I would imagine your particular issue is because the X-Forwarded-Proto header is not being set.

-Nick
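To make the failure mode in the thread concrete, here is an added Python model (not code from the thread, from Guacamole, or from any SAML library) of the two steps involved: a service provider behind a TLS-terminating proxy reconstructs the URL it "received" the SAML response at from the connection scheme plus any X-Forwarded-* headers, and a strict validator then requires that URL to match the configured callback exactly. The hostnames and header sets are constructed sample values; the reconstruction logic is a simplified assumption about how such applications behave, not a description of Guacamole's internals.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the callback the SP is configured with (assumption,
# uses the placeholder hostname from the thread).
CONFIGURED_CALLBACK = "https://guactest.mytestserver.com/api/ext/saml/callback"


def received_url(headers, local_scheme, local_host, path, trust_forwarded=True):
    """Reconstruct the URL the SP believes the request arrived at.

    Behind a TLS-terminating reverse proxy the socket the app sees is plain
    HTTP (local_scheme), so the only source of the browser-facing scheme and
    host is the X-Forwarded-Proto / X-Forwarded-Host headers. If the proxy
    does not send them, or the app is configured not to trust them, the
    reconstructed URL falls back to the internal scheme and host.
    """
    scheme = local_scheme
    host = local_host
    if trust_forwarded:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", headers.get("Host", host))
    return urlunsplit((scheme, host, path, "", ""))


def validate_destination(received, configured):
    """Strict-mode style check: the response must have been received at the
    configured callback URL exactly (scheme, host and path all equal).
    Returns (ok, message) in the spirit of the log line quoted in the thread."""
    r, c = urlsplit(received), urlsplit(configured)
    if (r.scheme, r.netloc, r.path) != (c.scheme, c.netloc, c.path):
        return False, f"The response was received at {received} instead of {configured}"
    return True, "ok"


def check_with_headers(headers):
    """Run both steps for one constructed set of proxy headers and return
    (received_url, ok, message)."""
    url = received_url(headers, "http", "guacamole:8080", "/api/ext/saml/callback")
    ok, msg = validate_destination(url, CONFIGURED_CALLBACK)
    return url, ok, msg


# Constructed header sets: what the app sees with and without the
# X-Forwarded-Proto line in the proxy configuration.
HEADERS_MISSING_PROTO = {"Host": "guactest.mytestserver.com"}
HEADERS_WITH_PROTO = {
    "Host": "guactest.mytestserver.com",
    "X-Forwarded-Host": "guactest.mytestserver.com",
    "X-Forwarded-Proto": "https",
}

if __name__ == "__main__":
    for label, hdrs in (("without X-Forwarded-Proto", HEADERS_MISSING_PROTO),
                        ("with X-Forwarded-Proto", HEADERS_WITH_PROTO)):
        url, ok, msg = check_with_headers(hdrs)
        print(f"{label}: received at {url} -> {'valid' if ok else 'rejected: ' + msg}")
```

Without X-Forwarded-Proto the reconstructed URL is `http://...`, which is exactly the mismatch in the quoted warning; with it the strict check passes. One caveat worth keeping in mind when applying the proxy fix: an application should only honour X-Forwarded-* headers from its own proxy, since any client that can reach the backend directly could otherwise set them itself, so restrict direct access to the backend to the proxy's address.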