I do all of that, and restart everything, but I still get the redirect loop.  I 
get the initial redirect to the Okta SAML provider, and I can authenticate, but 
when I get redirected back to the Guac server, the redirect loops start again 
until I eventually get the 429 error in the browser.  And in the Developer 
Tools console, it shows tokens in red, and clicking on that gives me a 403 
Forbidden error on 
https://<guac-server>/api/tokens.

Thanks,
Harry

From: Jon Gerdes <[email protected]>
Sent: Wednesday, December 18, 2024 11:02 AM
To: [email protected]
Subject: Re: Question about callback URL with SAML configuration

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.

Harry

The <Context ... line will make Guacamole listen on the URL / instead of 
/guacamole on Tomcat.  Put it in the gap between <Host and <Valve in your 
configuration.

Change your Apache config to:

<Location />
Order allow,deny
Allow from all
ProxyPass http://localhost:8080/ flushpackets=on
ProxyPassReverse http://localhost:8080/
</Location>

Also you will need to account for the web sockets.  I use nginx for the reverse 
proxy.  That document you listed is the source I used originally and it gets 
you to add a second Location for Apache.  Yours would now be something like:

<Location /websocket-tunnel>
Order allow,deny
Allow from all
ProxyPass ws://localhost:8080/websocket-tunnel
ProxyPassReverse ws://localhost:8080/websocket-tunnel
</Location>

Cheers
Jon
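A consistency check for the three pieces discussed in this thread, added here as an example and not part of the original exchange or of Guacamole itself: it cross-checks saml-callback-url in guacamole.properties against the Apache ProxyPass map and the Tomcat context path, and flags a missing websocket-tunnel Location. The host name and file contents are constructed.

```python
import re
from urllib.parse import urlparse

def parse_properties(text):
    """Parse 'key: value' lines of guacamole.properties into a dict."""
    props = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, value = line.split(":", 1)
            props[key.strip()] = value.strip()
    return props

def parse_proxy_map(conf):
    """Map each Apache <Location X> to the backend URL of its ProxyPass."""
    mapping = {}
    for loc, body in re.findall(r"<Location\s+(\S+)\s*>(.*?)</Location>", conf, re.S):
        target = re.search(r"^\s*ProxyPass\s+(\S+)", body, re.M)
        if target:
            mapping[loc] = target.group(1)
    return mapping

norm = lambda path: "/" + path.strip("/")  # '/guacamole/', '/guacamole', '' compare consistently

def check_saml_proxy(props, apache_conf, context_path):
    """Return findings; an empty list means callback URL, proxy map and context agree."""
    findings = []
    callback = urlparse(props.get("saml-callback-url", ""))
    if callback.scheme != "https":
        findings.append("saml-callback-url must be an https URL")
    mapping = parse_proxy_map(apache_conf)
    # The external <Location> that proxies (over http) to the Tomcat context path
    external = [loc for loc, backend in mapping.items()
                if urlparse(backend).scheme == "http"
                and norm(urlparse(backend).path) == norm(context_path)]
    if not external:
        findings.append(f"no <Location> proxies to the Guacamole context {context_path!r}")
    elif norm(callback.path) != norm(external[0]):
        findings.append(f"saml-callback-url path {callback.path!r} does not match proxied path {external[0]!r}")
    if not any(urlparse(b).scheme in ("ws", "wss") for b in mapping.values()):
        findings.append("no <Location> proxies the websocket-tunnel (ws://) endpoint")
    return findings

# Constructed sample inputs modelled on the thread's final configuration (not real files).
APACHE_FIXED = """<Location />
    ProxyPass http://localhost:8080/ flushpackets=on
    ProxyPassReverse http://localhost:8080/
</Location>
<Location /websocket-tunnel>
    ProxyPass ws://localhost:8080/websocket-tunnel
    ProxyPassReverse ws://localhost:8080/websocket-tunnel
</Location>"""
PROPS = parse_properties("saml-callback-url: https://guac.example.test/\n")
```

Run `check_saml_proxy(PROPS, APACHE_FIXED, "")` for the root-context setup; pass `"/guacamole"` as the context path when the WAR is still deployed under its default path.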



On Wed, 2024-12-18 at 15:50 +0000, Devine, Harry (FAA) wrote:
This is what I have in server.xml now (I just added the Valve section within 
the last half hour based on an article I found here:
https://guacamole.apache.org/doc/gug/reverse-proxy.html):

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127.0.0.1"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />

It didn’t make much of a difference.  But what do I need to change for the 
Apache ProxyPass lines in forward.conf?  I also see some references to the 
WebSocket Tunnel, which I don’t have in Apache at the moment.  Do I need that 
part also?

Thanks,
Harry

From: Jon Gerdes <[email protected]>
Sent: Wednesday, December 18, 2024 10:46 AM
To: [email protected]
Subject: Re: Question about callback URL with SAML configuration


Harry

I had a similar issue recently.  I "fixed" that by making the Guacamole WAR the 
root of the Tomcat server.  Add a Context section similar to this:


<Host name="localhost"  appBase="webapps"
      unpackWARs="true" autoDeploy="true">

    <Context path="" docBase="guacamole" debug="0" reloadable="true"></Context>

inside the Tomcat server.xml and restart it.  You will also need to change the 
ProxyPass lines in Apache.

Cheers
Jon



On Wed, 2024-12-18 at 14:02 +0000, Devine, Harry (FAA) wrote:
Also, I am doing a ProxyPass to proxy the traffic through Apache to the 
Guacamole backend on 8080:

<Location />
    Order allow,deny
    Allow from all
    ProxyPass http://localhost:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://localhost:8080/guacamole/
</Location>

Not sure how this plays into things.  But when I sign into the SAML with my 
smart card, that works, and the redirect back just keeps sending me back to the 
Okta MFA page, which detects I’m already logged in, and redirects back to 
Guacamole, and the cycle continues for a while until the 429 Too Many Requests 
comes across.

Thanks,
Harry

From: Devine, Harry (FAA) <[email protected]>
Sent: Tuesday, December 17, 2024 3:26 PM
To: [email protected]
Subject: RE: Question about callback URL with SAML configuration


I’m not really getting any errors in the Tomcat logs or /var/log/messages.  I 
eventually just get a 429 Too Many Redirects error.  And the callback I’m 
referring to is what we need to put into the saml-callback-url property in 
/etc/guacamole/guacamole.properties.  Currently, we have the server name itself 
(https://<server>).  I’m assuming that needs to be something 
different.

Thanks,
Harry

From: Nick Couchman <[email protected]>
Sent: Tuesday, December 17, 2024 3:20 PM
To: [email protected]
Subject: Re: Question about callback URL with SAML configuration


On Tue, Dec 17, 2024 at 3:13 PM Devine, Harry (FAA) <[email protected]> wrote:



We are on Guacamole 1.5.4 at the moment, and we have a mandate to implement 
MFA.  We have been working with our IT department and using a test Guacamole 
server for the configuration testing.  We were initially trying OpenID but we 
kept getting an invalid response_type value.  So they suggested SAML, which we 
implemented and proved that we could log in.  However, we do get an error from 
Guacamole because the MFA doesn’t seem to know how to return the response back 
to our Guacamole server.


What error are you seeing? And what messages are you getting in the logs?

So, my question is: how to I implement or configure the Callback URL on our 
Guacamole server so the response that comes back can be retrieved?


Are you talking about the callback URL in the Guacamole configuration, or one 
specific to the SAML IdP?

-Nick

