RE: Question about callback URL with SAML configuration

[Devine, Harry (FAA)]

So my Tomcat server.xml, near the bottom, has:

      <Host name="localhost"  appBase="webapps"
                     unpackWARs="true" autoDeploy="true">

               <Context path="" docBase="guacamole" debug="0" reloadable="true" 
/>

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127.0.0.1"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
                      protocolHeader="x-forwarded-proto" />

My /etc/httpd/conf.d/forward.conf has:

<Location />
    Order allow,deny
    Allow from all
    ProxyPass http://localhost:8080/ flushpackets=on
    ProxyPassReverse http://localhost:8080/
</Location>

<Location /websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://localhost:8080/websocket-tunnel
    ProxyPassReverse ws://localhost:8080/websocket-tunnel
</Location>

Do I need any Apache proxy headers set?  I saw something about 
X-Forwarded-Proto, but I assumed that the Valve in server.xml would be setting 
that.  I just can’t seem to find out what I’m missing.

Thanks,
Harry

From: Devine, Harry (FAA) <harry.dev...@faa.gov.INVALID>
Sent: Wednesday, December 18, 2024 11:18 AM
To: user@guacamole.apache.org
Subject: RE: Question about callback URL with SAML configuration

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.

I do all of that, and restart everything, but I still get the redirect loop.  I 
get the initial redirect to the Okta SAML provider, and I can authenticate, but 
when I get redirected back to the Guac server, the redirect loops start again 
until I eventually get the 429 error in the browser.  And in the Developer 
Tools console, it shows tokens in red, and clicking on that gives me a 403 
Forbidden error on 
https://<guac-server>/api/tokens<https://%3cguac-server%3e/api/tokens>.

Thanks,
Harry

From: Jon Gerdes <gerd...@blueloop.net<mailto:gerd...@blueloop.net>>
Sent: Wednesday, December 18, 2024 11:02 AM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: Re: Question about callback URL with SAML configuration

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.

Harry

The <Context ... line will make Guacamole listen on the URL / instead of 
/guacamole on Tomcat.  Put it in the gap between <Host and <Valve in your 
configuration.

Change your Apache config to:

<Location />
Order allow,deny
Allow from all
ProxyPass http://localhost:8080/<http://localhost:8080/guacamole/> 
flushpackets=on
ProxyPassReverse http://localhost:8080/<http://localhost:8080/guacamole/>
</Location>

Also you will need to account for the web sockets.  I use nginx for the reverse 
proxy.  That document you listed is the source I used originally and it gets 
you to add a second Location for Apache.  Yours would now be something like:

<Location /websocket-tunnel>
Order allow,deny
Allow from all
ProxyPass ws://localhost:8080/websocket-tunnel
ProxyPassReverse ws://localhost:8080/websocket-tunnel
</Location>

Cheers
Jon



On Wed, 2024-12-18 at 15:50 +0000, Devine, Harry (FAA) wrote:
This is what I have in server.xml now (I just added the Valve section within 
the last half hour based on an article I found 
here:https://guacamole.apache.org/doc/gug/reverse-proxy.html):

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127.0.0.1"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />

It didn’t make much of a difference.  But what do I need to change for the 
Apache ProxyPass lines in forward.conf?  I also see some references to the 
WebSocket Tunnel, which I don’t have in Apache at the moment.  Do I need that 
part also?

Thanks,
Harry

From: Jon Gerdes <gerd...@blueloop.net<mailto:gerd...@blueloop.net>>
Sent: Wednesday, December 18, 2024 10:46 AM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: Re: Question about callback URL with SAML configuration

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.

Harry

I had a similar issue recently.  I "fixed" that by making the Guacamole WAR the 
root of the Tomcat server.  Add a Context section similar to this:


<Host name="localhost"  appBase="webapps"

            unpackWARs="true" autoDeploy="true">



        <Context path="" docBase="guacamole" debug="0" 
reloadable="true"></Context>



inside the Tomcat server.xml and restart it.  You will also need to change the 
ProxyPass lines in Apache.

Cheers
Jon



On Wed, 2024-12-18 at 14:02 +0000, Devine, Harry (FAA) wrote:
Also, I am doing a ProxyPass to proxy the traffic through Apache to the 
Guacamole backend on 8080:

<Location />
    Order allow,deny
    Allow from all
    ProxyPass http://localhost:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://localhost:8080/guacamole/
</Location>

Not sure how this plays into things.  But when I sign into the SAML with my 
smart card, that works, and the redirect back just keeps sending me back to the 
Okta MFA page, which detects I’m already logged in, and redirects back to 
Guacamole, and the cycle continues for a while until the 429 Too Many Requests 
comes across.

Thanks,
Harry

From: Devine, Harry (FAA) 
<harry.dev...@faa.gov.INVALID<mailto:harry.dev...@faa.gov.INVALID>>
Sent: Tuesday, December 17, 2024 3:26 PM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: RE: Question about callback URL with SAML configuration

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.

I’m not really getting any errors in the Tomcat logs or /var/log/messages.  I 
eventually just get a 429 Too Many Redirects error.  And the callback I’m 
referring too is what we need to put into the saml-callback-url propery in 
/etc/guacamole/guacamole.properties.  Currently, we have the server name itself 
(https://<server<https://%3cserver>>).  I’m assuming that needs to be something 
different.

Thanks,
Harry

From: Nick Couchman <vn...@apache.org<mailto:vn...@apache.org>>
Sent: Tuesday, December 17, 2024 3:20 PM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: Re: Question about callback URL with SAML configuration

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.

On Tue, Dec 17, 2024 at 3:13 PM Devine, Harry (FAA) 
<harry.dev...@faa.gov.invalid<mailto:harry.dev...@faa.gov.invalid>> wrote:


We are on Guacamole 1.5.4 at the moment, and we have a mandate to implement 
MFA.  We have been working with our IT department and using a test Guacamole 
server for the configuration testing.  We were initially trying OpenID but we 
kept getting an invalid response_type value.  So they suggested SAML, which we 
implemented and proved that we could log in.  However, we do get an error from 
Guacamole because the MFA doesn’t seem to know how to return the response back 
to our Guacamole server.


What error are you seeing? And what messages are you getting in the logs?

So, my question is: how to I implement or configure the Callback URL on our 
Guacamole server so the response that comes back can be retrieved?


Are you talking about the callback URL in the Guacamole configuration, or one 
specific to the SAML IdP?

-Nick