Hello Harry,
This is more informational than a fix for your SAML issue; hope this helps.
Have you tried:
# Proxy all requests to the Guacamole server
# (ProxyPass takes a literal URL-path prefix; a glob such as */guacamole* never matches)
ProxyPass /guacamole http://localhost:8080/guacamole
ProxyPassReverse /guacamole http://localhost:8080/guacamole
Or
# Proxy all requests to the Guacamole server, serving it at the web root
ProxyPass / http://localhost:8080/guacamole/
ProxyPassReverse / http://localhost:8080/guacamole/
You can also rename the .war or create a symlink in the tomcat9 webapps directory;
the webapp name also changes the path in https://url/<here>.
You will need to take this one step further, as the federal mandates
will require FIPS 140-2(3); you can get this done with OpenSSL 3.x. You
will also need to make sure that local SSH is using MFA; this can be done
with Google's module or PAM.
*TLS 1.2: This will force AES256 over TCP/IP*
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256 (phased out in 2030)
ECDHE-RSA-AES128-GCM-SHA256 (phased out in 2030)
*Alternate Ciphers for TLS 1.2:*
EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES256:EECDH+AES128
*TLS 1.3: No need to specify ciphers explicitly, as they are predefined.
Keep in mind that some federal departments still only support TLS 1.2.*
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256 (phased out in 2030)
*Additional Security Measures*
* *Certificate:* Use a certificate with at least 2048-bit RSA or an ECDSA certificate with a 256-bit key.
* *OCSP Stapling:* Ensures efficient certificate status verification.
* *HSTS:* Enforces HTTPS across your domain.
* *Key Exchange:* Prefer Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) for forward secrecy.
*SSH:* Strong Ciphers
*Ciphers* [email protected],[email protected],aes256-ctr
*MACs*
[email protected],[email protected],[email protected]
*KexAlgorithms*
curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha256
I only mention this so you have a heads-up in your configuration, as FIPS
can break updates and some functional capabilities in Guacamole.
*Thank You*
Sean Hulbert
*Security Centric Inc.*
A Cybersecurity Virtualization Enablement Company
/StormCloud Gov, Protected CUI Environment!/
Industry's most secure CMMC/iTAR virtual desktops!
*/FedRAMP MIL4 in process (RAR)/*
System Award Management
*CAGE: 8AUV4*
*SAM ID: UMJLJ8A7BMT3*
AFCEA San Francisco Chapter President
If you have heard of a hacker by name, he/she has failed; fear the
hacker you haven't heard of!
igitur qui desiderat pacem, praeparet bellum!!! (Therefore, let him who desires peace prepare for war!!!)
Epitoma Rei Militaris
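The cipher-string advice above is easy to get subtly wrong, because an OpenSSL cipher string is expanded by the library, not taken literally. The following added example (my own code, not from the thread or the Guacamole project; it uses only Python's standard ssl module and the two cipher strings quoted above) expands a string offline, exactly as Apache's SSLCipherSuite or nginx's ssl_ciphers would, and classifies what actually ends up enabled. It shows two things the list above does not: TLS 1.3 suites stay enabled regardless of the string, and the "alternate" string's EECDH+AES256 / EECDH+AES128 entries pull in CBC suites (ECDHE-RSA-AES256-SHA384 and friends) that are neither AEAD nor in the hand-picked list.

```python
"""Audit an OpenSSL cipher string offline, the way a reverse proxy in front of
Guacamole (Apache SSLCipherSuite, nginx ssl_ciphers) would apply it.

Added example, not code from the original thread or from the Guacamole
project. Only Python's standard ``ssl`` module is used; the cipher strings
are the ones quoted in the thread."""
import ssl

# TLS 1.3 suites are fixed by the library and unaffected by the TLS 1.2 cipher string.
HAS_TLS13 = ssl.HAS_TLSv1_3


def enabled_ciphers(cipher_string):
    """Return the ordered cipher list OpenSSL derives from a TLS 1.2-style
    cipher string, with TLS 1.2 as the floor (matching a hardened proxy)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit(cipher_string):
    """Classify every enabled cipher.

    tls13: the TLS 1.3 suites OpenSSL keeps regardless of the string
    ok:    TLS 1.2 suites with ephemeral ECDH key exchange and AEAD
    weak:  TLS 1.2 suites failing either property (e.g. CBC-mode suites)
    """
    report = {"tls13": [], "ok": [], "weak": []}
    for c in enabled_ciphers(cipher_string):
        if c["protocol"] == "TLSv1.3":
            report["tls13"].append(c["name"])
        elif c["kea"] == "kx-ecdhe" and c["aead"]:
            report["ok"].append(c["name"])
        else:
            report["weak"].append(c["name"])
    return report


# Strings from the thread. The "alternate" one adds EECDH+AES256 and
# EECDH+AES128, which also match the CBC suites (ECDHE-RSA-AES256-SHA384 and
# friends), so it is weaker than the first four entries in the thread's list.
STRICT = "EECDH+AESGCM:EECDH+CHACHA20"
ALTERNATE = "EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES256:EECDH+AES128"


def weak_suites_added_by(alternate=ALTERNATE, strict=STRICT):
    """Suites the looser string enables that the strict one does not."""
    return sorted(set(audit(alternate)["weak"]) - set(audit(strict)["weak"]))


if __name__ == "__main__":
    for label, s in (("strict", STRICT), ("alternate", ALTERNATE)):
        r = audit(s)
        print(f"{label}: {len(r['tls13'])} TLS1.3, {len(r['ok'])} ok, {len(r['weak'])} weak")
        for name in r["weak"]:
            print("  weak:", name)
```

Run it against the exact string you intend to put in the proxy before deploying; if the "weak" list is non-empty, drop the matching keyword (or append "!SHA1:!SHA256:!SHA384" to exclude the CBC/HMAC suites) and re-run. The TLS 1.3 list is reported only so you can see it is unaffected: restricting or ordering those suites needs the separate ciphersuites directive of your proxy, not the TLS 1.2 string.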
On 12/18/2024 6:08 AM, Devine, Harry (FAA) wrote:
In the browser's Debug console, I do see an error for "tokens", and
when I click on it, the Headers show a "403 Forbidden" error for
https://<server>/api/tokens. I know I've never set that up, so I wonder
if that's something needed? But I can't find that in the docs anywhere.
Thanks,
Harry
*From:* Devine, Harry (FAA) <[email protected]>
*Sent:* Wednesday, December 18, 2024 9:03 AM
*To:* [email protected]
*Subject:* RE: Question about callback URL with SAML configuration
*CAUTION:*This email originated from outside of the Federal Aviation
Administration (FAA). Do not click on links or open attachments unless
you recognize the sender and know the content is safe.
Also, I am doing a ProxyPass to proxy the traffic through Apache to
the Guacamole backend on 8080:
<Location />
Order allow,deny
Allow from all
ProxyPass http://localhost:8080/guacamole/ flushpackets=on
ProxyPassReverse http://localhost:8080/guacamole/
</Location>
Not sure how this plays into things. But when I sign into the SAML
with my smart card, that works, and the redirect back just keeps
sending me back to the Okta MFA page, which detects I’m already logged
in, and redirects back to Guacamole, and the cycle continues for a
while until the 429 Too Many Requests comes across.
Thanks,
Harry
*From:* Devine, Harry (FAA) <[email protected]>
*Sent:* Tuesday, December 17, 2024 3:26 PM
*To:* [email protected]
*Subject:* RE: Question about callback URL with SAML configuration
I'm not really getting any errors in the Tomcat logs or
/var/log/messages. I eventually just get a 429 Too Many Redirects
error. And the callback I'm referring to is what we need to put into
the saml-callback-url property in /etc/guacamole/guacamole.properties.
Currently, we have the server name itself (https://<server>). I'm
assuming that needs to be something different.
Thanks,
Harry
*From:* Nick Couchman <[email protected]>
*Sent:* Tuesday, December 17, 2024 3:20 PM
*To:* [email protected]
*Subject:* Re: Question about callback URL with SAML configuration
On Tue, Dec 17, 2024 at 3:13 PM Devine, Harry (FAA)
<[email protected]> wrote:
We are on Guacamole 1.5.4 at the moment, and we have a mandate to
implement MFA. We have been working with our IT department and
using a test Guacamole server for the configuration testing. We
were initially trying OpenID but we kept getting an invalid
response_type value. So they suggested SAML, which we implemented
and proved that we could log in. However, we do get an error from
Guacamole because the MFA doesn’t seem to know how to return the
response back to our Guacamole server.
What error are you seeing? And what messages are you getting in the logs?
So, my question is: how do I implement or configure the Callback
URL on our Guacamole server so the response that comes back can be
retrieved?
Are you talking about the callback URL in the Guacamole configuration,
or one specific to the SAML IdP?
-Nick
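For reference, the proxy setup the thread is working toward, written out as an added example (my own, not Harry's posted config and not from the Guacamole project). The host name, certificate paths and the assumption that Tomcat listens on localhost:8080 are placeholders. Compared with the `<Location />` block quoted above, it uses Apache 2.4 access syntax and adds the WebSocket tunnel location, which a plain http:// ProxyPass does not carry; and because Guacamole is served at the web root, every path the browser or the IdP hits (the /api/tokens request from the 403 above, the SAML callback) is reached through this proxy.

```apache
# Added example: Guacamole proxied at the web root of an Apache 2.4 vhost.
# guac.example.com, the certificate paths and localhost:8080 are placeholders.
<VirtualHost *:443>
    ServerName guac.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/guac.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/guac.example.com.key

    # All HTTP traffic, including /api/tokens and the SAML callback under /api/,
    # goes to the same backend path as in the config quoted in the thread.
    <Location />
        Require all granted
        ProxyPass        http://localhost:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://localhost:8080/guacamole/
    </Location>

    # The WebSocket tunnel needs mod_proxy_wstunnel and a ws:// target;
    # without this block Guacamole silently falls back to the HTTP tunnel.
    <Location /websocket-tunnel>
        Require all granted
        ProxyPass        ws://localhost:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel
    </Location>
</VirtualHost>
```

With this layout the value of saml-callback-url in guacamole.properties is the base URL the browser uses to reach the proxy, https://guac.example.com/ in this example, rather than the backend's /guacamole/ path: the IdP posts the assertion back to that URL, and if it does not match what the proxy exposes the response never reaches the extension and the login bounces between Guacamole and the IdP. The 403 on /api/tokens in the same situation is the anonymous token request failing because no SAML assertion has been accepted yet, so it is a symptom of the loop rather than a separate endpoint that needs configuring. Check with the proxy's access log that the callback POST arrives at the expected path before changing anything else.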