I had one of my users test that after setting mysql-user-required: true in guacamole.properties. When he logs in with SAML, he is successfully authenticated. However, since he doesn't have a user in the MySQL database, he gets redirected back to the login page. So I believe that is working, but is there a way to notify a user when they don't have an account? Our test user was confused as to why they got sent back to the login screen and kept hitting the "Sign in with SAML" link, so he was in a loop until I explained what was happening.
Thanks,
Harry

-----Original Message-----
From: Michael Jumper <[email protected]>
Sent: Friday, December 20, 2024 2:53 PM
To: [email protected]
Subject: Re: Question about callback URL with SAML configuration

On 12/18/24 12:20 PM, Devine, Harry (FAA) wrote:
> OK, our Okta team had to make some changes on their end to send the
> data back properly. So now I can get in using our smart card
> authentication. But this leads to 2 questions/issues that I still
> need help with:
>
> 1. How can I by-pass the SAML authentication to be able to log in as
> the guacadmin user?

You can configure things to present a login UI, with SAML being an option:

https://guacamole.apache.org/doc/gug/saml-auth.html#presenting-unauthenticated-users-with-a-login-screen

The default is otherwise to redirect all users to the SAML IdP.

> 2. I had a user try to log in, and he did successfully. But he doesn’t
> have a user account in the internal MySQL database, so why wouldn’t
> that be rejected? He has no permissions and can’t assign his user
> to any connections, but I was thinking that there should’ve been
> some sort of block.
>

Nope, it's perfectly legitimate for a user to come purely through SSO, LDAP, or similar and have no associated record in the database at all. It's common to configure such users to inherit connection access rights through group memberships.

If you want to require all users to have an account in your database, there is an option for that:

https://guacamole.apache.org/doc/gug/jdbc-auth.html#restricting-authentication-to-database-users-only

- Mike
