On Tue, Jan 7, 2025 at 1:27 PM Devine, Harry (FAA) <[email protected]> wrote:
> We are switching over to using SAML for logins. However, for those
> occasions when I need to log in as the guacadmin user, how can I have SAML
> be the first choice, and the local login be secondary? Is it just the
> extension-priority order? Right now, I have:
>
> extension-priority: *, saml
>

This is the correct way to enable the login screen and have the "Sign in with: SAML" link appear.

> And that gives me the login screen as normal, and the “Sign in with: SAML”
> at the bottom left. What I’d like is to have the “Sign in with: SAML” a
> little more prevalent, with the local login available as a fallback.
>

If you need to change this to be more prevalent, you can use the "branding" functionality to change the style of that section/link. There is documentation for this, here:

https://guacamole.apache.org/doc/gug/guacamole-ext.html

as well as an example, here:

https://github.com/apache/guacamole-client/tree/main/doc/guacamole-branding-example

Basically you'd just need to find the HTML elements for that link and either add overriding style sheets or HTML annotations to update or replace that HTML with whatever design you'd like.

The other option you have is to use the IdP as the "front page" for the Guacamole login when using SAML, basically providing users with a link that takes them to the IdP, first, which then redirects to the appropriate Guacamole URL after logging the users in to the SAML IdP. In practice, in my day job, we use the "myapps.microsoft.com" page as a single point of reference for our SAML applications, and users can click on the links, there, to be logged into those applications using SAML credentials. If you're already pointing your users to a central SSO page or deploying a bookmark, you could use this route, effectively bypassing the Guacamole login page altogether, except for those users who need to log in with local credentials.

One final note - you can make your SAML account an admin account by logging in with the guacadmin account and adding "System Admin" permissions for the user(s) who need to administer the system. This should limit the amount of logging in you need to do under the "guacadmin" account, unless you have some reason you don't want to provide this admin access to SAML accounts.

-Nick
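As an added illustration of the branding route Nick describes (this is not code from the thread or from the Guacamole project), the script below packages a minimal branding extension: a .jar that is just a zip holding guac-manifest.json and one stylesheet that makes the SSO link larger and centred. The extension name, namespace and the CSS selector are assumptions; the selector in particular has to be checked against the rendered login page, exactly as the reply advises.

```python
import json
import zipfile
from pathlib import Path

# Manifest for a Guacamole branding extension. "guacamoleVersion": "*" skips
# the version check; "css" lists stylesheets the web app loads on every page.
MANIFEST = {
    "guacamoleVersion": "*",
    "name": "SAML-first login branding",        # constructed name
    "namespace": "saml-first-branding",         # constructed namespace
    "css": ["saml-first.css"],
}

# ASSUMED selector: it matches the SSO link by its href. Verify the real element
# with the browser's dev tools on the login page before deploying this.
CSS = """\
.login-ui .login-dialog a[href*="saml"] {
    display: block;
    font-size: 1.4em;
    font-weight: bold;
    text-align: center;
    margin: 1em 0;
}
"""


def build_branding_extension(out_path: str) -> str:
    """Write a .jar (plain zip) holding the manifest and the stylesheet."""
    path = Path(out_path)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("guac-manifest.json", json.dumps(MANIFEST, indent=4))
        jar.writestr("saml-first.css", CSS)
    return str(path)


def read_manifest(jar_path: str) -> dict:
    """Read guac-manifest.json back and check every listed CSS file is present."""
    with zipfile.ZipFile(jar_path) as jar:
        manifest = json.loads(jar.read("guac-manifest.json"))
        names = set(jar.namelist())
    missing = [f for f in manifest.get("css", []) if f not in names]
    if missing:
        raise ValueError(f"manifest references files not in jar: {missing}")
    return manifest


if __name__ == "__main__":
    built = build_branding_extension("saml-first-branding.jar")
    print(f"wrote {built}: {read_manifest(built)['name']}")
```

Copy the resulting .jar into GUACAMOLE_HOME/extensions and restart the web application for the stylesheet to be picked up.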
