Thanks!  Actually, your last comment is what I think we are deciding to go with. 
 One of the admins on a system we’re getting ready to implement SAML on had 
that question, and as we hashed it out, we realized that they are set as 
Administrator already, so they will have the same ability.  So I think we’re 
good.

And I know of the branding as I use that currently to provide our mandated 
warning banner on the login screen.  But bypassing the login screen and going 
direct to the SAML provider would be easier.  I would just make sure that our 
admins are set as Admins in Guacamole before the switch so the local guacadmin 
login shouldn’t be necessary.

Thanks,
Harry

From: Nick Couchman <[email protected]>
Sent: Tuesday, January 7, 2025 1:45 PM
To: [email protected]
Subject: Re: Question about SAML and Local admin access

On Tue, Jan 7, 2025 at 1:27 PM Devine, Harry (FAA) 
<[email protected]> wrote:
We are switching over to using SAML for logins.  However, for those occasions 
when I need to log in as the guacadmin user, how can I have SAML be the first 
choice, and the local login be secondary?  Is it just the extension-priority 
order?  Right now, I have:

extension-priority: *, saml


This is the correct way to enable the login screen and have the "Sign in with: 
SAML" link appear.

And that gives me the login screen as normal, and the “Sign in with: SAML” at 
the bottom left.  What I’d like is to have the “Sign in with: SAML” a little 
more prevalent, with the local login available as a fallback.


If you need to change this to be more prevalent, you can use the "branding" 
functionality to change the style of that section/link. There is documentation 
for this, here:

https://guacamole.apache.org/doc/gug/guacamole-ext.html

as well as an example, here:

https://github.com/apache/guacamole-client/tree/main/doc/guacamole-branding-example

Basically you'd just need to find the HTML elements for that link and either 
add overriding style sheets or HTML annotations to update or replace that HTML 
with whatever design you'd like.

The other option you have is to use the IdP as the "front page" for the 
Guacamole login when using SAML, basically providing users with a link that 
takes them to the IdP, first, which then redirects to the appropriate Guacamole 
URL after logging the users in to the SAML IdP. In practice, in my day job, we 
use the "myapps.microsoft.com" page as a single 
point of reference for our SAML applications, and users can click on the links, 
there, to be logged into those applications using SAML credentials. If you're 
already pointing your users to a central SSO page or deploying a bookmark, you 
could use this route, effectively bypassing the Guacamole login page 
altogether, except for those users who need to log in with local credentials.

One final note - you can make your SAML account an admin account by logging in 
with the guacadmin account and adding "System Admin" permissions for the 
user(s) who need to administer the system. This should limit the amount of 
logging in you need to do under the "guacadmin" account, unless you have some 
reason you don't want to provide this admin access to SAML accounts.

-Nick
