Hi Nick, Thanks for the response. The only issue I seem to be having with just using SAML is that when I have an RDP connection for a shared server, and have SFTP also configured for the file transfers, the connection hangs and does not ask for the password for the SFTP connection. If I disable the SFTP the RDP session asks for the password and connects fine. Am I doing something wrong, or is there a way I can provide “some sort of way that a user can enter and store the password for the remainder of the session”? Sorry if I am missing something obvious.
Thanks again,
Cale

From: Nick Couchman <[email protected]>
Sent: August 6, 2025 16:32
To: [email protected]
Subject: Re: SAML and LDAP together?

On Wed, Aug 6, 2025 at 8:59 AM Cale Fairchild <[email protected]> wrote:

Greetings, I am a new user and have spent considerable time searching the manual and mailing list archives, so I apologize if I have missed the answer to this. I am migrating a 1.3.0 Guacamole installation to 1.6.0 and we are interested in the SAML feature to provide a consistent MFA experience to our users. However, since there appears to be no defined ${GUAC_PASSWORD} at the end of that process (which makes sense), we would have to redefine all of our connections, and there seem to be issues with RDP with SFTP for file transfer (the connection just hangs instead of prompting for a password). Also, I have the group names coming back in the claim but they don't seem to be recognized (the group-based connections are not visible to the user). So my question is whether you can force the LDAP login to happen after the SAML authentication? Essentially we are not as worried about the SSO as just introducing a familiar MFA mechanism to the users, who would then still log in to Guacamole through LDAP (preferably just prompting for the password to avoid them changing usernames between the two stages). This would enable us to upgrade the current database and for the user experience to remain mostly unchanged through the upgrade.

This is, indeed, an oft-asked question - probably worthy of an entry in our FAQ. There are a couple of limitations to the way that the LDAP module "stacks" with other modules:

* In cases, like yours, where another module may authenticate the user first, the LDAP module will never be tried, because the login has already succeeded.

And, to answer your second question, no, there is no way to force the LDAP login to happen after the SAML login - you could force the LDAP login to happen first, but then SAML will never be processed, because the LDAP login will succeed. Since each one of those modules will ultimately fully succeed (and won't throw any sort of an error that "more credentials are required" - we call it an InsufficientCredentialsException), there's no way to currently do what you're asking to do. That said, I'm not really sure that forcing one or the other is really the way to go - I suspect you'd be much better off just accepting the SAML authentication and then having some sort of way that a user can enter and store the password for the remainder of the session?

* In cases where you want to store connection information in LDAP but authenticate users through another method (SAML or another SSO provider), this also causes problems, because the search of the LDAP tree happens as the LDAP user who logs in, and, if there's no username and/or password provided for LDAP to log in, the LDAP tree does not get searched. I don't think this is your scenario - it seems you are storing your connections in the JDBC module and not LDAP, but I thought it worth mentioning.

-Nick
