[ https://issues.apache.org/jira/browse/GUACAMOLE-1603?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17539129#comment-17539129 ]

Mike Jumper commented on GUACAMOLE-1603:
----------------------------------------

While it's true that this isn't a bug per se, I think we need to look into 
whether there is something missing from the docs. Following 1.4.0, SAML 
validation issues have been frequent on the mailing list, and they have 
generally all boiled down to missing reverse proxy headers.

It may be that our proxying docs are out-of-date, or that the SAML docs need an 
additional note, or both.

> guacamole SAML 1.4 authentication loop
> --------------------------------------
>
>                 Key: GUACAMOLE-1603
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1603
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-saml
>    Affects Versions: 1.4.0
>            Reporter: Sid Bose
>            Priority: Major
>
> I have a working setup with ms app proxy in front end internet facing and 
> guacamole with SAML ext of 1.3 with below guacamole.properties file.
>     # Available as "Login URL" from the Azure Active Directory Console
>     saml-idp-metadata-url: file:///etc/guacamole/metadata.xml
>     
>     # The Entity ID you assigned to this application
>     saml-entity-id: https://example.privatedomain.com
>     
>     # The redirect URL
>     saml-callback-url: https://example-public.msappproxy.net/
>     
>     saml-debug: true
> Now when you use https://example-public.msappproxy.net/ it redirects to azure 
> for authentication and then redirects to guacamole but in the browser the URI 
> remains as 
> "https://example-public.msappproxy.net/#/?responseHash=E666C2CD34669C06776889QCJKADTAOIUD8A763FD0B77F"
>  
> But with SAML 1.4 this setup ends up in loop from ms to guacamole and back.
> MS App proxy setup is exactly the same. Are there any additional config 
> required at guacamole or MS end?
> NOTE: Just a brief MS app proxy has got both reply URI set 
> "https://example.privatedomain.com" and 
> "https://example-public.msappproxy.net/" but the MS app proxy one as default.
> Below is the error in guacamole logs for 1.4
>     ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at https://example.privatedomain.com/api/ext/saml/callback instead of https://example-public.msappproxy.net/api/ext/saml/callback
>  



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
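
A simplified model of the destination check behind the logged error, added here as an illustration; it is not Guacamole's or the OneLogin toolkit's code. The `X-Forwarded-Host`/`X-Forwarded-Proto` header names, the proxy address, the single proxy hop and all function names are assumptions.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/ext/saml/callback"   # path shown in the logged error
TRUSTED_PROXIES = {"10.0.0.5"}             # constructed address of the reverse proxy

def received_url(headers, peer_ip, conn_scheme="https"):
    """URL the application believes the SAML response arrived at."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    scheme, host = conn_scheme, h.get("host", "")
    # Forwarded headers are honoured only when the TCP peer is a known proxy;
    # otherwise any client could choose the URL the check is made against.
    if peer_ip in TRUSTED_PROXIES:
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", host)
    return f"{scheme}://{host}{CALLBACK_PATH}"

def _key(url):
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path)

def check_destination(callback_url, headers, peer_ip):
    """Return (ok, error); error mirrors the wording of the logged message."""
    expected = callback_url.rstrip("/") + CALLBACK_PATH
    received = received_url(headers, peer_ip)
    if _key(received) == _key(expected):
        return True, None
    return False, f"The response was received at {received} instead of {expected}"

# Constructed requests, using the host names from the report.
CALLBACK_URL = "https://example-public.msappproxy.net/"   # saml-callback-url
DIRECT = {"Host": "example.privatedomain.com"}            # proxy rewrote Host only
FORWARDED = {"Host": "example.privatedomain.com",
             "X-Forwarded-Host": "example-public.msappproxy.net",
             "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for name, hdrs, peer in [("no forwarded headers", DIRECT, "10.0.0.5"),
                             ("forwarded, trusted proxy", FORWARDED, "10.0.0.5"),
                             ("forwarded, unknown peer", FORWARDED, "203.0.113.9")]:
        print(name, "->", check_destination(CALLBACK_URL, hdrs, peer))
```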
