Trevor Kuhlengel created GUACAMOLE-2224:
-------------------------------------------
Summary: SAML-authenticated users cannot see connections inherited
through parent group membership
Key: GUACAMOLE-2224
URL: https://issues.apache.org/jira/browse/GUACAMOLE-2224
Project: Guacamole
Issue Type: Bug
Components: guacamole-auth-jdbc, guacamole-auth-sso-saml
Affects Versions: 1.6.0
Environment: - OS: Ubuntu 24.04
- Guacamole version: 1.6.0
- Authentication: SAML (Azure AD as IdP) + guacamole-auth-jdbc-mysql
- Database: MySQL 8.0
- Java: 21
Reporter: Trevor Kuhlengel
h2. Summary
When a user authenticates via SAML SSO, group membership claims from the
identity provider (e.g. Azure AD) are matched against group names in the
Guacamole database. If the matched group is a *child* of one or more parent
groups in the database, the user can only see connections and connection groups
that are granted directly to that child group. Connections and connection
groups granted to any *ancestor* group in the hierarchy are invisible to the
user, even though database-native users who are members of the same child group
see the full inherited permission set.
h2. Steps to Reproduce
# Configure Guacamole with the SAML SSO extension and a JDBC (MySQL/PostgreSQL)
authentication extension.
# In the database, create a group hierarchy, e.g.:
## {{parent-group}} (has READ permission on a set of connections)
### {{child-group}} (member of {{parent-group}}) with a name matching the SAML
group claim asserted by the IdP (sometimes the UUID of the group in the IdP,
sometimes a friendly name depending on configuration).
# In the identity provider, configure a group claim that asserts the user is a
member of {{child-group}}.
# Log in as a SAML-authenticated user who receives the {{child-group}} claim.
*Expected:* The user sees all connections and connection groups that
{{parent-group}} has READ permission on, because {{child-group}} inherits those
permissions through group membership.
*Actual:* The user sees no connections. Only connections granted directly to
{{child-group}} (with no parent group involved) are visible.
h2. Additional Context
* Database-native users who are manually added as members of {{child-group}}
via the Guacamole admin UI see the full inherited permission set correctly.
* The issue is specific to externally-asserted group memberships via SAML —
groups that are assigned to a user by an SSO provider rather than through a
direct database membership record.
* The user's effective group set as reported by the SAML extension contains
only the raw claim identifier(s), with no expansion to include ancestor groups.
* The problem manifests in all permission-guarded queries that control the
connection tree display (what appears in the home screen connection list), even
when the user may have other permissions that indicate their groups are being
partially resolved.
* No error is shown to the user; the home screen simply presents an empty
connection list.
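The gap the report describes can be modelled directly: the effective group set must be the transitive closure of group membership, not just the raw claim. The following Python model is an added illustration, not Guacamole code; the group names and connection grants are constructed to mirror the reproduction above, and it also handles the edge cases of an unknown claim name and a membership cycle.

```python
from collections import deque

# Constructed sample hierarchy: group name -> names of its direct parent groups.
# Mirrors the report: child-group is a member of parent-group (plus one more level).
GROUP_PARENTS = {
    "child-group": {"parent-group"},
    "parent-group": {"top-group"},
    "top-group": set(),
}

# Constructed sample grants: group name -> connections it holds READ on.
GROUP_CONNECTION_READ = {
    "child-group": set(),
    "parent-group": {"conn-db", "conn-app"},
    "top-group": {"conn-bastion"},
}


def expand_ancestors(claimed, parents=GROUP_PARENTS):
    """Return the matched claim groups plus every ancestor reachable via membership.

    Breadth-first walk over the parent links; the `seen` set terminates the walk
    if the database hierarchy contains a membership cycle, and claim identifiers
    that match no database group are simply dropped.
    """
    seen = set()
    queue = deque(g for g in claimed if g in parents)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def visible_connections(groups, grants=GROUP_CONNECTION_READ):
    """Union of READ-granted connections across an effective group set."""
    visible = set()
    for g in groups:
        visible |= grants.get(g, set())
    return visible


def resolve(claimed, expand=True):
    """Connections a user sees given SAML claim groups, with or without expansion."""
    groups = expand_ancestors(claimed) if expand else {g for g in claimed if g in GROUP_PARENTS}
    return visible_connections(groups)


if __name__ == "__main__":
    print("raw claim only:", sorted(resolve(["child-group"], expand=False)))  # []
    print("with ancestors:", sorted(resolve(["child-group"], expand=True)))   # ['conn-app', 'conn-bastion', 'conn-db']
```

Running it shows the reported behaviour (empty list from the raw claim) beside the expected one (all inherited grants).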