[ https://issues.apache.org/jira/browse/GUACAMOLE-2224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Trevor Kuhlengel updated GUACAMOLE-2224:
----------------------------------------
Attachment:
guacamole-auth-jdbc_add_method_to_expand_effective_user_groups.patch
> SAML-authenticated users cannot see connections inherited through parent
> group membership
> -----------------------------------------------------------------------------------------
>
> Key: GUACAMOLE-2224
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2224
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-jdbc, guacamole-auth-sso-saml
> Affects Versions: 1.6.0
> Environment: - OS: Ubuntu 24.04
> - Guacamole version: 1.6.0
> - Authentication: SAML (Azure AD as IdP) + guacamole-auth-jdbc-mysql
> - Database: MySQL 8.0
> - Java: 21
> Reporter: Trevor Kuhlengel
> Priority: Major
> Attachments:
> guacamole-auth-jdbc_add_method_to_expand_effective_user_groups.patch
>
>
> h2. Summary
> When a user authenticates via SAML SSO, group membership claims from the
> identity provider (e.g. Azure AD) are matched against group names in the
> Guacamole database. If the matched group is a *child* of one or more parent
> groups in the database, the user can only see connections and connection
> groups that are granted directly to that child group. Connections and
> connection groups granted to any *ancestor* group in the hierarchy are
> invisible to the user, even though database-native users who are members of
> the same child group see the full inherited permission set.
> h2. Steps to Reproduce
> # Configure Guacamole with the SAML SSO extension and a JDBC
> (MySQL/PostgreSQL) authentication extension.
> # In the database, create a group hierarchy, e.g.:
> ## {{parent-group}} (has READ permission on a set of connections)
> ### {{child-group}} (member of {{parent-group}}) with a name matching the
> SAML group claim asserted by the IdP (sometimes the UUID of the group in the
> IdP, sometimes a friendly name depending on configuration).
> # In the identity provider, configure a group claim that asserts the user is
> a member of {{child-group}}.
> # Log in as a SAML-authenticated user who receives the {{child-group}} claim.
> *Expected:* The user sees all connections and connection groups that
> {{parent-group}} has READ permission on, because {{child-group}} inherits
> those permissions through group membership.
> *Actual:* The user sees no connections. Only connections granted directly to
> {{child-group}} (with no parent group involved) are visible.
> h2. Additional Context
> * Database-native users who are manually added as members of {{child-group}}
> via the Guacamole admin UI see the full inherited permission set correctly.
> * The issue is specific to externally-asserted group memberships via SAML —
> groups that are assigned to a user by an SSO provider rather than through a
> direct database membership record.
> * The user's effective group set as reported by the SAML extension contains
> only the raw claim identifier(s), with no expansion to include ancestor
> groups.
> * The problem manifests in all permission-guarded queries that control the
> connection tree display (what appears in the home screen connection list),
> even when the user may have other permissions that indicate their groups are
> being partially resolved.
> * No error is shown to the user; the home screen simply presents an empty
> connection list.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
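The following is an added illustration of the behaviour the report describes; it is not code from the Guacamole project or from the attached patch. It models a group hierarchy in memory (the group names parent-group and child-group are taken from the report; grandparent-group, unrelated-group, the connection names and the helper functions are constructed for this example) and contrasts the visible connection set computed from the raw SAML claim alone with the set computed after expanding the claim to every ancestor group. The expansion walks the child-to-parent relation breadth-first with a visited set, so it also handles multi-level and cyclic memberships, which the report's two-level example does not exercise.

```python
"""Effective-group expansion for externally asserted group claims.

Added example (not Guacamole's own code). The group hierarchy, READ grants
and helper names below are constructed to illustrate GUACAMOLE-2224.
"""
from collections import deque

# Constructed hierarchy: group -> set of groups it is a direct member of.
# A group may belong to several parents, and the chain may be several deep.
GROUP_PARENTS = {
    "child-group": {"parent-group"},
    "parent-group": {"grandparent-group"},
    "grandparent-group": set(),
    "unrelated-group": set(),
}

# Constructed READ grants: group -> connections that group may see.
CONNECTION_READ = {
    "grandparent-group": {"bastion"},
    "parent-group": {"web-01", "web-02"},
    "child-group": set(),
    "unrelated-group": {"secret-box"},
}


def expand_effective_groups(asserted, parents):
    """Return the asserted groups plus every ancestor group.

    `parents` maps a group name to the groups it is directly a member of.
    The traversal is breadth-first with a visited set, so a membership
    cycle (A in B, B in A) terminates instead of looping forever. A claim
    that names no known group is kept as-is, exactly as a raw claim would
    be, but contributes no ancestors.
    """
    effective = set()
    queue = deque(asserted)
    while queue:
        group = queue.popleft()
        if group in effective:
            continue
        effective.add(group)
        queue.extend(parents.get(group, ()))
    return effective


def visible_connections(groups, grants):
    """Union of READ grants across the given group set."""
    visible = set()
    for group in groups:
        visible |= grants.get(group, set())
    return visible


def connections_for_claims(asserted, expand=True):
    """Connections a SAML-authenticated user with these group claims sees.

    expand=False reproduces the reported behaviour (raw claims only);
    expand=True applies the ancestor expansion before checking grants.
    """
    if expand:
        groups = expand_effective_groups(asserted, GROUP_PARENTS)
    else:
        groups = set(asserted)
    return visible_connections(groups, CONNECTION_READ)


if __name__ == "__main__":
    claims = {"child-group"}
    print("raw claim only :", sorted(connections_for_claims(claims, expand=False)))
    print("with ancestors :", sorted(connections_for_claims(claims)))
```

With the constructed data, the raw-claim path yields an empty set, matching the "Actual" result in the report, while the expanded path yields the connections granted to parent-group and grandparent-group and still excludes those granted to unrelated-group, which is the "Expected" result.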