RE: saml-group-attribute

2021-04-16 Thread Simon Müller
This has helped me a lot; finally I can get my users mapped to groups. I just
used Group instead of Role, but the important part is to fill
"saml-group-attribute" with the full URL. Thanks a lot!

Btw, is there any table showing which claims my IdP would have to provide in
order to fill the fields for my user's email address, organization, full name
and so forth?



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
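
The message above reports that group mapping only worked once "saml-group-attribute" held the full claim URL rather than a short name. The following is an added example, not code from the thread or from the Guacamole project: it decodes a base64 SAMLResponse, lists the attribute names the IdP actually sent, and checks a configured value against them. The sample response, group names and function names are constructed, and it assumes the SP looks the attribute up by its exact Name.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an attribute statement as an IdP might send it (not from the thread).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>guac-admins</saml:AttributeValue>
        <saml:AttributeValue>guac-users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attributes_from_response(b64_response):
    """Return {attribute Name: [values]} from a base64 SAMLResponse (HTTP-POST binding)."""
    # Diagnostic only: no signature check. Parse untrusted XML with defusedxml instead.
    root = ET.fromstring(base64.b64decode(b64_response))
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def check_group_attribute(b64_response, configured_name):
    """Report whether the configured saml-group-attribute value matches a Name exactly."""
    attrs = attributes_from_response(b64_response)
    if configured_name in attrs:
        return {"match": True, "groups": attrs[configured_name], "candidates": []}
    # No exact match: suggest attributes whose Name merely ends with the short name.
    tail = "/" + configured_name.lower()
    candidates = [n for n in attrs if n.lower().endswith(tail)]
    return {"match": False, "groups": [], "candidates": candidates}


if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE_RESPONSE.encode())
    for name in ("Group", "http://schemas.xmlsoap.org/claims/Group"):
        print(name, "->", check_group_attribute(encoded, name))
```

Run it against a SAMLResponse captured from your own IdP to read off the exact attribute Name to put in guacamole.properties.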



Re: SAML SP Metadata

2021-04-16 Thread Simon Müller
You do not necessarily provide SP Metadata to your IdP; it's optional. If you
really have to implement this, you need to create the metadata.xml and make
it (publicly) available to your IdP.
The important part is that you can reach your IdP's metadata.xml, and this
URL has to be entered as value for the "saml-idp-metadata-url" key.

The parameter to only accept signed SamlResponses is "saml-strict: true" in
your guacamole.properties file; it's up to the SP to decide if it accepts
signed or unsigned responses from the IdP.

As ACS URL you can tell your IdP to use the FQDN of Guacamole like a user
accessing your guacamole instance would type it.


Regards,
Simon Müller






RE: [EXTERNAL] Re: SAML Authentication Extension Group Membership

2020-10-20 Thread Simon Müller
Hey there,

I am also trying to find a solution for this topic.

Thanks to you, Ariel, I have successfully achieved logging in by
transforming the claim in my IdP (ADFS) to Name Id - Format "Email-Address".
Now I am struggling with the fact that for every user logging in, I would
have to add them manually to a group and also add every connection to every
group manually.

That's where saml-group-attribute could come in handy... So I configured
"Send group membership as claim" as an additional claim issuance rule and
the debug messages look promising so far:



In my guacamole.properties, I explicitly set "saml-group-attribute: Group".

Of course I created this particular group beforehand in my guacamole-server,
currently backed by mysql.
It seems the attributes are not honored at all. It would be really great if
I could fill a minimum of attributes like "Full Name", "E-Mail",
"Organization", "Department".

Another question that arises: How can I still use the REST API with the
saml-auth enabled? In Jira I read something about the idea to provide an
extra button for the SSO authentication so that you can still login with
local users. Is there any intel when and if this will be possible in the
future?

PS: Logging out currently is not possible at all, am I right? But that is my
least concern. ;)


