Re: saml-group-attribute

2021-04-16 Thread Nick Couchman
On Fri, Apr 16, 2021 at 12:09 PM Simon Müller wrote:

> This has helped me a lot, finally I can get my users mapped to groups. I
> just used Group instead of Role but the important part is to fill
> "saml-group-attribute" with the full URL. Thanks a lot!
>
> Btw, is there any table of which claims my IdP would have to provide in order
> to fill the fields for my user's email address, organization, full name and
> so forth?
>
>
Not at present, no - it does not support passing through that information.

-Nick


RE: saml-group-attribute

2021-04-16 Thread Simon Müller
This has helped me a lot, finally I can get my users mapped to groups. I just
used Group instead of Role but the important part is to fill
"saml-group-attribute" with the full URL. Thanks a lot!

Btw, is there any table of which claims my IdP would have to provide in order
to fill the fields for my user's email address, organization, full name and
so forth?






RE: saml-group-attribute

2021-01-11 Thread Michael Taylor
Hi Nick,

Thanks for your very speedy response. You are correct.

I've changed some of the claims around in MS ADFS and I'm now successfully using 
"http://schemas.xmlsoap.org/claims/Role" as the saml-group-attribute to map my 
groups.

Thanks again!

Cheers

Michael


Michael Taylor | Senior Cyber Security Professional
t +44 1522 502086
mtay...@mass.co.uk
From: Nick Couchman 
Sent: 08 January 2021 19:03
To: user@guacamole.apache.org
Subject: Re: saml-group-attribute




On Fri, Jan 8, 2021 at 4:37 AM Michael Taylor <m...@michael-taylor.net> wrote:
The Guacamole SAML extension appears to support group mapping but I can't get 
this to work. SAML authentication itself is working.

I have set the saml-group-attribute to: Group in guacamole.properties

Within the SAMLResponse I see that groups are being correctly passed:

  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>mtaylor</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>Domain Users</AttributeValue>
    <AttributeValue>IT</AttributeValue>
  </Attribute>


My initial thought is that "saml-group-attribute: Group" is not matching to 
"http://schemas.xmlsoap.org/claims/Group" - that is, you should either specify:

saml-group-attribute: http://schemas.xmlsoap.org/claims/Group

in guacamole.properties, or the attribute should be returned as:

...

from SAML. I don't think those items are matching up.

-Nick




Re: saml-group-attribute

2021-01-08 Thread Nick Couchman
On Fri, Jan 8, 2021 at 4:37 AM Michael Taylor  wrote:

> The Guacamole SAML extension appears to support group mapping but I can't
> get this to work. SAML authentication itself is working.
>
>
>
> I have set the saml-group-attribute to: Group in guacamole.properties
>
>
>
> Within the SAMLResponse I see that groups are being correctly passed:
>
> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
>   <AttributeValue>mtaylor</AttributeValue>
> </Attribute>
> <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
>   <AttributeValue>Domain Users</AttributeValue>
>   <AttributeValue>IT</AttributeValue>
> </Attribute>
>
>
My initial thought is that "saml-group-attribute: Group" is not matching to
"http://schemas.xmlsoap.org/claims/Group" - that is, you should either
specify:

saml-group-attribute: http://schemas.xmlsoap.org/claims/Group

in guacamole.properties, or the attribute should be returned as:


...


from SAML. I don't think those items are matching up.

-Nick
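The mismatch Nick describes, worked through on a constructed assertion. This is an added example, not code from the thread or from the Guacamole project: it assumes the extension looks the configured saml-group-attribute up by exact attribute Name (a hypothetical stand-in), and the sample XML is constructed to mirror the AttributeStatement Michael quoted.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP capture), shaped like the
# AttributeStatement quoted in the thread: ADFS returns the group claim
# under a full URI, not the short name "Group".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>mtaylor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>IT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Map each Attribute's Name to its list of AttributeValue strings."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def groups_for(attrs, group_attribute):
    """Exact-Name lookup of the configured saml-group-attribute (hypothetical
    stand-in for the extension's own lookup); [] when nothing matches."""
    return attrs.get(group_attribute, [])


def suggest_group_attribute(attrs, group_attribute):
    """Troubleshooting aid: when the exact lookup fails, list attribute Names
    whose last URI path segment equals the configured value, so a short
    'Group' points at the full 'http://.../claims/Group' the IdP actually sent."""
    wanted = group_attribute.lower()
    return sorted(name for name in attrs
                  if name != group_attribute
                  and name.rsplit("/", 1)[-1].lower() == wanted)


if __name__ == "__main__":
    attrs = saml_attributes(SAMPLE_ASSERTION)
    print(groups_for(attrs, "Group"))               # [] - short name does not match
    print(suggest_group_attribute(attrs, "Group"))  # ['http://schemas.xmlsoap.org/claims/Group']
    print(groups_for(attrs, "http://schemas.xmlsoap.org/claims/Group"))  # ['Domain Users', 'IT']
```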


Re: SAML Group Attribute

2020-11-13 Thread Tyler Marcotte
Thanks Nick - I got it to work after inspecting the claims. You were right,
I had to increase the logging in the logback.xml.

For reference for anyone else, this is how it worked for me:

saml-group-attribute: companyname

matches this claim:
Nov 13 21:19:30 localhost tomcat9[10242]: 21:19:30.652
[http-nio-8080-exec-10] DEBUG c.onelogin.saml2.authn.SamlResponse -
SAMLResponse has attributes: {...,  companyname=[MyCompany], ... }

I added a group in Guacamole called 'MyCompany' and now my SAML users are
automatically added to that group.

On Fri, Nov 13, 2020 at 2:06 PM Nick Couchman  wrote:

> On Fri, Nov 13, 2020 at 1:59 PM Tyler Marcotte 
> wrote:
>
>> Hi there,
>>
>> I've successfully enabled SAML auth against our Azure AD infrastructure.
>> One thing that I'm trying to figure out though is how to use the
>> 'saml-group-attribute' value. From reading the description in the docs, it
>> looks like I should be able to assign group membership based off a SAML
>> response.
>>
>>
> Yes, this *should* work, but, I wrote the SAML extension, so it's quite
> possible that there's a bug/mistake there :-).
>
>
>> Assuming that's correct, I'm trying to look into the SAML response from
>> the server, but I don't see the SAML Debug logs in the syslog directory or
>> the catalina.out file.
>>
>> Is there additional debug I need to enable so I can see what the idp is
>> providing back to guacamole?
>>
>>
> Possibly so - you may need to turn up debug logging for the web app as a
> whole in logback.xml:
>
>
> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
>
> -Nick
>
>>


Re: SAML Group Attribute

2020-11-13 Thread Nick Couchman
On Fri, Nov 13, 2020 at 1:59 PM Tyler Marcotte  wrote:

> Hi there,
>
> I've successfully enabled SAML auth against our Azure AD infrastructure.
> One thing that I'm trying to figure out though is how to use the
> 'saml-group-attribute' value. From reading the description in the docs, it
> looks like I should be able to assign group membership based off a SAML
> response.
>
>
Yes, this *should* work, but, I wrote the SAML extension, so it's quite
possible that there's a bug/mistake there :-).


> Assuming that's correct, I'm trying to look into the SAML response from
> the server, but I don't see the SAML Debug logs in the syslog directory or
> the catalina.out file.
>
> Is there additional debug I need to enable so I can see what the idp is
> providing back to guacamole?
>
>
Possibly so - you may need to turn up debug logging for the web app as a
whole in logback.xml:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

-Nick