Re: reverse proxy and SAML SSO

2022-06-30 Thread Vieri


On Thursday, June 30, 2022, 02:11:22 PM GMT+2, Lee Doughty 
 wrote: 

> It contains "guacamole" in the path because that's what Tomcat does... it 
> infers paths by the name of the file, as you see.
>
> If it's easier, you can also achieve this by setting WEBAPP_CONTEXT in the 
> environment:
> 
> https://github.com/apache/guacamole-client/blob/1.4.0/guacamole-docker/bin/start.sh#L728

Thanks, but isn't that a docker script?
I can't just SetEnv that variable to "guacamole" in Apache.

So, no matter how I look at it, it seems that the only way (if I wanted more 
than one webapp) is to configure 1 VirtualHost that reverse-proxies to different 
specific Locations, one for each webapp.

Thanks,

Vieri

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: reverse proxy and SAML SSO

2022-06-30 Thread Lee Doughty
It contains "guacamole" in the path because that's what Tomcat does... it
infers paths by the name of the file, as you see.

If it's easier, you can also achieve this by setting WEBAPP_CONTEXT in the
environment:

https://github.com/apache/guacamole-client/blob/1.4.0/guacamole-docker/bin/start.sh#L728

On Thu, Jun 30, 2022 at 7:20 AM Vieri  wrote:

> The problem seems to be with the onelogin library:
>
> java-saml/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java
>
> contains:
>
> protected void validateDestination(final Element element) throws ValidationError {
>     if (element.hasAttribute("Destination")) {
>         final String destinationUrl = element.getAttribute("Destination");
>         if (destinationUrl != null) {
>             if (destinationUrl.isEmpty()) {
>                 throw new ValidationError("The response has an empty Destination value",
>                         ValidationError.EMPTY_DESTINATION);
>             } else if (!destinationUrl.equals(currentUrl)) {
>                 throw new ValidationError("The response was received at " + currentUrl
>                         + " instead of " + destinationUrl, ValidationError.WRONG_DESTINATION);
>             }
>         }
>     }
> }
>
> Now, considering my Apache reverse proxy config and the "Destination"
> field in the SAML response here below:
>
>  Destination="https://guac.mydomain.org/api/ext/saml/callback"
>  ID="_f53e5bfaf4fae92d0cc4c602f59b8a98"
>  InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95"
>  IssueInstant="2022-06-30T06:44:57.465Z"
>  Version="2.0"
>  >
>
> I guess that's why it's "failing" because currentUrl != destinationUrl.
>
> Now, how come currentUrl is
> https://guac.mydomain.org/guacamole/api/ext/saml/callback ?
> Who is requesting that URL and why does it contain "guacamole" in the path?
> Neither the IdP nor the guacamole SP ever mention that the callback should
> be https://guac.mydomain.org/guacamole/api/ext/saml/callback.
>
>


Re: reverse proxy and SAML SSO

2022-06-30 Thread Vieri
The only way I found to fix this is to rename my guacamole.war to ROOT.war (and 
modify the Apache reverse proxy path settings accordingly).

This makes the "new-path" configuration described in the Guacamole 
documentation incomplete when using SAML SSO.

It seems that this SAML issue has already been discussed (lightly) here:

https://lists.apache.org/thread/p09kz5sch60bpcxo6g95l843mgr47sdg

However, I don't quite understand when Mike says that:

"You just need to make sure that the webapp's .war file
matches the path that you've specified when you registered the webapp
with your SAML IdP. If the path that the webapp is served at by Tomcat
doesn't match the publicly-visible path, then SAML validation will fail."

What is "the path you've specified when you registered the webapp with your 
SAML IdP"?
I sent the IdP just 2 values - the entity ID and the callback URL.
The only real URL/path is the callback URL which in my case is 
https://guac.mydomain.org/

So I guess the path here is "/", right?

Also, what does "the webapp's .war file matches the path" mean exactly?
My guacamole.war is in /var/lib/tomcat-8.5-hman/webapps and it deploys as 
/var/lib/tomcat-8.5-hman/webapps/guacamole, so does this mean that the path 
here is "/guacamole"?

So does this produce the dreaded "/" != "/guacamole" condition?

So, if I wanted to configure a reverse proxy with a virtual domain *for each* 
tomcat container/webapp how should I do that?
I do not want to configure 1 virtual domain as the root reverse proxy and from 
there deploy tomcat webapps.
I require each VirtualHost to point to a specific Tomcat webapp.

Vieri







Re: reverse proxy and SAML SSO

2022-06-30 Thread Vieri
The problem seems to be with the onelogin library:

java-saml/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

contains:

    protected void validateDestination(final Element element) throws ValidationError {
        if (element.hasAttribute("Destination")) {
            final String destinationUrl = element.getAttribute("Destination");
            if (destinationUrl != null) {
                if (destinationUrl.isEmpty()) {
                    throw new ValidationError("The response has an empty Destination value",
                            ValidationError.EMPTY_DESTINATION);
                } else if (!destinationUrl.equals(currentUrl)) {
                    throw new ValidationError("The response was received at " + currentUrl
                            + " instead of " + destinationUrl, ValidationError.WRONG_DESTINATION);
                }
            }
        }
    }

Now, considering my Apache reverse proxy config and the "Destination" field in 
the SAML response here below:

 Destination="https://guac.mydomain.org/api/ext/saml/callback"
 ID="_f53e5bfaf4fae92d0cc4c602f59b8a98"
 InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95"
 IssueInstant="2022-06-30T06:44:57.465Z"
 Version="2.0"
 >

I guess that's why it's "failing" because currentUrl != destinationUrl.

Now, how come currentUrl is 
https://guac.mydomain.org/guacamole/api/ext/saml/callback ?
Who is requesting that URL and why does it contain "guacamole" in the path?
Neither the IdP nor the guacamole SP ever mention that the callback should be 
https://guac.mydomain.org/guacamole/api/ext/saml/callback.





Re: reverse proxy and SAML SSO

2022-06-30 Thread Vieri


On Thursday, June 30, 2022, 01:22:13 AM GMT+2, Vieri 
 wrote: 

> Apparently, the IdP had a misconfiguration for the guacamole SP. My original 
> error is now solved, and I can now log into the IdP.
> However, when I am redirected back to guacamole I enter an infinite 
> redirection loop between SP and IdP.
> That is because Tomcat/Guacamole complains about:
>
> ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at 
> https://guac.mydomain.org/guacamole/api/ext/saml/callback instead of 
> https://guac.mydomain.org/api/ext/saml/callback

I can see the SAML response in the client browser, and it seems that the 
callback URL is correct (https://guac.mydomain.org/api/ext/saml/callback).

 Destination="https://guac.mydomain.org/api/ext/saml/callback"
 ID="_f53e5bfaf4fae92d0cc4c602f59b8a98"
 InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95"
 IssueInstant="2022-06-30T06:44:57.465Z"
 Version="2.0"
 >

If Guacamole complains (onelogin used by the SAML extension) it must be because 
of the Apache reverse proxy, right?

I didn't change anything in the Apache and guacamole.properties files, but 
here's a reminder.

Apache config contains:

    <Location />
        Require all granted
        ProxyPass https://localhost:8543/guacamole/ flushpackets=on
        ProxyPassReverse https://localhost:8543/guacamole/
        ProxyPassReverseCookiePath /guacamole/ /
    </Location>

    <Location /websocket-tunnel>
        Require all granted
        ProxyPass wss://localhost:8543/guacamole/websocket-tunnel
        ProxyPassReverse wss://localhost:8543/guacamole/websocket-tunnel
    </Location>

guacamole.properties contains:

saml-callback-url: https://guac.mydomain.org/

So, I'm pretty sure if I were to *not* use a "new-path" in the reverse proxy 
everything would work fine as long as I'd specify the callback URL as 
https://guac.mydomain.org/guacamole/.
However, I'm guessing it's failing here with the "new-path" configuration 
because:

1) the SAML response is properly being directed to the "new-path"
2) the Apache reverse proxy is passing the callback POST request for 
https://guac.mydomain.org/api/ext/saml/callback to 
https://guac.mydomain.org/guacamole/api/ext/saml/callback because it matches the 
'/' Location
3) the Tomcat Guacamole application complains that it's receiving the callback 
request at https://guac.mydomain.org/guacamole/api/ext/saml/callback instead of 
https://guac.mydomain.org/api/ext/saml/callback

Maybe I'm missing a rewriterule in my Apache config?
Any ideas?

Vieri
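The three-step explanation above can be checked with a small model of what the proxy and the SP each see. The following is an added example, not code from the original post, from Guacamole or from java-saml. It applies one ProxyPass mapping to the browser-facing callback URL, rebuilds the URL the webapp believes it received the POST at (modelled here as scheme://host plus the request URI Tomcat handles, which includes the webapp's context path; that reconstruction is an assumption), and runs the same equality check as validateDestination. The hostnames, the ProxyPass target and the rule that Guacamole builds the AssertionConsumerServiceURL as saml-callback-url plus api/ext/saml/callback are taken from the values posted in the thread. It covers the "new-path" layout with guacamole.war, the ROOT.war rename mentioned later in the thread, and the one-Location-per-webapp layout from the top of the thread where the external path equals the Tomcat context path.

```python
"""Model of the SAML Destination check behind an Apache reverse proxy.

Added example for this thread; not code from Guacamole, java-saml or the
original poster. Hostnames, paths and the way the SP rebuilds the URL it
received the response at are assumptions taken from the thread.
"""
from urllib.parse import urlsplit

BACKEND_HOST = "localhost:8543"       # ProxyPass target host from the thread
EXTERNAL_HOST = "guac.mydomain.org"   # public name used in the SAML Destination
ACS_SUFFIX = "api/ext/saml/callback"  # assumption: Guacamole appends this to saml-callback-url


class ValidationError(Exception):
    """Stands in for com.onelogin.saml2.exception.ValidationError."""


def acs_url(saml_callback_url: str) -> str:
    """Build the AssertionConsumerServiceURL / Destination the IdP will post to.
    saml-callback-url https://guac.mydomain.org/ gave
    https://guac.mydomain.org/api/ext/saml/callback in the thread."""
    return saml_callback_url.rstrip("/") + "/" + ACS_SUFFIX


def proxy_pass(external_path: str, location: str, target_path: str) -> str:
    """Apply one '<Location location> ProxyPass https://backend<target_path>'.
    mod_proxy strips the Location prefix and appends the remainder to the target path."""
    if not external_path.startswith(location):
        raise LookupError(f"no <Location> matches {external_path}")
    return target_path + external_path[len(location):]


def current_url(scheme: str, host: str, request_uri: str) -> str:
    """Assumption: the SP rebuilds currentUrl from the request Tomcat handled;
    request_uri already carries the context path (/guacamole for guacamole.war)."""
    return f"{scheme}://{host}{request_uri}"


def validate_destination(destination: str, current: str) -> None:
    """Same rule as validateDestination quoted in the thread: exact string equality."""
    if destination == "":
        raise ValidationError("The response has an empty Destination value")
    if destination != current:
        raise ValidationError(f"The response was received at {current} instead of {destination}")


def check_layout(saml_callback_url: str, location: str, target_path: str,
                 preserve_host: bool = True) -> tuple[bool, str]:
    """Simulate one callback POST through the proxy; return (ok, currentUrl or error)."""
    destination = acs_url(saml_callback_url)
    external_path = urlsplit(destination).path
    request_uri = proxy_pass(external_path, location, target_path)
    host = EXTERNAL_HOST if preserve_host else BACKEND_HOST  # ProxyPreserveHost On / Off
    current = current_url("https", host, request_uri)
    try:
        validate_destination(destination, current)
    except ValidationError as err:
        return False, str(err)
    return True, current


# Layouts discussed in the thread: (saml-callback-url, <Location>, ProxyPass path)
LAYOUTS = {
    "new-path, guacamole.war": ("https://guac.mydomain.org/", "/", "/guacamole/"),
    "new-path, ROOT.war": ("https://guac.mydomain.org/", "/", "/"),
    "one Location per webapp": ("https://guac.mydomain.org/guacamole/", "/guacamole/", "/guacamole/"),
}

if __name__ == "__main__":
    for name, args in LAYOUTS.items():
        ok, detail = check_layout(*args)
        print(f"{name:28} {'OK  ' if ok else 'FAIL'} {detail}")
    ok, detail = check_layout(*LAYOUTS["one Location per webapp"], preserve_host=False)
    print(f"{'ProxyPreserveHost Off':28} {'OK  ' if ok else 'FAIL'} {detail}")
```

The first layout reproduces the exact error message from the log, the other two pass. The comparison exists to bind a response to the endpoint it was issued for, so the fix is to make the externally visible path and the Tomcat context path agree (rename to ROOT.war, set WEBAPP_CONTEXT, or proxy /guacamole/ to /guacamole/ and set saml-callback-url to https://guac.mydomain.org/guacamole/), not to relax the check. The last case in the model shows the related failure when ProxyPreserveHost is Off: the host part then differs as well and the same check rejects the response.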








Re: reverse proxy and SAML SSO

2022-06-29 Thread Vieri
Apparently, the IdP had a misconfiguration for the guacamole SP. My original 
error is now solved, and I can now log into the IdP.
However, when I am redirected back to guacamole I enter an infinite redirection 
loop between SP and IdP.
That is because Tomcat/Guacamole complains about:

ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at 
https://guac.mydomain.org/guacamole/api/ext/saml/callback instead of 
https://guac.mydomain.org/api/ext/saml/callback


Sorry for the SAML newbie question but "who" is sending the response? I'm 
guessing the IdP tells the client browser to send the response back to 
https://guac.mydomain.org/guacamole/api/ext/saml/callback instead of 
https://guac.mydomain.org/api/ext/saml/callback, right?
If that's so then I guess the IdP is misconfigured again because it should tell 
the client to send the response to 
https://guac.mydomain.org/api/ext/saml/callback.

Regards,

Vieri




Re: reverse proxy and SAML SSO

2022-06-29 Thread Vieri


On Wednesday, June 29, 2022 at 03:00:12 PM GMT+2, chomik MChamster 
 wrote: 

> Hey Vieri,
> Not sure if you want to try this - I could not get guacamole-auth-saml-1.4 
> working with my guacamole 1.4 deployment. As far as I 
> remember it had to do with the proxy config (I'm not an expert)
> I reverted back to guacamole-auth-saml-1.3.0.jar (the rest of the deployment 
> is still v1.4, only that jar file is v 1.3) and everything was 
> working back again.
>
> my saml-entity-id value in guacamole.properties is the same as 
> saml-callback-url value, i.e. https://my-guacamole.mydomain.com/

Hi,

So I downloaded 
https://archive.apache.org/dist/guacamole/1.3.0/binary/guacamole-auth-saml-1.3.0.tar.gz,
 removed my 1.4.0 SAML module from the extensions subdir, added the 1.3 
version, restarted tomcat.
I still get the same behavior as in my first post.

I'm wondering if it's an issue on the IdP instead.

Thanks,

Vieri




Re: reverse proxy and SAML SSO

2022-06-29 Thread chomik MChamster
Hey Vieri,
Not sure if you want to try this - I could not get guacamole-auth-saml-1.4
working with my guacamole 1.4 deployment. As far as I remember it had to do
with the proxy config (I'm not an expert)
I reverted back to guacamole-auth-saml-1.3.0.jar (the rest of the
deployment is still v1.4, only that jar file is v 1.3) and everything was
working back again.

my saml-entity-id value in guacamole.properties is the same as
saml-callback-url value, i.e. https://my-guacamole.mydomain.com/

Thanks,
T

On Wed, 29 Jun 2022 at 11:40, Vieri  wrote:

> Hi,
>
> When using the "new-path" example config in
> https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html, how
> would one define the saml* options in guacamole.properties, i.e.
> saml-callback-url?
>
> This is what I set:
>
> saml-entity-id: whatever (same as defined in IdP)
> saml-callback-url: https://guac.mydomain.org/
>
>
> I'm asking because my SAML requests contains:
>
> AssertionConsumerServiceURL="https://guac.mydomain.org/api/ext/saml/callback"
>
> but I am unable to log in because I get an HTTP error 405 when calling
> https://guac.mydomain.org/api/ext/saml/callback.
>
> My apache config contains:
>
> ProxyRequests Off
> ProxyPreserveHost On
>
> <Location />
>     Require all granted
>     ProxyPass https://localhost:8543/guacamole/ flushpackets=on
>     ProxyPassReverse https://localhost:8543/guacamole/
>     ProxyPassReverseCookiePath /guacamole/ /
> </Location>
>
> <Location /websocket-tunnel>
>     Require all granted
>     ProxyPass wss://localhost:8543/guacamole/websocket-tunnel
>     ProxyPassReverse wss://localhost:8543/guacamole/websocket-tunnel
> </Location>
>
>
> Any thoughts?
>
> Regards,
>
> Vieri
>
>


Re: reverse proxy and SAML SSO

2022-06-29 Thread Vieri
 On Wednesday, June 29, 2022 at 01:44:02 PM GMT+2, Lee Doughty 
 wrote: 

> you mentioned 
> https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html -- which 
> is for 0.9.7
>
> If you were on 0.9.7 I would not expect you to be able to do SAML, so I 
> pointed it out.
> 
> The updated docs might or might not provide more guidance for you since you 
> are on 1.4.. or maybe someone else will chime in with more 
> help.

Right, thanks.
Well, the 1.4.0 manual here is just as much the same as far as Apache reverse 
proxy configuration:

https://guacamole.apache.org/doc/1.4.0/gug/reverse-proxy.html

Unfortunately, I do not have access to the IdP so I don't know if the problem 
is in my SP or in the remote IdP.

Thanks anyway,

Vieri




Re: reverse proxy and SAML SSO

2022-06-29 Thread Lee Doughty
 you mentioned
https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html -- which
is for 0.9.7

If you were on 0.9.7 I would not expect you to be able to do SAML, so I
pointed it out.

The updated docs might or might not provide more guidance for you since you
are on 1.4.. or maybe someone else will chime in with more help.

On Wed, Jun 29, 2022, 7:22 AM Vieri  wrote:

>
> On Wednesday, June 29, 2022 at 12:57:44 PM GMT+2, Lee Doughty <
> l...@virginiacyberrange.org> wrote:
>
> > I don't believe guacamole 0.9x has support for SAML...
> > Can you upgrade to 1.4 and look at the latest guacamole manual?
>
> Hi,
>
> Why did you assume I was using 0.9x? I am using 1.4, and everything is
> working fine without the reverse proxy. The SAML callback URL seems to be
> the culprit, but I don't know why.
>
> Thanks,
>
> Vieri
>


Re: reverse proxy and SAML SSO

2022-06-29 Thread Vieri


On Wednesday, June 29, 2022 at 12:57:44 PM GMT+2, Lee Doughty 
 wrote: 

> I don't believe guacamole 0.9x has support for SAML...
> Can you upgrade to 1.4 and look at the latest guacamole manual?

Hi,

Why did you assume I was using 0.9x? I am using 1.4, and everything is working 
fine without the reverse proxy. The SAML callback URL seems to be the culprit, 
but I don't know why.

Thanks,

Vieri




Re: reverse proxy and SAML SSO

2022-06-29 Thread Lee Doughty
I don't believe guacamole 0.9x has support for SAML...

Can you upgrade to 1.4 and look at the latest guacamole manual?

https://guacamole.apache.org/doc/gug/

I believe SAML support was not added until 1.1 or 1.2

-Lee

On Wed, Jun 29, 2022, 6:40 AM Vieri  wrote:

> Hi,
>
> When using the "new-path" example config in
> https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html, how
> would one define the saml* options in guacamole.properties, i.e.
> saml-callback-url?
>
> This is what I set:
>
> saml-entity-id: whatever (same as defined in IdP)
> saml-callback-url: https://guac.mydomain.org/
>
>
> I'm asking because my SAML requests contains:
>
> AssertionConsumerServiceURL="https://guac.mydomain.org/api/ext/saml/callback"
>
> but I am unable to log in because I get an HTTP error 405 when calling
> https://guac.mydomain.org/api/ext/saml/callback.
>
> My apache config contains:
>
> ProxyRequests Off
> ProxyPreserveHost On
>
> <Location />
>     Require all granted
>     ProxyPass https://localhost:8543/guacamole/ flushpackets=on
>     ProxyPassReverse https://localhost:8543/guacamole/
>     ProxyPassReverseCookiePath /guacamole/ /
> </Location>
>
> <Location /websocket-tunnel>
>     Require all granted
>     ProxyPass wss://localhost:8543/guacamole/websocket-tunnel
>     ProxyPassReverse wss://localhost:8543/guacamole/websocket-tunnel
> </Location>
>
>
> Any thoughts?
>
> Regards,
>
> Vieri
>
>