SAML SP Metadata

2021-04-15 Thread michael böhm
Hi everyone, I'm in the process of connecting our Guacamole instance to the company's IDP using SAML. IDP team provided the following dummy example for the ServiceProvider's Metadata XML:

SAML SP metadata

2022-03-10 Thread Vieri
Hi, I'm trying to configure SAML in Guacamole. The IdP admin is asking for a metadata XML file or the following data so the SP metadata can be generated: - EntityId: I guess I can make that up just as long as I set it in guacamole.properties as saml-entity-id, right? - public certificate and e

Re: SAML SP Metadata

2021-04-16 Thread Simon Müller
You do not necessarily provide SP Metadata to your IdP, it's optional. If you really have to implement this you need to create the metadata.xml and make it (publicly) available to your IdP. The important part is that you can reach your IdP's metadata.xml and this URL has to be entered as value for

Re: SAML SP metadata

2022-03-17 Thread Vieri
I finally made it past the initial redirection to the IdP. The IdP admin properly allowed my Guacamole SP, and now I can see that the client browsers are being redirected to the IdP authentication portal as expected. When the user authenticates correctly, he/she is redirected back to Guacamole.

Re: SAML SP metadata

2022-03-17 Thread Tyler Marcotte
Yes, you want to use "https:///api/ext/saml/callback" as the callback URL to finish out the process. On Thu, Mar 17, 2022 at 4:16 AM Vieri wrote: > I finally made it past the initial redirection to the IdP. > The IdP admin properly allowed my Guacamole SP, and now I can see that the > client bro

Re: SAML SP metadata

2022-03-17 Thread Vieri
On Thursday, March 17, 2022, 01:14:18 PM GMT+1, Tyler Marcotte wrote: > Yes, you want to use "https:///api/ext/saml/callback" as the > callback URL to finish out the process. Thanks for that! Hope this small but important piece of information makes its way into https://guacamole.apache.org/

Re: SAML SP metadata

2022-03-17 Thread Vieri
I'm afraid it still doesn't work even though this time I'm not getting an infinite loop. I set guac SAML like this: extension-priority: saml saml-idp-metadata-url: https://idp.domain.org/idp/shibboleth saml-entity-id: https://guacamole.domain.org saml-callback-url: https://guacamole.domain.org/

Re: SAML SP metadata

2022-03-18 Thread Vieri
OK, so even if I remove my LDAP authentication extension and keep ONLY the SAML SSO extension (to keep things simple) I still get a redirection loop: DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Redirecting to SAML IdP. DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest

Re: SAML SP metadata

2022-03-18 Thread Vieri
On Friday, March 18, 2022, 09:52:11 AM GMT+1, Vieri wrote: > OK, so even if I remove my LDAP authentication extension and keep ONLY the > SAML SSO extension (to keep things simple) I still get a redirection loop: > > > DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Redirect

Re: SAML SP metadata

2022-03-18 Thread Vieri
By the way, my catalina.out log only shows SAML requests, but no replies. I know there are replies because a tcpdump shows https traffic between the SP and the IdP. # tail -n 1 /var/log/tomcat-8.5-hman/catalina.out | grep  logback 09:02:21.335 [localhost-startStop-1] INFO  org.apache.guacamo

Re: SAML SP metadata

2022-03-20 Thread Vieri
I finally have SAML working with my Guacamole installation. The problem was on the IdP side as they were not using the right callback URL and they were setting the user name/ID in a custom attribute instead of using nameID. Now that I can log into Guacamole with the IdP via SAML, I'm unable to

Re: SAML SP metadata

2022-03-20 Thread Vieri
On Sunday, March 20, 2022, 11:53:19 AM GMT+1, Vieri wrote: > This is my current guacamole.properties If I replace LDAP connection provisioning with a Postgresql backend, I get the expected result: connections are properly loaded even when authenticating with SAML. So I guess I'm better off

Re: SAML SP metadata

2022-03-20 Thread Nick Couchman
On Sun, Mar 20, 2022 at 7:37 AM Vieri wrote: > > On Sunday, March 20, 2022, 11:53:19 AM GMT+1, Vieri > wrote: > > > This is my current guacamole.properties > > If I replace LDAP connection provisioning with a Postgresql backend, I get > the expected result: connections are properly loaded even w

Re: SAML SP metadata

2022-03-22 Thread Vieri
Thanks for clearing that up. I'm using JDBC postgresql now. My IdP has just now changed something (probably certificates), and I'm now seeing this in my guacamole logs while in a redirection loop between SP and IdP: "Current SAML settings are insufficient to decrypt/parse the received SAML re

Re: SAML SP metadata

2022-03-22 Thread Vieri
On Tuesday, March 22, 2022, 06:00:26 PM GMT+1, Vieri wrote: > My IdP has just now changed something (probably certificates), and I'm now > seeing this in my guacamole logs while in a redirection loop between SP and > IdP: > "Current SAML settings are insufficient to decrypt/parse the recei

Re: SAML SP metadata

2022-03-22 Thread Vieri
On Tuesday, March 22, 2022, 11:15:10 PM GMT+1, Vieri wrote: >"No private key available for decrypt, check settings" OK, scratch my last post. I think there's been a cert mixup between the SP and IdP. Either one is using the wrong certificate. --

Re: SAML SP metadata

2022-03-23 Thread Vieri
On Tuesday, March 22, 2022, 11:26:59 PM GMT+1, Vieri wrote: >"No private key available for decrypt, check settings" How does the certificate bit work in layman's terms? My guacamole config is: extension-priority: saml saml-idp-metadata-url: https://idp.domain.org/idp/shibboleth saml-entity

Re: SAML SP metadata

2022-03-23 Thread Vieri
I can't get past this. I keep getting the "No private key available for decrypt, check settings" as seen here below: [https-openssl-apr-8543-exec-2] WARN  o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: Current SAML settings are insufficien

Re: SAML SP metadata

2022-03-25 Thread Vieri
Is the current implementation of guacamole-auth-sso-saml-1.4.0 capable of decrypting SAML responses with the SP's private key? If it is, according to the Tomcat log there seems to be a problem specifying or accessing the SP's private key. [https-openssl-apr-8543-exec-1] DEBUG c.onelogin.saml2.au

Re: SAML SP metadata

2022-03-25 Thread Vieri
On Friday, March 25, 2022, 12:03:21 PM GMT+1, Vieri wrote: > >Is the current implementation of guacamole-auth-sso-saml-1.4.0 capable of >decrypting SAML responses with the SP's private key? Maybe when https://github.com/apache/guacamole-client/blob/c63c02d645abf763db00de9174b4537739f52319/ex

Re: SAML SP metadata

2022-03-25 Thread Vieri
If I edit the source code and change this file: extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/conf/ConfigurationService.java so it contains these hard-coded values within getSamlSettings() (just for testing -- I used my public and priv

Re: SAML SP metadata

2022-03-26 Thread Vieri
On Saturday, March 26, 2022, 12:34:32 AM GMT+1, Vieri wrote: > samlMap.put(SettingsBuilder.SP_X509CERT_PROPERTY_KEY, > "SP_PEM_public_key_string"); > samlMap.put(SettingsBuilder.SP_PRIVATEKEY_PROPERTY_KEY, > "SP_PEM_private_key_string"); Just to let you know that the NameID bit was solved

Re: SAML SP metadata

2022-03-27 Thread Vieri
On Saturday, March 26, 2022, 06:15:38 PM GMT+1, Vieri wrote: >> samlMap.put(SettingsBuilder.SP_X509CERT_PROPERTY_KEY, >> "SP_PEM_public_key_string"); >> samlMap.put(SettingsBuilder.SP_PRIVATEKEY_PROPERTY_KEY, >> "SP_PEM_private_key_string"); > > Just to let you know that the NameID bit was s

Re: SAML SP metadata

2022-04-14 Thread Vieri
 On Sunday, March 27, 2022, 05:32:07 PM GMT+2, Vieri wrote: > > I created this: > https://issues.apache.org/jira/browse/GUACAMOLE-1565 Hi again, Regarding SAML there's another important feature I haven't requested on Jira yet. I require the guacamole application to allow access to its servi

Aw: Re: SAML SP Metadata

2021-04-18 Thread michael böhm
Thanks Simon, that helped me. So there is no way to configure signed requests in Guacamole to the IDP? > Sent: Friday, 16 April 2021 at 15:35 > From: "Simon Müller" > To: user@guacamole.apache.org > Subject: Re: SAML SP Metadata > > You do not necessarily