On Fri, Jan 8, 2021 at 4:37 AM Michael Taylor <m...@michael-taylor.net> wrote:
> The Guacamole SAML extension appears to support group mapping but I can't
> get this to work. SAML authentication itself is working.
>
> I have set the saml-group-attribute to: Group in guacamole.properties
>
> Within the SAMLResponse I see that groups are being correctly passed;
>
> <snip>
> <AttributeStatement>
> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
> <AttributeValue>mtaylor</AttributeValue>
> </Attribute>
> <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
> <AttributeValue>Domain Users</AttributeValue>
> <AttributeValue>IT</AttributeValue>
> </snip>
>

My initial thought is that "saml-group-attribute: Group" is not matching to
"http://schemas.xmlsoap.org/claims/Group" - that is, you should either
specify:

saml-group-attribute: http://schemas.xmlsoap.org/claims/Group

in guacamole.properties, or the attribute should be returned as:

<Attribute Name="Group">
...
</Attribute>

from SAML. I don't think those items are matching up.

-Nick
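Added example (not part of the original thread and not Guacamole's own code): a small check that lists the attributes in a captured AttributeStatement and shows which values an exact-name lookup would return for a given saml-group-attribute setting. It assumes the configured name is compared to the Attribute Name exactly, as the reply above suggests; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a well-formed AttributeStatement using the attribute
# names and values shown in the quoted message (the original was snipped).
SAMPLE = """<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>mtaylor</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>Domain Users</AttributeValue>
    <AttributeValue>IT</AttributeValue>
  </Attribute>
</AttributeStatement>"""


def _local(tag):
    # Strip any "{namespace}" prefix so saml:Attribute and Attribute both match.
    return tag.rsplit("}", 1)[-1]


def saml_attributes(xml_text):
    """Map each Attribute Name to its list of AttributeValue strings."""
    attrs = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "Attribute":
            values = [(v.text or "").strip() for v in el
                      if _local(v.tag) == "AttributeValue"]
            attrs.setdefault(el.get("Name", ""), []).extend(values)
    return attrs


def groups_for(xml_text, configured_name):
    """Values found under an exact, case-sensitive name match (assumed behaviour)."""
    return saml_attributes(xml_text).get(configured_name, [])


def near_misses(xml_text, configured_name):
    """Attribute names that match only after trimming or taking the last URI segment."""
    want = configured_name.strip().lower()
    return [n for n in saml_attributes(xml_text)
            if n != configured_name
            and want in (n.strip().lower(), n.strip().rsplit("/", 1)[-1].lower())]


if __name__ == "__main__":
    for name in ("Group", "http://schemas.xmlsoap.org/claims/Group"):
        print(name, "->", groups_for(SAMPLE, name), near_misses(SAMPLE, name))
```

Run it only on a response you captured yourself; for XML from an untrusted source, parse with defusedxml instead of the standard library parser.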