Hi Nick,
 
thanks for your answer. I understood that using LDAP and SAML IDP on the same Guacamole instance does not work as the redirect to the IDP is performed the moment the user hits Guacamole's web GUI.
 
When I still want to support LDAP in addition to SAML, would it be possible to create another Guacamole container that uses the same guacd and the same database but the authentication in this container is configured for LDAP? Then I could configure my reverse-proxy with two subpaths like /guacamole and /guacamole-saml.
 
Best wishes
 
Michael
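The layout Michael proposes above, written out as an added Docker Compose illustration (this is not Michael's configuration and not a file from the Apache Guacamole project, and the thread does not confirm that the setup works): two `guacamole/guacamole` web-app containers, one with the SAML extension and one with the LDAP extension, sharing a single `guacd` and a single MySQL database. All hostnames, credentials, base DNs and URLs are constructed placeholders; the environment variable names are those documented for the Guacamole Docker image.

```yaml
# Added example, not part of the original mailing-list post.
# Two Guacamole web apps (SAML and LDAP) behind one reverse proxy, sharing
# one guacd and one MySQL database. All values below are placeholders.
version: "3.7"

# Settings both web-app containers need: where guacd is and which database
# holds connections and permissions. Because the database is shared, a user
# name authenticated by LDAP and the same user name asserted by the IdP
# resolve to the SAME database user and permission set.
x-shared-env: &shared-env
  GUACD_HOSTNAME: guacd
  MYSQL_HOSTNAME: db
  MYSQL_DATABASE: guacamole_db
  MYSQL_USER: guacamole_user
  MYSQL_PASSWORD: CHANGE-ME            # placeholder

services:
  guacd:
    image: guacamole/guacd
    restart: unless-stopped

  db:
    image: mysql:8.0
    restart: unless-stopped
    environment:
      MYSQL_DATABASE: guacamole_db
      MYSQL_USER: guacamole_user
      MYSQL_PASSWORD: CHANGE-ME        # placeholder, must match above
      MYSQL_ROOT_PASSWORD: CHANGE-ME-TOO
    volumes:
      - db-data:/var/lib/mysql

  # Web app 1: SAML. Published by the reverse proxy as
  # https://guac.example.com/guacamole-saml/  (placeholder host)
  guacamole-saml:
    image: guacamole/guacamole
    restart: unless-stopped
    depends_on: [guacd, db]
    environment:
      <<: *shared-env
      SAML_IDP_METADATA_URL: https://idp.example.com/metadata.xml
      # Entity ID and callback URL must be the PUBLIC address of this
      # instance, i.e. the /guacamole-saml subpath, otherwise the IdP
      # posts the assertion back to the wrong path.
      SAML_ENTITY_ID: https://guac.example.com/guacamole-saml/
      SAML_CALLBACK_URL: https://guac.example.com/guacamole-saml/

  # Web app 2: LDAP. Published by the reverse proxy as
  # https://guac.example.com/guacamole/
  guacamole-ldap:
    image: guacamole/guacamole
    restart: unless-stopped
    depends_on: [guacd, db]
    environment:
      <<: *shared-env
      LDAP_HOSTNAME: ldap.example.com
      LDAP_PORT: "636"
      LDAP_ENCRYPTION_METHOD: ssl      # LDAPS; do not send binds in clear
      LDAP_USER_BASE_DN: ou=people,dc=example,dc=com
      # Must yield the same user name the IdP asserts for the same person,
      # since both instances look permissions up by user name in guacamole_db.
      LDAP_USERNAME_ATTRIBUTE: uid

volumes:
  db-data:
```

Both containers serve the web app under the `/guacamole` context path, so the reverse proxy has to map each public subpath onto that path: a `location /guacamole/` block proxying to `http://guacamole-ldap:8080/guacamole/` and a `location /guacamole-saml/` block proxying to `http://guacamole-saml:8080/guacamole/`, with the WebSocket `Upgrade`/`Connection` headers forwarded and proxy buffering off as in the Guacamole reverse-proxy documentation. The shared database is the point to check before going live: the user name the LDAP instance derives (`LDAP_USERNAME_ATTRIBUTE`) and the user name the SAML instance takes from the IdP assertion must refer to the same person, because whichever path a user logs in through, the JDBC module grants the connections and permissions stored for that exact user name.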
 
Sent: Wednesday, 31 March 2021 at 12:40
From: "Nick Couchman" <vn...@apache.org>
To: user@guacamole.apache.org
Subject: Re: SAML and LDAP simultaneously
On Wed, Mar 31, 2021 at 5:25 AM michael böhm <k...@gmx.net> wrote:
Hi everyone
 
we are planning to connect our Guacamole instances to a central SAML IDP. Currently we are using LDAP.
 
Is it possible to activate both LDAP and SAML as authentication methods in Guacamole at the same time, or does one cancel out the other? How can the users choose which way they want to use to authenticate?
 
 
Using the SSO modules, including SAML, means that the user will be automatically redirected to the SAML IdP page when they access Guacamole. So, yes, in essence the SAML module does "cancel out" the LDAP module.
 
The mapping of the connections to the LDAP users is currently done in mysql with a matching user name as the criteria. Is this the same for SAML?
 
 
Yes, the modules all "stack" on each other (with some caveats), but using the JDBC module for connection storage and permission mapping along with an SSO module for user authentication is a very common use case. Also, the SAML module supports retrieving group membership and passing that on to Guacamole, so you can also map through those groups and use group-based permissions.
 
-Nick