Hi Mike
Thanks for the help.
I applied the recommended changes and now it does allow authenticating using
SAML. But when trying to connect to a host I get the error of no WebSocket,
but I see that my configuration is as it should be. What could it be that I am
missing? I am basically using the same configuration that I have on my
other Guacamole Server 1.3 in production.
The error is:
INFO o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel
(not WebSocket). Performance may be sub-optimal.
location / {
    proxy_pass http://10.10.10.1:8080/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_cookie_path / "/; HTTPOnly; Secure; SameSite";
    access_log /var/log/nginx/guac_access.log;
    error_log /var/log/nginx/guac_error.log;
}
Victor J. Martínez
RHCE
Cel.: (595)972-918-550
Asunción - Paraguay
On Thu, 7 Apr 2022 at 19:30, Michael Jumper (<[email protected]>)
wrote:
> On Thu, Apr 7, 2022 at 3:03 PM Victor Martinez <[email protected]>
> wrote:
>
>> I am configuring the latest version 1.4 with SAML support. When I
>> authenticate, in the logs I see the following error:
>>
>> 17:50:07.920 [http-nio-8080-exec-3] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at https://miserver/guacamole/api/ext/saml/callback instead of https://miserver/api/ext/saml/callback
>> 17:50:07.920 [http-nio-8080-exec-3] WARN oagasaAssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at https://miserver/guacamole/api/ext/saml/callback instead of https://miserver/api/ext/saml/callback
>>
>> If I use version 1.3, I don't have this problem. Would you know what
>> could be causing the error?
>>
>
> The 1.4.0 release tightened SAML request validation.
>
> Rather than leverage your reverse proxy to rewrite the path from
> "/guacamole" to "/", I would recommend just redeploying the webapp at the
> desired path to begin with, and reconfiguring your reverse proxy
> accordingly. The webapp can be deployed directly at "/" by renaming the
> .war file to "ROOT.war".
>
> - Mike
>
>
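
Added example, not part of the thread and not Guacamole or java-saml code: a simplified model of the Destination check behind the logged SAML error, comparing the URL the webapp sees with the Destination the IdP put in the response. The function names, the constructed sample response, and the assumption that the earlier proxy rewrote "/" to "/guacamole/" with scheme and host forwarded unchanged are all illustrative.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample response; only the Destination attribute matters here.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed" Version="2.0" '
    'Destination="https://miserver/api/ext/saml/callback"/>'
)


def url_seen_by_webapp(public_url, location, proxy_pass_path):
    """Model nginx replacing the matched `location` prefix with the URI part
    of proxy_pass; scheme and host are assumed to be forwarded unchanged."""
    parts = urlsplit(public_url)
    if not parts.path.startswith(location):
        raise ValueError("request does not match this location block")
    backend_path = proxy_pass_path + parts.path[len(location):]
    return urlunsplit((parts.scheme, parts.netloc, backend_path, "", ""))


def check_destination(response_xml, received_at):
    """Return (ok, message); the message mirrors the wording of the logged error."""
    destination = ET.fromstring(response_xml).get("Destination")
    if not destination:
        return False, "response has no Destination attribute"
    if destination != received_at:
        return False, (f"The response was received at {received_at} "
                       f"instead of {destination}")
    return True, "Destination matches"


PUBLIC_CALLBACK = "https://miserver/api/ext/saml/callback"

# Webapp deployed at /guacamole, proxy rewrites "/" to "/guacamole/" (assumed).
rewritten = url_seen_by_webapp(PUBLIC_CALLBACK, "/", "/guacamole/")
# Webapp deployed as ROOT.war, proxy passes "/" to "/" as in the posted config.
root = url_seen_by_webapp(PUBLIC_CALLBACK, "/", "/")

if __name__ == "__main__":
    for label, url in (("rewritten path", rewritten), ("ROOT.war", root)):
        print(label, check_destination(SAMPLE_RESPONSE, url))
```

The rewritten deployment fails the check because the path the servlet container sees no longer equals the Destination the IdP signed, while the ROOT.war deployment makes the two paths identical without any proxy rewriting.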