The problem seems to be with the onelogin library:

java-saml/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

contains:

    protected void validateDestination(final Element element) throws ValidationError {
        if (element.hasAttribute("Destination")) {
            final String destinationUrl = element.getAttribute("Destination");
            if (destinationUrl != null) {
                if (destinationUrl.isEmpty()) {
                    throw new ValidationError("The response has an empty Destination value",
                            ValidationError.EMPTY_DESTINATION);
                } else if (!destinationUrl.equals(currentUrl)) {
                    throw new ValidationError("The response was received at " + currentUrl
                            + " instead of " + destinationUrl, ValidationError.WRONG_DESTINATION);
                }
            }
        }
    }

Now, considering my Apache reverse proxy config and the "Destination" field in 
the SAML response below:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://guac.mydomain.org/api/ext/saml/callback"
                 ID="_f53e5bfaf4fae92d0cc4c602f59b8a98"
                 InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95"
                 IssueInstant="2022-06-30T06:44:57.465Z"
                 Version="2.0">

I guess that's why it's "failing" because currentUrl != destinationUrl.

Now, how come currentUrl is 
https://guac.mydomain.org/guacamole/api/ext/saml/callback ?
Who is requesting that URL and why does it contain "guacamole" in the path?
Neither the IdP nor the guacamole SP ever mention that the callback should be 
https://guac.mydomain.org/guacamole/api/ext/saml/callback.

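As an added illustration (not code from java-saml or Guacamole), the Java snippet below reproduces the validateDestination comparison on a constructed copy of the Response element quoted above and runs it against both candidate values of currentUrl, so the effect of the "/guacamole" context path on the exact-string check can be seen directly; the class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class DestinationCheck {

    // Constructed sample: same Response element shape as in the message above,
    // with the assertion body omitted because it plays no part in this check.
    static final String RESPONSE =
        "<saml2p:Response xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\""
        + " Destination=\"https://guac.mydomain.org/api/ext/saml/callback\""
        + " Version=\"2.0\"/>";

    // Mirrors validateDestination: an exact string comparison, no path normalisation,
    // so any difference in scheme, host, port or path prefix counts as a mismatch.
    static String checkDestination(Element response, String currentUrl) {
        if (!response.hasAttribute("Destination")) {
            return "ok (no Destination attribute, nothing to compare)";
        }
        String destinationUrl = response.getAttribute("Destination");
        if (destinationUrl.isEmpty()) {
            return "EMPTY_DESTINATION";
        }
        if (!destinationUrl.equals(currentUrl)) {
            return "WRONG_DESTINATION: received at " + currentUrl
                 + " instead of " + destinationUrl;
        }
        return "ok";
    }

    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // A SAML response arrives from outside the SP; refuse DTDs and external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        Element response = parse(RESPONSE);
        // currentUrl as the SP computes it when deployed under the /guacamole context path
        System.out.println(checkDestination(response,
            "https://guac.mydomain.org/guacamole/api/ext/saml/callback"));
        // currentUrl as the SP would compute it from the externally visible URL
        System.out.println(checkDestination(response,
            "https://guac.mydomain.org/api/ext/saml/callback"));
    }
}
```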