The problem seems to be with the onelogin library:
java-saml/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java
contains:

    protected void validateDestination(final Element element) throws ValidationError {
        if (element.hasAttribute("Destination")) {
            final String destinationUrl = element.getAttribute("Destination");
            if (destinationUrl != null) {
                if (destinationUrl.isEmpty()) {
                    throw new ValidationError("The response has an empty Destination value", ValidationError.EMPTY_DESTINATION);
                } else if (!destinationUrl.equals(currentUrl)) {
                    throw new ValidationError("The response was received at " + currentUrl + " instead of " + destinationUrl, ValidationError.WRONG_DESTINATION);
                }
            }
        }
    }

Now, considering my Apache reverse proxy config and the "Destination" field in the SAML response here below:

    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
        Destination="https://guac.mydomain.org/api/ext/saml/callback"
        ID="_f53e5bfaf4fae92d0cc4c602f59b8a98"
        InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95"
        IssueInstant="2022-06-30T06:44:57.465Z"
        Version="2.0">

I guess that's why it's "failing" because currentUrl != destinationUrl.

Now, how come currentUrl is https://guac.mydomain.org/guacamole/api/ext/saml/callback ?
Who is requesting that URL and why does it contain "guacamole" in the path?
Neither the IdP nor the guacamole SP ever mention that the callback should be https://guac.mydomain.org/guacamole/api/ext/saml/callback.
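An added example, not part of the original message and not java-saml code: a small diagnostic that splits the Destination attribute and the URL the SP compares it against into components and reports where they differ. The two URLs are the ones quoted in the message above; the class and method names are hypothetical.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

// Added example (hypothetical class, not java-saml code): reports which URL
// components differ between a SAML Destination and the URL the SP compares it to.
public class DestinationDiff {

    // Returns one finding per differing component; an empty list means identical strings.
    static List<String> diff(String destination, String currentUrl) {
        List<String> findings = new ArrayList<>();
        if (destination.equals(currentUrl)) {
            return findings; // same exact-match test the library applies
        }
        URI d = URI.create(destination);
        URI c = URI.create(currentUrl);
        check(findings, "scheme", d.getScheme(), c.getScheme());
        check(findings, "host", d.getHost(), c.getHost());
        // getPort() returns -1 when the URL carries no explicit port.
        check(findings, "port", String.valueOf(d.getPort()), String.valueOf(c.getPort()));
        check(findings, "path", d.getRawPath(), c.getRawPath());
        check(findings, "query", d.getRawQuery(), c.getRawQuery());
        // A path that only gained leading segments is the pattern seen in the message.
        String dp = d.getRawPath();
        String cp = c.getRawPath();
        if (dp != null && cp != null && !dp.isEmpty()
                && cp.length() > dp.length() && cp.endsWith(dp)) {
            findings.add("extra path prefix on SP side: "
                    + cp.substring(0, cp.length() - dp.length()));
        }
        if (findings.isEmpty()) {
            findings.add("strings differ outside scheme, host, port, path and query");
        }
        return findings;
    }

    private static void check(List<String> out, String part, String dest, String cur) {
        if (!Objects.equals(dest, cur)) {
            out.add(part + ": Destination=" + dest + " currentUrl=" + cur);
        }
    }

    public static void main(String[] args) {
        // Both values are copied from the message above.
        diff("https://guac.mydomain.org/api/ext/saml/callback",
             "https://guac.mydomain.org/guacamole/api/ext/saml/callback")
                .forEach(System.out::println);
    }
}
```

Because validateDestination compares the two values with String.equals, any single finding reported here is enough to raise WRONG_DESTINATION.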