Hello, I have a functioning Guacamole configuration in Docker that is currently working well: user created, TOTP enabled, can connect to an RDP instance, etc.

However, as soon as I attempt to enable SAML, enable more verbose logging in Logback, enable a custom home directory, etc., things tend to go wrong. I currently access Guacamole at: https://guacamole.domain.org

As an example, my docker compose for guacamole only is below:

  guacamole:
    container_name: guacamole
    depends_on:
      - guacd
      - postgres.16
    environment:
      GUACD_HOSTNAME: guacd
      POSTGRES_DATABASE: ${guacamole_db}
      POSTGRES_HOSTNAME: ${POSTGRES_HOST}
      POSTGRES_PASSWORD: ${guac_postgres_pass}
      POSTGRES_USER: ${guac_postgres_user}
      WEBAPP_CONTEXT: ROOT
      GUACAMOLE_HOME: /data
      EXTENSIONS: "openid, saml"
      EXTENSION_PRIORITY: "*, saml, openid, totp"
      RECORDING_SEARCH_PATH: /record
      # boolean-looking values quoted so the YAML parser passes them through as strings
      REMOTE_IP_VALVE_ENABLED: "true"
      ENABLE_ENVIRONMENT_PROPERTIES: "true"
      SAML_IDP_METADATA_URL: https://subdomain.okta.com/app/UUID1/sso/saml/metadata
      SAML_ENTITY_ID: https://guacamole.DOMAIN.org
      SAML_CALLBACK_URL: https://subdomain.okta.com/app/subdomain_guacamoleDOMAIN_1/UUID2/sso/saml
      SAML_DEBUG: "true"
      SAML_STRICT: "true"
      TOTP_ENABLED: "true"
      TOTP_MODE: sha256
      TOTP_ISSUER: "Guacamole"
    image: guacamole/guacamole:latest
    volumes:
      - /mnt/docker/guacamole/home:/home/guacamole:rw
      - /mnt/docker/guacamole/data:/data:rw
      - /mnt/docker/guacamole/guacd/record:/record:rw
    links:
      - guacd
    networks:
      - guacnetwork
      - database
      - tailscale
    ports:
      # - 8080:8080
      - 8080/tcp
    restart: always

Unfortunately, for whatever reason, Guacamole can't solely use the metadata file, even though the URL is connectable (I can curl the URL from within the container). So I have to use the two other options listed. I have also tried this with SAML_STRICT set to true or false, and still receive the following error:

  16:44:05.563 [http-nio-8080-exec-4] WARN o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: "RelayState" value included with SAML response is not valid.

Now, I have looked at various websites, but I can't seem to find this error anywhere, and the only mention I can find of a potential workaround is this: https://support.okta.com/help/s/question/0D51Y00006aAeE9SAK/sp-initiated-saml-sso-relay-state-issue?language=en_US

I have also reviewed this blog post: https://nathancatania.com/posts/deploy-guacamole-ssl-saml/ , which appears to be (so far, from what I have read) the best documentation on getting Okta and Guacamole working; however, it doesn't mention RelayState. That workaround, unfortunately, does not work when placed in the SAML_IDP_METADATA_URL: env variable.

When running a SAML trace in the browser, I notice a switch between "RelayState" and "state" in the response from Guacamole to Okta (and vice versa), and am wondering if that is expected.

While I would absolutely prefer to use OIDC here, I believe that the Docker container does not natively support OIDC out of the box (e.g. through env variables) and I would have to use the GUACAMOLE_HOME configuration to work around this. Unfortunately, Guacamole doesn't seem to be recognizing the paths specified and setting the configuration there. I tried to search for the env variables required for this, but couldn't find anything specifically.

I was wondering if there was any guidance on setting up the SAML configuration, or how I can remove the RelayState error listed above until I can get hold of someone at Okta to assist, or if there is a convenient way to get OIDC working with the Docker container given that I can't get GUACAMOLE_HOME to work at the moment.

Best regards,
Andrew
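As an added example (not code from the post above, and not Guacamole's own SAML extension), the following Python model shows the service-provider side of an SP-initiated SAML login and why a "RelayState ... is not valid" rejection arises. The SP mints a random RelayState when it redirects the browser to the IdP, remembers it with an expiry, and accepts an assertion consumer service (ACS) POST only if it carries a RelayState the SP itself issued and has not yet consumed. A response from an IdP-initiated login (for example, a login launched from the IdP's application dashboard, or one where the IdP substitutes its own configured RelayState) carries a value the SP never issued, so it is rejected with the same class of message quoted in the log line above. The IdP URL, the five-minute TTL, the placeholder SAMLRequest and the form contents are assumptions made for this illustration.

```python
"""Illustrative SP-side RelayState handling for SP-initiated SAML login.

Added example: a generic single-sign-on service provider pattern, not the
Guacamole SAML extension's code. Names and values are assumptions.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed IdP single-sign-on URL for this example.
IDP_SSO_URL = "https://idp.example.com/sso/saml"
# Assumed lifetime of a pending login; a real SP would pick its own.
RELAYSTATE_TTL_SECONDS = 300

# Rejection text modelled on the WARN line quoted in the post.
INVALID_RELAYSTATE_MSG = (
    'Authentication attempted with an invalid SAML response: '
    '"RelayState" value included with SAML response is not valid.'
)


class PendingLogins:
    """Logins this SP started, keyed by the RelayState it issued for each."""

    def __init__(self):
        self._pending = {}  # relay_state -> expiry time (epoch seconds)

    def start_login(self, now):
        """Mint an unguessable RelayState and remember it until it expires."""
        relay_state = secrets.token_urlsafe(32)
        self._pending[relay_state] = now + RELAYSTATE_TTL_SECONDS
        return relay_state

    def consume(self, relay_state, now):
        """Accept a RelayState once: it must exist, be unexpired, and is then removed."""
        expiry = self._pending.pop(relay_state, None)
        return expiry is not None and now <= expiry


def build_idp_redirect(pending, now):
    """SP -> IdP: HTTP-Redirect binding carrying SAMLRequest and the fresh RelayState."""
    relay_state = pending.start_login(now)
    query = urlencode({
        "SAMLRequest": "PHNhbWxwOkF1dGhuUmVxdWVzdD4uLi48L3NhbWxwOkF1dGhuUmVxdWVzdD4=",  # placeholder
        "RelayState": relay_state,
    })
    return f"{IDP_SSO_URL}?{query}"


def relay_state_from_redirect(url):
    """What a compliant IdP echoes back unchanged in its POST to the ACS."""
    return parse_qs(urlparse(url).query)["RelayState"][0]


def handle_acs_post(pending, form, now):
    """IdP -> SP: the ACS checks RelayState before it even looks at the assertion."""
    relay_state = form.get("RelayState")
    if relay_state is None or not pending.consume(relay_state, now):
        return False, INVALID_RELAYSTATE_MSG
    return True, "RelayState matched a pending login; now verify the signed assertion"


def run_scenarios():
    """Four constructed exchanges; returns whether each ACS POST was accepted."""
    results = {}
    t0 = 1_700_000_000.0  # fixed clock so the example is deterministic

    # 1. SP-initiated: IdP echoes the RelayState the SP issued -> accepted.
    pending = PendingLogins()
    rs = relay_state_from_redirect(build_idp_redirect(pending, t0))
    results["sp_initiated"] = handle_acs_post(
        pending, {"SAMLResponse": "...", "RelayState": rs}, t0 + 5)[0]

    # 2. Replay of the same response -> RelayState already consumed -> rejected.
    results["replay"] = handle_acs_post(
        pending, {"SAMLResponse": "...", "RelayState": rs}, t0 + 6)[0]

    # 3. IdP-initiated (or IdP-supplied default RelayState): value the SP never
    #    issued, e.g. a landing URL typed into the IdP's app settings -> rejected.
    results["idp_initiated"] = handle_acs_post(
        pending, {"SAMLResponse": "...", "RelayState": "https://sp.example.org/"}, t0 + 7)[0]

    # 4. Correct RelayState, but the pending login has expired -> rejected.
    late = PendingLogins()
    rs_late = relay_state_from_redirect(build_idp_redirect(late, t0))
    results["expired"] = handle_acs_post(
        late, {"SAMLResponse": "...", "RelayState": rs_late},
        t0 + RELAYSTATE_TTL_SECONDS + 1)[0]
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The practical check this suggests when debugging a trace is to compare the RelayState in the SP's outgoing redirect with the one in the IdP's ACS POST: if they differ, or the POST was never preceded by an SP redirect in that browser session, the login was not SP-initiated from the SP's point of view and a RelayState-checking SP will refuse it regardless of whether the assertion itself is valid.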