Hey Mike,

Thanks, I realized I made a mistake in the configuration, and after clearing that up and passing the correct configuration, everything worked as expected.
On Sat, Dec 16, 2023 at 8:01 PM Michael Jumper <mjum...@apache.org> wrote:
> The "RelayState" parameter is a value that's passed _back_ to the application by the SAML IdP. The value is unique to each authentication attempt and is generated by Guacamole when the user is redirected to the SAML IdP to authenticate. The SAML IdP receives that value and includes it in its response, which Guacamole then validates.
>
> If the SAML response doesn't contain a valid "RelayState", then one of the following must be true:
>
> * Your SAML provider is not handling the SAML request correctly.
> * You are attempting IdP-initiated SSO, which is not supported.
> * Something between yourself and your browser is preventing the "RelayState" parameter from being received.
>
> - Mike
>
> On 12/16/23 12:10, Invite System wrote:
> > Hello,
> >
> > I have a functioning Guacamole configuration in Docker that is currently working well. User created, TOTP enabled, can connect to an RDP instance, etc.
> >
> > However, as soon as I attempt to enable SAML, enable more verbose logging in Logbook, enable a custom Home directory, etc., things tend to go wrong.
> >
> > I currently access Guacamole at: https://guacamole.domain.org
> >
> > As an example, my docker compose for guacamole only is below:
> >
> > guacamole:
> >   container_name: guacamole
> >   depends_on:
> >     - guacd
> >     - postgres.16
> >   environment:
> >     GUACD_HOSTNAME: guacd
> >     POSTGRES_DATABASE: ${guacamole_db}
> >     POSTGRES_HOSTNAME: ${POSTGRES_HOST}
> >     POSTGRES_PASSWORD: ${guac_postgres_pass}
> >     POSTGRES_USER: ${guac_postgres_user}
> >     WEBAPP_CONTEXT: ROOT
> >     GUACAMOLE_HOME: /data
> >     EXTENSIONS: "openid, saml"
> >     EXTENSION_PRIORITY: "*, saml, openid, totp"
> >     RECORDING_SEARCH_PATH: /record
> >     REMOTE_IP_VALVE_ENABLED: true
> >     ENABLE_ENVIRONMENT_PROPERTIES: true
> >     SAML_IDP_METADATA_URL: https://subdomain.okta.com/app/UUID1/sso/saml/metadata
> >     SAML_ENTITY_ID: https://guacamole.DOMAIN.org
> >     SAML_CALLBACK_URL: https://subdomain.okta.com/app/subdomain_guacamoleDOMAIN_1/UUID2/sso/saml
> >     SAML_DEBUG: true
> >     SAML_STRICT: true
> >     TOTP_ENABLED: true
> >     TOTP_MODE: sha256
> >     TOTP_ISSUER: "Guacamole"
> >   image: guacamole/guacamole:latest
> >   volumes:
> >     - /mnt/docker/guacamole/home:/home/guacamole:rw
> >     - /mnt/docker/guacamole/data:/data:rw
> >     - /mnt/docker/guacamole/guacd/record:/record:rw
> >   links:
> >     - guacd
> >   networks:
> >     - guacnetwork
> >     - database
> >     - tailscale
> >   ports:
> >     # - 8080:8080
> >     - 8080/tcp
> >   restart: always
> >
> > Unfortunately, for whatever reason, Guacamole can't solely use the metadata file, even though the URL is connectable (I can curl from within the container to the URL). So I have to use the two other options listed.
> >
> > I have also tried this with SAML_STRICT set to true or false, and still receive the following error:
> >
> > 16:44:05.563 [http-nio-8080-exec-4] WARN o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: "RelayState" value included with SAML response is not valid.
> >
> > Now, I have looked at various websites, but I can't seem to find this error anywhere, and the only mention I can find of a potential workaround is this:
> > https://support.okta.com/help/s/question/0D51Y00006aAeE9SAK/sp-initiated-saml-sso-relay-state-issue?language=en_US
> >
> > I have also reviewed this blog post: https://nathancatania.com/posts/deploy-guacamole-ssl-saml/ , which appears to be (so far from what I have read) the best documentation on getting Okta and Guacamole working; however, it doesn't mention RelayState.
> >
> > Which, unfortunately, does not work when placed on the SAML_IDP_METADATA_URL: env variable. When running a SAML trace in the browser, I notice a switch between RelayState and "state" in the response from Guacamole to Okta (and vice versa), and am wondering if that is expected.
> >
> > While I would absolutely prefer to use OIDC here, I believe that the docker container does not natively support OIDC out of the box (EG: through Env variables) and I would have to use the GUACAMOLE_HOME configuration to work around this. Unfortunately, Guacamole doesn't seem to be recognizing the paths specified and setting the configuration there. I tried to search for the ENV variables required for this, but couldn't find anything specifically.
> >
> > I was wondering if there was any guidance on setting up the SAML configuration or how I can remove the RelayState error listed above, until I can get a hold of someone at Okta to assist - or if there is a convenient way to get OIDC working with the Docker container given that I can't get GUACAMOLE_HOME to work at the moment.
> >
> > Best regards,
> >
> > Andrew
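The RelayState round trip Mike describes (minted by the SP for each login attempt, carried back unchanged by the IdP, then validated once by the assertion consumer service), as an added Python example; this is not Guacamole's code, and the in-memory store, the 300 s lifetime and the return URL are assumptions made for illustration. The demo also walks through the failure cases behind the "not valid" warning: a missing value (IdP-initiated SSO or a stripped parameter), an unknown or replayed value, and an expired one.

```python
import secrets
import time

class InvalidRelayState(Exception):
    """Raised when the IdP's response carries no usable RelayState."""

class RelayStateStore:
    """One-time RelayState tokens for SP-initiated SAML SSO (constructed example)."""
    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock      # injectable clock so expiry can be exercised
        self._pending = {}      # token -> (issued_at, URL to return the user to)

    def begin_login(self, return_url):
        # SP side: minted just before the browser is redirected to the IdP.
        token = secrets.token_urlsafe(32)
        self._pending[token] = (self.clock(), return_url)
        return token

    def consume(self, relay_state):
        # Assertion consumer service: the value must come back unchanged, once.
        if not relay_state:
            raise InvalidRelayState("no RelayState: IdP-initiated SSO or a stripped parameter")
        entry = self._pending.pop(relay_state, None)   # pop enforces single use
        if entry is None:
            raise InvalidRelayState("unknown or already used RelayState")
        issued_at, return_url = entry
        if self.clock() - issued_at > self.ttl:
            raise InvalidRelayState("RelayState expired")
        return return_url

def demo():
    """One good round trip plus the failure cases; returns each outcome."""
    clock = [1000.0]
    store = RelayStateStore(ttl_seconds=300, clock=lambda: clock[0])
    token = store.begin_login("/#/client/abc")   # constructed return URL
    results = {"good": store.consume(token)}
    for label, value in (("replay", token), ("missing", ""), ("forged", "never-issued")):
        try:
            results[label] = "accepted: " + store.consume(value)
        except InvalidRelayState as exc:
            results[label] = str(exc)
    stale = store.begin_login("/")
    clock[0] += 301                              # past the 300 s TTL
    try:
        results["expired"] = "accepted: " + store.consume(stale)
    except InvalidRelayState as exc:
        results["expired"] = str(exc)
    return results
```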