tldr: The SAML POST body is getting thrown away, and I don't know how to keep
that from happening.

Longer: I'm writing a SAML authentication extension, based off of Mike
Jumper's OpenID extension:
https://github.com/mike-jumper/guacamole-auth-openid

I have successfully set up Mike Jumper's extension and used it to
authenticate via OpenID, where the flow is:

1. User visits guacamole server, unauthorized
2. Guacamole extension checks for id_token, doesn't find it, throws
GuacamoleInvalidCredentialsException
3. Javascript redirects user to identity provider site
4. User authorizes with identity provider
5. Identity provider redirects user back to guacamole site
(<site>/?id_token=...)
6. Javascript detects id_token, redirects user again (<site>/#/id_token=...)
(I don't fully understand the point of this step, but it's not relevant to my
actual question)
7. Guacamole extension receives the id token and verifies it.

This all works.

Now on my SAML extension, steps 1-4 are conceptually the same, and work fine.
Step 5 is where things break down. The IDP isn't sending information back
in the URL, as is done with the id_token request parameter -- instead, it's
a POST with the SAMLRequest data in the request body. I see this POST going
to the guacamole site.

However, when it hits the extension, the request body is empty, which is not
what I want -- I want the SAMLRequest body that the IDP sent.

I /presume/ that what is happening is that client-side Javascript is
executing a separate POST to guacamole/api/tokens, and that it is this
request that is actually being handled by the authentication extension.
However, this request does not contain the original request body, hence my
problem.

Sadly, I'm not proficient enough in the JS framework to fully understand
what's going on here, if there's an easy way to pass the request body along,
or if I'm entirely off base.  If anyone could help me, I would very much
appreciate it.

Thanks in advance.



--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/
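As an added illustration (not code from the post, from Mike Jumper's extension, or from Guacamole), the Python below contrasts what the two flows actually deliver to the server: in the OpenID flow the token rides in the redirect URL's query string, whereas the SAML HTTP-POST binding carries the message as a base64-encoded SAMLResponse form field in the POST body, which a separate XHR to /api/tokens would not include. The ACS URL, issuer and Response message are constructed sample values; signature verification is out of scope here.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# XML namespaces used by SAML 2.0 protocol and assertion elements.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def extract_openid_token(query_string):
    """OpenID flow from the post: the token arrives in the redirect URL's query string."""
    tokens = parse_qs(query_string).get("id_token", [])
    if len(tokens) != 1:
        raise ValueError("expected exactly one id_token query parameter")
    return tokens[0]


def extract_saml_response(body, expected_acs):
    """SAML HTTP-POST binding: the message is a base64 form field in the POST body.

    An empty body (the symptom in the post) is rejected outright rather than treated
    as 'no credentials'; a Destination other than our own ACS URL is rejected too.
    Production code must also verify the XML signature and use a hardened XML parser.
    """
    if not body:
        raise ValueError("POST body is empty: the SAMLResponse did not reach this handler")
    fields = parse_qs(body)
    encoded = fields.get("SAMLResponse", [])
    if len(encoded) != 1:
        raise ValueError("expected exactly one SAMLResponse form field")
    root = ET.fromstring(base64.b64decode(encoded[0]))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("decoded message is not a samlp:Response")
    if root.get("Destination") != expected_acs:
        raise ValueError("Destination does not match this service's ACS URL")
    issuer = root.find("saml:Issuer", NS)
    return {"id": root.get("ID"),
            "in_response_to": root.get("InResponseTo"),
            "issuer": None if issuer is None else issuer.text,
            "relay_state": fields.get("RelayState", [None])[0]}


# Constructed sample, not a message from any real IdP: a minimal, unsigned Response.
ACS_URL = "https://guac.example.com/guacamole/"
SAMPLE_XML = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
              'IssueInstant="2018-01-01T00:00:00Z" InResponseTo="_req42" Destination="%s">'
              '<saml:Issuer>https://idp.example.com/</saml:Issuer></samlp:Response>'
              % (NS["samlp"], NS["saml"], ACS_URL))
SAMPLE_BODY = urlencode({"SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode(),
                         "RelayState": "return-to-home"})

if __name__ == "__main__":
    print(extract_openid_token("id_token=header.payload.sig"))
    print(extract_saml_response(SAMPLE_BODY, ACS_URL))
```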
