On Wed, Sep 27, 2017 at 5:35 PM, Colin McGuigan <colin_guacam...@walkingshadows.org> wrote:

> So I went ahead and created an external web service that internally calls
> /guacamole/api/tokens, and then redirects to /guacamole/#/token=<token>
>

When you say you created an external web service, what do you mean?


>
> Doesn't work.
>
> Investigation of the network traffic shows that the /guacamole/api/tokens
> call does not have the token in it at all (in Mike's OpenID implementation
> id_token is passed along this way, and I was hoping it would work the same
> for token).  Changing the name of the parameter, so it's now redirecting to
> /guacamole/#/id_token=<token> also does not pass a token_id parameter to
> /guacamole/api/tokens, which confuses me, because I saw this behavior with
> the OpenID plugin.
>
> So new questions:
>
> 1) Is this a valid approach?  I.e., can a Guacamole authorization token even
> be passed around in this manner?
>
> 2) Why is the token not being passed from /guacamole/#/token=<token> to
> /guacamole/api/tokens?
>
>
>
So, I think the approach you need to take is that, within the SAML
extension itself, you need to create a REST endpoint that handles
a POST call to it, processes the data from the POST, and then translates
that to the correct call to /guacamole/api/tokens to tell Guacamole that
the login has succeeded.  You can have a look at the other REST source code
to see code that creates these types of services:

https://github.com/apache/incubator-guacamole-client/tree/master/guacamole/src/main/java/org/apache/guacamole/rest

I've not actually implemented an extension-specific REST endpoint myself,
so I can't provide very detailed instructions, but it is possible - Mike
can probably provide further guidance, if needed.

Once you have that working, when you call the SAML authentication, you need
to make sure that SAML is redirecting back to your new REST endpoint, which
will then process the body of the POST request, authenticate the user in
Guacamole, and redirect on to the Guacamole home page or connection.

Mike or James, am I providing accurate information?

-Nick
