Nick, thanks for all your help. Let me elaborate.
When I say I have a REST service, it's just as you described -- a WS-annotated class that is returned from the authentication provider's getResource method. I can call this REST service just fine, and know that it works. This service takes in a POST (from the SAML identity provider), calls the existing /api/tokens endpoint, passing all of the same content, and receives a Guacamole authentication token -- i.e., the user is now authenticated by Guacamole (specifically by my authentication provider), and is stored in the session. This also works. I receive the token just fine.

The problem is I need to pass this token, somehow, to the Guacamole UI so that when it calls /api/tokens itself, it can pass in the same token.

The essentials of the REST method:

    @POST
    @Path("/postredirect")
    public Response redirectSamlPostToGet(@Context HttpServletRequest request, String content)
            throws GuacamoleException, URISyntaxException {
        try {
            // Exchange the POSTed SAML content for a Guacamole token via /api/tokens
            String token = callTokenService(request, content);
            // Redirect the browser to the Guacamole UI with the token in the URL fragment
            return Response.seeOther(new URI("http://<site>/guacamole/#/token=" + token)).build();
        } catch (Exception e) {
            logger.error("Error occurred in postredirect", e);
            throw new RuntimeException(e);
        }
    }

There are no errors in the logs. In network traffic I see the redirect happen correctly. However, Guacamole is ignoring the token=<token> portion of the URL. I've tried using id_token instead, but that is also ignored.

--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/