Posted to user@guacamole.apache.org by michael böhm <ks...@gmx.net> on 2021/03/31 09:24:52 UTC

SAML and LDAP simultaneously

Hi everyone

we are planning to connect our Guacamole instances to a central SAML IDP.
Currently we are using LDAP.

Is it possible to activate both LDAP and SAML as authentication methods in
Guacamole at the same time or does one cancel out the other? How can the users
choose which way they want to use to authenticate?

The mapping of the connections to the LDAP users is currently done in mysql
with a matching user name as the criteria. Is this the same for SAML?

Thanks and best wishes

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Re: SAML and LDAP simultaneously

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Mar 31, 2021 at 7:27 AM michael böhm <ks...@gmx.net> wrote:

> Hi Nick,
>
> thanks for your answer. I understood that using LDAP and SAML IDP on the
> same Guacamole instance does not work as the redirect to the IDP is
> performed the moment the user hits Guacamole's web GUI.
>
> When I still want to support LDAP in addition to SAML, would it be
> possible to create another Guacamole container that uses the same guacd and
> the same database but the authentication in this container is configured
> for LDAP? Then I could configure my reverse-proxy with two subpaths like
> /guacamole and /guacamole-saml.
>
>

Yes, that would work fine. The only thing you'd be missing is that active
connections would not be synchronized between the two - so if someone
opened a connection logged in as a SAML user, while that connection is
running the users logged in with LDAP would not see it as an active
connection.

-Nick
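The two-webapp layout Michael proposes and Nick confirms above, as an added example that is not part of the thread and is not Guacamole's own documentation: a docker-compose.yml running one guacd, one MySQL database (schema assumed already loaded, as the original setup already uses MySQL), an LDAP-authenticating webapp reachable at /guacamole and a SAML-authenticating webapp reachable at /guacamole-saml, both behind one nginx reverse proxy. It assumes the environment-variable configuration of the guacamole/guacamole 1.3.0 image (GUACD_*, MYSQL_*, LDAP_*, SAML_* variables, with SAML_GROUP_ATTRIBUTE taken to be among them), a Docker Compose v2 recent enough to accept inline config content, and placeholder hostnames, credentials, base DNs and IdP metadata URL that have to be replaced.

```yaml
# Added example, not from the thread. guacd and the MySQL database are shared;
# the two web apps differ only in how they authenticate. Values are placeholders.
x-shared-env: &shared
  GUACD_HOSTNAME: guacd
  GUACD_PORT: "4822"
  MYSQL_HOSTNAME: db
  MYSQL_DATABASE: guacamole_db
  MYSQL_USER: guacamole_user
  MYSQL_PASSWORD: change-me          # placeholder

services:
  guacd:
    image: guacamole/guacd:1.3.0
    restart: unless-stopped

  db:
    image: mysql:8.0
    restart: unless-stopped
    environment:
      MYSQL_DATABASE: guacamole_db
      MYSQL_USER: guacamole_user
      MYSQL_PASSWORD: change-me        # placeholder
      MYSQL_ROOT_PASSWORD: change-me-too
    volumes:
      - guac-db:/var/lib/mysql

  # https://guac.example.com/guacamole/ : normal login form, users
  # authenticate against LDAP, connections and permissions come from MySQL.
  guac-ldap:
    image: guacamole/guacamole:1.3.0
    restart: unless-stopped
    depends_on: [guacd, db]
    environment:
      <<: *shared
      LDAP_HOSTNAME: ldap.example.com
      LDAP_PORT: "636"
      LDAP_ENCRYPTION_METHOD: ssl
      LDAP_USER_BASE_DN: ou=people,dc=example,dc=com

  # https://guac.example.com/guacamole-saml/ : the SAML extension redirects to
  # the IdP as soon as the page is opened, which is why it gets its own webapp.
  guac-saml:
    image: guacamole/guacamole:1.3.0
    restart: unless-stopped
    depends_on: [guacd, db]
    environment:
      <<: *shared
      SAML_IDP_METADATA_URL: https://idp.example.com/metadata.xml
      SAML_ENTITY_ID: https://guac.example.com/guacamole-saml/
      # The callback is the external, proxied URL, not the container's own
      # /guacamole/ path, so the IdP's response arrives via the rewrite below.
      SAML_CALLBACK_URL: https://guac.example.com/guacamole-saml/
      # IdP attribute carrying group names, so database group permissions apply.
      SAML_GROUP_ATTRIBUTE: groups

  proxy:
    image: nginx:1.25
    depends_on: [guac-ldap, guac-saml]
    ports: ["443:443"]
    volumes:
      - ./certs:/etc/nginx/certs:ro   # placeholder path for the TLS key pair
    configs:
      - source: guac_proxy
        target: /etc/nginx/conf.d/default.conf

configs:
  guac_proxy:
    # Inline "content:" needs a recent Docker Compose v2 (assumption); with older
    # versions use "file:" instead. "$$" is how a literal "$" gets past Compose
    # variable interpolation and reaches nginx.
    content: |
      server {
          listen 443 ssl;
          server_name guac.example.com;
          ssl_certificate     /etc/nginx/certs/fullchain.pem;
          ssl_certificate_key /etc/nginx/certs/privkey.pem;

          location /guacamole/ {
              proxy_pass http://guac-ldap:8080/guacamole/;
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $$http_upgrade;
              proxy_set_header Connection $$http_connection;
          }

          # location and proxy_pass URI both end in "/", so nginx replaces the
          # external /guacamole-saml/ prefix with the container's /guacamole/.
          location /guacamole-saml/ {
              proxy_pass http://guac-saml:8080/guacamole/;
              proxy_buffering off;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $$http_upgrade;
              proxy_set_header Connection $$http_connection;
          }
      }

volumes:
  guac-db:
```

Users pick the method by the path they open: /guacamole/ shows the LDAP login form, while /guacamole-saml/ sends them to the IdP immediately. Both webapps read the same connection and permission rows, so a SAML user whose name matches a database user is mapped exactly as an LDAP user is, and the group attribute lets group-based permissions in the database apply to IdP groups. As Nick notes, active-connection state stays per webapp: a session opened through the SAML instance is not shown as active to users of the LDAP instance.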

Aw: Re: SAML and LDAP simultaneously

Posted by michael böhm <ks...@gmx.net>.
Hi Nick,

thanks for your answer. I understood that using LDAP and SAML IDP on the same
Guacamole instance does not work as the redirect to the IDP is performed the
moment the user hits Guacamole's web GUI.

When I still want to support LDAP in addition to SAML, would it be possible to
create another Guacamole container that uses the same guacd and the same
database but the authentication in this container is configured for LDAP? Then
I could configure my reverse-proxy with two subpaths like /guacamole and
/guacamole-saml.

Best wishes

Michael



**Sent:**  Wednesday, 31 March 2021 at 12:40  
**From:**  "Nick Couchman" <vn...@apache.org>  
**To:**  user@guacamole.apache.org  
**Subject:**  Re: SAML and LDAP simultaneously

On Wed, Mar 31, 2021 at 5:25 AM michael böhm <ksk2@gmx.net> wrote:

> Hi everyone
>
> we are planning to connect our Guacamole instances to a central SAML IDP.
> Currently we are using LDAP.
>
> Is it possible to activate both LDAP and SAML as authentication methods in
> Guacamole at the same time or does one cancel out the other? How can the users
> choose which way they want to use to authenticate?


Using the SSO modules, including SAML, means that the user will be
automatically redirected to the SAML IdP page when they access Guacamole. So,
yes, in essence the SAML module does "cancel out" the LDAP module.



> The mapping of the connections to the LDAP users is currently done in mysql
> with a matching user name as the criteria. Is this the same for SAML?



Yes, the modules all "stack" on each other (with some caveats), but using the
JDBC module for connection storage and permission mapping along with a SSO
module for user authentication is a very common use-case. Also, the SAML
module supports retrieving group membership and passing that on to Guacamole,
so you can also map through those groups and use group-based permissions.



-Nick



Re: SAML and LDAP simultaneously

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Mar 31, 2021 at 5:25 AM michael böhm <ks...@gmx.net> wrote:

> Hi everyone
>
> we are planning to connect our Guacamole instances to a central SAML IDP.
> Currently we are using LDAP.
>
> Is it possible to activate both LDAP and SAML as authentication methods in
> Guacamole at the same time or does one cancel out the other? How can the
> users choose which way they want to use to authenticate?
>
>

Using the SSO modules, including SAML, means that the user will be
automatically redirected to the SAML IdP page when they access Guacamole.
So, yes, in essence the SAML module does "cancel out" the LDAP module.


> The mapping of the connections to the LDAP users is currently done in
> mysql with a matching user name as the criteria. Is this the same for SAML?
>
>

Yes, the modules all "stack" on each other (with some caveats), but using
the JDBC module for connection storage and permission mapping along with a
SSO module for user authentication is a very common use-case. Also, the
SAML module supports retrieving group membership and passing that on to
Guacamole, so you can also map through those groups and use group-based
permissions.

-Nick