Posted to user@guacamole.apache.org by Michael Hess <mi...@nols.edu.INVALID> on 2023/02/01 16:38:24 UTC

Re: SAML Groups with Azure

I cheated and installed Keeper Connection Manager. What I was missing was, yes, use the GUID as you said, but then in my guacamole.properties file, the line should read:

# SAML attribute/claim for group membership
saml-group-attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

I had it set to groups, then tried the above, but with " " around it.

Once I removed the quotes, it worked great! Thank you for the help!
________________________________
From: Michael Jumper <mj...@apache.org>
Sent: Tuesday, January 31, 2023 1:38 PM
To: user@guacamole.apache.org <us...@guacamole.apache.org>
Subject: Re: SAML Groups with Azure

On Tue, Jan 31, 2023 at 10:39 AM Michael Hess <mi...@nols.edu.invalid> wrote:
I have the default saml-group-attribute set to "groups" and in Azure I have the Claim name of http://schemas.microsoft.com/ws/2008/06/identity/claims/groups set to value: user.groups [All], all default stuff.

I don't get any mappings from the groups I've added in Guacamole, though; they have the same group name, caps and all.

IIRC, Azure's SAML is unique in its handling of groups in that it sends its own internal UUID values for group names instead of the actual group name.

How do I verify what's being sent and troubleshoot this?

Try installing a SAML-tracing extension for your browser - that should allow you to see the contents of the SAML assertion. You could also try setting Guacamole's "saml-debug" property to "true" and/or bump Guacamole's log level for the web application to "debug":

https://guacamole.apache.org/doc/gug/saml-auth.html#configuring-guacamole-for-saml-authentication
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application

- Mike
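
The following is an added example, not code from this thread or from the Guacamole project. It takes a base64 SAMLResponse as copied from a SAML-tracing extension (HTTP POST binding assumed) and shows which group values each of the three saml-group-attribute settings mentioned above would pick up. The sample assertion, its GUIDs, the simplified properties reader and the exact-match lookup are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET  # fine for this constructed sample; use defusedxml on untrusted XML

SAML_ATTR = "{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"
SAML_VALUE = "{urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue"
AZURE_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: trimmed, unsigned assertion with made-up group GUIDs.
SAMPLE_XML = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{AZURE_GROUPS}">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def read_property(text, key):
    """Simplified .properties lookup; quotes are kept as part of the value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)", line)
        if m and m.group(1) == key:
            return m.group(2)
    return None


def attribute_names(saml_b64):
    """Names of every attribute the IdP actually sent."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    return [a.get("Name") for a in root.iter(SAML_ATTR)]


def groups_for(properties_text, saml_b64):
    """Values of the attribute whose Name exactly equals saml-group-attribute
    (exact matching is an assumption of this example)."""
    wanted = read_property(properties_text, "saml-group-attribute")
    root = ET.fromstring(base64.b64decode(saml_b64))
    return [v.text for a in root.iter(SAML_ATTR) if a.get("Name") == wanted
            for v in a.iter(SAML_VALUE)]


if __name__ == "__main__":
    print("attributes sent:", attribute_names(SAMPLE_B64))
    for value in ("groups", f'"{AZURE_GROUPS}"', AZURE_GROUPS):
        conf = f"saml-group-attribute: {value}"
        print(conf, "->", groups_for(conf, SAMPLE_B64))
```

Only the unquoted claim URI returns values, and those values are the GUIDs that the group names in Guacamole have to match.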