Posted to user@guacamole.apache.org by "Tweed, Peter" <Pe...@verint.com> on 2021/10/19 15:46:54 UTC

RE: SAML Groups not recognised

Resending - as email didn't appear in archive so I don't know if it sent.

Peter T
d  +44 (0) 141 533 4043  m  +44 (0) 778 927 3030

From: Tweed, Peter
Sent: 18 October 2021 16:54
To: user@guacamole.apache.org
Subject: SAML Groups not recognised

Hi
I have connected SAML to Guacamole (1.3.0, docker version), with:
saml-group-attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

I've created groups in Guacamole (Postgres DB) to match the GUIDs that come back from active directory:
aaa-aaa-aaa-aaa-aaa
bbb-bbb-bbb-bbb-bbb
ccc-ccc-ccc-ccc-ccc

Our admins have all three AD groups.  Our users have the first two groups, so I've created two nicely named groups: Consultants, Admins.
Member of Consultants: aaa-aaa-aaa-aaa-aaa , bbb-bbb-bbb-bbb-bbb
Member of Admins: ccc-ccc-ccc-ccc-ccc

Excerpt from guacamole log:
Admins: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[ aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb, ccc-ccc-ccc-ccc-ccc],
Consultants: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[ aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb ],

I've attached some connections to the consultants group, some to the admins group.

When an admin logs in, they can see everything (including connections only assigned to the consultant group).
When a consultant logs in, they can see nothing.  They should be able to see the connections assigned to the consultants.  I've manually assigned group aaa-aaa-aaa-aaa-aaa to a consultant, and they can then see the required connections.

I feel like I'm missing something obvious!  Why does having 3 groups work, but two groups doesn't!

(AD Group IDs replaced above for security)

Peter T
d  +44 (0) 141 533 4043  m  +44 (0) 778 927 3030



This electronic message may contain proprietary and confidential information of Verint Systems Inc., its affiliates and/or subsidiaries. The information is intended to be for the use of the individual(s) or entity(ies) named above. If you are not the intended recipient (or authorized to receive this e-mail for the intended recipient), you may not use, copy, disclose or distribute to anyone this message or any information contained in this message. If you have received this electronic message in error, please notify us by replying to this e-mail.

RE: SAML Groups not recognised

Posted by "Tweed, Peter" <Pe...@verint.com>.
Nick
Azure active directory is returning the group ids only via SAML.  Apparently this is the default (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims?WT.mc_id=AZ-MVP-5003833#configure-the-azure-ad-application-registration-for-group-attributes) (I don’t have control over this) and perhaps something to do with a migration from an on-premise version.  Anyway – it shouldn’t matter, they should be just treated as text.

I’ve got two nicely named groups in guacamole (Admins, consultants)
I’ve created groups in guacamole with the same names as the IDs which come back via SAML (aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb, ccc-ccc-ccc-ccc-ccc)
I’ve made the aaa and bbb groups members of group “consultants”
I’ve made the ccc group a member of group “admins”.

Test 1: When I manually assign a user group aaa within guacamole, then user gets the connections linked to “consultants” (working as expected)
Test 2: When a user logs in with groups aaa, bbb and ccc from SAML they get access to connections attached to consultants and admins (working as expected).
Test 3: When a user logs in with groups aaa & bbb from SAML they get access to no connections (they should get access to the connections attached to “consultants”).
There is no manual assignment of connections to users.
Test 1 shows that the “member groups” hierarchy works between aaa and consultants.
If SAML group name to guacamole group name mapping didn’t work, or groups weren’t then following the “member groups” hierarchy configured, I would expect Test 2 to return no connections.
Which is why I’m confused that test 3 doesn’t work.
Does that make sense?

Peter T
d  +44 (0) 141 533 4043  m  +44 (0) 778 927 3030

From: Nick Couchman <vn...@apache.org>
Sent: 19 October 2021 18:27
To: user@guacamole.apache.org
Subject: Re: SAML Groups not recognised

On Tue, Oct 19, 2021 at 11:49 AM Tweed, Peter <Pe...@verint.com> wrote:

I'm a bit confused, here, as to what you've done with GUIDs vs. "nicely named groups"? It sounds like your SAML IdP is returning the groups as GUIDs, and you've possibly created some of the groups with those names, or not? I'm not clear on this point. Guacamole won't be able to do any additional lookup to translate those Group GUIDs to their actual names, so if you're wanting to assign permissions via group, no matter what the groups are named or how many there are, the names of the groups need to match what the SAML IdP is returning for claims.

Is it possible for one or more of the admin accounts you're using that you've manually added that account to a JDBC group, or assigned permissions directly to the account? That would explain why it appears to work for some users and not for others.

-Nick



Re: SAML Groups not recognised

Posted by Nick Couchman <vn...@apache.org>.
I'm a bit confused, here, as to what you've done with GUIDs vs. "nicely
named groups"? It sounds like your SAML IdP is returning the groups as
GUIDs, and you've possibly created some of the groups with those names, or
not? I'm not clear on this point. Guacamole won't be able to do any
additional lookup to translate those Group GUIDs to their actual names, so
if you're wanting to assign permissions via group, no matter what the
groups are named or how many there are, the names of the groups need to
match what the SAML IdP is returning for claims.

Is it possible for one or more of the admin accounts you're using that
you've manually added that account to a JDBC group, or assigned permissions
directly to the account? That would explain why it appears to work for some
users and not for others.

-Nick

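Nick's point, and the gap between Peter's tests 2 and 3, both come down to whether every value in the groups claim matches a configured Guacamole group name literally. The script below is an added example, not code from this thread or from Guacamole: it parses the two logged claim lines, flags values that match a configured group name only after trimming or case-folding (the Consultants line as quoted carries a space before `]`, which may simply be how the excerpt was typed), and applies a simplified member-groups model to show the group set each login would be expected to resolve to. The configured group set and the parent/member links are assumptions mirroring what the thread describes.

```python
import re

ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Constructed sample: the two log lines quoted in the thread (GUIDs are the
# poster's placeholders), with the mail-client link residue removed.
ADMIN_LINE = f"Admins: {ATTR}=[ aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb, ccc-ccc-ccc-ccc-ccc],"
CONSULTANT_LINE = f"Consultants: {ATTR}=[ aaa-aaa-aaa-aaa-aaa, bbb-bbb-bbb-bbb-bbb ],"

# Hypothetical mirror of the groups created in the Guacamole database and
# the "member groups" links described in the thread (parent -> members).
CONFIGURED = {"aaa-aaa-aaa-aaa-aaa", "bbb-bbb-bbb-bbb-bbb",
              "ccc-ccc-ccc-ccc-ccc", "Consultants", "Admins"}
MEMBERS = {"Consultants": {"aaa-aaa-aaa-aaa-aaa", "bbb-bbb-bbb-bbb-bbb"},
           "Admins": {"ccc-ccc-ccc-ccc-ccc"}}

def parse_group_claim(line, attribute=ATTR):
    """Values logged inside attribute=[...]; separator whitespace is dropped,
    whitespace inside a value is kept so it stays visible."""
    m = re.search(re.escape(attribute) + r"=\[\s*(.*?)\]", line)
    return re.split(r",\s*", m.group(1)) if m else []

def check_claim_values(values, configured=CONFIGURED):
    """'exact' = literal match with a configured group name; 'inexact' =
    matches only after trim/case-fold (a literal compare misses it)."""
    folded = {g.casefold() for g in configured}
    report = {}
    for raw in values:
        if raw in configured:
            report[raw] = "exact"
        elif raw.strip().casefold() in folded:
            report[raw] = "inexact"
        else:
            report[raw] = "unknown"
    return report

def effective_groups(held, members=MEMBERS):
    """Simplified member-groups model: holding any member group also grants
    its parent, to a fixed point. Expected behaviour, not Guacamole's code."""
    held, changed = set(held), True
    while changed:
        changed = False
        for parent, kids in members.items():
            if parent not in held and held & kids:
                held.add(parent)
                changed = True
    return held

def resolve(line):
    """Log line -> (per-value match report, effective group set)."""
    report = check_claim_values(parse_group_claim(line))
    return report, effective_groups(v for v, s in report.items() if s == "exact")
```

Running `resolve()` over a real log line from the SAML extension tells you which claim values would fail a literal comparison before you look anywhere else for the cause.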