Posted to user@guacamole.apache.org by Michael White <cc...@gmail.com> on 2022/11/21 21:53:10 UTC
Infinite redirect loop with SAML auth
I recently started trying to get SSO working with my dockerized setup.
I placed the saml extension in my home directory, set the 3 required
variables in guacamole.properties. When I go to guac, it redirects me to
my provider, then redirects back to guacamole, but instead of signing me
in, it just redirects back to Keycloak, then back forever.
Looking at the guacamole container logs, I see this error
> 21:50:33.340 [http-nio-8080-exec-2] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at http://rdpb.example.com/api/ext/saml/callback instead of https://rdpb.example.com/api/ext/saml/callback
> 21:50:33.341 [http-nio-8080-exec-2] WARN  o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://rdpb.example.com/api/ext/saml/callback instead of https://rdpb.example.com/api/ext/saml/callback
Which makes it seem like the callback is being fired at http instead of
https. But I have the redirect URI set to https, so why is it using http?
Here is a bunch of relevant config files:
==========================================
guacamole.properties:
-----------------------------------------------------------
saml-idp-metadata-url: https://keycloak.example.com/auth/realms/master/protocol/saml/descriptor
saml-callback-url: https://rdpb.example.com/
saml-entity-id: guac
extension-priority: saml
skip-if-unavailable: postgresql
==========================================
Kubernetes manifests
-----------------------------------------------------------
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: guacamolebackup
  namespace: wfs
  labels:
    app: guacamolebackup
spec:
  replicas: 1
  selector:
    matchLabels:
      app: guacamolebackup
  template:
    metadata:
      labels:
        app: guacamolebackup
    spec:
      containers:
        - name: guacamole
          image: guacamole/guacamole:1.4.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
              name: http
          env:
            - name: POSTGRES_HOSTNAME
              value: db-postgres-postgresql
            - name: POSTGRES_DATABASE
              value: guacamolebackup
            - name: POSTGRES_USER
              value: guacamolebackup
            - name: POSTGRES_PASSWORD
              value: redacted
            - name: GUACD_HOSTNAME
              value: guacd
            - name: GUACD_PORT
              value: '4822'
            - name: GUACAMOLE_HOME
              value: '/data'
            - name: WEBAPP_CONTEXT
              value: 'ROOT'
          volumeMounts:
            - name: data
              mountPath: /data
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guacamolebackup
  namespace: wfs
  labels:
    app: guacamolebackup
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: 'letsencrypt-prod'
    nginx.ingress.kubernetes.io/enable-cors: 'true'
    nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-body-size: 256M
    nginx.ingress.kubernetes.io/proxy-connect-timeout: '30'
    nginx.ingress.kubernetes.io/proxy-send-timeout: '3600'
    nginx.ingress.kubernetes.io/proxy-read-timeout: '3600'
spec:
  tls:
    - hosts:
        - rdpb.example.com
      secretName: guacamole-tls
  rules:
    - host: rdpb.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: guacamolebackup
                port:
                  name: http
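Added illustration, not code from the original post or from Guacamole itself: a model of the SAML "received at" destination check when TLS is terminated at the ingress and the pod is reached over plain HTTP on port 8080. It shows why the backend rebuilds an http:// URL that fails to match the configured https callback, and how taking the scheme from X-Forwarded-Proto only when the peer is a known proxy (the behaviour of Tomcat's RemoteIpValve) makes the two agree; the proxy address and header names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the request as the servlet container sees it after the
# TLS-terminating ingress forwarded the SAML POST over plain HTTP.
@dataclass
class Request:
    scheme: str                 # scheme of the last hop that reached the container
    host: str
    path: str
    remote_addr: str            # peer that opened the connection (the proxy, if any)
    headers: dict = field(default_factory=dict)

# ACS URL the IdP was given, taken from the log lines in the post.
EXPECTED_ACS = "https://rdpb.example.com/api/ext/saml/callback"

def received_at(req: Request, trusted_proxies: frozenset = frozenset()) -> str:
    """Rebuild the URL the SAML response was 'received at'.

    The scheme is that of the last hop unless the peer is a trusted proxy, in
    which case the first X-Forwarded-Proto value is honoured. Trusting the
    header from arbitrary peers is deliberately not done: only the proxy that
    actually terminated TLS may vouch for the original scheme (assumption)."""
    scheme = req.scheme
    if req.remote_addr in trusted_proxies:
        scheme = req.headers.get("X-Forwarded-Proto", scheme).split(",")[0].strip()
    return f"{scheme}://{req.host}{req.path}"

def destination_ok(req: Request, expected_acs: str,
                   trusted_proxies: frozenset = frozenset()) -> tuple:
    """Destination check an SP performs on a SAML response: the URL it was
    received at must equal the ACS URL the IdP was told about. This is what
    stops an assertion issued for one endpoint being accepted at another."""
    got = received_at(req, trusted_proxies)
    if got != expected_acs:
        return False, f"The response was received at {got} instead of {expected_acs}"
    return True, "destination matches"

# Constructed sample: ingress (assumed pod address 10.42.0.7) terminated TLS
# and forwarded to Tomcat over http, adding the usual forwarding headers.
POSTED_CALLBACK = Request(
    scheme="http", host="rdpb.example.com", path="/api/ext/saml/callback",
    remote_addr="10.42.0.7",
    headers={"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.9"},
)

if __name__ == "__main__":
    print(destination_ok(POSTED_CALLBACK, EXPECTED_ACS))                        # the log's mismatch
    print(destination_ok(POSTED_CALLBACK, EXPECTED_ACS, frozenset({"10.42.0.7"})))  # passes
```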