Posted to user@guacamole.apache.org by Dana Shaw <ds...@medata.com> on 2021/02/03 21:54:18 UTC

I keep getting invalid_user_credentials from keycloak with saml2.0

Hi all, 

I have not been able to get guacamole + saml2 + keycloak to work.. I keep getting an invalid login (the login is valid).  

Has anyone here ever got saml + keycloak + guacamole to work?  

I'm at my wits end.. thinking of abandoning saml and giving openid a try.

Env: 
Keycloak 11.0.2
Guacamole guacamole-1.3.0
Haproxy

The error I keep getting: invalid_user_credentials.

The same credentials work just fine for another SAML2 client.  The other client goes through the same HAProxy server and works fine.

I have tried both with and without saml-group-attribute.  The group 'Group' exists and my user is a member. 

I don't see anything in the guacamole webapp logs that's really helpful.  

The other saml2 client that I have is signing the request and response.  This is the only difference that I can see between that client and the guacamole client.

I'm at a loss.. if anyone has some insight I would appreciate it.

One strange thing that I did notice.. if I attempt to login with an invalid password keycloak will return an HTTP 200 with an appropriate error message.. but if I try to login with a correct password it will throw an HTTP 400.

Thanks in advance! 

cat /etc/guacamole/guacamole.properties
guacd-hostname: devdocker.<host>.com
guacd-port: 4822
saml-idp-metadata-url: file:///etc/guacamole/idp.xml
saml-entity-id: https://<host>.com/guacamole-1.3.0
saml-callback-url: https://<host>/guacamole-1.3.0
saml-debug: true
saml-strict: true
saml-group-attribute: Group

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
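As an added debugging aid (example code written for this page, not part of Guacamole, Keycloak or the poster's setup): Keycloak locates a SAML client by the Issuer of the AuthnRequest (the client's Client ID is the SP entity ID) and checks the request's AssertionConsumerServiceURL against the client's Valid Redirect URIs, so when the IdP rejects a login that works for a second client, the first thing to confirm is that what Guacamole actually sends matches both guacamole.properties and the Keycloak client registration. The script below decodes the SAMLRequest from the redirect URL Guacamole sends the browser to (copy it from the address bar or the HAProxy access log), extracts those two fields, and compares them with a properties file. The hostnames, the sample request, and the callback path /api/ext/saml/callback are assumptions made for the example.

```python
# Added debugging helper, not code from Guacamole or Keycloak. Decodes the
# SAML AuthnRequest that the SP redirects the browser with (HTTP-Redirect
# binding) and compares its Issuer / AssertionConsumerServiceURL against
# guacamole.properties. Hostnames and the request below are constructed.
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# key, optional whitespace, optional ':' or '=', optional whitespace, value
# (the separator rules of java.util.Properties, which Guacamole reads with)
_PROP_LINE = re.compile(r"^\s*([^\s:=]+)\s*[:=]?\s*(.*?)\s*$")


def parse_properties(text):
    """Parse guacamole.properties-style text into a dict."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        m = _PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def decode_redirect_request(url):
    """Return the AuthnRequest XML carried in ?SAMLRequest= of a redirect URL.

    HTTP-Redirect binding: XML -> raw DEFLATE -> base64 -> URL-encode.
    """
    qs = parse_qs(urlparse(url).query)             # parse_qs URL-decodes
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE, no zlib header


def encode_redirect_request(xml_text, idp_sso_url):
    """Inverse of decode_redirect_request; used here only to build the sample."""
    co = zlib.compressobj(wbits=-15)
    deflated = co.compress(xml_text.encode("utf-8")) + co.flush()
    return f"{idp_sso_url}?SAMLRequest={quote(base64.b64encode(deflated).decode())}"


def inspect_authn_request(xml_text):
    """Pull the fields an IdP matches against its client registration."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
    }


def check_sp_config(props, req):
    """Compare a live request with guacamole.properties; return a list of problems."""
    problems = []
    entity_id = props.get("saml-entity-id")
    callback = props.get("saml-callback-url")
    if req["issuer"] != entity_id:
        problems.append(f"Issuer {req['issuer']!r} != saml-entity-id {entity_id!r}")
    # Assumption: the extension derives its ACS URL from saml-callback-url,
    # so the request's ACS URL should sit under the configured value.
    if not (callback and req["acs_url"] and req["acs_url"].startswith(callback)):
        problems.append(f"AssertionConsumerServiceURL {req['acs_url']!r} "
                        f"is not under saml-callback-url {callback!r}")
    return problems


# Constructed sample request from a consistently configured SP.
IDP_SSO_URL = "https://sso.example.com/auth/realms/demo/protocol/saml"
SAMPLE_REQUEST_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example1" Version="2.0" IssueInstant="2021-02-03T21:54:18Z" '
    f'Destination="{IDP_SSO_URL}" '
    'AssertionConsumerServiceURL="https://guac.example.com/guacamole-1.3.0/api/ext/saml/callback">'
    '<saml:Issuer>https://guac.example.com/guacamole-1.3.0</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
GOOD_PROPERTIES = """\
saml-idp-metadata-url: file:///etc/guacamole/idp.xml
saml-entity-id : https://guac.example.com/guacamole-1.3.0
saml-callback-url: https://guac.example.com/guacamole-1.3.0
"""
# Same shape, but the configured entity ID no longer matches what is sent.
BAD_PROPERTIES = GOOD_PROPERTIES.replace(
    "saml-entity-id : https://guac.example.com", "saml-entity-id : https://guac.example.net")


def demo():
    url = encode_redirect_request(SAMPLE_REQUEST_XML, IDP_SSO_URL)
    req = inspect_authn_request(decode_redirect_request(url))
    return {
        "request": req,
        "good": check_sp_config(parse_properties(GOOD_PROPERTIES), req),
        "bad": check_sp_config(parse_properties(BAD_PROPERTIES), req),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

To use it on a real deployment, pass the full redirect URL to decode_redirect_request and the contents of /etc/guacamole/guacamole.properties to parse_properties; any reported Issuer or ACS mismatch is then checked against the Client ID and Valid Redirect URIs of the Keycloak SAML client.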


Re: I keep getting invalid_user_credentials from keycloak with saml2.0

Posted by Dana Shaw <ds...@medata.com>.
I got OpenID + guacamole with keycloak working just fine.. it looks to be an issue with Guacamole's SAML implementation in my humble opinion.

I'd like to help if I can... 



Re: I keep getting invalid_user_credentials from keycloak with saml2.0

Posted by Mike Jumper <mi...@glyptodon.com>.
On Thu, Feb 4, 2021 at 12:41 PM Dana Shaw <ds...@medata.com> wrote:

> The only thing I see in the keycloak logs is invalid login.. but I can
> confirm the login is correct.
>

But what about the Guacamole webapp logs (Tomcat logs)?

- Mike

Re: I keep getting invalid_user_credentials from keycloak with saml2.0

Posted by Dana Shaw <ds...@medata.com>.
The only thing I see in the keycloak logs is invalid login.. but I can confirm the login is correct.

One thing that I noticed is when I purposely put in an invalid password I get an HTTP 200 from keycloak vs when I put in the correct password I get an HTTP 400.

In both cases (correct password vs purposely incorrect password) keycloak logged an invalid password event.

I got guacamole and keycloak working with the OpenID extension, so I am leaning toward an issue with the SAML extension.. but am not sure.

I have another SAML client (Spring MVC) that is working with keycloak, but the big difference is the SP metadata is signed whereas Guacamole's is not.

Attached screenshot.. hope this helps.

Any help would be appreciated!



Re: I keep getting invalid_user_credentials from keycloak with saml2.0

Posted by Mike Jumper <mi...@glyptodon.com>.
On Wed, Feb 3, 2021 at 1:54 PM Dana Shaw <ds...@medata.com> wrote:

> ...
> I don't see anything in the guacamole webapp logs that's really helpful.


What do you see in those logs?

> The other saml2 client that I have is signing the request and response.
> This is the only difference that I can see between that client and the
> guacamole client.
>

Are you sure the XML metadata file provided to Guacamole is the same as
that provided to your other client?

- Mike