Posted to user@guacamole.apache.org by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu> on 2020/10/01 03:09:02 UTC

RE: [EXTERNAL] Re: Configuring Guacamole with ADFS idp

I was able to sort out the logging and have more information now. Which assertions is Guacamole expecting from the identity provider (NameID, emailaddress, memberOf, etc.)? After I log into my idp and get back to Guacamole, I get an error and it says it was trying an anonymous authentication.

Also, is it correct that if SAML is going to be used, the LDAP configuration in guacamole.properties should be commented out?

Thanks

From: MARTINEZ, ARIEL
Sent: Friday, September 25, 2020 1:23 PM
To: user@guacamole.apache.org
Subject: RE: [EXTERNAL] Re: Configuring Guacamole with ADFS idp

I'm not getting redirected to my idp with the SAML extension. Does anyone know where the SAML debug logs would be logged to by default? I couldn't see anything inside of the tomcat directory in /var/log/tomcat.

Thanks

From: MARTINEZ, ARIEL
Sent: Wednesday, September 23, 2020 4:52 PM
To: user@guacamole.apache.org
Subject: RE: [EXTERNAL] Re: Configuring Guacamole with ADFS idp

For the SSO, in general, is there a URL that Guacamole is using for SAML once the SAML extension is loaded? If not, is it just the Guacamole URL?

Thanks


From: MARTINEZ, ARIEL
Sent: Wednesday, September 23, 2020 2:30 PM
To: user@guacamole.apache.org
Subject: RE: [EXTERNAL] Re: Configuring Guacamole with ADFS idp

I just reran the command that it referenced and after running make install again it completed without errors. So I think things should be good to go with the upgrade part. Just in case, where would the guacd log file be to check on any potential errors?

Thanks

From: MARTINEZ, ARIEL
Sent: Wednesday, September 23, 2020 1:40 PM
To: user@guacamole.apache.org
Subject: Re: [EXTERNAL] Re: Configuring Guacamole with ADFS idp


I was able to get past that error, but when I ran make install, I got the following error below. I am upgrading by running on top of an existing installation:



/usr/bin/mkdir -p '/usr/lib64/freerdp2'
 /bin/sh ../../../libtool   --mode=install /usr/bin/install -c   libguac-common-svc-client.la libguacai-client.la '/usr/lib64/freerdp2'
libtool: install: warning: relinking `libguac-common-svc-client.la'
libtool: install: (cd /home/user/Downloads/guacamole-server-1.2.0/src/protocols/rdp; /bin/sh /home/user/Downloads/guacamole-server-1.2.0/libtool  --silent --tag CC --mode=relink gcc -std=gnu99 -Werror -Wall -Iinclude -I../../../src/libguac -I/usr/include/freerdp2/ -I/usr/include/winpr2 -g -O2 -module -avoid-version -shared -lfreerdp2 -lfreerdp-client2 -lwinpr2 -o libguac-common-svc-client.la -rpath /usr/lib64/freerdp2 plugins/guac-common-svc/libguac_common_svc_client_la-guac-common-svc.lo ../../../src/libguac/libguac.la )
/bin/sh: /home/user/Downloads/guacamole-server-1.2.0/libtool: No such file or directory
libtool: install: error: relink `libguac-common-svc-client.la' with the above command before installing it
make[4]: *** [install-freerdpLTLIBRARIES] Error 1
make[4]: Leaving directory `/root/.local/share/Trash/files/guacamole-server-1.2.0/src/protocols/rdp'
make[3]: *** [install-am] Error 2
make[3]: Leaving directory `/root/.local/share/Trash/files/guacamole-server-1.2.0/src/protocols/rdp'
make[2]: *** [install-recursive] Error 1
make[2]: Leaving directory `/root/.local/share/Trash/files/guacamole-server-1.2.0/src/protocols/rdp'
make[1]: *** [install] Error 2
make[1]: Leaving directory `/root/.local/share/Trash/files/guacamole-server-1.2.0/src/protocols/rdp'
make: *** [install-recursive] Error 1

________________________________
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, September 23, 2020 1:18 PM
To: user@guacamole.apache.org
Subject: Re: [EXTERNAL] Re: Configuring Guacamole with ADFS idp

On Wed, Sep 23, 2020 at 12:42 PM MARTINEZ, ARIEL <AM...@hostos.cuny.edu> wrote:
Thanks, I'll give it a shot. But I have to upgrade to 1.2.0 and I am having the issue with guacamole server. When I run make, I get the error discussed here: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/1-2-server-build-fail-on-el7-and-el8-td8848.html

Yep, that was a bug in 1.2.0 that has been fixed for the next release (1.3.0). There are three ways around this:
- Install the libssh2-devel package and re-configure/compile so that it builds with SSH support.
- Check out the code from the git repo instead of downloading from the website, which has the fix.
- Back-port the patch for the issue (it's a one-line patch) to the 1.2.0 code: https://github.com/apache/guacamole-server/pull/298.patch

-Nick

RE: [EXTERNAL] Re: Configuring Guacamole with ADFS idp

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
I looked at things on the ADFS side, and in the event logs I saw that Guacamole is expecting the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. Issue was solved by creating a Transform rule of Name ID to Email. I used the following forum post: https://discuss.newrelic.com/t/sso-the-login-page/75259/2. I ended up using UPN instead of Email in hopes that it can be used to look up against groups.

Now the issue is that after being authenticated, Guacamole is not showing any of the connections. Before, I had AD groups mapped in Guacamole. But with SAML it is as if the user is not a member of the group previously defined. Also I am not sure how to log in with guacadmin while SAML is enabled.

Re: [EXTERNAL] Re: Configuring Guacamole with ADFS idp

Posted by "MARTINEZ, ARIEL" <AM...@hostos.cuny.edu>.
Here is the debug logging:


Oct  1 15:32:25 hccVCLRDG01 server: 15:32:25.728 [http-bio-8443-exec-4] DEBUG c.onelogin.saml2.authn.AuthnRequest - AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_51b77b70-a6ea-4da8-80b0-684d613cf0f0" Version="2.0" IssueInstant="2020-10-01T19:32:25Z" Destination="https://login.hostos.cuny.edu/adfs/ls/" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://hccvclrdg01.hostos.cuny.edu:8443/guacamole/api/ext/saml/callback"><saml:Issuer>https://hccvclrdg01.hostos.cuny.edu:8443/guacamole</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" /></samlp:AuthnRequest>
Oct  1 15:32:25 hccVCLRDG01 server: 15:32:25.732 [http-bio-8443-exec-4] DEBUG o.a.g.a.f.FileAuthenticationProvider - Reading user mapping file: "/etc/guacamole/user-mapping.xml"
Oct  1 15:32:25 hccVCLRDG01 server: 15:32:25.741 [http-bio-8443-exec-4] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from 10.32.14.218 failed.
Oct  1 15:32:26 hccVCLRDG01 server: 15:32:26.004 [http-bio-8443-exec-2] WARN  o.a.g.a.s.AuthenticationProviderService - SAML response contained other than single assertion.
Oct  1 15:32:26 hccVCLRDG01 server: 15:32:26.004 [http-bio-8443-exec-2] DEBUG o.a.g.a.s.AuthenticationProviderService - validateNumAssertions returned false.
Oct  1 15:32:26 hccVCLRDG01 server: 15:32:26.004 [http-bio-8443-exec-2] WARN  o.a.g.a.s.AuthenticationProviderService - Exception while getting name from SAML response: Unable to validate SAML assertions.
Oct  1 15:32:26 hccVCLRDG01 server: 15:32:26.007 [http-bio-8443-exec-2] DEBUG o.a.g.a.s.AuthenticationProviderService - Received Exception while retrieving name from SAML response.
Oct  1 15:32:26 hccVCLRDG01 server: org.apache.guacamole.GuacamoleServerException: Unable to validate SAML assertions.
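The two failures visible in the debug log above ("SAML response contained other than single assertion" and a NameID format the IdP had to be told to issue, as worked out in the ADFS Transform-rule post) can be reproduced offline against a captured response. The checker below is an added example, not Guacamole's or the onelogin library's code; the AuthnRequest, responses and example.edu hostnames are constructed, and only the two checks named in the log are modelled.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed AuthnRequest shaped like the one in the debug log (placeholder hosts).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.edu/guacamole/api/ext/saml/callback">'
    '<saml:Issuer>https://sp.example.edu/guacamole</saml:Issuer>'
    '<samlp:NameIDPolicy Format="%s" AllowCreate="true"/></samlp:AuthnRequest>'
    % (NS["samlp"], NS["saml"], EMAIL_FORMAT))

def requested_format(authn_request_xml):
    """NameID format the SP asked for in its NameIDPolicy (None if absent)."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")

def diagnose_response(response_xml, expected_format):
    """Problems a SP applying the two logged checks would report; [] means it passes:
    exactly one plaintext saml:Assertion whose Subject/NameID has the requested
    Format. Encrypted assertions are counted separately to explain a bad count."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    if len(plain) != 1:
        return ["response contained other than single assertion: "
                "%d plaintext, %d encrypted" % (len(plain), len(encrypted))]
    name_id = plain[0].find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["assertion has no Subject/NameID"]
    fmt = name_id.get("Format")
    if fmt != expected_format:
        return ["NameID Format %r does not match requested %r" % (fmt, expected_format)]
    return []

def _response(body):
    """Wrap constructed assertion XML in a minimal samlp:Response (sample data)."""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" Version="2.0">'
            '<saml:Issuer>https://idp.example.edu/adfs/services/trust</saml:Issuer>%s'
            '</samlp:Response>' % (NS["samlp"], NS["saml"], body))

def _assertion(fmt, value):
    return ('<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
            '<saml:NameID Format="%s">%s</saml:NameID></saml:Subject></saml:Assertion>'
            % (fmt, value))

# Constructed responses: one passes; one carries only an encrypted assertion (zero
# plaintext, so the count check fails); one was issued with a different NameID format.
GOOD = _response(_assertion(EMAIL_FORMAT, "user@example.edu"))
ENCRYPTED_ONLY = _response('<saml:EncryptedAssertion><xenc:EncryptedData '
                           'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>')
WRONG_FORMAT = _response(_assertion(
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "EXAMPLE\\user"))
```

Run `diagnose_response(captured_xml, requested_format(authn_request_xml))` on a decoded SAMLResponse taken from the browser's POST to the callback URL; an empty list means both conditions the log complains about are satisfied.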

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org