Posted to user@guacamole.apache.org by Vieri <re...@yahoo.com.INVALID> on 2022/06/29 10:39:52 UTC

reverse proxy and SAML SSO

Hi,

When using the "new-path" example config in https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html, how would one define the saml* options in guacamole.properties, i.e. saml-callback-url?

This is what I set:

saml-entity-id: whatever (same as defined in IdP)
saml-callback-url: https://guac.mydomain.org/


I'm asking because my SAML request contains:

AssertionConsumerServiceURL="https://guac.mydomain.org/api/ext/saml/callback"

but I am unable to log in because I get an HTTP error 405 when calling https://guac.mydomain.org/api/ext/saml/callback.

My apache config contains:

        ProxyRequests Off
        ProxyPreserveHost On

        <Location />
            Require all granted
            ProxyPass https://localhost:8543/guacamole/ flushpackets=on
            ProxyPassReverse https://localhost:8543/guacamole/
            ProxyPassReverseCookiePath /guacamole/ /
        </Location>

        <Location /websocket-tunnel>
            Require all granted
            ProxyPass wss://localhost:8543/guacamole/websocket-tunnel
            ProxyPassReverse wss://localhost:8543/guacamole/websocket-tunnel
        </Location>


Any thoughts?

Regards,

Vieri


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: reverse proxy and SAML SSO

Posted by Vieri <re...@yahoo.com.INVALID>.
The only way I found to fix this is to rename my guacamole.war to ROOT.war (and modify the Apache reverse proxy path settings accordingly).

This makes the "new-path" configuration described in the Guacamole documentation incomplete when using SAML SSO.

It seems that this SAML issue has already been discussed (lightly) here:

https://lists.apache.org/thread/p09kz5sch60bpcxo6g95l843mgr47sdg

However, I don't quite understand when Mike says that:

"You just need to make sure that the webapp's .war file
matches the path that you've specified when you registered the webapp
with your SAML IdP. If the path that the webapp is served at by Tomcat
doesn't match the publicly-visible path, then SAML validation will fail."

What is "the path you've specified when you registered the webapp with your SAML IdP"?
I sent the IdP just 2 values - the entity ID and the callback URL.
The only real URL/path is the callback URL which in my case is https://guac.mydomain.org/

So I guess the path here is "/", right?

Also, what does "the webapp's .war file matches the path" mean exactly?
My guacamole.war is in /var/lib/tomcat-8.5-hman/webapps and it deploys as /var/lib/tomcat-8.5-hman/webapps/guacamole, so does this mean that the path here is "/guacamole"?

So does this produce the dreaded "/" != "/guacamole" condition?

So, if I wanted to configure a reverse proxy with a virtual domain *for each* tomcat container/webapp how should I do that?
I do not want to configure 1 virtual domain as the root reverse proxy and from there deploy tomcat webapps.
I require each virtualhost to point to a specific tomcat webapp.

Vieri






Re: reverse proxy and SAML SSO

Posted by Vieri <re...@yahoo.com.INVALID>.
On Thursday, June 30, 2022, 02:11:22 PM GMT+2, Lee Doughty <le...@virginiacyberrange.org> wrote: 

> It contains "guacamole" in the path because that's what Tomcat does... it infers paths by the name of the file, as you see.
>
> If it's easier, you can also achieve this by setting WEBAPP_CONTEXT in the environment:
> 
> https://github.com/apache/guacamole-client/blob/1.4.0/guacamole-docker/bin/start.sh#L728

Thanks, but isn't that a docker script?
I can't just SetEnv that variable to "guacamole" in Apache.

So, no matter how I look at it, it seems that the only way (if I wanted more than one webapp) is to configure 1 VirtualHost that reverse-proxies to different specific Locations, one for each webapp.

Thanks,

Vieri



Re: reverse proxy and SAML SSO

Posted by Lee Doughty <le...@virginiacyberrange.org>.
It contains "guacamole" in the path because that's what Tomcat does... it
infers paths by the name of the file, as you see.

If it's easier, you can also achieve this by setting WEBAPP_CONTEXT in the
environment:

https://github.com/apache/guacamole-client/blob/1.4.0/guacamole-docker/bin/start.sh#L728

On Thu, Jun 30, 2022 at 7:20 AM Vieri <re...@yahoo.com.invalid> wrote:

> The problem seems to be with the onelogin library:
>
> java-saml/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java
>
> contains:
>
>         protected void validateDestination(final Element element) throws ValidationError {
>                 if (element.hasAttribute("Destination")) {
>                         final String destinationUrl = element.getAttribute("Destination");
>                         if (destinationUrl != null) {
>                                 if (destinationUrl.isEmpty()) {
>                                         throw new ValidationError("The response has an empty Destination value", ValidationError.EMPTY_DESTINATION);
>                                 } else if (!destinationUrl.equals(currentUrl)) {
>                                         throw new ValidationError("The response was received at " + currentUrl + " instead of " + destinationUrl, ValidationError.WRONG_DESTINATION);
>                                 }
>                         }
>                 }
>         }
>
> Now, considering my Apache reverse proxy config and the "Destination"
> field in the SAML response here below:
>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>                  Destination="https://guac.mydomain.org/api/ext/saml/callback"
>                  ID="_f53e5bfaf4fae92d0cc4c602f59b8a98"
>                  InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95"
>                  IssueInstant="2022-06-30T06:44:57.465Z"
>                  Version="2.0"
>                  >
>
> I guess that's why it's "failing" because currentUrl != destinationUrl.
>
> Now, how come currentUrl is
> https://guac.mydomain.org/guacamole/api/ext/saml/callback ?
> Who is requesting that URL and why does it contain "guacamole" in the path?
> Neither the IdP nor the guacamole SP ever mention that the callback should
> be https://guac.mydomain.org/guacamole/api/ext/saml/callback.
>
>
>
>

Re: reverse proxy and SAML SSO

Posted by Vieri <re...@yahoo.com.INVALID>.
The problem seems to be with the onelogin library:

java-saml/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

contains:

        protected void validateDestination(final Element element) throws ValidationError {
                if (element.hasAttribute("Destination")) {
                        final String destinationUrl = element.getAttribute("Destination");
                        if (destinationUrl != null) {
                                if (destinationUrl.isEmpty()) {
                                        throw new ValidationError("The response has an empty Destination value", ValidationError.EMPTY_DESTINATION);
                                } else if (!destinationUrl.equals(currentUrl)) {
                                        throw new ValidationError("The response was received at " + currentUrl + " instead of " + destinationUrl, ValidationError.WRONG_DESTINATION);
                                }
                        }
                }
        }

Now, considering my Apache reverse proxy config and the "Destination" field in the SAML response here below:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://guac.mydomain.org/api/ext/saml/callback"
                 ID="_f53e5bfaf4fae92d0cc4c602f59b8a98"
                 InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95"
                 IssueInstant="2022-06-30T06:44:57.465Z"
                 Version="2.0"
                 >

I guess that's why it's "failing" because currentUrl != destinationUrl.

Now, how come currentUrl is https://guac.mydomain.org/guacamole/api/ext/saml/callback ?
Who is requesting that URL and why does it contain "guacamole" in the path?
Neither the IdP nor the guacamole SP ever mention that the callback should be https://guac.mydomain.org/guacamole/api/ext/saml/callback.




Re: reverse proxy and SAML SSO

Posted by Vieri <re...@yahoo.com.INVALID>.
On Thursday, June 30, 2022, 01:22:13 AM GMT+2, Vieri <re...@yahoo.com.invalid> wrote: 

> Apparently, the IdP had a misconfiguration for the guacamole SP. My original error is now solved, and I can now log into the IdP.
> However, when I am redirected back to guacamole I enter an infinite redirection loop between SP and IdP.
> That is because Tomcat/Guacamole complains about:
>
> ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at https://guac.mydomain.org/guacamole/api/ext/saml/callback instead of https://guac.mydomain.org/api/ext/saml/callback

I can see the SAML response in the client browser, and it seems that the callback URL is correct (https://guac.mydomain.org/api/ext/saml/callback).

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://guac.mydomain.org/api/ext/saml/callback"
                 ID="_f53e5bfaf4fae92d0cc4c602f59b8a98"
                 InResponseTo="ONELOGIN_515df37e-aaa0-4024-bd29-8c869fb7ea95"
                 IssueInstant="2022-06-30T06:44:57.465Z"
                 Version="2.0"
                 >

If Guacamole complains (onelogin used by the SAML extension) it must be because of the Apache reverse proxy, right?

I didn't change anything in the Apache and guacamole.properties files, but here's a reminder.

Apache config contains:

        <Location />
            Require all granted
            ProxyPass https://localhost:8543/guacamole/ flushpackets=on
            ProxyPassReverse https://localhost:8543/guacamole/
            ProxyPassReverseCookiePath /guacamole/ /
        </Location>

        <Location /websocket-tunnel>
            Require all granted
            ProxyPass wss://localhost:8543/guacamole/websocket-tunnel
            ProxyPassReverse wss://localhost:8543/guacamole/websocket-tunnel
        </Location>

guacamole.properties contains:

saml-callback-url: https://guac.mydomain.org/

So, I'm pretty sure if I were to *not* use a "new-path" in the reverse proxy everything would work fine as long as I'd specify the callback URL as https://guac.mydomain.org/guacamole/.
However, I'm guessing it's failing here with the "new-path" configuration because:

1) the SAML response is properly being directed to the "new-path"
2) the Apache reverse proxy is passing the callback POST request for https://guac.mydomain.org/api/ext/saml/callback to https://guac.mydomain.org/guacamole/api/ext/saml/callback because it matches the '/' Location
3) the Tomcat Guacamole application complains that it's receiving the callback request at https://guac.mydomain.org/guacamole/api/ext/saml/callback instead of https://guac.mydomain.org/api/ext/saml/callback

Maybe I'm missing a rewriterule in my Apache config?
Any ideas?

Vieri
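The three-step reasoning above, and the ROOT.war fix from the earlier reply, as an added model that is not Guacamole or java-saml code: it reproduces the Destination comparison from SamlResponse.validateDestination() and rebuilds the URL Tomcat sees for each proxy layout. The URL rebuild is a simplified stand-in (public Host because of ProxyPreserveHost On, plus the path the proxy actually forwarded), and every host and path is a constructed sample value taken from this thread.

```python
"""Model of java-saml's validateDestination() under the proxy layouts in this
thread. Added illustration only, not Guacamole or java-saml code: the URL
rebuild is a simplified stand-in for how Tomcat forms the request URL
(public Host because of ProxyPreserveHost On, plus the path Tomcat really
received), and all hosts and paths are the constructed sample values."""
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# ACS endpoint the Guacamole SAML extension serves, relative to the webapp root.
CALLBACK_PATH = "api/ext/saml/callback"

EMPTY_DESTINATION = "EMPTY_DESTINATION"
WRONG_DESTINATION = "WRONG_DESTINATION"


def validate_destination(destination: Optional[str], current_url: str) -> Optional[str]:
    """Same decision as the Java method: absent attribute -> accepted, empty ->
    EMPTY_DESTINATION, any difference from the URL the SP saw -> WRONG_DESTINATION.
    Returns the error code, or None when the response is accepted."""
    if destination is None:
        return None
    if destination == "":
        return EMPTY_DESTINATION
    if destination != current_url:
        return WRONG_DESTINATION
    return None


def saml_destination(saml_callback_url: str) -> str:
    """Destination the IdP writes into the Response: the ACS URL the SP advertised,
    i.e. saml-callback-url from guacamole.properties with the ACS path appended."""
    return saml_callback_url.rstrip("/") + "/" + CALLBACK_PATH


def tomcat_current_url(public_url: str, proxy: Tuple[str, str]) -> str:
    """URL Tomcat reconstructs for a request that came through Apache.
    proxy = (public_prefix, backend_prefix); ("/", "/guacamole/") models the
    'new-path' rule  ProxyPass / https://localhost:8543/guacamole/ .
    Scheme and host stay public; only the path is rewritten by the proxy."""
    public_prefix, backend_prefix = proxy
    url = urlsplit(public_url)
    if not url.path.startswith(public_prefix):
        raise ValueError(f"{url.path} is not under the proxied prefix {public_prefix}")
    backend_path = backend_prefix + url.path[len(public_prefix):]
    return urlunsplit((url.scheme, url.netloc, backend_path, "", ""))


def check_layout(saml_callback_url: str, proxy: Tuple[str, str]) -> Optional[str]:
    """Simulate the browser POSTing the Response to the advertised ACS URL through
    the proxy and return what validateDestination() would decide."""
    destination = saml_destination(saml_callback_url)
    return validate_destination(destination, tomcat_current_url(destination, proxy))


if __name__ == "__main__":
    layouts = {
        # Failing setup from the thread: guacamole.war (context /guacamole) behind 'new-path'.
        "new-path + guacamole.war": ("https://guac.mydomain.org/", ("/", "/guacamole/")),
        # The ROOT.war fix: Tomcat context becomes "/", so ProxyPass maps / to /.
        "new-path + ROOT.war": ("https://guac.mydomain.org/", ("/", "/")),
        # No path rewriting: the callback is advertised with the context path included.
        "same-path + guacamole.war": ("https://guac.mydomain.org/guacamole/", ("/guacamole/", "/guacamole/")),
    }
    for name, (callback, proxy) in layouts.items():
        print(f"{name:26s} -> {check_layout(callback, proxy) or 'accepted'}")
```

The first layout yields exactly the WRONG_DESTINATION log line quoted in this thread; the check itself is what stops a Response issued for one endpoint being accepted at another, so the remedy is aligning the public and Tomcat paths, not relaxing the comparison.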







Re: reverse proxy and SAML SSO

Posted by Vieri <re...@yahoo.com.INVALID>.
Apparently, the IdP had a misconfiguration for the guacamole SP. My original error is now solved, and I can now log into the IdP.
However, when I am redirected back to guacamole I enter an infinite redirection loop between SP and IdP.
That is because Tomcat/Guacamole complains about:

ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at https://guac.mydomain.org/guacamole/api/ext/saml/callback instead of https://guac.mydomain.org/api/ext/saml/callback


Sorry for the SAML newbie question but "who" is sending the response? I'm guessing the IdP tells the client browser to send the response back to https://guac.mydomain.org/guacamole/api/ext/saml/callback instead of https://guac.mydomain.org/api/ext/saml/callback, right?
If that's so then I guess the IdP is misconfigured again because it should tell the client to send the response to https://guac.mydomain.org/api/ext/saml/callback.

Regards,

Vieri



Re: reverse proxy and SAML SSO

Posted by Vieri <re...@yahoo.com.INVALID>.
On Wednesday, June 29, 2022 at 03:00:12 PM GMT+2, chomik MChamster <tu...@gmail.com> wrote: 

> Hey Vieri,
> Not sure if you want to try this - I could not get guacamole-auth-saml-1.4 working with my guacamole 1.4 deployment. As far as I 
> remember it had to do with the proxy config (I'm not an expert)
> I reverted back to guacamole-auth-saml-1.3.0.jar (the rest of the deployment is still v1.4, only that jar file is v 1.3) and everything was 
> working back again.
>
> my saml-entity-id value in guacamole.properties is the same as saml-callback-url value, i.e. https://my-guacamole.mydomain.com/

Hi,

So I downloaded https://archive.apache.org/dist/guacamole/1.3.0/binary/guacamole-auth-saml-1.3.0.tar.gz, removed my 1.4.0 SAML module from the extensions subdir, added the 1.3 version, restarted tomcat.
I still get the same behavior as in my first post.

I'm wondering if it's an issue on the IdP instead.

Thanks,

Vieri



Re: reverse proxy and SAML SSO

Posted by chomik MChamster <tu...@gmail.com>.
Hey Vieri,
Not sure if you want to try this - I could not get guacamole-auth-saml-1.4
working with my guacamole 1.4 deployment. As far as I remember it had to do
with the proxy config (I'm not an expert)
I reverted back to guacamole-auth-saml-1.3.0.jar (the rest of the
deployment is still v1.4, only that jar file is v 1.3) and everything was
working back again.

my saml-entity-id value in guacamole.properties is the same as
saml-callback-url value, i.e. https://my-guacamole.mydomain.com/

Thanks,
T

On Wed, 29 Jun 2022 at 11:40, Vieri <re...@yahoo.com.invalid> wrote:

> Hi,
>
> When using the "new-path" example config in
> https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html, how
> would one define the saml* options in guacamole.properties, ie.
> saml-callback-url?
>
> This is what I set:
>
> saml-entity-id: whatever (same as defined in IdP)
> saml-callback-url: https://guac.mydomain.org/
>
>
> I'm asking because my SAML request contains:
>
> AssertionConsumerServiceURL="https://guac.mydomain.org/api/ext/saml/callback"
>
> but I am unable to log-in because I get an HTTP error 405 when calling
> https://guac.mydomain.org/api/ext/saml/callback.
>
> My apache config contains:
>
>         ProxyRequests Off
>         ProxyPreserveHost On
>
>         <Location />
>             Require all granted
>             ProxyPass https://localhost:8543/guacamole/ flushpackets=on
>             ProxyPassReverse https://localhost:8543/guacamole/
>             ProxyPassReverseCookiePath /guacamole/ /
>         </Location>
>
>         <Location /websocket-tunnel>
>             Require all granted
>             ProxyPass wss://localhost:8543/guacamole/websocket-tunnel
>             ProxyPassReverse wss://localhost:8543/guacamole/websocket-tunnel
>         </Location>
>
>
> Any thoughts?
>
> Regards,
>
> Vieri
>
>
>
>

Re: reverse proxy and SAML SSO

Posted by Vieri <re...@yahoo.com.INVALID>.
On Wednesday, June 29, 2022 at 01:44:02 PM GMT+2, Lee Doughty <le...@virginiacyberrange.org> wrote:

> you mentioned https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html -- which is for 0.9.7
>
> If you were on 0.9.7 I would not expect you to be able to do SAML, so I pointed it out.
> 
> The updated docs might or might not provide more guidance for you since you are on 1.4.. or maybe someone else will chime in with more 
> help.

Right, thanks.
Well, the 1.4.0 manual here is just as much the same as far as Apache reverse proxy configuration:

https://guacamole.apache.org/doc/1.4.0/gug/reverse-proxy.html

Unfortunately, I do not have access to the IdP so I don't know if the problem is in my SP or in the remote IdP.

Thanks anyway,

Vieri



Re: reverse proxy and SAML SSO

Posted by Lee Doughty <le...@virginiacyberrange.org>.
you mentioned
https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html -- which
is for 0.9.7

If you were on 0.9.7 I would not expect you to be able to do SAML, so I
pointed it out.

The updated docs might or might not provide more guidance for you since you
are on 1.4.. or maybe someone else will chime in with more help.

On Wed, Jun 29, 2022, 7:22 AM Vieri <re...@yahoo.com.invalid> wrote:

>
> On Wednesday, June 29, 2022 at 12:57:44 PM GMT+2, Lee Doughty <
> lee@virginiacyberrange.org> wrote:
>
> > I don't believe guacamole 0.9x has support for SAML...
> > Can you upgrade to 1.4 and look at the latest guacamole manual?
>
> Hi,
>
> Why did you assume I was using 0.9x? I am using 1.4, and everything is
> working fine without the reverse proxy. The SAML callback URL seems to be
> the culprit, but I don't know why.
>
> Thanks,
>
> Vieri
>
>
>

Re: reverse proxy and SAML SSO

Posted by Vieri <re...@yahoo.com.INVALID>.
On Wednesday, June 29, 2022 at 12:57:44 PM GMT+2, Lee Doughty <le...@virginiacyberrange.org> wrote: 

> I don't believe guacamole 0.9x has support for SAML...
> Can you upgrade to 1.4 and look at the latest guacamole manual?

Hi,

Why did you assume I was using 0.9x? I am using 1.4, and everything is working fine without the reverse proxy. The SAML callback URL seems to be the culprit, but I don't know why.

Thanks,

Vieri



Re: reverse proxy and SAML SSO

Posted by Lee Doughty <le...@virginiacyberrange.org>.
I don't believe guacamole 0.9x has support for SAML...

Can you upgrade to 1.4 and look at the latest guacamole manual?

https://guacamole.apache.org/doc/gug/

I believe SAML support was not added until 1.1 or 1.2

-Lee

On Wed, Jun 29, 2022, 6:40 AM Vieri <re...@yahoo.com.invalid> wrote:

> Hi,
>
> When using the "new-path" example config in
> https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html, how
> would one define the saml* options in guacamole.properties, ie.
> saml-callback-url?
>
> This is what I set:
>
> saml-entity-id: whatever (same as defined in IdP)
> saml-callback-url: https://guac.mydomain.org/
>
>
> I'm asking because my SAML request contains:
>
> AssertionConsumerServiceURL="https://guac.mydomain.org/api/ext/saml/callback"
>
> but I am unable to log-in because I get an HTTP error 405 when calling
> https://guac.mydomain.org/api/ext/saml/callback.
>
> My apache config contains:
>
>         ProxyRequests Off
>         ProxyPreserveHost On
>
>         <Location />
>             Require all granted
>             ProxyPass https://localhost:8543/guacamole/ flushpackets=on
>             ProxyPassReverse https://localhost:8543/guacamole/
>             ProxyPassReverseCookiePath /guacamole/ /
>         </Location>
>
>         <Location /websocket-tunnel>
>             Require all granted
>             ProxyPass wss://localhost:8543/guacamole/websocket-tunnel
>             ProxyPassReverse wss://localhost:8543/guacamole/websocket-tunnel
>         </Location>
>
>
> Any thoughts?
>
> Regards,
>
> Vieri
>
>
>
>