Guacamole 1.4.0 Issues setting up SAML authentication

["Michael Vasile (Student Employee)" <mv...@saunders.rit.edu>]

Hi all,

Trying to configure SAML on Guacamole for the first time. I have recently built a new Guacamole environment running version 1.4.0, and am having issues with having our IdP communicate back to the SAML extension.

When attempting to authenticate using SAML, the authentication fails with this error in the logs:
SAML response did not pass validation: The response was received at http://[HOSTNAME]/guacamole/api/ext/saml/callback instead of https://[HOSTNAME]/api/ext/saml/callback.

The ACS on the IdP is specified as the https://[HOSTNAME]/api/ext/saml/callback, so it seems that there is some configuration issue or Guacamole or the web server (I am using Nginx for reverse proxying).

Any ideas?

Thanks,
Mike

Re: Guacamole 1.4.0 Issues setting up SAML authentication

[Justin Engwer <ju...@mautobu.com>]

Hi,
Is there an equivalent for apache2?
Cheers,
Justin

On Fri, Jul 22, 2022 at 6:56 PM Nick Couchman <vn...@apache.org> wrote:

> On Mon, Mar 7, 2022 at 3:31 PM Michael Vasile (Student Employee)
> <mv...@saunders.rit.edu> wrote:
> >
> > Hi all,
> >
> >
> >
> > Trying to configure SAML on Guacamole for the first time. I have
> recently built a new Guacamole environment running version 1.4.0, and am
> having issues with having our IdP communicate back to the SAML extension.
> >
> >
> >
> > When attempting to authenticate using SAML, the authentication fails
> with this error in the logs:
> >
> > SAML response did not pass validation: The response was received at
> http://[HOSTNAME]/guacamole/api/ext/saml/callback instead of https://
> [HOSTNAME]/api/ext/saml/callback.
> >
> >
> >
> > The ACS on the IdP is specified as the https://[HOSTNAME]/api/ext/saml/callback,
> so it seems that there is some configuration issue or Guacamole or the web
> server (I am using Nginx for reverse proxying).
> >
> >
>
> This seems to come up frequently - we probably need to document it a
> bit better, but you might try setting these options in your Nginx
> configuration:
>
> proxy_set_header Host $host;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Server $host;
> proxy_set_header X-Forwarded-Proto $scheme;
>
> That final one - the X-Forwarded-Proto - should set up the https correctly.
>
> -NIck
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
> For additional commands, e-mail: user-help@guacamole.apache.org
>
>

Re: Guacamole 1.4.0 Issues setting up SAML authentication

[Nick Couchman <vn...@apache.org>]

On Mon, Mar 7, 2022 at 3:31 PM Michael Vasile (Student Employee)
<mv...@saunders.rit.edu> wrote:
>
> Hi all,
>
>
>
> Trying to configure SAML on Guacamole for the first time. I have recently built a new Guacamole environment running version 1.4.0, and am having issues with having our IdP communicate back to the SAML extension.
>
>
>
> When attempting to authenticate using SAML, the authentication fails with this error in the logs:
>
> SAML response did not pass validation: The response was received at http://[HOSTNAME]/guacamole/api/ext/saml/callback instead of https://[HOSTNAME]/api/ext/saml/callback.
>
>
>
> The ACS on the IdP is specified as the https://[HOSTNAME]/api/ext/saml/callback, so it seems that there is some configuration issue or Guacamole or the web server (I am using Nginx for reverse proxying).
>
>

This seems to come up frequently - we probably need to document it a
bit better, but you might try setting these options in your Nginx
configuration:

proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;

That final one - the X-Forwarded-Proto - should set up the https correctly.

-NIck

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org