Posted to user@guacamole.apache.org by Nick Ragsdale <nr...@montgomerytech.net> on 2023/03/27 20:29:23 UTC

SSO with Guacamole behind Reverse Proxy - Permission Denied for /api/session/data/saml/users

Hey folks,

Hope this is the right place and that this email finds you well. I've been
struggling for a fair bit with getting a POC up for Guacamole behind a
reverse proxy in our environment, to be integrated with Okta SSO. We are
leveraging SAML through Okta's offerings, and the authentication part is
working just fine - but when a user successfully logs in, none of the
connections are made available and no permissions are granted.

I worked with Okta and took a SAML trace to confirm that Okta is sending
the groups correctly, but it appears Guacamole isn't receiving them.
Furthermore, when looking at the console and initiating a network
connection, I do get a 404 error for the path
"api/session/data/saml/users/<username>" with the following:

{"message":"Permission Denied.","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"Permission Denied."}},"statusCode":null,"expected":null,"type":"PERMISSION_DENIED"}

We're using version 1.5.0 for both Guacamole and the SAML plugin,
using the pre-packaged Bitnami appliance from VMware. I get the
feeling that I'm not passing a header or cookie or something correctly
between Guacamole and Okta, but I'm lost. Hoping y'all can help point
me in the right direction - let me know what other information you
need from me and I'll gladly supply it.

Warm regards,

Nick Ragsdale

Re: SSO with Guacamole behind Reverse Proxy - Permission Denied for /api/session/data/saml/users

Posted by Nick Ragsdale <nr...@montgomerytech.net>.
Thanks for getting back to me Mike. We're using the "groups" attribute and
the names of the groups do match identically, including case. I've also
ensured the user groups within Guacamole have the "READ" permission for the
appropriate connections.

-Nick

On Thu, Mar 30, 2023 at 2:08 PM Michael Jumper <mj...@apache.org> wrote:

> On Mon, Mar 27, 2023 at 1:31 PM Nick Ragsdale <
> nragsdale@montgomerytech.net> wrote:
>
>> Hey folks,
>>
>> Hope this is the right place and that this email finds you well. I've
>> been struggling for a fair bit with getting a POC up for Guacamole behind a
>> reverse proxy in our environment, to be integrated with Okta SSO. We are
>> leveraging SAML through Okta's offerings, and the authentication part is
>> working just fine - but when a user successfully logs in, none of the
>> connections are made available and no permissions are granted.
>>
>> I worked with Okta and took a SAML trace to confirm that Okta is sending
>> the groups correctly, but it appears Guacamole isn't receiving them.
>>
>
> What attribute is being used within the SAML response to provide group
> memberships?
>
> Do the names of the groups within the SAML response identically match the
> names of corresponding groups within Guacamole, including case?
>
> - Mike
>
>

-- 
Nick Ragsdale
Sr. Network Engineer
Montgomery Technologies
Technology Management of Premier Commercial Buildings
Office 844.824.0100 x245
www.montgomerytech.net | www.riser.com

Re: SSO with Guacamole behind Reverse Proxy - Permission Denied for /api/session/data/saml/users

Posted by Michael Jumper <mj...@apache.org>.
On Mon, Mar 27, 2023 at 1:31 PM Nick Ragsdale <nr...@montgomerytech.net>
wrote:

> Hey folks,
>
> Hope this is the right place and that this email finds you well. I've been
> struggling for a fair bit with getting a POC up for Guacamole behind a
> reverse proxy in our environment, to be integrated with Okta SSO. We are
> leveraging SAML through Okta's offerings, and the authentication part is
> working just fine - but when a user successfully logs in, none of the
> connections are made available and no permissions are granted.
>
> I worked with Okta and took a SAML trace to confirm that Okta is sending
> the groups correctly, but it appears Guacamole isn't receiving them.
>

What attribute is being used within the SAML response to provide group
memberships?

Do the names of the groups within the SAML response identically match the
names of corresponding groups within Guacamole, including case?

- Mike
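A small diagnostic for the two checks Mike raises (which SAML attribute carries the group memberships, and whether those group names match Guacamole's groups exactly, including case), added here as an example; it is not part of this thread and is not code from the Guacamole project. It parses a SAML response the way you would a captured SAML trace, pulls the values of the chosen group attribute out of the AttributeStatement, and compares them against a list of group names as they appear in Guacamole. The sample response, the group names and the attribute name "groups" below are constructed for the example.

```python
"""Check a SAML response's group attribute against Guacamole group names.

Added example (not from the Guacamole project). The SAML response and the
Guacamole group list below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_ASSERTION_NS}

# Constructed sample: the shape of a SAML 2.0 response as seen in a SAML trace.
# One attribute carries the e-mail address, the other the group memberships.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-response" Version="2.0">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Subject>
      <saml:NameID>nick@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>nick@example.invalid</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Network-Engineers</saml:AttributeValue>
        <saml:AttributeValue>Helpdesk</saml:AttributeValue>
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample: group names exactly as they exist in Guacamole.
GUACAMOLE_GROUPS = ["network-engineers", "Helpdesk", "Admins"]


def extract_attribute_values(response_xml: str, attribute_name: str) -> List[str]:
    """Return all AttributeValue texts for the named SAML attribute.

    An empty list means the IdP did not send that attribute at all, which is
    the first thing to rule out when group-based permissions are not applied.
    """
    root = ET.fromstring(response_xml)
    values: List[str] = []
    for attr in root.iter("{%s}Attribute" % SAML_ASSERTION_NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            if val.text is not None and val.text.strip():
                values.append(val.text.strip())
    return values


def compare_groups(saml_groups: List[str], guacamole_groups: List[str]) -> Dict[str, object]:
    """Classify each group sent by the IdP relative to Guacamole's groups.

    Matching is case-sensitive, as in the thread. A group that matches only
    when case is ignored is reported separately, since that is the mismatch
    that silently leaves a user with no connections.
    """
    guac = set(guacamole_groups)
    by_lower = {g.lower(): g for g in guacamole_groups}
    exact: List[str] = []
    case_mismatch: Dict[str, str] = {}
    missing: List[str] = []
    for g in saml_groups:
        if g in guac:
            exact.append(g)
        elif g.lower() in by_lower:
            case_mismatch[g] = by_lower[g.lower()]
        else:
            missing.append(g)
    return {
        "exact": sorted(exact),
        "case_mismatch": case_mismatch,
        "missing": sorted(missing),
    }


def diagnose(response_xml: str, attribute_name: str, guacamole_groups: List[str]) -> List[str]:
    """Return human-readable findings for the attribute-name and name-match checks."""
    sent = extract_attribute_values(response_xml, attribute_name)
    if not sent:
        return ["no values for attribute %r in the response; check the attribute "
                "name the IdP uses for group memberships" % attribute_name]
    result = compare_groups(sent, guacamole_groups)
    findings = ["%d group(s) match exactly: %s" % (len(result["exact"]), result["exact"])]
    for sent_name, guac_name in result["case_mismatch"].items():
        findings.append("case mismatch: IdP sends %r, Guacamole has %r" % (sent_name, guac_name))
    for name in result["missing"]:
        findings.append("no Guacamole group named %r" % name)
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_RESPONSE, "groups", GUACAMOLE_GROUPS):
        print(line)
```

Run it against the XML from the SAML trace and the group names as they appear in Guacamole. A "case mismatch" finding corresponds to the symptom in this thread (login succeeds, but no connections are granted), and an empty result for the attribute name means the IdP is sending memberships under a different attribute than the one Guacamole is configured to read; in the Guacamole SAML extension that name comes from the saml-group-attribute property in guacamole.properties, whose default is groups.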