Posted to user@guacamole.apache.org by Victor Martinez <vj...@gmail.com> on 2022/04/07 22:03:30 UTC

Guacamole 1.4.0 problem using SAML authentication

I am configuring the latest version 1.4 with SAML support. When I
authenticate, in the logs I see the following error:

17:50:07.920 [http-nio-8080-exec-3] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at https://miserver/guacamole/api/ext/saml/callback instead of https://miserver/api/ext/saml/callback
17:50:07.920 [http-nio-8080-exec-3] WARN oagasaAssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at https://miserver/guacamole/api/ext/saml/callback instead of https://miserver/api/ext/saml/callback

If I use version 1.3, I don't have this problem. Would you know what could be causing the error?

Victor J. Martínez
RHCE
Cel.: (595)972-918-550
Asunción - Paraguay

Re: Guacamole 1.4.0 problem using SAML authentication

Posted by Michael Jumper <mj...@apache.org>.
On Sat, Apr 9, 2022 at 2:50 AM Vieri <re...@yahoo.com.invalid> wrote:

> ...
> >> The 1.4.0 release tightened SAML request validation.
> >>
> >> Rather than leverage your reverse proxy to rewrite the path from
> "/guacamole" to "/", I would recommend just redeploying the webapp at the
> desired path to begin with, and
> >> reconfiguring your reverse proxy accordingly. The webapp can be deployed
> directly at "/" by renaming the .war file to "ROOT.war".
>
> So with that in mind, one cannot have more than one backend on the reverse
> proxy?
>

Sure you can. You just need to make sure that the webapp's .war file
matches the path that you've specified when you registered the webapp
with your SAML IdP. If the path that the webapp is served at by Tomcat
doesn't match the publicly-visible path, then SAML validation will fail.

- Mike

Re: Guacamole 1.4.0 problem using SAML authentication

Posted by Vieri <re...@yahoo.com.INVALID>.
On Friday, April 8, 2022, 06:20:05 PM GMT+2, Victor Martinez <vj...@gmail.com> wrote: 

> The error is:
> INFO o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal. 

You may need /websocket-tunnel. I have this:

        <Location /websocket-tunnel>
            Require all granted
            ProxyPass wss://localhost:8443/guacamole/websocket-tunnel
            ProxyPassReverse wss://localhost:8443/guacamole/websocket-tunnel
        </Location>

>> The 1.4.0 release tightened SAML request validation.
>> 
>> Rather than leverage your reverse proxy to rewrite the path from "/guacamole" to "/", I would recommend just redeploying the webapp at the desired path to begin with, and
>> reconfiguring your reverse proxy accordingly. The webapp can be deployed directly at "/" by renaming the .war file to "ROOT.war".

So with that in mind, one cannot have more than one backend on the reverse proxy?

Vieri

Re: Guacamole 1.4.0 problem using SAML authentication

Posted by Victor Martinez <vj...@gmail.com>.
Hi Mike,
Thanks for the help.

I applied the recommended changes and now it does allow authenticating using
SAML. But when trying to connect to a host I get the error about no WebSocket,
although I see that my configuration is as it should be; what could I be
missing? I am basically using the same configuration that I have on my
other Guacamole Server 1.3 in production.
The error is:
INFO o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.

location / {
    proxy_pass http://10.10.10.1:8080/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_cookie_path / "/; HTTPOnly; Secure; SameSite";
    access_log /var/log/nginx/guac_access.log;
    error_log /var/log/nginx/guac_error.log;
}

Victor J. Martínez
RHCE
Cel.: (595)972-918-550
Asunción - Paraguay



On Thu, Apr 7, 2022 at 19:30, Michael Jumper (<mj...@apache.org>)
wrote:

> On Thu, Apr 7, 2022 at 3:03 PM Victor Martinez <vj...@gmail.com>
> wrote:
>
>> I am configuring the latest version 1.4 with SAML support. When I
>> authenticate, in the logs I see the following error:
>>
>> 17:50:07.920 [http-nio-8080-exec-3] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at https://miserver/guacamole/api/ext/saml/callback instead of https://miserver/api/ext/saml/callback
>> 17:50:07.920 [http-nio-8080-exec-3] WARN oagasaAssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at https://miserver/guacamole/api/ext/saml/callback instead of https://miserver/api/ext/saml/callback
>>
>> If I use version 1.3, I don't have this problem. Would you know what could be causing the error?
>>
>
> The 1.4.0 release tightened SAML request validation.
>
> Rather than leverage your reverse proxy to rewrite the path from
> "/guacamole" to "/", I would recommend just redeploying the webapp at the
> desired path to begin with, and reconfiguring your reverse proxy
> accordingly. The webapp can be deployed directly at "/" by renaming the
> .war file to "ROOT.war".
>
> - Mike
>
>

Re: Guacamole 1.4.0 problem using SAML authentication

Posted by Michael Jumper <mj...@apache.org>.
On Thu, Apr 7, 2022 at 3:03 PM Victor Martinez <vj...@gmail.com>
wrote:

> I am configuring the latest version 1.4 with SAML support. When I
> authenticate, in the logs I see the following error:
>
> 17:50:07.920 [http-nio-8080-exec-3] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at https://miserver/guacamole/api/ext/saml/callback instead of https://miserver/api/ext/saml/callback
> 17:50:07.920 [http-nio-8080-exec-3] WARN oagasaAssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at https://miserver/guacamole/api/ext/saml/callback instead of https://miserver/api/ext/saml/callback
>
> If I use version 1.3, I don't have this problem. Would you know what could be causing the error?
>

The 1.4.0 release tightened SAML request validation.

Rather than leverage your reverse proxy to rewrite the path from
"/guacamole" to "/", I would recommend just redeploying the webapp at the
desired path to begin with, and reconfiguring your reverse proxy
accordingly. The webapp can be deployed directly at "/" by renaming the
.war file to "ROOT.war".

- Mike
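As an added example (not Guacamole or OneLogin java-saml code), the following Python script models the destination check that Mike's two replies in this thread describe: the URL the webapp believes it received the SAML response at is built from Tomcat's context path, which comes from the .war file name, and is compared with the callback URL registered at the IdP, which reflects the path the reverse proxy exposes. The host name and callback path are taken from Victor's log; the war file names and the exact string comparison are assumptions chosen to reproduce the error wording in that log, and the third case shows Mike's point that a second backend at its own public path still passes when the war name matches that path.

```python
"""Model of the SAML destination check that fails when a proxied Guacamole
webapp is served by Tomcat at a different path than the public one.

Added example, not Guacamole or OneLogin java-saml code. The comparison
below is an assumption modelled on the error text in the thread.
"""
from typing import Tuple
from urllib.parse import urlsplit

# Callback path of Guacamole's SAML extension, as seen in the thread's log lines.
SAML_CALLBACK_PATH = "/api/ext/saml/callback"


def context_path(war_name: str) -> str:
    """Tomcat derives the context path from the .war file name:
    ROOT.war is served at "/", guacamole.war at "/guacamole"."""
    base = war_name[:-4] if war_name.endswith(".war") else war_name
    return "" if base == "ROOT" else "/" + base


def received_at_url(public_origin: str, war_name: str) -> str:
    """URL the webapp reconstructs for the request that carried the SAML
    response: public scheme and host, but Tomcat's own context path, which
    a path rewrite in the reverse proxy does not change."""
    return public_origin.rstrip("/") + context_path(war_name) + SAML_CALLBACK_PATH


def registered_acs_url(public_origin: str, public_path: str) -> str:
    """Assertion consumer service URL registered at the IdP: the path the
    reverse proxy exposes publicly ("/" in the thread)."""
    return public_origin.rstrip("/") + public_path.rstrip("/") + SAML_CALLBACK_PATH


def validate_destination(received_at: str, destination: str) -> Tuple[bool, str]:
    """Strict check: scheme, host and path of the URL the response arrived
    at must equal the destination the IdP addressed it to. Returns
    (ok, message) with the message in the thread's error wording."""
    r, d = urlsplit(received_at), urlsplit(destination)
    same = (r.scheme, r.netloc.lower(), r.path) == (d.scheme, d.netloc.lower(), d.path)
    if same:
        return True, "SAML response destination matches"
    return False, f"The response was received at {received_at} instead of {destination}"


def diagnose(public_origin: str, public_path: str, war_name: str) -> Tuple[bool, str]:
    """Run the check for one deployment: the proxy publishes the webapp at
    public_path while Tomcat serves it at the context path of war_name."""
    return validate_destination(
        received_at_url(public_origin, war_name),
        registered_acs_url(public_origin, public_path),
    )


if __name__ == "__main__":
    # Victor's setup (constructed): proxy rewrites "/" to "/guacamole",
    # war file is guacamole.war. Reproduces the error from his log.
    print(diagnose("https://miserver", "/", "guacamole.war"))
    # Mike's fix: rename to ROOT.war so Tomcat's context path is "/" too.
    print(diagnose("https://miserver", "/", "ROOT.war"))
    # A second backend at its own public path still passes, as long as the
    # war name matches that path.
    print(diagnose("https://miserver", "/guacamole", "guacamole.war"))
```

Run it and the first case prints the same "received at ... instead of ..." message as the log; the check itself is doing its job, since a response the IdP addressed to one URL should not be accepted at another, which is why the fix belongs in the deployment path rather than in a proxy rewrite.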