Posted to user@guacamole.apache.org by turbul3nt <ev...@gmail.com> on 2021/05/26 13:53:29 UTC

Guacamole, SAML authentication and the REST API

So after much trial and effort I managed to 'sort of' get my Guacamole to
work with my Shibboleth-based IDP. It doesn't seem to be working with the
group attribute that is confirmed to be sent in the assertion, but I'm still
working on that (tips welcomed).

That said, however, I read (and seems to be the case) that Guacamole will
ONLY use SAML as the primary authentication when it's enabled, and that
appears to be breaking the REST API access. Obviously that's no bueno as it
effectively kills my ability to programmatically work within Guacamole to
perform many automation tasks I'd like to do.

Is there ANY workaround that enables the API to authenticate (or another
user account, for that matter) outside of SAML, once SAML is configured and
working?

Any advice welcomed.



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Guacamole, SAML authentication and the REST API

Posted by turbul3nt <ev...@gmail.com>.
For what it’s worth, I suspected the shorter / longer naming to be the case,
and I created test groups in guacamole with the long DN name versions as a
test, without success.  

I’ll play with things more next week, as my day tomorrow isn’t looking
promising for time to test, and see where things go. I’ll update this thread
as to my findings.

Thanks.





Re: Guacamole, SAML authentication and the REST API

Posted by Mike Jumper <mi...@glyptodon.com>.
The SAML support does handle groups as a multi-valued attribute, however it
expects each value to be a simple name, not a full LDAP-style DN. If your
SAML IdP is returning a full DN for each group, that will be interpreted as
if the entire DN is the name of the group.

If you can configure your IdP to return group names rather than DNs, that
should allow things to map as expected to Guacamole groups with identical
names. Otherwise, it sounds like something similar to the group format
attributes provided for CAS will need to be added for SAML.

For CAS, support for LDAP-formatted group names was added via:
https://github.com/apache/guacamole-client/pull/579

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.


On Thu, May 27, 2021 at 6:13 PM turbul3nt <ev...@gmail.com> wrote:

> The group names are returned directly from an Active Directory backend, so
> they’re in an RDN format (cn=Groupname,ou=Blah,dc=domain,dc=local)
>
> I can name the attribute anything I would like in the assertion, and I see
> the values sent back to guacamole in said assertions. It just doesn’t seem
> like it’s doing anything with it.
>
> Note = AD returns them as a list of groups that the user has memberships
> for, so unless guac doesn’t like / handle multi-valued attribute value
> returns like many other SP’s I’m running can work with…
>
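
Added example, not part of the thread and not Guacamole's own code: a Python sketch of why DN-formatted values in a multi-valued SAML group attribute fail to match Guacamole groups by identical name, and what reducing each DN to its leading CN changes. The attribute name `groups`, the sample assertion fragment, the Guacamole-side group names and all function names are assumptions made for illustration; the assertion is assumed to have been signature-validated already.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement; the attribute name "groups" is an assumption.
SAMPLE = r"""<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="groups">
    <saml:AttributeValue>cn=Groupname,ou=Blah,dc=domain,dc=local</saml:AttributeValue>
    <saml:AttributeValue>CN=Ops\, EU,OU=Blah,DC=domain,DC=local</saml:AttributeValue>
    <saml:AttributeValue>helpdesk</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed set of group names defined on the Guacamole side.
GUACAMOLE_GROUPS = {"Groupname", "Ops, EU", "helpdesk"}


def group_values(statement_xml, attr_name="groups"):
    """Return every AttributeValue of the multi-valued group attribute."""
    root = ET.fromstring(statement_xml)
    return [(v.text or "").strip()
            for a in root.iterfind(".//saml:Attribute", NS) if a.get("Name") == attr_name
            for v in a.iterfind("saml:AttributeValue", NS)]


def leading_rdn(dn):
    """Return (type, value) of the first RDN, undoing RFC 4514 backslash escapes."""
    # Consume escaped pairs and plain bytes up to the first unescaped comma.
    raw = re.match(rb"(?:\\.|[^\\,])*", dn.encode(), re.S).group(0)
    # Decode hex pairs (\2C) and single-character escapes (\,).
    plain = re.sub(rb"\\([0-9A-Fa-f]{2})|\\(.)",
                   lambda e: bytes([int(e[1], 16)]) if e[1] else e[2], raw, flags=re.S)
    rdn_type, sep, value = plain.decode("utf-8", "replace").partition("=")
    return (rdn_type.strip().lower(), value.strip()) if sep else None


def simple_name(value):
    """Map a DN to the value of its leading CN; pass any other value through."""
    rdn = leading_rdn(value)
    return rdn[1] if rdn and rdn[0] == "cn" else value


def matched(names):
    """Identical-name lookup against the Guacamole groups."""
    return sorted(set(names) & GUACAMOLE_GROUPS)
```

With the constructed input, `matched(group_values(SAMPLE))` finds only `helpdesk`, because each DN is compared as a whole string; mapping the values through `simple_name` first matches all three groups.
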

Re: Guacamole, SAML authentication and the REST API

Posted by turbul3nt <ev...@gmail.com>.
The group names are returned directly from an Active Directory backend, so
they’re in an RDN format (cn=Groupname,ou=Blah,dc=domain,dc=local)

I can name the attribute anything I would like in the assertion, and I see
the values sent back to guacamole in said assertions. It just doesn’t seem
like it’s doing anything with it.

Note = AD returns them as a list of groups that the user has memberships
for, so unless guac doesn’t like / handle multi-valued attribute value
returns like many other SP’s I’m running can work with…





Re: Guacamole, SAML authentication and the REST API

Posted by Mike Jumper <mi...@glyptodon.com>.
On Wed, May 26, 2021 at 7:59 AM turbul3nt <ev...@gmail.com> wrote:

> Well I spoke too soon. Reformatted my headers and body data in the post,
> and my API authentication works great and does not require SAML.
>
> That said, still open to any suggestions on the SAML Group attribute not
> working properly from my first post.
>

What does your SAML configuration currently look like?

Do you know what attribute your SAML provider uses to expose group
memberships?

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.

Re: Guacamole, SAML authentication and the REST API

Posted by turbul3nt <ev...@gmail.com>.
Well I spoke too soon. Reformatted my headers and body data in the post, and
my API authentication works great and does not require SAML.

That said, still open to any suggestions on the SAML Group attribute not
working properly from my first post.


