Posted to user@guacamole.apache.org by Seth Weber <sw...@cfvna.org.INVALID> on 2021/09/08 17:31:22 UTC

Help getting SAML working

Hi all, I'm new to Apache Guacamole and I'm loving it so far, but I can't
get SAML to work...

I have the extension installed and configured with Google Workspace as our
IDP. When I visit my Guacamole interface, it redirects me to Google for
authentication (expected), but when I choose an account it redirects me to
Guacamole and Guacamole just redirects me again to the Google login page. I
suspected it's because in my guacamole.properties file the Entity ID and
Callback URL are the same, and I could see why that would make a loop, but
several comments from others said to make them the same. Regardless, the
Guacamole documentation doesn't give me any information on what the
callback URL needs to be, it just vaguely says:

> "The URL that the IdP will use once authentication has succeeded to return
> to the Guacamole web application and provide the authentication details to
> the SAML extension. The SAML extension currently only supports callback as
> a POST operation to this callback URL. This property is required."


I cannot figure this out, I appreciate any help. :)

-- 


Seth Weber
Network & Systems Administrator
271 Perkins Road
Clarion, PA 16214
Phone: 814-297-8400
Fax: 814-297-8801
https://cfvna.org/

[image: Like] <https://www.facebook.com/ClarionForestVNA>

[image: Clarion Forest VNA]

*The Clarion Forest VNA is proudly ranked within the Top 500 Providers
Nationwide!*

-- 
Confidentiality Statement:  The information accompanying this email 
transmission is intended for the use of the individual to whom it is 
addressed & may contain information which is privileged, confidential & 
exempt from disclosure under applicable law.  If you are not the intended 
recipient, employee or agent responsible for delivering the message to the 
intended recipient you are hereby notified that any dissemination, 
distribution or copying of this communication is strictly prohibited.  If 
you have received this email in error please notify us immediately by 
telephone at 814-297-8400.

Re: Help getting SAML working

Posted by Seth Weber <sw...@cfvna.org.INVALID>.
Tyler,

What SAML attributes are you passing to Guacamole? Maybe I don't have it
set up right there... I use Google Workspace as SAML.

On Wed, Sep 8, 2021 at 4:41 PM Tyler Marcotte <ma...@gmail.com> wrote:

> I had a hard time with this too when setting up originally. The secret was
> to use the following for the callback URL (at least this worked for me):
>
> https://<guacamole_host>/api/ext/saml/callback

Re: Help getting SAML working

Posted by Seth Weber <sw...@cfvna.org.INVALID>.
Has anybody else gotten SAML working? I still can't figure this out.


Re: Help getting SAML working

Posted by Seth Weber <sw...@cfvna.org.INVALID>.
I increased the log level for Guacamole to DEBUG and here's what I got when
I tried logging in with Google through SAML:
[image: image.png]
*/opt/tomcat/tomcatapp/logs/catalina.out*

> 13:50:23.678 [http-nio-8080-exec-4] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Redirecting to SAML IdP.
> 13:50:36.129 [http-nio-8080-exec-5] ERROR o.a.g.rest.RESTExceptionMapper - An internal error occurred, but did not contain an error message. Enable debug-level logging for details.
> 13:50:36.130 [http-nio-8080-exec-5] DEBUG o.a.g.rest.RESTExceptionMapper - Unexpected error in REST endpoint.
> javax.ws.rs.WebApplicationException: null
>         at com.sun.jersey.server.impl.uri.rules.TerminatingRule.accept(TerminatingRule.java:66)
>         at com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:137)
>         at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>         at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
>         at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>         at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>         at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
>         at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
>         at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
>         at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
>         at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>         at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
>         at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
>         at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
>         at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
>         at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
>         at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
>         at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
>         at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>         at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:769)
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1726)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
>         at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.base/java.lang.Thread.run(Thread.java:829)


On Tue, Sep 14, 2021 at 3:50 PM Nick Couchman <vn...@apache.org> wrote:

> On Thu, Sep 9, 2021 at 8:31 AM Seth Weber <sw...@cfvna.org.invalid>
> wrote:
>
>> I found that on some website and tried it (
>> https://guac_host/guacamole/ap/ext/saml/callback) but I get this error
>> page:
>> [image: image.png]
>>
>>
> You'll need to look at Tomcat logs and see if there's any information on
> why it's failing. If there isn't enough information there you might need to
> increase log verbosity:
>
>
> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
>
> Also, there's an option for enabling SAML debugging:
>
> http://guacamole.apache.org/doc/gug/saml-auth.html#guac-saml-config
>
> (saml-debug)
>
> -Nick
>



Re: Help getting SAML working

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Sep 9, 2021 at 8:31 AM Seth Weber <sw...@cfvna.org.invalid> wrote:

> I found that on some website and tried it (
> https://guac_host/guacamole/ap/ext/saml/callback) but I get this error
> page:
> [image: image.png]
>
>
You'll need to look at Tomcat logs and see if there's any information on
why it's failing. If there isn't enough information there you might need to
increase log verbosity:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

Also, there's an option for enabling SAML debugging:

http://guacamole.apache.org/doc/gug/saml-auth.html#guac-saml-config

(saml-debug)

-Nick
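
One way to triage the kind of catalina.out excerpt posted in this thread, as an added example (not code from any poster or from the Guacamole project): it undoes the mail wrapping, pairs the IdP redirect with the traced error that follows, and reports whether any stack frame is in org.apache.guacamole. The sample is the thread's log trimmed to four frames; the stage labels and the 60-second window are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the log lines posted in the thread, mail wrapping kept,
# stack trace trimmed to four frames.
SAMPLE = """\
> 13:50:23.678 [http-nio-8080-exec-4] DEBUG o.a.g.rest.RESTExceptionMapper -
> Client request rejected: Redirecting to SAML IdP.
> 13:50:36.129 [http-nio-8080-exec-5] ERROR o.a.g.rest.RESTExceptionMapper -
> An internal error occurred, but did not contain an error message. Enable
> debug-level logging for details.
> 13:50:36.130 [http-nio-8080-exec-5] DEBUG o.a.g.rest.RESTExceptionMapper -
> Unexpected error in REST endpoint.
> javax.ws.rs.WebApplicationException: null
>         at
> com.sun.jersey.server.impl.uri.rules.TerminatingRule.accept(TerminatingRule.java:66)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
>         at
> com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
>         at java.base/java.lang.Thread.run(Thread.java:829)
"""

EVENT = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) \[([^\]]+)\] (\w+)\s+(\S+)(?:\s+-\s*(.*))?$")
FRAME = re.compile(r"^at\s+([\w.$/]+)\([^)]*\)$")
EXC = re.compile(r"^((?:[\w$]+\.)+[\w$]*(?:Exception|Error)):\s*(.*)$")


def parse(text):
    """Undo '>' quoting and mail wrapping; return one dict per log event."""
    events, pending_at = [], False
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if pending_at:                      # previous line was a lone "at"
            line, pending_at = "at " + line, False
        if line == "at":
            pending_at = True
            continue
        m = EVENT.match(line)
        if m:
            events.append({"time": m.group(1), "thread": m.group(2),
                           "level": m.group(3), "logger": m.group(4),
                           "message": m.group(5) or "", "exception": None, "frames": []})
            continue
        if not events:
            continue                        # text before the first timestamp
        ev = events[-1]
        if f := FRAME.match(line):
            ev["frames"].append(f.group(1))
        elif x := EXC.match(line):
            ev["exception"] = x.group(1)
        else:                               # wrapped remainder of the message
            if not ev["message"] and line.startswith("- "):
                line = line[2:]
            ev["message"] = (ev["message"] + " " + line).strip()
    return events


def _seconds(a, b):
    fmt = "%H:%M:%S.%f"                     # the log carries no date
    return (datetime.strptime(b, fmt) - datetime.strptime(a, fmt)).total_seconds()


def triage(events, window_s=60):
    """Pair each IdP redirect with the next traced error and locate that error."""
    findings, redirect = [], None
    for ev in events:
        if "Redirecting to SAML IdP" in ev["message"]:
            redirect = ev
            continue
        if not ev["frames"]:
            continue
        gap = _seconds(redirect["time"], ev["time"]) if redirect else None
        top = ev["frames"][0]
        in_guac = any(f.startswith("org.apache.guacamole.") for f in ev["frames"])
        # Heuristic labels (assumption): where on the stack the error was raised.
        stage = ("routing" if top.startswith("com.sun.jersey.server.impl.uri.rules.")
                 else "extension" if in_guac else "container")
        findings.append({"seconds_after_redirect": gap, "stage": stage,
                         "follows_redirect": gap is not None and 0 <= gap <= window_s,
                         "exception": ev["exception"], "top_frame": top,
                         "reached_guacamole_code": in_guac})
    return findings


if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```

On the excerpt from this thread it reports stage "routing" with no Guacamole frames on the stack: the exception was raised while Jersey was still matching the request, about 12 seconds after the redirect to the IdP.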

Re: Help getting SAML working

Posted by Seth Weber <sw...@cfvna.org.INVALID>.
Bump - still can't get this to work. Has anybody else had problems setting
SAML callback up but got it working?

On Thu, Sep 9, 2021 at 8:30 AM Seth Weber <sw...@cfvna.org> wrote:

> I found that on some website and tried it (
> https://guac_host/guacamole/ap/ext/saml/callback) but I get this error
> page:
> [image: image.png]

Re: Help getting SAML working

Posted by Seth Weber <sw...@cfvna.org.INVALID>.
I found that on some website and tried it (
https://guac_host/guacamole/ap/ext/saml/callback) but I get this error page:
[image: image.png]

On Wed, Sep 8, 2021 at 4:41 PM Tyler Marcotte <ma...@gmail.com> wrote:

> I had a hard time with this too when setting up originally. The secret was
> to use the following for the callback URL (at least this worked for me):
>
> https://<guacamole_host>/api/ext/saml/callback

Re: Help getting SAML working

Posted by Tyler Marcotte <ma...@gmail.com>.
I had a hard time with this too when setting up originally. The secret was
to use the following for the callback URL (at least this worked for me):

https://<guacamole_host>/api/ext/saml/callback

On Wed, Sep 8, 2021 at 1:31 PM Seth Weber <sw...@cfvna.org.invalid> wrote:

> Hi all, I'm new to Apache Guacamole and I'm loving it so far, but I can't
> get SAML to work...
>
> I have the extension installed and configured with Google Workspace as our
> IDP. When I visit my Guacamole interface, it redirects me to Google for
> authentication (expected), but when I choose an account it redirects me to
> Guacamole and Guacamole just redirects me again to the Google login page. I
> suspected it's because in my guacamole.properties file the Entity ID and
> Callback URL are the same, and I could see why that would make a loop, but
> several comments from others said to make them the same. Regardless, the
> Guacamole documentation doesn't give me any information on what the
> callback URL needs to be, it just vaguely says:
>
>> "The URL that the IdP will use once authentication has succeeded to
>> return to the Guacamole web application and provide the authentication
>> details to the SAML extension. The SAML extension currently only supports
>> callback as a POST operation to this callback URL. This property is
>> required."
>
>
> I cannot figure this out, I appreciate any help. :)