Posted to user@guacamole.apache.org by Nick Couchman <vn...@apache.org> on 2023/04/08 12:48:08 UTC

Re: Issue with SSO (SAML) Login with TOTP Extension

On Tue, Feb 28, 2023 at 8:11 AM Tyler Hale <ty...@gmail.com> wrote:
>
> Hi Lorenzo,
>
> I have experienced this situation in both versions 1.4.0 and 1.5.0. For my case, the TOTP doesn't appear to be fully activating when it uses the SSO authentication method. After trying a new session, it still prompts to set up the TOTP code and the user account does not have the flag set for "TOTP key confirmed". I can manually set a password for an SSO account and log in using the traditional login menu. That allows the TOTP code to be confirmed and works through the non-SSO login. However, when attempting the SSO login with the same account and confirmed OTP code, it still has the error when logging in.
>

Tyler,
I've never attempted to configure things in the way you're trying to
do it, but I'm wondering if either changing the order of the modules
might help - or if you've hit a bug or something that needs to be
updated within the Guacamole code in order to accomplish what you're
trying to do.

You might start by changing the load or evaluation order of the
extensions - I would make sure the order is SAML -> JDBC -> TOTP. The
reason for this is that TOTP needs to store its configuration data in
another extension - it has no storage mechanism of its own - and the
only extension to currently support this is the JDBC extension. Thus,
if the order is incorrect, it could be trying to store TOTP
configuration data in the SAML module and just silently failing to do
that.

Again, this is just something to try and see if that helps - I'm not
sure that it will. You also might want to put your Guacamole Client
instance into debug mode and look at the Tomcat logs during a login
and TOTP registration/confirmation process to see if anything gets
logged that might be useful to helping figure out why data isn't
getting saved/stored/updated.

-Nick

> Thanks!
>
> -Tyler
>
> On Tue, Feb 28, 2023 at 12:34 AM MAURIZI Lorenzo <l....@comune.jesi.an.it> wrote:
>>
>> Tyler,
>>
>> I noticed a similar behaviour in guacamole 1.4.0: after setting for the first time the TOTP with the QR Code, the subsequent login attempt fails.
>>
>> In my case I just need to close the browser and log in again: you will be asked for an OTP code (the TOTP was correctly activated in the previous login attempt) and the login succeeds.
>>
>> Regards.
>>
>> Lorenzo
>>
>> From: Tyler Hale <ty...@gmail.com>
>> Sent: Monday, 27 February 2023 18:27
>> To: user@guacamole.apache.org
>> Subject: Issue with SSO (SAML) Login with TOTP Extension
>>
>> Hello, I am having an issue configuring Apache Guacamole when SAML and TOTP are both enabled. The backend for the server is using MariaDB with the MySQL connector. I am using SAML SSO to Azure AD which signs in successfully when the TOTP module is not enabled. The TOTP module works with a local user that is not using SSO.
>>
>> When the TOTP module is enabled, the SAML login completes and redirects to the screen for setting up a TOTP code. When you enter the TOTP code, it returns a 403 invalid login response. I have the 403 response below along with the debug logs that happen during the TOTP authentication attempt.
>>
>> 403 POST https://remote.redacted.com/api/tokens
>>
>> Response: {"message":"Invalid login","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"Invalid login"}},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}
>>
>> Debug logs: https://pastebin.com/GPCwP5Fk
>>
>> guacamole.properties: https://pastebin.com/DDtB1F8e
>>
>> Any help would be much appreciated. Thanks!
>>
>> -Tyler Hale
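The extension-ordering suggestion in Nick's reply, written out as an added configuration example (it is not from the thread and not from the Guacamole project's own documentation): a guacamole.properties fragment that uses the extension-priority property to pin the SAML -> JDBC -> TOTP evaluation order. It assumes the MySQL JDBC extension, whose namespace is mysql (matching the MariaDB/MySQL connector setup in the original question), and that saml and totp are the namespaces of the SAML and TOTP extensions.

```properties
# guacamole.properties (added example, not the original poster's file)
#
# extension-priority lists extension namespaces in the order Guacamole
# should evaluate them. List all three explicitly so the order is not
# left to the default file-name ordering.
#
# Order that matches the symptom in the thread: TOTP is evaluated before
# the JDBC extension, so the TOTP extension, which has no storage of its
# own, may try to persist its key/confirmation state through the SAML
# extension and silently fail. Kept here, commented out, for contrast.
# extension-priority: saml, totp, mysql

# Order suggested in the reply: SAML authenticates the user, the JDBC
# extension supplies the stored user record, and TOTP then saves and
# checks its secret against that record.
extension-priority: saml, mysql, totp
```

Restart Tomcat after changing guacamole.properties; the property is read only at startup. If the "TOTP key confirmed" flag still does not get set, the debug-level Tomcat logs Nick mentions are the place to look for a write that is being rejected or skipped.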
