Posted to user@guacamole.apache.org by "Timothy A. Dilbert | BMT" <Ti...@bmt.ky> on 2022/06/16 13:10:51 UTC
Issues configuring SAML authentication in Apache Guacamole behind a HAProxy
I've deployed an Apache Guacamole server and am trying to configure SSO using SAML with a cloud IDaaS. HAProxy is in front of the Guacamole server, providing SSL offloading.
[World Wide Web] -- HTTPS:443 --> [HAProxy] -- HTTP:8080 --> [Tomcat/Guacamole]
Apache Guacamole was configured following the tutorial on the Guacamole website.
When I attempt to authenticate using SAML, I am finding myself in a redirect loop. The following message is showing up in the Tomcat logs:
```
03:45:29.364 [http-nio-8080-exec-9] WARN o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://my.personal.domain/guacamole/api/ext/saml/callback instead of https://my.personal.domain/guacamole/api/ext/saml/callback
```
I've checked the setting in the IdP and confirmed that everything is indeed configured for HTTPS. I am now wondering if the issue has something to do with traffic between HAProxy and Guacamole being HTTP, but I don't know how or what to do to change that. I'm happy to use a self-signed certificate between HAProxy and Guacamole since they are both on a protected network.
Any ideas you could share would be much appreciated.
Timothy
Re: Issues configuring SAML authentication in Apache Guacamole behind a HAProxy
Posted by Nick Couchman <vn...@apache.org>.
On Fri, Jun 17, 2022 at 10:52 AM Timothy A. Dilbert | BMT <Timothy.Dilbert@bmt.ky> wrote:
> Figured it out.
>
> I was able to switch Tomcat over to SSL, which fixed the SAML issue.
>
Thanks for posting your solution - I'll just add that you can usually set your front-end proxy (HAProxy in your case, but Nginx and Apache httpd, as well) to forward the protocol through. This has come up on the mailing list a few times for folks using other proxy software (Nginx, for example). Here was Mike's response to one of those questions:
https://lists.apache.org/thread/hvd23yylm3lr9swkqxghvwlro8nlgg95
Basically you need to tell the proxy software to forward through some other items. Based on a couple of searches, it seems like HAProxy achieves this through the "http-request set-header" options, which I would imagine could be used for any/all of the required headers. The following page has some discussion/reference for it - I've not actually tried it, so I can't provide a complete working configuration, but it should point in the right direction:
https://stackoverflow.com/questions/51928504/x-forwarded-proto-https-in-frontend-or-backend-haproxy
-Nick
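As an added example (not Nick's configuration or anything from the Guacamole project), here is a minimal HAProxy frontend/backend pair that terminates TLS and forwards the browser's original scheme and host to Tomcat, so Guacamole can rebuild the SAML callback URL as https:// rather than http://. The section names, certificate path and backend address are assumptions.

```haproxy
# Constructed example: TLS ends at HAProxy, Tomcat/Guacamole listens on plain HTTP:8080.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend guac_front
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/my.personal.domain.pem   # path assumed
    # Send plain-HTTP visitors to HTTPS so the SAML flow never starts over http://.
    http-request redirect scheme https unless { ssl_fc }
    # Tell the backend which scheme, host and port the browser actually used;
    # this is what lets the ACS URL come out as https://my.personal.domain/guacamole/...
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Host  %[req.hdr(Host)]
    http-request set-header X-Forwarded-Port  %[dst_port]
    default_backend guac_back

backend guac_back
    # Adds X-Forwarded-For with the client's real address.
    option forwardfor
    # Guacamole/Tomcat on the protected network (address assumed).
    server tomcat1 10.0.0.10:8080 check
```

Tomcat only honours these headers once it is told to trust them, for example via its RemoteIpValve in server.xml with protocolHeader="x-forwarded-proto" and internalProxies limited to the HAProxy address; without that, the servlet request still reports the scheme as http and the validation error above persists.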
Re: Issues configuring SAML authentication in Apache Guacamole behind a HAProxy
Posted by "Timothy A. Dilbert | BMT" <Ti...@bmt.ky>.
Figured it out.
I was able to switch Tomcat over to SSL, which fixed the SAML issue.