Posted to user@guacamole.apache.org by "Timothy A. Dilbert | BMT" <Ti...@bmt.ky> on 2022/06/16 13:10:51 UTC

Issues configuring SAML authentication in Apache Guacamole behind a HAProxy

I've deployed an Apache Guacamole server and am trying to configure SSO using SAML with a cloud IDaaS. HAProxy is in front of the Guacamole server, providing SSL offloading.


[World Wide Web] -- HTTPS:443 --> [HAProxy] -- HTTP:8080 --> [Tomcat/Guacamole]


Apache Guacamole was configured following the tutorial on the Guacamole website.

When I attempt to authenticate using SAML, I am finding myself in a redirect loop. The following message is showing up in the Tomcat logs:


```
03:45:29.364 [http-nio-8080-exec-9] WARN  o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://my.personal.domain/guacamole/api/ext/saml/callback instead of https://my.personal.domain/guacamole/api/ext/saml/callback
```

I've checked the setting in the IdP and confirmed that everything is indeed configured for HTTPS. I am now wondering if the issue has something to do with traffic between HAProxy and Guacamole being HTTP, but I don't know how or what to do to change that. I'm happy to use a self-signed certificate between HAProxy and Guacamole since they are both on a protected network.

Any ideas you could share would be much appreciated.

Timothy

Re: Issues configuring SAML authentication in Apache Guacamole behind a HAProxy

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Jun 17, 2022 at 10:52 AM Timothy A. Dilbert | BMT <Timothy.Dilbert@bmt.ky> wrote:

> Figured it out.
>
> I was able to switch Tomcat over to SSL, which fixed the SAML issue.
>

Thanks for posting your solution - I'll just add that you can usually
set your front-end proxy (HAProxy in your case, but Nginx and Apache httpd,
as well) to forward the protocol through. This has come up on the mailing
list a few times for folks using other proxy software (Nginx, for example).
Here was Mike's response to one of those questions:

https://lists.apache.org/thread/hvd23yylm3lr9swkqxghvwlro8nlgg95

Basically you need to tell the proxy software to forward through some other
items. Based on a couple of searches, it seems like HAProxy achieves this
through the "http-request set-header" options, which I would imagine could
be used for any/all of the required headers. The following page has some
discussion/reference for it - I've not actually tried it, so I can't
provide a complete working configuration, but should point in the right
direction:

https://stackoverflow.com/questions/51928504/x-forwarded-proto-https-in-frontend-or-backend-haproxy

-Nick

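
The header forwarding Nick describes, written out as an added HAProxy example (it is not configuration from this thread or from the Guacamole project, and Nick says he has not tested it). The certificate path, the section names and the backend address 127.0.0.1:8080 are assumptions:

```haproxy
# Constructed example: HAProxy terminates TLS and talks plain HTTP to Tomcat/Guacamole.
frontend fe_guacamole
    bind :443 ssl crt /etc/haproxy/certs/my.personal.domain.pem   # assumed path
    bind :80
    # Plain-HTTP visitors are sent to HTTPS, so every SAML flow starts on the
    # scheme the IdP has been configured with.
    http-request redirect scheme https unless { ssl_fc }

    # Without these headers Tomcat only sees the HTTP hop from the proxy and
    # rebuilds the callback URL as http://..., which is exactly the mismatch
    # logged by AssertionConsumerServiceResource above.
    #
    # set-header (rather than add-header) overwrites any value the client sent,
    # so a browser cannot supply its own X-Forwarded-Proto and claim a scheme
    # the connection did not actually use.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Host  %[req.hdr(Host)]
    http-request set-header X-Forwarded-Port  %[dst_port]
    option forwardfor            # adds X-Forwarded-For with the client address

    default_backend be_guacamole

backend be_guacamole
    # Assumed: Tomcat on the same host. Keep this hop on a private network or
    # re-encrypt it, as Timothy did by switching Tomcat to SSL.
    server guac1 127.0.0.1:8080 check
```

Tomcat still has to be told to trust these headers (for example through its RemoteIpValve with protocolHeader="x-forwarded-proto", restricted via internalProxies to the proxy's address) before Guacamole will reconstruct the callback as https://... and the validation in the log above can pass.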

Re: Issues configuring SAML authentication in Apache Guacamole behind a HAProxy

Posted by "Timothy A. Dilbert | BMT" <Ti...@bmt.ky>.
Figured it out.

I was able to switch Tomcat over to SSL, which fixed the SAML issue.