Posted to user@guacamole.apache.org by Vieri <re...@yahoo.com.INVALID> on 2022/06/01 11:24:41 UTC
user logs in but cannot see authorized connection
Hi,
A specific user logs in fine but is not shown the authorized connection list.
This user is a member of group My_Group.
I can see that the DB is OK:
"SELECT entity_id FROM guacamole_entity WHERE name = 'My_Group' AND type = 'USER_GROUP';"
entity_id
-----------
151
(1 row)
"SELECT * FROM guacamole_user_group WHERE entity_id = 151;"
user_group_id | entity_id | disabled
---------------+-----------+----------
1 | 151 | f
(1 row)
"SELECT * FROM guacamole_connection WHERE connection_name = 'Intranet kiosk (RDP)';"
connection_id | connection_name | parent_id | protocol | max_connections | max_connections_per_user | connection_weight | failover_only | proxy_port | proxy_hostname | proxy_encryption_method
---------------+---------------------+-----------+----------+-----------------+--------------------------+-------------------+---------------+------------+----------------+-------------------------
139 | Intranet kiosk (RDP)| | rdp | | | | f | | |
(1 row)
"SELECT * FROM guacamole_connection_parameter WHERE connection_id = 139;"
connection_id | parameter_name | parameter_value
---------------+------------------------+--------------------------------------------------------------
139 | hostname | ...
139 | load-balance-info | ...
139 | security | nla
139 | remote-app | ||IntranetFFkiosk
(17 rows) [trimmed]
"SELECT * FROM guacamole_connection_permission WHERE connection_id = 139;"
entity_id | connection_id | permission
-----------+---------------+------------
151 | 139 | READ
(1 row)
All the above should mean that the group 'My_Group' *should* see and access the connection "Intranet kiosk (RDP)", right?
Now, if the user who logs in doesn't, it means that Guacamole does not consider it a member of 'My_Group', right?
I am using PostgreSQL as a backend, and I'm not specifying within the DB that this user is a member of 'My_Group'. That's because I want to delegate user/group management to SAML.
I have this in my guacamole.properties:
saml-group-attribute: urn:oid:1.2.840.113556.1.2.102
I also have
saml-debug: true
When the user logs in I can see this in catalina:
c.onelogin.saml2.authn.SamlResponse - SAMLResponse has attributes: {urn:oid:1.2.840.113556.1.2.102=[Some_group, My_Group, Another_Group], urn:oid:2.5.4.3=[MyUser], IDP=[INTERNAL]}
The group is there, so what's wrong?
Vieri Jerome
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
Re: user logs in but cannot see authorized connection
Posted by Vieri <re...@yahoo.com.INVALID>.
On Thursday, June 2, 2022, 02:35:47 AM GMT+2, Nick Couchman <vn...@apache.org> wrote:
> Does the case of the groups created in JDBC match the case in this log message?
That was it -- silly me.
Thanks!
Vieri Jerome
Re: user logs in but cannot see authorized connection
Posted by Nick Couchman <vn...@apache.org>.
On Wed, Jun 1, 2022 at 6:51 PM Vieri <re...@yahoo.com.invalid> wrote:
> Any ideas on this matter?
> It's important to correctly honor groups sent via SAML.
>
> I see this:
>
> SAMLAuthenticatedUser.java: List<String> samlGroups =
> identity.getAttributes().get(confService.getGroupAttribute());
>
> called in:
>
> SAMLAuthenticatedUser.java: private Set<String>
> getGroups(AssertedIdentity identity)
>
> called by:
>
> SAMLAuthenticatedUser.java: super.init(identity.getUsername(),
> credentials, getGroups(identity), getTokens(identity));
>
> and in the tomcat log everything seems to be in order:
>
> o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - ==> Parameters:
> 3(Integer), group1(String), group2(String), My_Group(String), group3(String)
>
>
Does the case of the groups created in JDBC match the case in this log
message? So, for example, is your JDBC group called "group1" or "Group1" or
"GROUP1"? It needs to match exactly.
-Nick
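A small checker for the mismatch Nick describes, added here as an example and not part of the thread or of Guacamole itself: it parses the attribute map from the saml-debug log line quoted above and compares the asserted groups against the names in guacamole_entity. The JDBC group list is a constructed sample, and the lower-case 'my_group' spelling is an assumption standing in for the poster's case mismatch.

```python
import re
from typing import Dict, List

# Constructed sample: the saml-debug line from catalina.out as quoted in the thread,
# with the group attribute name taken from saml-group-attribute in guacamole.properties.
GROUP_ATTRIBUTE = "urn:oid:1.2.840.113556.1.2.102"
LOG_LINE = (
    "c.onelogin.saml2.authn.SamlResponse - SAMLResponse has attributes: "
    "{urn:oid:1.2.840.113556.1.2.102=[Some_group, My_Group, Another_Group], "
    "urn:oid:2.5.4.3=[MyUser], IDP=[INTERNAL]}"
)
# Constructed sample of what SELECT name FROM guacamole_entity WHERE type = 'USER_GROUP'
# might return; 'my_group' is an assumed spelling standing in for the case mismatch.
JDBC_GROUPS = ["my_group", "Another_Group", "Admins"]

# One 'key=[v1, v2]' entry inside the braces; keys never contain '=', ',' or whitespace.
ATTR_RE = re.compile(r"([^{}=,\[\]\s]+)=\[([^\]]*)\]")


def parse_saml_attributes(line: str) -> Dict[str, List[str]]:
    """Parse the '{key=[v1, v2], key2=[v3]}' attribute map printed by saml-debug."""
    start, end = line.find("{"), line.rfind("}")
    if start < 0 or end < start:
        return {}
    attrs: Dict[str, List[str]] = {}
    for key, values in ATTR_RE.findall(line[start + 1:end]):
        attrs[key] = [v.strip() for v in values.split(",") if v.strip()]
    return attrs


def check_group_mapping(saml_groups: List[str], jdbc_groups: List[str]) -> dict:
    """Classify each asserted group as exact JDBC match, case-only mismatch, or absent.
    Guacamole compares group names exactly, so only 'matched' entries grant permissions."""
    exact = set(jdbc_groups)
    by_lower: Dict[str, List[str]] = {}
    for g in jdbc_groups:
        by_lower.setdefault(g.lower(), []).append(g)
    result = {"matched": [], "case_mismatch": {}, "missing": []}
    for g in saml_groups:
        if g in exact:
            result["matched"].append(g)
        elif g.lower() in by_lower:
            result["case_mismatch"][g] = by_lower[g.lower()]
        else:
            result["missing"].append(g)
    return result


if __name__ == "__main__":
    groups = parse_saml_attributes(LOG_LINE).get(GROUP_ATTRIBUTE, [])
    for kind, entries in check_group_mapping(groups, JDBC_GROUPS).items():
        print(f"{kind}: {entries}")
```

Feed it the real group names from guacamole_entity and any entry under case_mismatch is a group that looks correct in the SAML response but will never grant the connection permission.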
Re: user logs in but cannot see authorized connection
Posted by Vieri <re...@yahoo.com.INVALID>.
Any ideas on this matter?
It's important to correctly honor groups sent via SAML.
I see this:
SAMLAuthenticatedUser.java: List<String> samlGroups = identity.getAttributes().get(confService.getGroupAttribute());
called in:
SAMLAuthenticatedUser.java: private Set<String> getGroups(AssertedIdentity identity)
called by:
SAMLAuthenticatedUser.java: super.init(identity.getUsername(), credentials, getGroups(identity), getTokens(identity));
and in the tomcat log everything seems to be in order:
o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - ==> Parameters: 3(Integer), group1(String), group2(String), My_Group(String), group3(String)
So what next?
Am I misunderstanding the way SAML works with Guacamole, or could it be a bug or missing feature?
Any answer will do...
Thanks,
Vieri Jerome