Posted to user@guacamole.apache.org by Shantanu Panda <sh...@snowflake.com.INVALID> on 2023/06/06 06:39:32 UTC

OKTA SAML Integration for Guacamole

Hi Team,

I am trying to integrate OKTA with Guacamole for SAML-based SSO: SAML
<https://guacamole.apache.org/doc/gug/guacamole-docker.html#saml-authentication>

I have a Docker-based setup for Guacamole and am using the setup below:

    docker run --name sso-guacamole \
        --link some-guacd:guacd \
        --link some-postgres:postgres \
        -e GUACD_HOSTNAME=guacd \
        -e POSTGRES_HOSTNAME=postgres \
        -e POSTGRES_PORT=5432 \
        -e POSTGRES_USER=guacamole \
        -e POSTGRES_PASSWORD=mysecretpassword \
        -e POSTGRES_DATABASE=guacamole_db \
        -e POSTGRESQL_AUTO_CREATE_ACCOUNTS=true \
        -e SAML_IDP_METADATA_URL=https://<okta_url>/app/<id>/sso/saml/metadata \
        -e SAML_ENTITY_ID=https://<entity_id> \
        -e SAML_CALLBACK_URL=https://<entity_id>/guacamole/ \
        -e SAML_DEBUG=true \
        -e REMOTE_IP_VALVE_ENABLED=true \
        -e SAML_STRICT=false \
        -e EXTENSION_PRIORITY="saml" \
        -e SAML_GROUP_ATTRIBUTE="groups" \
        -p 8080:8080 \
        -d guacamole/guacamole

The OKTA SAML application is configured with the basic configuration.
Authentication works, but the permissions of the OKTA groups are not being
mapped to Guacamole, and so the logged-in user has no access to the
administration settings.

Can you please help?


-- 
SHANTANU PANDA

Re: OKTA SAML Integration for Guacamole

Posted by Shantanu Panda <sh...@snowflake.com.INVALID>.
Hi Nick,

I am also getting this WARNING message in the logs:

"AssertionConsumerServiceResource - Authentication attempted with an
invalid SAML response: "RelayState" value included with SAML response is
not valid."

I searched for its resolution and found this:

The RelayState parameter is used to maintain the state of a single sign-on
(SSO) transaction. It is typically used to redirect the user to the correct
application URL or resource within the Service Provider (SP) after they
have been authenticated by the Identity Provider (IdP).

If you're setting a default RelayState in Okta, you would typically set it
to the URL where you want users to be redirected after they've successfully
authenticated. The specific URL would depend on your application's
structure and the specific resources you want the user to access after
logging in. For example, if you want users to land on a specific dashboard
page in your application after they log in, the RelayState could be set to
that URL, such as "https://www.yourapp.com/dashboard".

However, in the context of the Guacamole SAMLService code you provided, the
RelayState is generated dynamically for each SAML request, and it's
expected to match the one returned in the SAML response from the IdP (Okta
in this case). It appears to be used as a key to retrieve the associated
SAMLAuthenticationSession from the sessionManager
<https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java>.
Therefore, setting a static default RelayState in Okta might not work
correctly with this particular implementation, as it expects the RelayState
to be the dynamically generated value that corresponds to a valid session.

It's important to understand how your application uses the RelayState and
to configure it appropriately. If you're unsure, it might be best to
consult with a developer familiar with your specific application and its
SAML SSO implementation.

On Wed, Jun 7, 2023 at 10:49 AM Shantanu Panda <sh...@snowflake.com>
wrote:

> Yes, I have created a group in Guacamole as 'Admin' and have the same
> group as 'Admin' on OKTA.
>
> On Wed, Jun 7, 2023 at 6:57 AM Nick Couchman <vn...@apache.org> wrote:
>
>>
>>
>> On Tue, Jun 6, 2023 at 2:39 AM Shantanu Panda
>> <sh...@snowflake.com.invalid> wrote:
>>
>>> Hi Team,
>>>
>>> I am trying to integrate OKTA with Guacamole for SAML-based SSO: SAML
>>> <https://guacamole.apache.org/doc/gug/guacamole-docker.html#saml-authentication>
>>>
>>> I have a Docker-based setup for Guacamole and am using the setup below:
>>>
>>>     docker run --name sso-guacamole \
>>>         --link some-guacd:guacd \
>>>         --link some-postgres:postgres \
>>>         -e GUACD_HOSTNAME=guacd \
>>>         -e POSTGRES_HOSTNAME=postgres \
>>>         -e POSTGRES_PORT=5432 \
>>>         -e POSTGRES_USER=guacamole \
>>>         -e POSTGRES_PASSWORD=mysecretpassword \
>>>         -e POSTGRES_DATABASE=guacamole_db \
>>>         -e POSTGRESQL_AUTO_CREATE_ACCOUNTS=true \
>>>         -e SAML_IDP_METADATA_URL=https://<okta_url>/app/<id>/sso/saml/metadata \
>>>         -e SAML_ENTITY_ID=https://<entity_id> \
>>>         -e SAML_CALLBACK_URL=https://<entity_id>/guacamole/ \
>>>         -e SAML_DEBUG=true \
>>>         -e REMOTE_IP_VALVE_ENABLED=true \
>>>         -e SAML_STRICT=false \
>>>         -e EXTENSION_PRIORITY="saml" \
>>>         -e SAML_GROUP_ATTRIBUTE="groups" \
>>>         -p 8080:8080 \
>>>         -d guacamole/guacamole
>>>
>>> The OKTA SAML application is configured with the basic configuration.
>>> Authentication works, but the permissions of the OKTA groups are not
>>> being mapped to Guacamole, and so the logged-in user has no access to the
>>> administration settings.
>>>
>>
>> Can you confirm how the groups are being delivered from SAML, and that they
>> match _exactly_ (including case sensitivity) the ones you've created in
>> JDBC?
>>
>> -Nick
>>
>>>
>
> --
> SHANTANU PANDA
> Sr. Security Devops Engineer
>
> MOBILE  +91 7387087672
> EMAIL  shantanu.panda@snowflake.com
>
>
> Snowflake Inc.
> Pune, India
>


-- 
SHANTANU PANDA
Sr. Security Devops Engineer

MOBILE  +91 7387087672
EMAIL  shantanu.panda@snowflake.com


Snowflake Inc.
Pune, India

Re: OKTA SAML Integration for Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Jun 8, 2023 at 2:57 AM Shantanu Panda
<sh...@snowflake.com.invalid> wrote:

> Thanks, I have enabled debugging in guacamole.properties ("saml-debug:
> true" in guacamole.properties) and got the 'RelayState' invalid message as
> WARN. Will check out the debugging for logback.
>

Yeah, I doubt the RelayState WARNing message has anything to do with the
group issue. Hopefully there's a way between the SAML and Guacamole debug
logging to see what the SAML IdP is returning for assertions and make sure
that the ones the IdP is returning match up to your JDBC groups.

-Nick

>
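As an added illustration of Nick's check (not code from this thread or from the Guacamole project): a Python helper that pulls the group attribute out of a captured SAMLResponse and classifies each value against the group names defined in the JDBC database, flagging values that differ only in case or surrounding whitespace. The sample response, the attribute name "groups" (the value of SAML_GROUP_ATTRIBUTE above) and the JDBC group names are constructed.

```python
import base64
import xml.etree.ElementTree as ET
# SAML 2.0 namespaces for protocol messages and assertions.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real capture): a decoded SAMLResponse whose "groups"
# values match the JDBC groups exactly, in case only, or not at all.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Admin</saml:AttributeValue>
        <saml:AttributeValue>operators</saml:AttributeValue>
        <saml:AttributeValue>Viewers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def extract_groups(saml_response, group_attribute="groups"):
    """Return the values of the group attribute (the SAML_GROUP_ATTRIBUTE name)
    from a SAMLResponse given as raw XML or as the base64 POST parameter."""
    text = saml_response.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    root = ET.fromstring(text)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == group_attribute:
            values.extend(v.text or "" for v in attr.iterfind("saml:AttributeValue", NS))
    return values

def check_group_mapping(idp_groups, jdbc_groups):
    """Classify each IdP group as an exact JDBC match, a near miss differing only
    in case or surrounding whitespace (which Guacamole will not map), or missing."""
    exact = set(jdbc_groups)
    folded = {g.strip().casefold(): g for g in jdbc_groups}
    result = {"exact": [], "near": {}, "missing": []}
    for g in idp_groups:
        key = g.strip().casefold()
        if g in exact:
            result["exact"].append(g)
        elif key in folded:
            result["near"][g] = folded[key]
        else:
            result["missing"].append(g)
    return result
```

Anything listed under "near" is the case the thread is chasing: the IdP sends the group, but the name will not line up with the JDBC group until one side is renamed.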

Re: OKTA SAML Integration for Guacamole

Posted by Shantanu Panda <sh...@snowflake.com.INVALID>.
Thanks, I have enabled debugging in guacamole.properties ("saml-debug: true"
in guacamole.properties) and got the 'RelayState' invalid message as WARN.
Will check out the debugging for logback.

On Wed, Jun 7, 2023 at 4:53 PM Nick Couchman <vn...@apache.org> wrote:

>
> On Wed, Jun 7, 2023 at 1:19 AM Shantanu Panda
> <sh...@snowflake.com.invalid> wrote:
>
>> Yes, I have created a group in Guacamole as 'Admin' and have the same
>> group as 'Admin' on OKTA.
>>
>
> You may need to enable debugging for both SAML ("saml-debug: true" in
> guacamole.properties) and the Guacamole Client code (logback.xml) and
> verify that SAML is delivering the assertions and that they are formatted
> the way you expect.
>
>
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application
>
> https://guacamole.apache.org/doc/gug/saml-auth.html#configuring-guacamole-for-saml-authentication
>
> -Nick
>
>>

-- 
SHANTANU PANDA
Sr. Security Devops Engineer

MOBILE  +91 7387087672
EMAIL  shantanu.panda@snowflake.com


Snowflake Inc.
Pune, India

Re: OKTA SAML Integration for Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Jun 7, 2023 at 1:19 AM Shantanu Panda
<sh...@snowflake.com.invalid> wrote:

> Yes, I have created a group in Guacamole as 'Admin' and have the same
> group as 'Admin' on OKTA.
>

You may need to enable debugging for both SAML ("saml-debug: true" in
guacamole.properties) and the Guacamole Client code (logback.xml) and
verify that SAML is delivering the assertions and that they are formatted
the way you expect.

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application
https://guacamole.apache.org/doc/gug/saml-auth.html#configuring-guacamole-for-saml-authentication

-Nick

>

Re: OKTA SAML Integration for Guacamole

Posted by Shantanu Panda <sh...@snowflake.com.INVALID>.
Yes, I have created a group in Guacamole as 'Admin' and have the same group
as 'Admin' on OKTA.

On Wed, Jun 7, 2023 at 6:57 AM Nick Couchman <vn...@apache.org> wrote:

>
>
> On Tue, Jun 6, 2023 at 2:39 AM Shantanu Panda
> <sh...@snowflake.com.invalid> wrote:
>
>> Hi Team,
>>
>> I am trying to integrate OKTA with Guacamole for SAML-based SSO: SAML
>> <https://guacamole.apache.org/doc/gug/guacamole-docker.html#saml-authentication>
>>
>> I have a Docker-based setup for Guacamole and am using the setup below:
>>
>>     docker run --name sso-guacamole \
>>         --link some-guacd:guacd \
>>         --link some-postgres:postgres \
>>         -e GUACD_HOSTNAME=guacd \
>>         -e POSTGRES_HOSTNAME=postgres \
>>         -e POSTGRES_PORT=5432 \
>>         -e POSTGRES_USER=guacamole \
>>         -e POSTGRES_PASSWORD=mysecretpassword \
>>         -e POSTGRES_DATABASE=guacamole_db \
>>         -e POSTGRESQL_AUTO_CREATE_ACCOUNTS=true \
>>         -e SAML_IDP_METADATA_URL=https://<okta_url>/app/<id>/sso/saml/metadata \
>>         -e SAML_ENTITY_ID=https://<entity_id> \
>>         -e SAML_CALLBACK_URL=https://<entity_id>/guacamole/ \
>>         -e SAML_DEBUG=true \
>>         -e REMOTE_IP_VALVE_ENABLED=true \
>>         -e SAML_STRICT=false \
>>         -e EXTENSION_PRIORITY="saml" \
>>         -e SAML_GROUP_ATTRIBUTE="groups" \
>>         -p 8080:8080 \
>>         -d guacamole/guacamole
>>
>> The OKTA SAML application is configured with the basic configuration.
>> Authentication works, but the permissions of the OKTA groups are not being
>> mapped to Guacamole, and so the logged-in user has no access to the
>> administration settings.
>>
>
> Can you confirm how the groups are being delivered from SAML, and that they
> match _exactly_ (including case sensitivity) the ones you've created in
> JDBC?
>
> -Nick
>
>>

-- 
SHANTANU PANDA
Sr. Security Devops Engineer

MOBILE  +91 7387087672
EMAIL  shantanu.panda@snowflake.com


Snowflake Inc.
Pune, India

Re: OKTA SAML Integration for Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Jun 6, 2023 at 2:39 AM Shantanu Panda
<sh...@snowflake.com.invalid> wrote:

> Hi Team,
>
> I am trying to integrate OKTA with Guacamole for SAML-based SSO: SAML
> <https://guacamole.apache.org/doc/gug/guacamole-docker.html#saml-authentication>
>
> I have a Docker-based setup for Guacamole and am using the setup below:
>
>     docker run --name sso-guacamole \
>         --link some-guacd:guacd \
>         --link some-postgres:postgres \
>         -e GUACD_HOSTNAME=guacd \
>         -e POSTGRES_HOSTNAME=postgres \
>         -e POSTGRES_PORT=5432 \
>         -e POSTGRES_USER=guacamole \
>         -e POSTGRES_PASSWORD=mysecretpassword \
>         -e POSTGRES_DATABASE=guacamole_db \
>         -e POSTGRESQL_AUTO_CREATE_ACCOUNTS=true \
>         -e SAML_IDP_METADATA_URL=https://<okta_url>/app/<id>/sso/saml/metadata \
>         -e SAML_ENTITY_ID=https://<entity_id> \
>         -e SAML_CALLBACK_URL=https://<entity_id>/guacamole/ \
>         -e SAML_DEBUG=true \
>         -e REMOTE_IP_VALVE_ENABLED=true \
>         -e SAML_STRICT=false \
>         -e EXTENSION_PRIORITY="saml" \
>         -e SAML_GROUP_ATTRIBUTE="groups" \
>         -p 8080:8080 \
>         -d guacamole/guacamole
>
> The OKTA SAML application is configured with the basic configuration.
> Authentication works, but the permissions of the OKTA groups are not being
> mapped to Guacamole, and so the logged-in user has no access to the
> administration settings.
>

Can you confirm how the groups are being delivered from SAML, and that they
match _exactly_ (including case sensitivity) the ones you've created in
JDBC?

-Nick

>