Posted to user@guacamole.apache.org by Timothy Dilbert <td...@gmail.com> on 2022/11/24 17:07:59 UTC

SAML authentication working, but UX experience is not ideal

We use SAML to authenticate into Guacamole. For the most part, it has been
working flawlessly, and we have no complaints, except for one thing... it
is difficult to recognise our users.

When a user signs in for the first time, they get what appears to be a
random username (e.g. uuidb964e028-b2e0-XXXX-a725-XX834988ceXX). Moreover,
their *Full Name* and *Email Address* are not brought across from the IDP
to Guacamole.

Below is my guacamole.properties file:

[image: image.png]

Ideally, I would like for:

   1. Their *username* in Guacamole to be their email address;
   2. The *Full Name* and *Email Address* fields in Guacamole to be
   automatically populated (and kept up-to-date) using mapped fields from the
   IDP.

Is any of this possible?

Regards,

Tim

Re: SAML authentication working, but UX experience is not ideal

Posted by Michael Jumper <mj...@apache.org>.
On Thu, Nov 24, 2022, 10:47 AM Timothy Dilbert <td...@gmail.com> wrote:

> We're using IBM Security Verify.
>

You need to configure your IdP to send the NameID in your desired format:
https://www.ibm.com/docs/en/security-verify?topic=provider-configuring-saml-subject-mapping-attributes

If you have already done this but the IdP is still sending its own UUIDs
instead, you'll need to reach out to your IdP for assistance. There really
isn't anything on the Guacamole side to be done here.

The SAML standard dictates identity with NameIDs. Guacamole will honor
whatever value your SAML IdP says is your identity (NameID). Your IdP is
currently sending a UUID, but appears to have options to change this
behavior.

> Shouldn't there be a list of attribute names in the Guacamole documentation
> that the SAML IdP should be sending over? Do you have a list of attribute
> names I should be sending?
>

No, SAML is a standard that already dictates this. Your identity is
determined by the NameID. If your identity is not coming through as
expected, you need to configure your IdP to send what you expect for the
NameID.

- Mike

Re: SAML authentication working, but UX experience is not ideal

Posted by Timothy Dilbert <td...@gmail.com>.
We're using IBM Security Verify.

Shouldn't there be a list of attribute names in the Guacamole documentation
that the SAML IdP should be sending over? Do you have a list of attribute
names I should be sending?

On Thu, Nov 24, 2022 at 1:40 PM Michael Jumper <mj...@apache.org> wrote:

> On Thu, Nov 24, 2022, 10:27 AM Timothy Dilbert <td...@gmail.com>
> wrote:
>
>> Hi Michael,
>>
>> I've checked everything I can within the IdP.
>>
>
> Which IdP are you using?
>
>
>>    - I'm already sending the email address as the Name ID.
>>
> Perhaps so, but your IdP appears to not be honoring that setting, and is
> instead sending a UUID-like value. If it were sending the email address as
> the name ID, then that's what you'd see in Guacamole.
>
>>
>>    - I've even tried selecting "Send all known attributes" but I am
>>    getting the following error in Tomcat:
>>    ```
>>    Unexpected internal error: Duplicate key SAML_GIVEN_NAME
>>    ```
>>
> It seems your IdP is now sending an invalid SAML assertion...
>
>> It's just not clear what I should do next to troubleshoot further.
>>
>
> Try using a SAML tracing extension for your browser so you can see the
> assertion. That might reveal what your IdP is doing wrong; the fact that
> it's sending duplicate keys and failing to honor your name ID settings is
> troubling.
>
> Once you have obtained the SAML assertion and can see where it differs vs.
> the way you have configured your IdP, you may need to reach out to your
> IdP's support to correct things.
>
>> I feel like I'm missing documentation that tells me what attributes to
>> send and their names.
>>
>> Also, could setting `sqlserver-auto-create-accounts` to TRUE be the
>> reason the uuid accounts are being created?
>>
>
> No. The only reason there would be UUIDs anywhere for usernames is if that
> is what the IdP is sending. Guacamole does not generate usernames on its
> own; it simply uses the value received verbatim.
>
> - Mike
>
>

Re: SAML authentication working, but UX experience is not ideal

Posted by Michael Jumper <mj...@apache.org>.
On Thu, Nov 24, 2022, 10:27 AM Timothy Dilbert <td...@gmail.com> wrote:

> Hi Michael,
>
> I've checked everything I can within the IdP.
>

Which IdP are you using?


>    - I'm already sending the email address as the Name ID.
>
Perhaps so, but your IdP appears to not be honoring that setting, and is
instead sending a UUID-like value. If it were sending the email address as
the name ID, then that's what you'd see in Guacamole.

>
>    - I've even tried selecting "Send all known attributes" but I am
>    getting the following error in Tomcat:
>    ```
>    Unexpected internal error: Duplicate key SAML_GIVEN_NAME
>    ```
>
It seems your IdP is now sending an invalid SAML assertion...

> It's just not clear what I should do next to troubleshoot further.
>

Try using a SAML tracing extension for your browser so you can see the
assertion. That might reveal what your IdP is doing wrong; the fact that
it's sending duplicate keys and failing to honor your name ID settings is
troubling.

Once you have obtained the SAML assertion and can see where it differs vs.
the way you have configured your IdP, you may need to reach out to your
IdP's support to correct things.

> I feel like I'm missing documentation that tells me what attributes to send
> and their names.
>
> Also, could setting `sqlserver-auto-create-accounts` to TRUE be the reason
> the uuid accounts are being created?
>

No. The only reason there would be UUIDs anywhere for usernames is if that
is what the IdP is sending. Guacamole does not generate usernames on its
own; it simply uses the value received verbatim.

- Mike
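
[Editor's added example, not part of the thread and not Guacamole's code.]
Two points in the replies above call for the same tool: the statement that
Guacamole takes its notion of identity verbatim from the assertion's NameID
(so a UUID-style or transient NameID shows up as the username, and with
auto-created accounts every new NameID value becomes a new account), and the
advice to capture the assertion with a SAML tracing extension and compare it
with what the IdP was configured to send. The script below takes the base64
SAMLResponse value that such an extension shows for the HTTP-POST binding,
parses it with the standard SAML 2.0 namespaces, and reports the NameID value
and Format, every attribute, and any attributes whose names collapse to the
same key. It does not verify the XML signature, so it is a diagnostic for a
response you captured from your own login, never an authentication check.
Assumptions, flagged in the code as well: `token_name` derives a key such as
SAML_GIVEN_NAME by prefixing and upper-casing the attribute Name, which is a
guess at how the duplicate-key error in the thread arises; `build_response`
and both sample responses are constructed, unsigned fixtures so the example
runs offline, and the UUID-style value in them is made up rather than the
redacted one from the original post.

```python
"""Decode a SAMLResponse (HTTP-POST binding) and report what the IdP asserted.
Added example for the Guacamole SAML thread; not Guacamole's own code.
Does NOT verify the XML signature: a diagnostic aid only, never an auth check."""
import base64
import re
from collections import Counter
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def decode_saml_response(b64: str) -> ET.Element:
    """The HTTP-POST binding carries the Response as plain base64 (no DEFLATE)."""
    return ET.fromstring(base64.b64decode(b64))


def extract_name_id(root: ET.Element):
    """Return (value, Format) of the assertion's Subject NameID, or (None, None)."""
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        return None, None
    return (node.text or "").strip(), node.get("Format", "")


def extract_attributes(root: ET.Element):
    """Return [(attribute Name, [values...]), ...] in assertion order."""
    result = []
    for attr in root.findall(".//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
        result.append((attr.get("Name", ""), values))
    return result


def token_name(attr_name: str) -> str:
    """ASSUMPTION: the SP builds a key like SAML_GIVEN_NAME by upper-casing the
    attribute Name and replacing non-alphanumerics with '_'. Two attributes
    that collapse to one key here would collide the same way on the SP."""
    return "SAML_" + re.sub(r"[^A-Za-z0-9]", "_", attr_name).upper()


def inspect_response(b64: str) -> dict:
    """Summarise identity-relevant content and list findings an SP admin cares
    about: no NameID, transient NameID, NameID not an e-mail, duplicate keys."""
    root = decode_saml_response(b64)
    name_id, fmt = extract_name_id(root)
    attrs = extract_attributes(root)
    findings = []
    if name_id is None:
        findings.append("assertion carries no NameID")
    else:
        if fmt == NAMEID_TRANSIENT:
            findings.append("NameID format is transient: a fresh value every login")
        if "@" not in name_id:
            findings.append(f"NameID {name_id!r} is not an e-mail address "
                            f"(format: {fmt or 'unspecified'})")
    counts = Counter(token_name(name) for name, _ in attrs)
    duplicates = sorted(key for key, n in counts.items() if n > 1)
    findings.extend(f"duplicate attribute key {key}" for key in duplicates)
    return {"name_id": name_id, "name_id_format": fmt, "attributes": attrs,
            "duplicates": duplicates, "findings": findings}


def build_response(name_id: str, name_id_format: str, attributes) -> str:
    """Constructed, UNSIGNED fixture so the inspector runs offline. A real IdP
    response is signed and also carries Conditions, AuthnStatement, etc."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(n, {chr(34): "&quot;"})}">'
        f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue></saml:Attribute>"
        for n, v in attributes
    )
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_r1" Version="2.0" IssueInstant="2022-11-24T17:00:00Z">'
        "<saml:Issuer>https://idp.example.test/saml</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-11-24T17:00:00Z">'
        "<saml:Issuer>https://idp.example.test/saml</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{escape(name_id)}'
        "</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


# Constructed to mirror the symptom in the thread: an opaque UUID-style NameID
# (made-up value) and a repeated attribute, the "Duplicate key SAML_GIVEN_NAME" case.
BAD_RESPONSE = build_response(
    "uuid00000000-0000-4000-8000-000000000000", NAMEID_PERSISTENT,
    [("given_name", "Tim"), ("given_name", "Timothy"), ("email", "tim@example.test")],
)
# What the poster asked for: the e-mail address as NameID, one value per key.
GOOD_RESPONSE = build_response(
    "tim@example.test", NAMEID_EMAIL,
    [("given_name", "Tim"), ("email", "tim@example.test")],
)

if __name__ == "__main__":
    for label, resp in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        report = inspect_response(resp)
        print(f"[{label}] NameID={report['name_id']!r} format={report['name_id_format']}")
        for finding in report["findings"]:
            print("   -", finding)
```

To use it on a real login, copy the SAMLResponse form value from the tracing
extension into `inspect_response`. If the NameID printed is the UUID rather
than the e-mail address configured at the IdP, the IdP-side mapping is not
taking effect, which is exactly the comparison Mike suggests making before
going to the IdP vendor; a duplicate key in the output is the assertion-level
counterpart of the "Duplicate key" error seen in Tomcat.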

Re: SAML authentication working, but UX experience is not ideal

Posted by Timothy Dilbert <td...@gmail.com>.
Hi Michael,

I've checked everything I can within the IdP.

   - I'm already sending the email address as the Name ID.
   - I've even tried selecting "Send all known attributes" but I am getting
   the following error in Tomcat:
   ```
   Unexpected internal error: Duplicate key SAML_GIVEN_NAME
   ```

It's just not clear what I should do next to troubleshoot further. I feel
like I'm missing documentation that tells me what attributes to send and
their names.

Also, could setting `sqlserver-auto-create-accounts` to TRUE be the reason
the uuid accounts are being created?

On Thu, Nov 24, 2022 at 12:11 PM Michael Jumper <mj...@apache.org> wrote:

> On Thu, Nov 24, 2022, 9:08 AM Timothy Dilbert <
> tdilbert25+guacmole@gmail.com> wrote:
>
>> We use SAML to authenticate into Guacamole. For the most part, it has
>> been working flawlessly, and we have no complaints, except for one thing...
>> it is difficult to recognise our users.
>>
>> When a user signs in for the first time, they get what appears to be a
>> random username (e.g. uuidb964e028-b2e0-XXXX-a725-XX834988ceXX).
>>
>
> This is because of how your SAML IdP is configured, not Guacamole. You
> need to configure your IdP to send across the username, email, or similar
> as the name ID.
>
> - Mike
>
>

Re: SAML authentication working, but UX experience is not ideal

Posted by Michael Jumper <mj...@apache.org>.
On Thu, Nov 24, 2022, 9:08 AM Timothy Dilbert <td...@gmail.com>
wrote:

> We use SAML to authenticate into Guacamole. For the most part, it has been
> working flawlessly, and we have no complaints, except for one thing... it
> is difficult to recognise our users.
>
> When a user signs in for the first time, they get what appears to be a
> random username (e.g. uuidb964e028-b2e0-XXXX-a725-XX834988ceXX).
>

This is because of how your SAML IdP is configured, not Guacamole. You need
to configure your IdP to send across the username, email, or similar as the
name ID.

- Mike