Posted to dev@guacamole.apache.org by Kaushik Srinivasan <ka...@iu.edu> on 2018/03/24 02:41:22 UTC

Moving Guacamole Authentication to Reverse Proxy

Hi Everyone,

I'm currently working on an NSF-funded project and using Guacamole as part
of the university infrastructure.

I have a few design-oriented questions.

Currently our Guacamole setup uses the CAS auth module for authentication.
But we would like to support SAML too.

We believe that the best way to do this is by implementing both the
authentication modules in the reverse proxy. But there are two issues with
this.

1. Once our reverse proxy authenticates, we are planning to use No-Auth
module in Guacamole to allow the user to pass through. This would not be
possible in future as the recent version 0.9.14 states that "The "NoAuth"
extension is **DEPRECATED**" and will be removed in future releases. *How
can we allow users to 'pass-through' once they authenticate with our
reverse proxy?*

2. Currently Guacamole maintains an authorized list in the database,
which the CAS module uses to verify for authorization. But in the case of
reverse proxy this would not be possible. *Is there any way a reverse proxy
can pass the authenticated user to the database module in the CAS for
authorization to a connection?*

Thanks in advance.

-- 
Regards,
Kaushik Srinivasan
Indiana University Bloomington

Re: Moving Guacamole Authentication to Reverse Proxy

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Apr 17, 2018 at 2:25 PM, Kaushik Srinivasan <ka...@iu.edu> wrote:

> Hi All,
>
> I tried testing saml-auth developed in https://github.com/necouchman/guacamole-client/tree/723b15dcae4ea72593d9c5adc0be37ab1b010047/extensions/guacamole-auth-saml.
>
> The authentication module is behaving strangely and I'm not sure if I have
> improper configuration.
>
> When I visit my guacamole page, I'm redirected to IDP and the
> authentication process proceeds as expected. But once the authentication is
> complete, I'm redirected to the default guacamole login page instead of
> being redirected to the connections page.
>
> On going through the Tomcat log files, the following was present.
>
> *Extension "guacamole-auth-saml-0.9.14.jar" could not be loaded:
> Authentication provider class cannot be loaded (wrong version of API?)*
>
> I'm running 0.9.14, so it's not an issue with API version. (The
> guac_manifest for saml is also 0.9.14).
> Moreover, if the extension was not loaded, how was I redirected to the IDP?
>
>
Yeah, but the SAML authentication extension is actually developed against
the git master, so the versions, even though the same, are actually
slightly different.  If you're trying out the SAML extension, please build
the entire Guacamole Client from that version of the git repo and load the
version of Guacamole that matches the SAML extension.

-Nick

Re: Moving Guacamole Authentication to Reverse Proxy

Posted by Kaushik Srinivasan <ka...@iu.edu>.
Hi All,

I tried testing saml-auth developed in https://github.com/necouchman/guacamole-client/tree/723b15dcae4ea72593d9c5adc0be37ab1b010047/extensions/guacamole-auth-saml.

The authentication module is behaving strangely and I'm not sure if I have
improper configuration.

When I visit my guacamole page, I'm redirected to IDP and the
authentication process proceeds as expected. But once the authentication is
complete, I'm redirected to the default guacamole login page instead of
being redirected to the connections page.

On going through the Tomcat log files, the following was present.

*Extension "guacamole-auth-saml-0.9.14.jar" could not be loaded:
Authentication provider class cannot be loaded (wrong version of API?)*

I'm running 0.9.14, so it's not an issue with API version. (The
guac_manifest for saml is also 0.9.14).
Moreover, if the extension was not loaded, how was I redirected to the IDP?

My guacamole.properties file is as follows.

guacd-hostname: localhost
guacd-port: 4822
mysql-hostname: sql_container
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: XXXXXXXXXX
mysql-password: XXXXXXXXXXXXXXXXXXX

saml-idp-metadata: https://XXXXXXXXXXX/shibboleth-idp/shibboleth
saml-idp-url: https://XXXXXXXXXX/shibboleth-idp/shibboleth
saml-entity-id: https://XXXXXXXXXXXXX/shibboleth
saml-callback-url: https://XXXXXXX/guacamole/
saml-logout-url: https://XXXXXXXXXX/logout


Regards,
Kaushik Srinivasan



On Sat, Mar 24, 2018 at 12:33 AM, Mike Jumper <mi...@guac-dev.org>
wrote:

> On Fri, Mar 23, 2018 at 8:26 PM, Kaushik Srinivasan <ka...@iu.edu>
> wrote:
>
> > Hi Mike,
> >
> > Thanks a lot. HTTP header authentication would better suit our needs.
> >
> >
> OK.
>
> > We are trying to move away from Guacamole authentication modules as we want
> > to get SAML working asap and apache can be "easily" configured for that
> > instead of waiting for the module development ...
>
>
> Understood, but you might also consider leveraging your need to help this
> community with theirs. There's an outstanding pull request for the SAML
> module which is in need of code review and testing. If you have a SAML
> service already deployed and working on your end, you may be able to help
> by testing the new module and providing feedback.
>
> https://github.com/apache/guacamole-client/pull/254
>
> > ... by your team.
> >
>
> Apache Guacamole is developed by a community, not by any individual's team.
>
> - Mike
>



-- 
Regards,
Kaushik Srinivasan

Re: Moving Guacamole Authentication to Reverse Proxy

Posted by Kaushik Srinivasan <ka...@iu.edu>.
Awesome. I would love to test it. I'm waiting for our university
authorization to connect to the idp.

I'll definitely get back to this thread in two weeks.

Regards,
Kaushik


On Sat, Mar 24, 2018, 12:34 AM Mike Jumper <mi...@guac-dev.org> wrote:

> On Fri, Mar 23, 2018 at 8:26 PM, Kaushik Srinivasan <ka...@iu.edu>
> wrote:
>
> > Hi Mike,
> >
> > Thanks a lot. HTTP header authentication would better suit our needs.
> >
> >
> OK.
>
> > We are trying to move away from Guacamole authentication modules as we want
> > to get SAML working asap and apache can be "easily" configured for that
> > instead of waiting for the module development ...
>
>
> Understood, but you might also consider leveraging your need to help this
> community with theirs. There's an outstanding pull request for the SAML
> module which is in need of code review and testing. If you have a SAML
> service already deployed and working on your end, you may be able to help
> by testing the new module and providing feedback.
>
> https://github.com/apache/guacamole-client/pull/254
>
> > ... by your team.
> >
>
> Apache Guacamole is developed by a community, not by any individual's team.
>
> - Mike
>

Re: Moving Guacamole Authentication to Reverse Proxy

Posted by Mike Jumper <mi...@guac-dev.org>.
On Fri, Mar 23, 2018 at 8:26 PM, Kaushik Srinivasan <ka...@iu.edu> wrote:

> Hi Mike,
>
> Thanks a lot. HTTP header authentication would better suit our needs.
>
>
OK.

> We are trying to move away from Guacamole authentication modules as we want
> to get SAML working asap and apache can be "easily" configured for that
> instead of waiting for the module development ...


Understood, but you might also consider leveraging your need to help this
community with theirs. There's an outstanding pull request for the SAML
module which is in need of code review and testing. If you have a SAML
service already deployed and working on your end, you may be able to help
by testing the new module and providing feedback.

https://github.com/apache/guacamole-client/pull/254

> ... by your team.
>

Apache Guacamole is developed by a community, not by any individual's team.

- Mike

Re: Moving Guacamole Authentication to Reverse Proxy

Posted by Kaushik Srinivasan <ka...@iu.edu>.
Hi Mike,

Thanks a lot. HTTP header authentication would better suit our needs.

We are trying to move away from Guacamole authentication modules as we want
to get SAML working asap and apache can be "easily" configured for that
instead of waiting for the module development by your team.

Thanks again.

Regards,
Kaushik Srinivasan

On Fri, Mar 23, 2018 at 11:13 PM, Mike Jumper <mi...@guac-dev.org>
wrote:

> On Fri, Mar 23, 2018 at 7:41 PM, Kaushik Srinivasan <ka...@iu.edu>
> wrote:
>
> > Hi Everyone,
> >
> > I'm currently working on an NSF-funded project and using Guacamole as part
> > of the university infrastructure.
> >
> > I have a few design-oriented questions.
> >
> > Currently our Guacamole setup uses the CAS auth module for
> > authentication.
> > But we would like to support SAML too.
>
>
> There is a SAML extension under development:
>
> https://issues.apache.org/jira/browse/GUACAMOLE-103
>
> Have you taken a look at whether that would fit your needs?
>
> > We believe that the best way to do this is by implementing both the
> > authentication modules in the reverse proxy. But there are two issues
> > with
> > this.
> >
> > 1. Once our reverse proxy authenticates, we are planning to use No-Auth
> > module in Guacamole to allow the user to pass through. This would not be
> > possible in future as the recent version 0.9.14 states that "The "NoAuth"
> > extension is **DEPRECATED**" and will be removed in future releases. *How
> > can we allow users to 'pass-through' once they authenticate with our
> > reverse proxy?*
> >
> >
> The old "NoAuth" extension would not pass through anything; it would give
> everyone the same access to everything. Even if that extension were not
> deprecated, it would not be a good solution for the case you describe.
>
> > 2. Currently Guacamole maintains an authorized list in the database,
> > which the CAS module uses to verify for authorization. But in the case of
> > reverse proxy this would not be possible. *Is there any way a reverse
> > proxy
> > can pass the authenticated user to the database module in the CAS for
> > authorization to a connection?*
> >
> >
> Configure your reverse proxy to set an HTTP header of your choice for
> authenticated users, and ensure that header is removed from the external
> HTTP request before adding it via the auth process (ensure that ONLY your
> auth mechanisms can provide this header, not a malicious user that manually
> sets the header). You can then use Guacamole's header authentication
> extension:
>
> http://guacamole.apache.org/doc/gug/header-auth.html
>
> - Mike
>



-- 
Regards,
Kaushik Srinivasan

Re: Moving Guacamole Authentication to Reverse Proxy

Posted by Mike Jumper <mi...@guac-dev.org>.
On Fri, Mar 23, 2018 at 7:41 PM, Kaushik Srinivasan <ka...@iu.edu> wrote:

> Hi Everyone,
>
> I'm currently working on an NSF-funded project and using Guacamole as part
> of the university infrastructure.
>
> I have a few design-oriented questions.
>
> Currently our Guacamole setup uses the CAS auth module for authentication.
> But we would like to support SAML too.


There is a SAML extension under development:

https://issues.apache.org/jira/browse/GUACAMOLE-103

Have you taken a look at whether that would fit your needs?

> We believe that the best way to do this is by implementing both the
> authentication modules in the reverse proxy. But there are two issues with
> this.
>
> 1. Once our reverse proxy authenticates, we are planning to use No-Auth
> module in Guacamole to allow the user to pass through. This would not be
> possible in future as the recent version 0.9.14 states that "The "NoAuth"
> extension is **DEPRECATED**" and will be removed in future releases. *How
> can we allow users to 'pass-through' once they authenticate with our
> reverse proxy?*
>
>
The old "NoAuth" extension would not pass through anything; it would give
everyone the same access to everything. Even if that extension were not
deprecated, it would not be a good solution for the case you describe.

> 2. Currently Guacamole maintains an authorized list in the database,
> which the CAS module uses to verify for authorization. But in the case of
> reverse proxy this would not be possible. *Is there any way a reverse proxy
> can pass the authenticated user to the database module in the CAS for
> authorization to a connection?*
>
>
Configure your reverse proxy to set an HTTP header of your choice for
authenticated users, and ensure that header is removed from the external
HTTP request before adding it via the auth process (ensure that ONLY your
auth mechanisms can provide this header, not a malicious user that manually
sets the header). You can then use Guacamole's header authentication
extension:

http://guacamole.apache.org/doc/gug/header-auth.html

- Mike
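Mike's two requirements (the proxy sets the header only for authenticated users, and nothing but the proxy's own auth step can supply it) written out as an Apache httpd 2.4 configuration. This is an added example, not configuration from the thread or from the Guacamole project; it assumes mod_auth_cas is already configured at server level (CASLoginURL, CASValidateURL), that mod_headers, mod_proxy, mod_proxy_http and mod_proxy_wstunnel are loaded, and that Tomcat serves Guacamole on 127.0.0.1:8080.

```apache
# Apache httpd 2.4 reverse proxy in front of the Guacamole webapp on Tomcat.
# Assumed (not shown): mod_auth_cas is configured server-wide with
# CASLoginURL and CASValidateURL; the SSO module could equally be mod_shib.
<Location "/guacamole/">
    # The SSO module authenticates the browser session and establishes the
    # server-side REMOTE_USER identity for this request.
    AuthType CAS
    Require valid-user

    # Step 1: discard any REMOTE_USER header the client sent, in the early
    # phase before authentication runs, so a user cannot choose their own
    # identity by adding the header to the request by hand.
    RequestHeader unset REMOTE_USER early

    # Step 2: after authentication succeeds, populate the header from the
    # identity the SSO module established, never from client input.
    RequestHeader set REMOTE_USER "expr=%{REMOTE_USER}"

    ProxyPass        "http://127.0.0.1:8080/guacamole/"
    ProxyPassReverse "http://127.0.0.1:8080/guacamole/"
</Location>

# The WebSocket tunnel needs its own ws:// ProxyPass (mod_proxy_wstunnel).
# Auth is inherited from the parent Location; the tunnel itself is
# authorised by the Guacamole token, so no identity header is set here,
# but a client-supplied one is still stripped.
<Location "/guacamole/websocket-tunnel">
    RequestHeader unset REMOTE_USER early
    ProxyPass        "ws://127.0.0.1:8080/guacamole/websocket-tunnel"
    ProxyPassReverse "ws://127.0.0.1:8080/guacamole/websocket-tunnel"
</Location>

# Tomcat's HTTP <Connector> should bind only to 127.0.0.1
# (address="127.0.0.1") so nobody can bypass this proxy, and the header
# check, by talking to port 8080 directly.
```

The header name must match the `http-auth-header` property of guacamole-auth-header in guacamole.properties (it defaults to REMOTE_USER), and authorization still comes from the database extension, which only grants the connections assigned to that username.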