On Wed, Aug 30, 2023 at 6:22 PM <[email protected]> wrote:
>
> Hey, Mike, for that setup the docker-compose logs at least for this test
> host seemed complete, but I don't have them saved anymore...
> Good news I hope though - after messing with it some more I think I may
> have made SOME progress.
>
> Before guacamole wasn't receiving the SAML response / attestation, but
> following this guide I'm at least getting that now:
> https://github.com/sol1-ansible/sol1-guacamole-client/blob/main/README-SAML-Jumpcloud.md
> (Note this guide is to set up a native guacamole 1.4.0 stack install
> using ansible and I'm doing neither - using Docker images and version
> 1.5.3)
>
> Changes to JumpCloud configuration:
> Changed ACS URL from: https://grds.my.domain.net/ to
> https://grds.my.domain.net/api/ext/saml/callback
> Changed Login URL from: https://grds.my.domain.net/ to
> https://grds.my.domain.net/api/ext/saml/login
>
> Changes to guacamole.properties:
> I think I fixed the saml-idp-metadata-url:
> file:///guacamole_home/guac-saml-metadata.xml - at least it's no longer
> exploding when it loads now.
> I removed the compression options
>
> After applying that config I was then getting the SAML response with
> this error: 'Caused by: com.onelogin.saml2.exception.ValidationError:
> The response was received at
> http://grds.my.domain.net/guacamole/api/ext/saml/callback instead of
> https://grds.my.domain.net/api/ext/saml/callback'
>
> I tried all sorts of changes to my Apache2 HTTP reverse proxy settings
> but was unable to resolve the translation of the callback URL from
> /guacamole to /.
> (Note I'm using the Apache2 reverse proxy configuration as provided in
> your Guacamole admin manual.)

You might take a look at this thread back in 2022:

https://lists.apache.org/thread/hvd23yylm3lr9swkqxghvwlro8nlgg95

While this mentions steps specifically for Nginx, it shouldn't be too
difficult to translate those over to Apache httpd - basically, make sure
that httpd is forwarding those four headers through, and that Tomcat has
the RemoteIpValve correctly configured to accept the headers.

-Nick
