Hi! Note: I posted a similar topic some time ago, but that one was to use Guacamole behind a Proxy Server. This time, the issue is behind a Reverse Proxy.
I am using the Guacamole DockerHub image, behind an Nginx proxy, as documented in https://guacamole.apache.org/doc/gug/reverse-proxy.html#nginx. Guacamole is set up with the "saml" extension, as documented in https://guacamole.apache.org/doc/gug/saml-auth.html.

Everything was working fine until I set SAML_STRICT=true. The reason is in this log line: "Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://web:8080/guacamole/api/ext/saml/callback instead of https://localhost/guacamole/api/ext/saml/callback". So, when strict mode is set, Guacamole is expecting the reply to be made to the "internal" host (http://web:8080/guacamole in my case) instead of the "real" host (https://localhost/guacamole).

The result in the UI is an infinite loop: the first time you enter your credentials, Guacamole will fail and redirect you back to the identity provider, which will reply to Guacamole saying that you are already authenticated, making Guacamole fail again and redirect you to the identity provider again.

I had a very similar problem (almost the same problem, to be honest) in a Tornado server that is a companion to my Guacamole instance. In that case, the solution was to use the Assertion Consumer Service URL setting to figure out the "real" host and use that to create the SAML request in the first place.

My question is: what would be the way in Guacamole to do the equivalent, and tell the SAML extension to make the SAML request with the "real" host instead of the "internal" host when you are behind a reverse proxy? Thank you!
The full log:

2024-01-29 21:09:08 Using default Tomcat allowed IPs regex
2024-01-29 21:09:08 Using default Tomcat proxy IP header
2024-01-29 21:09:08 Using default Tomcat proxy protocol header
2024-01-29 21:09:08 Using default Tomcat proxy forwarded by header
2024-01-29 21:09:09 30-Jan-2024 05:09:09.363 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/8.5.98
2024-01-29 21:09:09 30-Jan-2024 05:09:09.367 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Jan 5 2024 15:56:27 UTC
2024-01-29 21:09:09 30-Jan-2024 05:09:09.367 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 8.5.98.0
2024-01-29 21:09:09 30-Jan-2024 05:09:09.368 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
2024-01-29 21:09:09 30-Jan-2024 05:09:09.370 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 6.5.11-linuxkit
2024-01-29 21:09:09 30-Jan-2024 05:09:09.371 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
2024-01-29 21:09:09 30-Jan-2024 05:09:09.372 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /opt/java/openjdk/jre
2024-01-29 21:09:09 30-Jan-2024 05:09:09.373 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_392-b08
2024-01-29 21:09:09 30-Jan-2024 05:09:09.374 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Temurin
2024-01-29 21:09:09 30-Jan-2024 05:09:09.375 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /home/guacamole/tomcat
2024-01-29 21:09:09 30-Jan-2024 05:09:09.376 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /usr/local/tomcat
2024-01-29 21:09:09 30-Jan-2024 05:09:09.377 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/home/guacamole/tomcat/conf/logging.properties
2024-01-29 21:09:09 30-Jan-2024 05:09:09.377 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
2024-01-29 21:09:09 30-Jan-2024 05:09:09.377 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
2024-01-29 21:09:09 30-Jan-2024 05:09:09.378 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
2024-01-29 21:09:09 30-Jan-2024 05:09:09.378 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
2024-01-29 21:09:09 30-Jan-2024 05:09:09.378 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
2024-01-29 21:09:09 30-Jan-2024 05:09:09.379 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/home/guacamole/tomcat
2024-01-29 21:09:09 30-Jan-2024 05:09:09.379 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
2024-01-29 21:09:09 30-Jan-2024 05:09:09.379 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/home/guacamole/tomcat/temp
2024-01-29 21:09:09 30-Jan-2024 05:09:09.379 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.39] using APR version [1.7.0].
2024-01-29 21:09:09 30-Jan-2024 05:09:09.379 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [{4}].
2024-01-29 21:09:09 30-Jan-2024 05:09:09.380 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
2024-01-29 21:09:09 30-Jan-2024 05:09:09.393 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.2 15 Mar 2022]
2024-01-29 21:09:09 30-Jan-2024 05:09:09.527 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
2024-01-29 21:09:09 30-Jan-2024 05:09:09.563 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 998 ms
2024-01-29 21:09:09 30-Jan-2024 05:09:09.623 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
2024-01-29 21:09:09 30-Jan-2024 05:09:09.627 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/8.5.98]
2024-01-29 21:09:09 30-Jan-2024 05:09:09.675 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/home/guacamole/tomcat/webapps/guacamole.war]
2024-01-29 21:09:11 30-Jan-2024 05:09:11.756 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
2024-01-29 21:09:17 30-Jan-2024 05:09:17.603 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/home/guacamole/tomcat/webapps/guacamole.war] has finished in [7,927] ms
2024-01-29 21:09:17 30-Jan-2024 05:09:17.606 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
2024-01-29 21:09:17 30-Jan-2024 05:09:17.627 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 8063 ms
2024-01-29 21:09:12 05:09:12.457 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/home/guacamole/.guacamole".
2024-01-29 21:09:12 05:09:12.687 [localhost-startStop-1] INFO o.a.g.GuacamoleServletContextListener - Read configuration parameters from "/home/guacamole/.guacamole/guacamole.properties".
2024-01-29 21:09:12 05:09:12.692 [localhost-startStop-1] INFO o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes of inactivity.
2024-01-29 21:09:13 05:09:13.371 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Multiple extensions are installed and will be loaded in order of decreasing priority:
2024-01-29 21:09:13 05:09:13.371 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - - [saml] "SAML Authentication Extension" (/home/guacamole/.guacamole/extensions/1-guacamole-auth-sso-saml-1.5.4.jar)
2024-01-29 21:09:13 05:09:13.372 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - - [postgresql] "PostgreSQL Authentication" (/home/guacamole/.guacamole/extensions/guacamole-auth-jdbc-postgresql-1.5.4.jar)
2024-01-29 21:09:13 05:09:13.372 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - To change this order, set the "extension-priority" property or rename the extension files. The default priority of extensions is dictated by the sort order of their filenames.
2024-01-29 21:09:13 05:09:13.716 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "SAML Authentication Extension" (saml) loaded.
2024-01-29 21:09:15 05:09:15.382 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "PostgreSQL Authentication" (postgresql) loaded.
2024-01-29 21:09:15 05:09:15.594 [localhost-startStop-1] INFO o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
2024-01-29 21:09:49 05:09:49.771 [http-nio-8080-exec-9] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at http://web:8080/guacamole/api/ext/saml/callback instead of https://localhost/guacamole/api/ext/saml/callback
2024-01-29 21:09:49 05:09:49.771 [http-nio-8080-exec-9] WARN o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://web:8080/guacamole/api/ext/saml/callback instead of https://localhost/guacamole/api/ext/saml/callback
2024-01-29 21:09:53 05:09:53.447 [http-nio-8080-exec-2] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at http://web:8080/guacamole/api/ext/saml/callback instead of https://localhost/guacamole/api/ext/saml/callback
2024-01-29 21:09:53 05:09:53.447 [http-nio-8080-exec-2] WARN o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://web:8080/guacamole/api/ext/saml/callback instead of https://localhost/guacamole/api/ext/saml/callback
2024-01-29 21:09:56 05:09:56.520 [http-nio-8080-exec-7] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at http://web:8080/guacamole/api/ext/saml/callback instead of https://localhost/guacamole/api/ext/saml/callback
2024-01-29 21:09:56 05:09:56.520 [http-nio-8080-exec-7] WARN o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://web:8080/guacamole/api/ext/saml/callback instead of https://localhost/guacamole/api/ext/saml/callback
2024-01-29 21:09:59 05:09:59.930 [http-nio-8080-exec-8] ERROR c.onelogin.saml2.authn.SamlResponse - The response was received at http://web:8080/guacamole/api/ext/saml/callback instead of https://localhost/guacamole/api/ext/saml/callback
2024-01-29 21:09:59 05:09:59.930 [http-nio-8080-exec-8] WARN o.a.g.a.s.a.AssertionConsumerServiceResource - Authentication attempted with an invalid SAML response: SAML response did not pass validation: The response was received at http://web:8080/guacamole/api/ext/saml/callback instead of https://localhost/guacamole/api/ext/saml/callback
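What the log line above is reporting, as an added Python model of the mechanism (this is not Guacamole's or java-saml's code, and the hostnames, Docker network range, headers and the samlp:Response below are all constructed for the example): the SAML Response carries a Destination attribute naming the ACS URL the identity provider posted to, and in strict mode the service provider compares it with the URL it believes the request arrived at. Behind nginx, proxy_pass sends the upstream name as the Host header ("web:8080") and the backend connection is plain HTTP, so the URL the backend rebuilds is http://web:8080/..., not https://localhost/..., and the comparison fails. The documented nginx snippet forwards X-Forwarded-For only; the fix is to also forward X-Forwarded-Proto and X-Forwarded-Host (or set Host to the public host), and to have the container honour those headers only when the request really came from the proxy, which is the job of Tomcat's RemoteIpValve (the "Using default Tomcat proxy ... header" lines at the top of the log are that valve being configured). Trusting the headers from any peer would let a client that can reach port 8080 directly choose the URL the check compares against.

```python
"""Model of a strict SAML Destination check behind a reverse proxy.

Added example, not Guacamole or java-saml code. Everything below
(the backend hostname "web:8080", the public host "localhost", the
trusted proxy range 172.18.0.0/16 and the samlp:Response) is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_PATH = "/guacamole/api/ext/saml/callback"

# Assumption: the reverse proxy lives on this Docker network. Only requests
# whose TCP peer is in this range are allowed to rewrite scheme/host.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]


@dataclass
class BackendRequest:
    """What the servlet container sees on the upstream side of the proxy."""
    scheme: str                 # "http": nginx talks plain HTTP to Tomcat
    host: str                   # Host header as received, e.g. "web:8080"
    path: str
    remote_addr: str            # TCP peer that delivered the request
    headers: dict = field(default_factory=dict)


def effective_url(req, trusted_proxies=TRUSTED_PROXIES):
    """Rebuild the client-facing URL, the way a RemoteIpValve-style filter does.

    X-Forwarded-Proto / X-Forwarded-Host are honoured only when the peer is
    a trusted proxy; otherwise they are ignored, so a direct client cannot
    pick the URL that the Destination check compares against.
    """
    scheme, host = req.scheme, req.host
    peer = ipaddress.ip_address(req.remote_addr)
    if any(peer in net for net in trusted_proxies):
        scheme = req.headers.get("X-Forwarded-Proto", scheme)
        host = req.headers.get("X-Forwarded-Host", host)
    return f"{scheme}://{host}{req.path}"


def validate_destination(response_xml, req, strict=True,
                         trusted_proxies=TRUSTED_PROXIES):
    """Strict mode: Destination must equal the URL the request arrived at.

    Returns the URL the response was received at; raises ValueError with the
    same wording as the log line when the strict comparison fails. Non-strict
    mode skips the comparison (which is why SAML_STRICT=false "works").
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    received_at = effective_url(req, trusted_proxies)
    destination = root.get("Destination")
    if strict and destination is not None and destination != received_at:
        raise ValueError(
            f"The response was received at {received_at} instead of {destination}")
    return received_at


# Constructed response: only the attributes the check looks at are present.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed" Version="2.0" '
    f'IssueInstant="2024-01-30T05:09:49Z" '
    f'Destination="https://localhost{ACS_PATH}"/>'
)

# Headers as the documented nginx snippet sends them (X-Forwarded-For only)
# and with the two extra headers the backend needs to rebuild the public URL.
DOCS_NGINX_HEADERS = {"X-Forwarded-For": "198.51.100.7"}
FIXED_NGINX_HEADERS = {"X-Forwarded-For": "198.51.100.7",
                       "X-Forwarded-Proto": "https",
                       "X-Forwarded-Host": "localhost"}


def scenario(headers, remote_addr="172.18.0.2", strict=True):
    """Run the check for one proxy configuration; returns (status, detail)."""
    req = BackendRequest("http", "web:8080", ACS_PATH, remote_addr, headers)
    try:
        return "ok", validate_destination(SAMPLE_RESPONSE, req, strict=strict)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(scenario(DOCS_NGINX_HEADERS))                        # the loop from the post
    print(scenario(FIXED_NGINX_HEADERS))                       # passes
    print(scenario(FIXED_NGINX_HEADERS, remote_addr="203.0.113.5"))  # spoofed, ignored
```

The third scenario is the caveat worth keeping when tuning the allowed-proxy setting: the same two headers arriving from a peer outside the trusted range are ignored, so the check still fails closed. Switching SAML_STRICT back to false makes the loop go away by removing this comparison rather than by fixing the URL, and strict mode is also what gates other response validations, so forwarding the headers and scoping which peers may set them is the fix to aim for; the exact variable names for the Docker image's RemoteIpValve settings should be taken from the Guacamole docs for the version in use.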