On 6/11/24 4:18 PM, Samuel Chen wrote:
> Hi All,
> I'm having an issue where users who log in using the SAML authentication
> extension are not able to see the connections assigned to their user
> group's parent group. I have set up parent user groups that contain
> certain sets of connections that I want to be able to assign to
> different user groups. For example, I have parent group A with Windows
> RDP connections and parent group B with Linux SSH connections. I then
> assigned user group C as a child group to both user groups A and B. The
> SAML user is assigned to user group C and is able to see connections
> that have been directly assigned to user group C, but not the
> connections assigned to group A or B. However, when I create a local
> user assigned to the same user group C, I am able to see the connections
> from all 3 groups. Additionally, if I create a local user with the same
> username as my SAML user and manually assign group C, the user is able
> to see connections from all 3 groups even while signing in with SAML.

What you describe _should_ work. Given that you've already confirmed
that permissions granted directly to the main group of interest work as
expected, it doesn't sound like there's anything wrong with how groups
are mapped between your IdP and Guacamole, nor does it sound like there
are any issues with the content of the SAML assertion. By testing the
same groups with a local user, you've also confirmed that there isn't
any issue with the group hierarchy vs. permission inheritance.
I'll try to reproduce the behavior and see what I can see...
- Mike