On Wed, Oct 23, 2024 at 11:41 AM MARCO ANTONIO RIVERA ORTEGA <mrive...@usmp.pe> wrote:

> HELLO EVERYONE
> I'M DOING SOME TESTS WITH GUACAMOLE. THE TESTS WERE SATISFACTORY WHEN
> INTEGRATING WITH SAML. I HAVE A MICROSOFT TENANT WITH MORE THAN 1000 USERS.
> IS THERE A WAY TO BE ABLE TO CONFIGURE SO THAT USERS CAN LOG IN WITH THEIR
> MICROSOFT ACCOUNT, WITHOUT HAVING TO ADD ONE BY ONE IN THE GUACAMOLE
> SETTINGS SO THAT THEY CAN ACCESS THE VIRTUAL MACHINES IN MY GUACAMOLE.
>

Marco,
First, please do not type your e-mail in ALL CAPS - this is considered the
equivalent of yelling at someone :-).

As for the actual issue you're facing, there are a couple of things to keep
in mind:
* You can enable automatic account creation in the Guacamole database
module, so that accounts that are successfully authenticated through, for
example, SAML, are automatically created in the database:
https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users.
* That alone, however, will likely not resolve your issues totally, because
you'll still have to grant each user access to connections. I'd also
suggest that you use groups in your configuration, as this will help you
manage assigning permissions to users without having to individually assign
each user the permissions. To do this, you'll need to make sure that your
SAML IdP is set to send group membership in an attribute, and then make
sure Guacamole is configured to receive it in the matching attribute, using
the "saml-group-attribute" property in guacamole.properties. See:
https://guacamole.apache.org/doc/gug/saml-auth.html#configuring-guacamole-for-saml-authentication.
Once you have that configured, you can create the matching groups on the
database side and assign permissions, and Guacamole will grant that access
to SAML users who are part of those groups.

-Nick
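A guacamole.properties fragment that puts both of Nick's points together (automatic database account creation plus a SAML group attribute mapped onto database groups). This is an added illustration, not a file from the thread or from the Guacamole project; the hostnames, database credentials, tenant and application IDs are placeholders, and the claim name used for saml-group-attribute is an assumption about the IdP that must be checked against a real assertion.

```properties
# guacamole.properties: SAML login, auto-created database accounts and
# group-based permissions. Added example, not from the thread or project.
# Hostnames, credentials, tenant/app IDs and the claim name below are
# placeholders or assumptions; replace them with your own values.

# --- Database authentication module (MySQL shown; the postgresql-/
# --- sqlserver-prefixed properties are the equivalents for those backends)
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: <REPLACE-WITH-DB-PASSWORD>

# Create the user's database record on the first successful SAML login,
# so the tenant's users do not have to be added one by one. The new record
# carries no permissions of its own; access comes from group membership.
mysql-auto-create-accounts: true

# --- SAML authentication module
saml-idp-metadata-url: https://login.microsoftonline.com/<TENANT-ID>/federationmetadata/2007-06/federationmetadata.xml?appid=<APP-ID>
saml-entity-id: https://guac.example.com/
saml-callback-url: https://guac.example.com/guacamole/

# Name of the SAML attribute that carries group membership. It must match
# exactly what the IdP emits. The value below is the claim name assumed
# for the Microsoft tenant in this example; confirm it by inspecting an
# actual assertion before relying on it.
saml-group-attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
```

With this in place, the remaining work is on the database side: create user groups in the Guacamole admin interface whose names match the values the IdP sends in that attribute (depending on how the IdP's group claim is configured, those values may be group identifiers rather than display names, so check an assertion first), then grant connection permissions to those groups rather than to individual users. A SAML user who is auto-created and arrives with a matching group value then sees the connections granted to that group without any per-user configuration.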
