On Sun, Oct 27, 2024 at 10:46 AM TianRong Ong <tianrong....@gmail.com>
wrote:

> Hi,
>
> I have been trying to set up SAML SSO on Guacamole with Microsoft ADFS.
>
> I have downloaded the file
> https://downloads.apache.org/guacamole/1.5.5/binary/guacamole-auth-sso-1.5.5.tar.gz
>
> and have copied the guacamole-auth-sso-saml-1.5.5.jar to the folder
> /etc/guacamole/extensions
> as well as the below into guacamole.properties.
>
> #for saml
> saml.service.provider.entity.id: https://guacserver01/guacamole
> saml-entity-id: https://guacserver01/guacamole
> saml-callback-url: https://guacserver01/guacamole
> saml-debug: true
> saml.idp.metadata-url=https://ADFS.contoso.dom/adfs/federationmetadata/2007-06/federationmetadata.xml
> saml.idp.entity-id=http://ADFS.contoso.dom/adfs/services/trust
> saml.idp.sso-url=https://ADFS.contoso.dom/adfs/ls/
> saml.idp.logout-url=https://ADFS.contoso.dom/adfs/logout
>
> However, with each click into the SAML login there is this error on the SAML page
> https://guacserver01.contoso.dom/guacamole/api/ext/saml/login
>
> {
>   "message": "Unexpected internal error",
>   "translatableMessage": {
>     "key": "APP.TEXT_UNTRANSLATED",
>     "variables": {
>       "MESSAGE": "Unexpected internal error"
>     }
>   },
>   "statusCode": null,
>   "expected": null,
>   "type": "INTERNAL_ERROR"
> }
>
> What have I not done, or done wrong, here? Any advice?
>
>
Well, you'll likely need to examine the logs for Guacamole and possibly the
IdP to see exactly what's happening, but I think the most frequent issue
we've encountered on the list with this occurs when you're using Guacamole
behind a reverse proxy, and that reverse proxy does not maintain the
"https" protocol/scheme on the URL and switches it back to "http". Make
sure your reverse proxy, if you're using one, is configured to set the scheme
header - here's a sample Nginx one:

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }

-Nick
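An added example (not from this thread, nor Guacamole's or Nginx's own code) that models the scheme mismatch described above: it scans an Nginx location block for the forwarding headers the sample sets, and derives the base URL a backend on http://127.0.0.1:8080 would believe it was reached on, with and without X-Forwarded-Proto, then compares that against a configured saml-callback-url. The blocks, header sets and callback URL are constructed sample input; the header-to-URL derivation is an assumed model of what the sample config intends, not a description of Guacamole internals.

```python
import re

# Constructed sample input: a location block like the one in the reply, and a
# weak variant that forwards Host but drops the scheme header.
GOOD_BLOCK = """
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
"""
BAD_BLOCK = """
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
}
"""

# Headers (and the Nginx variables they must carry) a TLS-terminating proxy
# needs to forward so the backend can rebuild its external https URL.
REQUIRED = {"Host": "$host", "X-Forwarded-Proto": "$scheme"}


def forwarded_headers(block):
    """Map header name -> value for every proxy_set_header in a location block."""
    return dict(re.findall(r"proxy_set_header\s+(\S+)\s+([^;]+);", block))


def missing_headers(block):
    """Required forwarding headers the block omits or sets to the wrong variable."""
    found = forwarded_headers(block)
    return [h for h, v in REQUIRED.items() if found.get(h) != v]


def effective_base_url(headers, upstream="127.0.0.1:8080"):
    """Base URL the backend derives from forwarded headers (assumed model):
    without X-Forwarded-Proto it only knows the plain-http upstream socket."""
    scheme = headers.get("X-Forwarded-Proto", "http")
    host = headers.get("X-Forwarded-Host") or headers.get("Host", upstream)
    return f"{scheme}://{host}"


def callback_matches(configured_callback, headers):
    """True when the backend-derived base URL agrees with saml-callback-url."""
    return configured_callback.startswith(effective_base_url(headers))
```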
