On Thu, Nov 14, 2024 at 10:47 AM Barnhart, Steven <barnhart....@osu.edu.invalid> wrote:
> I have been using the updated Duo plugin, by back porting to 1.5.5. It has
> been great, but I am wondering if it is possible to not need to specify the
> DUO_REDIRECT_URI or if I am missing something.
>
> We use a load balancer in front of a multi-server Guacamole install, but
> sometimes want to test specific servers, especially when making changes.
> With the requirement for the DUO_REDIRECT_URI, we can’t because the
> redirect is hard coded to the LB hostname.

The requirement to provide this is because it is difficult, if not impossible, to automatically, securely and accurately, determine the URL to redirect back to once you've redirected away for something like Duo (or SAML or OIDC, etc.). It's almost universally required across the applications that I've configured, anyway, that the URL of the application is provided by something in the application configuration, which is used to generate a URL that is then sent to the IdP as the URL that should be used to redirect back to once authentication is completed.

In addition to Guacamole, NextCloud is probably the most frequent one that I've configured, and it uses the values in the config.php file to come up with this information.

Overall, the point is, it has to be configured _somewhere_, and, in the case of Guacamole, it is done via this DUO_REDIRECT_URI parameter (or the matching parameter in guacamole.properties, if you're not using containers or environment variables for configuration).

-Nick
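An added illustration of the reply above, not part of the original thread and not Guacamole's code: it compares a redirect URL guessed from each request's headers with a single configured value, for requests as a backend node behind a load balancer would see them. The hostnames, the `/guacamole/` path and the sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed deployment value, standing in for what DUO_REDIRECT_URI would hold.
CONFIGURED_REDIRECT_URI = "https://guac.example.org/guacamole/"

def derived_redirect_uri(scheme, headers, path="/guacamole/"):
    """Guess the external URL from what the backend sees on one request."""
    # Forwarding headers win when present. They and Host are whatever the
    # client sent unless a proxy in front overwrites them.
    proto = headers.get("X-Forwarded-Proto", scheme)
    host = headers.get("X-Forwarded-Host", headers.get("Host", ""))
    return f"{proto}://{host}{path}"

def classify(scheme, headers, configured=CONFIGURED_REDIRECT_URI):
    """Compare the per-request guess against the configured URI."""
    guess = derived_redirect_uri(scheme, headers)
    if guess == configured:
        return "match"
    if urlsplit(guess).hostname == urlsplit(configured).hostname:
        return "wrong-scheme-or-port"
    return "wrong-host"

# Constructed requests: (scheme the backend sees, request headers).
SAMPLES = {
    "via_lb_with_headers": ("http", {
        "Host": "node1.internal:8080",
        "X-Forwarded-Host": "guac.example.org",
        "X-Forwarded-Proto": "https"}),
    # TLS terminated at the LB, no forwarding headers added.
    "via_lb_no_headers": ("http", {"Host": "guac.example.org"}),
    # Direct connection to one node for testing.
    "direct_to_node": ("http", {"Host": "node1.internal:8080"}),
    # Forwarding header supplied by the client and passed through unchanged.
    "client_set_header": ("http", {
        "Host": "guac.example.org",
        "X-Forwarded-Host": "untrusted.example",
        "X-Forwarded-Proto": "https"}),
}

def audit():
    """Return {sample name: (derived URI, classification)}."""
    return {name: (derived_redirect_uri(s, h), classify(s, h))
            for name, (s, h) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (uri, verdict) in audit().items():
        print(f"{name:22} {verdict:22} {uri}")
```

Only one of the four constructed requests reproduces the configured URL; the others yield a wrong scheme, an internal hostname, or a host taken from a client-supplied header, which is why the value is set in configuration instead.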