On 12/18/24 12:20 PM, Devine, Harry (FAA) wrote:
OK, our Okta team had to make some changes on their end to send the data back properly.  So now I can get in using our smart card authentication.  But this leads to 2 questions/issues that I still need help with:

 1. How can I by-pass the SAML authentication to be able to log in as
    the guacadmin user?

You can configure things to present a login UI, with SAML being an option:

https://guacamole.apache.org/doc/gug/saml-auth.html#presenting-unauthenticated-users-with-a-login-screen

The default is otherwise to redirect all users to the SAML IdP.

 2. I had a user try to log in, and he did successfully.  But he doesn’t
    have a user account in the internal MySQL database, so why wouldn’t
    that be rejected?  He has no permissions and can’t assign his user
    to any connections, but I was thinking that there should’ve been
    some sort of block.


Nope, it's perfectly legitimate for a user to come purely through SSO, LDAP, or similar and have no associated record in the database at all. It's common to configure such users to inherit connection access rights through group memberships.

If you want to require all users to have an account in your database, there is an option for that:

https://guacamole.apache.org/doc/gug/jdbc-auth.html#restricting-authentication-to-database-users-only

- Mike
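
The two options referenced in the reply above, shown as a guacamole.properties fragment. This is an added example, not part of the original message; it assumes the SAML and MySQL extensions are already configured and working, and that the remaining SAML and MySQL properties are left unchanged.

```properties
# guacamole.properties (fragment) - added example, not from the original thread

# Present unauthenticated users with the normal Guacamole login screen,
# with SAML offered as a sign-in option, instead of redirecting everyone
# straight to the IdP. "*" stands for all other installed extensions, so
# listing "saml" after it gives SAML the lowest priority. A database-only
# account such as guacadmin can then sign in with its username and password.
extension-priority: *, saml

# Reject any user who authenticates through another extension (here SAML)
# but has no matching account in the MySQL database. The default is false,
# which is why an SSO-only user with no database record was allowed in
# (with no permissions).
mysql-user-required: true
```

Guacamole reads guacamole.properties at startup, so restart the servlet container after changing it. With `mysql-user-required` enabled, create each user's database account under the same username the IdP asserts before that user's first login.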
