On Tue, Feb 25, 2025 at 9:01 AM Johnson, Nachay [USA]
<johnson_nac...@bah.com.invalid> wrote:

> Is it possible to have separate login paths for SAML and the Guacamole
> login page? I’d like users to authenticate using SAML, while admins can log
> in through a different path. One path would be external for users, and
> another would be internal for admins. Can this be done in Guacamole without
> having login and SAML on the same page?
>

Maybe - I'm not entirely sure that what you're asking can be done, but
probably close. Here are the options that you have:

* The manual page for SAML
(https://guacamole.apache.org/doc/gug/saml-auth.html#controlling-login-behavior)
describes the possibility of controlling whether or not users are
automatically redirected to the SAML provider from the login page. If you
enable this, and go to the Guacamole page, you'll get the normal Guacamole
login dialog with a link at the bottom for the SAML redirect. This doesn't
allow you to automatically redirect external users, but it at least gives
you the option. You could take the link that is provided on that page and
give that to users for the external login, and have them use that instead
of the default URL, but that's not so much an automatic redirect based on
source IP.
* SAML IdPs generally have a link that you can use that triggers
authentication and then redirects them back to a certain application. You
could give them this URL, to the IdP, instead of the one to Guacamole.
* You could set up different Guacamole Client instances for internal vs.
external, pointed at the same back-end database. This has some other
consequences for things like connection sharing, connection limits, etc.,
so depending on what your Guacamole environment looks like, it may not be
as simple as just setting that up.

-Nick
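
A sketch of the first and third options above as `guacamole.properties` fragments, added here as an illustration and not taken from the thread or from the poster's environment. It assumes Guacamole 1.4.0 or later (where `extension-priority` controls the SAML redirect) and a MySQL back end; every hostname, URL and credential is a placeholder.

```properties
# ---------------------------------------------------------------
# External instance (users), e.g. guac-ext.example.com (placeholder)
# Installed extensions: SAML + JDBC (MySQL)
# ---------------------------------------------------------------
# Listing only "saml" redirects unauthenticated visitors straight to the IdP.
extension-priority: saml
# Placeholder IdP and service-provider values:
saml-idp-metadata-url: https://idp.example.com/metadata
saml-entity-id: https://guac-ext.example.com/guacamole
saml-callback-url: https://guac-ext.example.com/guacamole
# Shared back-end database (same values on both instances):
mysql-hostname: db.internal.example
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME

# ---------------------------------------------------------------
# Internal instance (admins), e.g. guac-int.internal.example (placeholder)
# Installed extensions: JDBC (MySQL) only, no SAML extension, so the
# normal Guacamole login dialog is the only way in.
# Assumption: this host is reachable only from the internal network;
# that restriction comes from the network or reverse proxy, not Guacamole.
# ---------------------------------------------------------------
mysql-hostname: db.internal.example
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME

# ---------------------------------------------------------------
# Single-instance alternative (first option above):
# show the normal login dialog with a SAML link at the bottom
# instead of redirecting automatically.
# ---------------------------------------------------------------
# extension-priority: *, saml
```

The three sections are separate files or alternatives, not one combined file. With two instances on one database, the consequences for connection sharing and connection limits mentioned above still apply.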
