Hi,

I'm currently running Guacamole with SAML SSO (extension):

guacd-hostname: 127.0.0.1
guacd-port: 4822
api-session-timeout: 1

extension-priority: saml
saml-idp-metadata-url: https://domain.org/idp
saml-entity-id: https://my.domain.org/guac
saml-callback-url: https://my.domain.org/guac
saml-debug: true
saml-private-key-file: /etc/ssl/tomcat/server.key
saml-group-attribute: urn:oid:1.2.840.113556.1.2.102

postgresql-hostname: 127.0.0.1
postgresql-database: guac_db
postgresql-username: guacuser
postgresql-password: guacpwd
postgresql-auto-create-accounts: true


Users don't access Guacamole-client directly. First, they connect to an Apache 
HTTP reverse proxy / WAF (with mod_security).

Now, I'm trying to move the SAML SSO part to that Apache HTTP reverse proxy and 
remove it from Guacamole.

I think one way of doing it is by enabling and configuring Mod Mellon in Apache 
HTTP, and then removing SAML SSO from Guacamole using HTTP Header 
authentication instead (https://guacamole.apache.org/doc/gug/header-auth.html).
I think it would be safe enough because Guacamole would only be accessible via 
localhost. HTTP requests would only come from the Apache HTTP service.

However, the manual only gives the example for the "user" HTTP header 
(http-auth-header defaults to REMOTE_USER).

Now, from Apache HTTP with Mellon I can set headers such as:

    RequestHeader set X-guac-UserGroups %{MELLON_urn:oid:1.2.840.113556.1.2.102}e env=MELLON_urn:oid:1.2.840.113556.1.2.102
    RequestHeader set X-guac-UserName %{MELLON_urn:oid:2.5.4.3}e env=MELLON_urn:oid:2.5.4.3
    RequestHeader set X-guac-UserEmail %{MELLON_urn:oid:0.9.2342.19200300.100.1.3}e env=MELLON_urn:oid:0.9.2342.19200300.100.1.3
    RequestHeader set X-guac-Organization %{MELLON_urn:oid:1.2.840.113556.1.2.146}e env=MELLON_urn:oid:1.2.840.113556.1.2.146

How can I "fully" migrate my Guac-based SAML-SSO config above to a Guac-HTTP 
Header auth config (or any other if you have any suggestions) with the frontend 
being an Apache2 HTTP reverse proxy?

All I can think of for now is to set the user like this:

http-auth-header: X-guac-UserName

What about the groups?

Will the users and groups be available in the Guacamole client web UI as they 
are now in my SAML-SSO setup?
Will "postgresql-auto-create-accounts: true" be honored even if the auth 
provider has changed?

Thanks,

Vieri


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
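The setup the post describes, as an added example; this is editor-written configuration, not code from the post, from Guacamole, or from mod_auth_mellon. The security point it makes concrete: Guacamole's header extension trusts whatever value arrives in the configured header, so the proxy must strip any client-supplied copy of that header before it does anything else, and Tomcat must be reachable only from the proxy. Hostnames, file paths, the Tomcat port and the MELLON_GUAC_* env names are assumptions; the attribute OIDs are the ones used in the post.

```apache
# Added example (not from the original post, Guacamole or mod_auth_mellon).
# Apache vhost in front of Guacamole: mod_auth_mellon does the SAML SP work,
# Guacamole only sees a trusted header. Paths, hostnames and port are assumed.
<VirtualHost *:443>
    ServerName my.domain.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/apache2/my.domain.org.crt
    SSLCertificateKeyFile /etc/ssl/apache2/my.domain.org.key

    # 1. Drop any client-supplied copy of the identity headers in the "early"
    #    phase, before authentication runs. Without this, anyone who can reach
    #    the proxy could log in to Guacamole as an arbitrary user.
    RequestHeader unset X-guac-UserName   early
    RequestHeader unset X-guac-UserGroups early
    RequestHeader unset X-guac-UserEmail  early
    RequestHeader unset REMOTE_USER       early

    <Location /guac>
        # 2. SAML handled entirely by mod_auth_mellon.
        MellonEnable "auth"
        MellonEndpointPath /guac/mellon
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
        MellonSPCertFile       /etc/apache2/mellon/sp.crt
        MellonIdPMetadataFile  /etc/apache2/mellon/idp-metadata.xml
        MellonSecureCookie On

        # Map assertion attributes to short env names (MELLON_GUAC_USER, ...)
        # instead of the raw MELLON_urn:oid:... names used in the post.
        MellonSetEnv "GUAC_USER"   "urn:oid:2.5.4.3"
        MellonSetEnv "GUAC_GROUPS" "urn:oid:1.2.840.113556.1.2.102"
        MellonSetEnv "GUAC_EMAIL"  "urn:oid:0.9.2342.19200300.100.1.3"
        MellonUser "urn:oid:2.5.4.3"

        # 3. Re-add the headers from Mellon's environment only. This runs in the
        #    fixup phase, after auth, so the header is present exactly when the
        #    SAML session is valid and never otherwise.
        RequestHeader set X-guac-UserName   "%{MELLON_GUAC_USER}e"   env=MELLON_GUAC_USER
        RequestHeader set X-guac-UserGroups "%{MELLON_GUAC_GROUPS}e" env=MELLON_GUAC_GROUPS
        RequestHeader set X-guac-UserEmail  "%{MELLON_GUAC_EMAIL}e"  env=MELLON_GUAC_EMAIL
    </Location>

    # 4. Keep the Mellon endpoints on the proxy (first match wins), proxy the
    #    rest to Tomcat on loopback. Tomcat must listen on 127.0.0.1 only, or
    #    the header stripping above protects nothing.
    ProxyPass /guac/mellon !
    ProxyPass        /guac/websocket-tunnel ws://127.0.0.1:8080/guacamole/websocket-tunnel
    ProxyPassReverse /guac/websocket-tunnel ws://127.0.0.1:8080/guacamole/websocket-tunnel
    ProxyPass        /guac http://127.0.0.1:8080/guacamole flushpackets=on
    ProxyPassReverse /guac http://127.0.0.1:8080/guacamole
    ProxyPassReverseCookiePath /guacamole /guac
</VirtualHost>
```

On the Guacamole side, guacamole.properties keeps the guacd and postgresql settings from the post, drops every saml-* property, and adds http-auth-header: X-guac-UserName. Whether the header extension consumes the X-guac-UserGroups header is the open question in the post; this configuration forwards it, but nothing here makes Guacamole read it. A check worth running after deployment: a request to /guac with a forged X-guac-UserName header and no Mellon cookie must be redirected to the IdP rather than answered by Guacamole.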