On Mon, Apr 7, 2025 at 6:51 PM Vieri <rentor...@yahoo.com.invalid> wrote:
> The reason I'm trying to move from SAML to HTTP Headers is also related to
>
> https://issues.apache.org/jira/browse/GUACAMOLE-1659
>
> I need to add HTTP/S connections, and one way (albeit tedious) is with
> Apache HTTP reverse proxy.
> I also need federated auth, so I am using mod_auth_mellon for that.
>
> Now I'm a bit stuck mid-way. I was hoping to work around the missing HTTP
> feature in Guacamole by using the HTTP header auth provider while at the
> same time configuring HTTP backend services via WAF. The problem I see is
> that the HTTP Header extension is missing code for handling groups.
>

I'm not sure I understand why, if you're using mod_auth_mellon (SAML authentication for httpd), you'd need to move Guacamole away from SAML to header-based authentication. Why not keep the SAML authentication in Guacamole, and use mod_auth_mellon, or some other SAML-based authentication mechanism, for the reverse proxy components? You should be able to exclude Guacamole from the mod_auth_mellon authentication portion using either location-based rules in httpd configuration, or different vhosts, and that way you'd still get the group membership information out of SAML.

And, yes, you're correct, the HTTP header module does not handle group membership - it is a very, very simple module. I'm sure it could be extended to support group membership via a header of some sort, just needs a little bit of code to do that.

-Nick
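
The location-based split suggested in the reply above, sketched as an httpd virtual host. This is an added example, not configuration from either poster. The hostname, file paths, backend addresses and the `/intranet/` path are placeholders, and it assumes Guacamole's SAML extension and mod_auth_mellon are each registered with the IdP as their own service provider.

```apache
# Constructed example: every hostname, path and backend address is a placeholder.
<VirtualHost *:443>
    ServerName portal.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/portal.crt
    SSLCertificateKeyFile /etc/httpd/tls/portal.key

    # mod_auth_mellon service-provider settings, inherited by the Locations below.
    # "info" populates attributes for an existing session but does not force login.
    <Location />
        MellonEnable "info"
        MellonEndpointPath /mellon
        MellonSPPrivateKeyFile /etc/httpd/mellon/sp.key
        MellonSPCertFile       /etc/httpd/mellon/sp.cert
        MellonSPMetadataFile   /etc/httpd/mellon/sp-metadata.xml
        MellonIdPMetadataFile  /etc/httpd/mellon/idp-metadata.xml
    </Location>

    # Guacamole: mellon is switched off here, so Guacamole's own SAML extension
    # handles login and still receives group membership from the assertion.
    <Location /guacamole/>
        MellonEnable "off"
        ProxyPass        http://127.0.0.1:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://127.0.0.1:8080/guacamole/
    </Location>

    # Guacamole WebSocket tunnel, also excluded from mellon.
    <Location /guacamole/websocket-tunnel>
        MellonEnable "off"
        ProxyPass        ws://127.0.0.1:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
    </Location>

    # Proxied HTTP backend: a valid mellon SAML session is required
    # before any request reaches the backend.
    <Location /intranet/>
        AuthType Mellon
        MellonEnable "auth"
        Require valid-user
        ProxyPass        http://10.0.0.20:8080/
        ProxyPassReverse http://10.0.0.20:8080/
    </Location>
</VirtualHost>
```

Later `<Location>` sections override earlier ones, so the `/guacamole/` blocks must come after the catch-all `/` block for the `MellonEnable "off"` setting to take effect.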