On Tuesday, April 8, 2025 at 04:35:35 PM GMT+2, Nick Couchman <vn...@apache.org> wrote:
> I'm not sure I understand why, if you're using mod_auth_mellon (SAML
> authentication for httpd) you'd need to move Guacamole away from SAML to
> header-based authentication? Why not keep the SAML authentication in
> Guacamole, and use mod_auth_mellon, or some other SAML-based
> authentication mechanism, for the reverse proxy components? You should be
> able to exclude Guacamole from the mod_auth_mellon authentication
> portion using either location-based rules in httpd configuration, or
> different vhosts, and that way you'd still get the group membership
> information out of SAML.

I need to auth just once with the IdP and both <Location /> and <Location /websocket-tunnel> must point to the Guacamole backend. I could then define <Location /backend2>, <Location /backendN>... for any other backend, but they all require SAML SSO via the same mod_mellon config. User authenticates once via IdP and accesses Guacamole and other backend services.

That's why I thought I could define mod_auth_mellon for <Location />, then use HTTP Headers for Guacamole just like I use HTTP headers in other backend servers to retrieve the values from the variables Mellon has set.

> And, yes, you're correct, the HTTP header module does not handle group
> membership - it is a very, very simple module. I'm sure it could be extended
> to support group membership via a header of some sort, just needs a little bit
> of code to do that.

Maybe by using the code in the SAML SSO extension regarding groups and adapting it to the HTTP Headers extension.

Thanks
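
The single-proxy layout described in this message, as an added httpd configuration sketch that is not part of the original post and not taken from the Guacamole or mod_auth_mellon documentation. The backend hostnames, file paths, the `/mellon` endpoint path and the `X-Remote-User` header name are assumptions; Guacamole's header extension would need `http-auth-header: X-Remote-User` in guacamole.properties to read it.

```apache
# Added example. Hostnames, paths and the header name are placeholders.
# Needs mod_auth_mellon, mod_headers, mod_proxy, mod_proxy_http, mod_proxy_wstunnel.

# Remove any client-supplied copy of the identity header before other
# processing, so a browser cannot present its own username to a backend.
RequestHeader unset X-Remote-User early

# Keep Mellon's own endpoint (login, logout, metadata) on this server;
# the exclusion must come before the catch-all ProxyPass for "/".
ProxyPass /mellon !

# More specific paths first: the WebSocket tunnel, then other backends,
# then everything else to Guacamole.
ProxyPass /websocket-tunnel ws://guac-backend.internal:8080/guacamole/websocket-tunnel
ProxyPass /backend2/ http://backend2.internal:8080/
ProxyPassReverse /backend2/ http://backend2.internal:8080/
ProxyPass / http://guac-backend.internal:8080/guacamole/
ProxyPassReverse / http://guac-backend.internal:8080/guacamole/

<Location />
    # One SAML service provider for the whole vhost: a single IdP login
    # covers Guacamole and every other proxied backend.
    AuthType Mellon
    MellonEnable "auth"
    Require valid-user
    MellonEndpointPath "/mellon"
    MellonSPPrivateKeyFile /etc/httpd/saml/sp.key
    MellonSPCertFile /etc/httpd/saml/sp.crt
    MellonSPMetadataFile /etc/httpd/saml/sp-metadata.xml
    MellonIdPMetadataFile /etc/httpd/saml/idp-metadata.xml

    # Mellon exports the SAML NameID as the MELLON_NAME_ID environment
    # variable; copy it into the header the backends read.
    RequestHeader set X-Remote-User "%{MELLON_NAME_ID}e"
</Location>

# With header-based authentication the backend trusts whatever arrives in
# X-Remote-User, so the Guacamole port must accept connections only from
# this proxy (bind address or firewall rule on the backend host).
```

As the quoted reply notes, the header module carries only the username, so group membership from the SAML assertion is not available to Guacamole in this layout.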