On Wed, Apr 9, 2025 at 7:57 AM Vieri <rentor...@yahoo.com.invalid> wrote:
> On Tuesday, April 8, 2025 at 04:35:35 PM GMT+2, Nick Couchman <vn...@apache.org> wrote:
>
> > I'm not sure I understand why, if you're using mod_auth_mellon (SAML authentication for httpd) you'd need to move Guacamole away from SAML to header-based authentication? Why not keep the SAML authentication in Guacamole, and use mod_auth_mellon, or some other SAML-based authentication mechanism, for the reverse proxy components? You should be able to exclude Guacamole from the mod_auth_mellon authentication portion using either location-based rules in httpd configuration, or different vhosts, and that way you'd still get the group membership information out of SAML.
>
> I need to auth just once with the IdP and both <Location /> and <Location /websocket-tunnel> must point to the Guacamole backend.
> I could then define <Location /backend2>, <Location /backendN>... for any other backend, but they all require SAML SSO via the same mod_mellon config.
> User authenticates once via IdP and accesses Guacamole and other backend services.
>
> That's why I thought I could define mod_auth_mellon for <Location />, then use HTTP Headers for Guacamole just like I use HTTP headers in other backend servers to retrieve the values from the variables Mellon has set.

You could, yes; however, you could also configure the <Location/> directives such that it does not perform mod_auth_mellon authentication for the Guacamole location(s), and allow Guacamole to continue to manage that using the SAML extension. Either way should work; however, as you're finding out, if you switch over to the header module you're going to either lose some functionality or have to extend/write it yourself.

> > And, yes, you're correct, the HTTP header module does not handle group membership - it is a very, very simple module. I'm sure it could be extended to support group membership via a header of some sort, just needs a little bit of code to do that.
>
> Maybe by using the code in the SAML SSO extension regarding groups and adapting it to the HTTP Headers extension.

Yes, you could do this. My only caution would be that I suspect that the length of the HTTP headers is limited, and that you may run into problems if, for example, the list of groups your user(s) are associated with gets too long, or the format is unexpected (LDIF vs. group name), etc. In addition to implementing it, you'll want to do some testing of limits on those headers to see where that might break down. You'll also have to figure out a way to 1) generate the header with the group names on the mod_auth_mellon side, 2) find a uniform and deterministic way to separate multiple groups (assuming you intend to support multiple groups), and 3) parse out the multiple groups on the Guacamole header side.

-Nick
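Added example covering the three steps Nick lists (build the header from the Mellon-set variables, separate groups deterministically, parse them back out) plus the length and DN-vs-name caveats; this is not code from the thread or from the Guacamole or mod_auth_mellon projects. The MELLON_<attr>_<index> variable names, the separator and the 8000-byte limit are assumptions chosen for illustration.

```python
"""Build and parse a group-membership header, both proxy and Guacamole side."""
import re
from typing import Dict, List

# Constructed sample of what mod_auth_mellon leaves in the request environment
# for a multi-valued "groups" attribute. The MELLON_<attr>_<index> naming is an
# assumption for this example; check your own MellonSetEnv mapping.
SAMPLE_ENV = {
    "MELLON_NAME_ID": "alice",
    "MELLON_groups_0": "guac-admins",
    "MELLON_groups_1": "cn=vpn-users,ou=groups,dc=example,dc=org",
    "MELLON_groups_2": "guac-admins",  # duplicate on purpose
}

SEPARATOR = ";"        # one fixed separator agreed on by both sides
MAX_HEADER_LEN = 8000  # assumed limit; keep below your httpd/Tomcat header cap
DN_RE = re.compile(r"^cn=([^,]+),", re.IGNORECASE)  # LDIF-style DN, first RDN


def build_group_header(env: Dict[str, str], attr: str = "groups") -> str:
    """Proxy side: join MELLON_<attr>_N values in index order into one header."""
    prefix = f"MELLON_{attr}_"
    indexed = []
    for key, val in env.items():
        suffix = key[len(prefix):]
        if key.startswith(prefix) and suffix.isdigit():
            indexed.append((int(suffix), val))
    joined = SEPARATOR.join(v for _, v in sorted(indexed))
    if len(joined) > MAX_HEADER_LEN:
        # Fail closed: a truncated header would silently drop group grants.
        raise ValueError("group header exceeds configured limit")
    return joined


def parse_group_header(value: str) -> List[str]:
    """Guacamole side: split on the separator, reduce DNs to their cn, dedupe."""
    if not value:
        return []
    if len(value) > MAX_HEADER_LEN:
        raise ValueError("group header too long; refusing to parse")
    groups: List[str] = []
    for raw in value.split(SEPARATOR):
        name = raw.strip()
        if not name:
            continue  # tolerate empty fields such as a trailing separator
        match = DN_RE.match(name)
        if match:
            name = match.group(1).strip()  # "cn=vpn-users,ou=..." -> "vpn-users"
        if name not in groups:
            groups.append(name)
    return groups
```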