Hi, I don’t know if this is the correct way to answer through this mailing list.

I tried SAML with Keycloak and managed to pass the groups through the token. However, on Keycloak, it is the “roles” tab where you should put what group you want the user to have in Guacamole; maybe it is something similar with Azure. Moreover, both the role name on Keycloak and the group name on Guacamole have to be the same (I haven’t searched for anything like a name-mapper, if anyone has an answer to that).

Hope this helps.
Regards,
Raphaël CAUDRON - rcaud...@cirilgroup.com
Systems Engineer - Managed Services and Outsourcing

From: Nick Couchman <vn...@apache.org>
Sent: Tuesday, 27 May 2025 16:02
To: user@guacamole.apache.org
Subject: Re: Azure SSO/SAML group attribute for Guacamole group

On Tue, May 27, 2025 at 5:24 AM Peter Camps <p.ca...@eshgro.nl.invalid> wrote:

> Hi, I installed Guacamole 1.5.5 on Ubuntu 24.04.2 LTS, native install. Also using Tomcat 9.0.105, MySQL Ver 8.0.42-0ubuntu0.24.04.1 and NGINX Proxy Manager v2.12.3 (in Docker). After this I also enabled SAML for Azure SSO and created the Enterprise application with SSO in Azure. This is working fine at the moment, but I am struggling with the final steps to configure adding the connection groups to the logged-on user. I have a connection group in Guacamole named Servers and I want all logged-on users to be able to use the connections in this group.
> I have tried multiple suggestions on the web how to enable this. I have tried all kinds of settings in the guacamole.properties file.
>
> saml-group-attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
> saml-group-attribute: groups
> saml-group-attribute: servers

I believe "groups" is both the correct syntax and the default:
https://guacamole.apache.org/doc/gug/saml-auth.html

You may need to enable some debugging, in either the Guacamole web application as a whole and/or in the SAML extension to make sure you're getting the claims through and that they are formatted as you expect. The SAML debugging can be found in the above link to the SAML portion of the manual - the general logging can be found, here:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application

> But whatever I do in Azure, creating a new claim or a new group claim, using all kinds of settings I have not been able to log into Guacamole as user and get all the connections I need. I know that you can do this upfront, creating the (azure) user and assigning the group, but I would really like to be able to have this automated. We are going to have multiple users using this eventually.
>
> Is there somebody who can guide me through this process? Or can point me to a working tutorial?

After configuring the group attribute in the SAML extension, have you created the matching group in the Guacamole admin interface and assigned permissions to that group?

-Nick
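
Added example (not from any poster in this thread and not Guacamole code): a Python check for the debugging step discussed above, listing the attributes in a decoded SAML assertion and testing each `saml-group-attribute` value tried in the thread against them. The sample assertion is constructed, the function names are hypothetical, and it assumes the attribute name and the group names must match exactly.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AZURE_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion (already base64-decoded); all values are made up.
SAMPLE_ASSERTION = f"""\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{AZURE_GROUPS}">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>Servers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayname">
      <saml:AttributeValue>Example User</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def assertion_attributes(xml_text):
    """Return {attribute Name: [values]} for every Attribute in the assertion.
    Inspection only: this does not verify the assertion's signature."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_group_mapping(xml_text, group_attribute, guacamole_groups):
    """Compare the configured saml-group-attribute with what the IdP sent.
    Assumption: attribute Name and group names must match exactly."""
    attrs = assertion_attributes(xml_text)
    values = attrs.get(group_attribute)
    return {
        "attribute_found": values is not None,
        "available": sorted(attrs),
        "matched": [v for v in values or [] if v in guacamole_groups],
        "unmatched": [v for v in values or [] if v not in guacamole_groups],
    }

if __name__ == "__main__":
    for name in ("groups", "servers", AZURE_GROUPS):
        print(name, check_group_mapping(SAMPLE_ASSERTION, name, {"Servers"}))
```
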