Hi,

I don’t know if this is the correct way to answer through this mailing list. I 
tried SAML with Keycloak and managed to pass the groups through the token. 
However, on Keycloak, it is the “roles” tab where you should put what group you 
want the user to have in Guacamole, maybe it is something similar with Azure. 
Moreover, both the role name on Keycloak and the group name on Guacamole have 
to be the same (I haven’t searched for anything like a name-mapper if anyone 
has an answer to that). Hope this helps.

Regards

Raphaël CAUDRON – rcaud...@cirilgroup.com
Systems Engineer - Managed Services and Outsourcing
T. +33 (0)4 72 69 16 80
49 av. Albert Einstein - BP 12074 - 69603 Villeurbanne Cedex - France

From: Nick Couchman <vn...@apache.org>
Sent: Tuesday, May 27, 2025 16:02
To: user@guacamole.apache.org
Subject: Re: Azure SSO/SAML group attribute for Guacamole group


On Tue, May 27, 2025 at 5:24 AM Peter Camps <p.ca...@eshgro.nl.invalid> wrote:
Hi,

I installed Guacamole 1.5.5 on Ubuntu 24.04.2 LTS, native install.

Also using Tomcat 9.0.105, MySQL Ver 8.0.42-0ubuntu0.24.04.1 and NGINX Proxy 
Manager v2.12.3 (in Docker).
After this I also enabled SAML for Azure SSO and created the Enterprise 
application with SSO in Azure.

This is working fine at the moment, but I am struggling with the final steps to 
configure adding the connection groups to the logged-on user.


I have a connection group in Guacamole named Servers and I want all logged-on 
users to be able to use the connections in this group.

I have tried multiple suggestions on the web how to enable this. I have tried 
all kinds of settings in the guacamole.properties file.

saml-group-attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
saml-group-attribute: groups
saml-group-attribute: servers


I believe "groups" is both the correct syntax and the default:

https://guacamole.apache.org/doc/gug/saml-auth.html

You may need to enable some debugging, in either the Guacamole web application 
as a whole and/or in the SAML extension to make sure you're getting the claims 
through and that they are formatted as you expect. The SAML debugging can be 
found in the above link to the SAML portion of the manual - the general logging 
can be found here:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application

But whatever I do in Azure, creating a new claim or a new group claim, using 
all kinds of settings I have not been able to log into Guacamole as user and 
get all the connections I need.
I know that you can do this upfront, creating the (azure) user and assigning 
the group, but I would really like to be able to have this automated.
We are going to have multiple users using this eventually.

Is there somebody who can guide me through this process? Or can point me to a 
working tutorial?


After configuring the group attribute in the SAML extension, have you created 
the matching group in the Guacamole admin interface and assigned permissions to 
that group?

-Nick
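
One way to carry out the check suggested in the thread (that the claims arrive and are formatted as expected), as an added example that is not part of the original messages or of the Guacamole project. It assumes a SAMLResponse form field captured from the browser's POST (base64, unencrypted assertion) and exact, case-sensitive name matching as described in the first reply; the function names are hypothetical and the sample response and group ID are constructed.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned SAMLResponse. The group ID is made up.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
   <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups">
   <saml:AttributeValue>Servers</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()


def saml_attributes(saml_response_b64):
    """Return {attribute name: [values]}. Debugging aid only: no signature check."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations are not expected in SAML")
    root = ET.fromstring(xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_group_mapping(saml_response_b64, group_attribute, guacamole_groups):
    """Compare values of the configured attribute with existing Guacamole group names."""
    attrs = saml_attributes(saml_response_b64)
    received = attrs.get(group_attribute)
    if received is None:  # the configured attribute name is not in the assertion
        return {"attribute_present": False, "available": sorted(attrs),
                "matched": [], "unmatched": []}
    return {"attribute_present": True, "available": sorted(attrs),
            "matched": [g for g in received if g in guacamole_groups],
            "unmatched": [g for g in received if g not in guacamole_groups]}


if __name__ == "__main__":
    # The three saml-group-attribute values tried in the thread.
    for name in ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
                 "groups", "servers"):
        print(name, "->", check_group_mapping(SAMPLE_B64, name, {"Servers"}))
```

An attribute that is present but has only unmatched values means the group claim arrives but no Guacamole group with that exact name exists, which is the situation Nick's last question is probing.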
