guacamole-user mailing list archives

From Colin McGuigan <colin_guacam...@walkingshadows.org>
Subject Re: Handling a SAML POST response
Date Tue, 26 Sep 2017 18:56:15 GMT
Thanks for the answers; I certainly didn't expect it to be so quick!

> Do you have the code available somewhere - github or something like that?
> I'd be happy to download it and take a look at what's happening.

Unfortunately, no, it's just POC at this point.

> Out of curiosity, is this configurable with the IDP?  I know when I wrote
> the CAS extension there's an option when you request CAS authentication
> that allows you to specify how you get the ticket back - as a post or get
> response.  I'm curious if the IDP you're using has something similar?  I
> think I ran into similar issues when I was trying to make the CAS
> extension use a POST instead of GET, but I can't remember.

The SAML protocol does support redirect responses, yes, but the SAML
response that comes back, with all of the assertions, is too large for a
redirect URL (~9,200 bytes, max length for a URL is ~2,048).  Unlike OpenID,
it doesn't look like there's any "here's a token, call this service to look
it up" implementation, which is annoying.

So:

I did find the work that Mike Jumper did for allowing extensions to host
their own REST APIs.  I am using this to host a method that is receiving the
SAML POST form.

This works fine, and I can validate the response.  The problem I have now is
getting that information into guacamole's session.

My first thought was just to call the same code as /api/tokens, but the
authentication code (authenticationService, etc) does not seem to be in
guacamole-common or guacamole-ext.  So the options that I've come up with so
far are:

1) Manually call /api/tokens from my ext web service, take its token,
redirect to the main page passing the token, which will get passed back to
/api/tokens when the main page calls it.  This seems pretty klunky, but
involves the least duplication of code.

2) What Mike suggested: Validate SAML response, generate my own token (with
blackjack, and hookers!), store it somewhere, pass it back, and then look it
up when /api/tokens gets called.  This seems less klunky than #1, but
requires essentially duplicating the token management code that's already in
use.

3) Throw abstraction out the window and just add my code to
guacamole-client.  Horribly klunky, torpedoes future upgrades without
additional effort.

4) Mystery fourth option

Is there a #4 that I'm missing?



--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/
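
Option 2 from the message above, sketched as an added example that is not part of the original post or of Guacamole's code: a handoff store that issues a random, short-lived, single-use token after the SAML response validates and redeems it once when /api/tokens presents it. The class name, the 30-second lifetime and the sample user are assumptions, and no Guacamole API is called; because the token travels through a redirect, the expiry and one-time redemption limit what a token leaked through logs or browser history is worth.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper, not part of guacamole-ext: maps a one-time handoff
// token to the username taken from an already validated SAML response.
public class SamlHandoffStore {

    private record Entry(String username, Instant expires) {}

    private final ConcurrentHashMap<String, Entry> pending = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;

    public SamlHandoffStore(Duration ttl) { this.ttl = ttl; }

    // Called by the extension's REST endpoint after the SAML POST validates.
    public String issue(String username, Instant now) {
        pending.values().removeIf(e -> !now.isBefore(e.expires())); // drop stale entries
        byte[] raw = new byte[32];                                  // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, new Entry(username, now.plus(ttl)));
        return token;
    }

    // Called when /api/tokens hands the token back to the extension. remove()
    // is atomic, so a replayed token finds nothing the second time.
    public Optional<String> redeem(String token, Instant now) {
        if (token == null) return Optional.empty();   // ConcurrentHashMap rejects null keys
        Entry e = pending.remove(token);
        if (e == null || !now.isBefore(e.expires())) return Optional.empty();
        return Optional.of(e.username());
    }

    public static void main(String[] args) {
        SamlHandoffStore store = new SamlHandoffStore(Duration.ofSeconds(30)); // assumed TTL
        Instant t0 = Instant.parse("2017-09-26T18:56:15Z");    // constructed clock value
        String token = store.issue("alice@example.org", t0);   // constructed user
        System.out.println("first use: " + store.redeem(token, t0.plusSeconds(5)));
        System.out.println("replay:    " + store.redeem(token, t0.plusSeconds(6)));
        String late = store.issue("alice@example.org", t0);
        System.out.println("expired:   " + store.redeem(late, t0.plusSeconds(31)));
    }
}
```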
