From: Nick Couchman
Date: Thu, 28 Sep 2017 12:23:55 -0400
Subject: Re: Handling a SAML POST response
To: user@guacamole.incubator.apache.org

On Thu, Sep 28, 2017 at 12:20 PM, Colin McGuigan <colin_guacamole@walkingshadows.org> wrote:

> Nick;
>
> Thanks for all your help. Let me elaborate.
>
> When I say I have a REST service, it's just as you described -- a WS
> annotated class that is returned from the authentication provider's
> getResource method. I can call this REST service just fine, and know that
> it works.
>

Very nice.

> This service takes in as POST (from the SAML identity provider), calls the
> existing /api/tokens endpoint, passing all of the same content, and receives
> a Guacamole authentication token -- ie, the user is now authenticated by
> Guacamole (specifically by my authentication provider), and is stored in the
> session. This also works. I receive the token just fine.
>
> The problem is I need to pass this token, somehow, to the Guacamole UI so
> that when it calls /api/tokens itself, it can pass in the same token. The
> essentials of the REST method:
>
>     @POST
>     @Path("/postredirect")
>     public Response redirectSamlPostToGet(@Context HttpServletRequest request,
>             String content) throws GuacamoleException, URISyntaxException {
>         try {
>             String token = callTokenService(request, content);
>             return Response.seeOther(new URI("http://<site>/guacamole/#/token=" + token)).build();
>         } catch (Exception e) {
>             logger.error("Error occurred in postredirect", e);
>             throw new RuntimeException(e);
>         }
>     }
>
> There are no errors in the logs. In network traffic I see the redirect
> happen correctly. However, Guacamole is ignoring the token=<token> portion
> of the URL. I've tried using id_token instead, but that is also ignored.
>

What if you try:

    return Response.seeOther(new URI("http://<site>/guacamole/#/?token=" + token)).build();

(Add the ? between the token parameter and the Guacamole URL). Does that work?

-Nick


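
The difference between the two redirect URLs in this thread, as an added example that is not part of the original messages and not Guacamole's own code. It assumes the web client reads parameters only from the part of the URL fragment that follows `?`, as hash-mode routers typically do; the host name, token values and function names are constructed for illustration.

```javascript
// Model of how a hash-routed single-page app splits the URL fragment into
// a route path and query parameters (assumption: parameters are only read
// from the text after "?" inside the fragment).
function parseHashRoute(url) {
  const hashIndex = url.indexOf('#');
  const fragment = hashIndex === -1 ? '' : url.slice(hashIndex + 1);
  const queryIndex = fragment.indexOf('?');
  const path = queryIndex === -1 ? fragment : fragment.slice(0, queryIndex);
  const query = queryIndex === -1 ? '' : fragment.slice(queryIndex + 1);
  const search = {};
  for (const [key, value] of new URLSearchParams(query)) {
    search[key] = value;
  }
  return { path: path || '/', search };
}

// Hypothetical helper: builds the redirect target in the "#/?token=" form
// and percent-encodes the token so characters such as "+", "/" or "="
// survive the round trip through the fragment's query string.
function buildTokenRedirect(baseUrl, token) {
  return baseUrl.replace(/\/+$/, '') + '/#/?token=' + encodeURIComponent(token);
}

// Constructed sample values (not from the thread).
const BASE = 'https://guac.example.test/guacamole';
const SAMPLE_TOKEN = 'CONSTRUCTEDTOKEN0123';

// Form from the original REST method: the whole fragment is a route path,
// so no "token" parameter exists for the client to pick up.
const withoutQuery = parseHashRoute(BASE + '/#/token=' + SAMPLE_TOKEN);

// Form suggested in the reply: path is "/", token is a query parameter.
const withQuery = parseHashRoute(BASE + '/#/?token=' + SAMPLE_TOKEN);

console.log(withoutQuery); // path carries "token=...", search is empty
console.log(withQuery);    // path "/", search.token holds the token
console.log(parseHashRoute(buildTokenRedirect(BASE, 'a+b/c=')).search.token);
```
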