guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: Handling a SAML POST response
Date Fri, 16 Feb 2018 16:18:58 GMT
On Thu, Sep 28, 2017 at 12:20 PM, Colin McGuigan <colin_guacamole@walkingshadows.org> wrote:

> Nick;
>
> Thanks for all your help.  Let me elaborate.
>
> When I say I have a REST service, it's just as you described -- a WS
> annotated class that is returned from the authentication provider's
> getResource method.  I can call this REST service just fine, and know that
> it works.
>
> This service takes in a POST (from the SAML identity provider), calls the
> existing /api/tokens endpoint, passing all of the same content, and receives
> a Guacamole authentication token -- i.e., the user is now authenticated by
> Guacamole (specifically by my authentication provider), and is stored in the
> session.  This also works.  I receive the token just fine.
>
> The problem is I need to pass this token, somehow, to the Guacamole UI so
> that when it calls /api/tokens itself, it can pass in the same token.  The
> essentials of the REST method:
>
>     @POST
>     @Path("/postredirect")
>     public Response redirectSamlPostToGet(@Context HttpServletRequest request,
>             String content) throws GuacamoleException, URISyntaxException {
>         try {
>             String token = callTokenService(request, content);
>             return Response.seeOther(
>                     new URI("http://<site>/guacamole/#/token=" + token)).build();
>         } catch (Exception e) {
>             logger.error("Error occurred in postredirect", e);
>             throw new RuntimeException(e);
>         }
>     }
>
> There are no errors in the logs.  In network traffic I see the redirect
> happen correctly.  However, Guacamole is ignoring the token=<token> portion
> of the URL.  I've tried using id_token instead, but that is also ignored.
>
>
Hey, Colin,
I have a couple of follow-up questions for you regarding this.  I'm in the
midst of trying to implement a SAML authentication extension for Guacamole,
as well, and am probably 95% of the way there, but am running into a couple
of issues and am curious whether you have any insight from your experiences.

First, I decided, instead of generating my own token, to just try to pass
the SAMLResponse through as a parameter to the main Guacamole URL and then
process it that way.  I don't know if you tried this track at all, but I
ran into some errors with the headers being too large.  I bumped up the
header size on both Tomcat and Nginx, which got rid of the warnings, but
now the page just aborts loading - no apparent log errors, it just quits.
Does this match anything you experienced when trying to get this to work?
I don't really want the end users to have to adjust default configurations
just to get this to work, so that's less than ideal, anyway.  It looks to
me like the main source of this is that the "Referer" header that it passes
on is humongous - it contains the SAML response, plus several other items
embedded in it, that aren't really going to be useful or necessary for
this, but combining those with the actual SAMLResponse makes it larger than
the default 8k header size.

Second, when you did your token service (callTokenService above) to
generate the token you pass back to the main Guacamole URL, is that
something you're generating manually, embedding username (and whatever
other attributes) in that token, or are you actually calling the Guacamole
token generating service, so that it's already a valid Guacamole token?

Thanks,
Nick
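The oversized Referer Nick describes comes from carrying the whole base64 SAMLResponse in the URL; Colin's variant instead carries a bearer token in the URL fragment. Below is an added example (written for this page, not code from the thread, from Guacamole or from any Guacamole SAML extension) of the usual way around both problems: the assertion-consumer endpoint parks the SAMLResponse server-side and redirects the browser with only a short, single-use random handle in the fragment, so the URL stays small and neither the response nor a session token is exposed through Referer, proxy logs or browser history. It assumes JAX-RS (`javax.ws.rs`, as in Colin's snippet); the `/saml/acs` path, the `guac.example.org` URL, the two-minute lifetime and the `handle` parameter name are all assumptions. How the Guacamole UI would hand the handle back to the server is the open question in this thread and is not answered here; `redeem()` is simply what that component would call.

```java
import java.net.URI;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

/**
 * Illustrative assertion-consumer endpoint (not Guacamole code). The IdP's
 * HTTP-POST binding lands here, the SAMLResponse is parked server-side, and
 * the browser is redirected with nothing but a short random handle in the
 * URL fragment. Browsers never send the fragment to the server or in Referer,
 * and the handle is 22 characters no matter how large the SAML response is.
 */
@Path("/saml")
public class SamlPostResource {

    /** Assumed application URL; substitute the real deployment's. */
    private static final URI APP_URL = URI.create("https://guac.example.org/guacamole/");

    private static final HandoffStore STORE = new HandoffStore();

    @POST
    @Path("/acs")
    public Response assertionConsumer(@FormParam("SAMLResponse") String samlResponse) {
        if (samlResponse == null || samlResponse.isEmpty())
            return Response.status(Response.Status.BAD_REQUEST).build();
        String handle = STORE.put(samlResponse);
        // Fragment, not query string: keeps the redirect target and every later
        // Referer header short and free of the SAML response itself.
        return Response.seeOther(URI.create(APP_URL + "#/?handle=" + handle)).build();
    }

    /** Whatever later completes the login redeems the handle exactly once. */
    public static String redeem(String handle) {
        return STORE.take(handle);
    }

    /** One-time, short-lived, in-memory store keyed by an unguessable handle. */
    static final class HandoffStore {
        private static final Duration TTL = Duration.ofMinutes(2);   // assumed lifetime
        private final SecureRandom random = new SecureRandom();
        private final Map<String, Entry> pending = new ConcurrentHashMap<>();

        private static final class Entry {
            final String samlResponse;
            final Instant expires;
            Entry(String samlResponse, Instant expires) {
                this.samlResponse = samlResponse;
                this.expires = expires;
            }
        }

        /** Stores the raw (still base64-encoded) response; returns a 128-bit URL-safe handle. */
        String put(String samlResponse) {
            byte[] id = new byte[16];
            random.nextBytes(id);
            String handle = Base64.getUrlEncoder().withoutPadding().encodeToString(id);
            pending.put(handle, new Entry(samlResponse, Instant.now().plus(TTL)));
            return handle;
        }

        /** Returns the response once, or null if the handle is unknown, already used or expired. */
        String take(String handle) {
            if (handle == null) return null;
            Entry e = pending.remove(handle);   // remove before checking: single use even under races
            if (e == null || Instant.now().isAfter(e.expires)) return null;
            return e.samlResponse;
        }

        /** Drops expired entries so abandoned logins do not accumulate; returns how many were dropped. */
        int expire() {
            Instant now = Instant.now();
            int before = pending.size();
            pending.entrySet().removeIf(en -> now.isAfter(en.getValue().expires));
            return before - pending.size();
        }
    }

    /** Stand-alone check of the single-use behaviour with a constructed response. */
    public static void main(String[] args) {
        // Constructed stand-in: 6000 random-looking bytes base64-encode to 8000 chars,
        // about the size that overran the default 8k header limit in the thread.
        String fake = Base64.getEncoder().encodeToString(new byte[6000]);
        String handle = STORE.put(fake);
        System.out.println("handle length: " + handle.length());
        System.out.println("first redeem matches: " + fake.equals(redeem(handle)));
        System.out.println("second redeem is null: " + (redeem(handle) == null));
        System.out.println("expired entries dropped: " + STORE.expire());
    }
}
```

Two caveats on the design. The map is per-JVM, so a load-balanced deployment needs a shared store (or sticky sessions) for the redeeming request to find the entry. And the handle only limits where the SAML response travels; whatever redeems it must still verify the response's signature, audience, timestamps and InResponseTo before trusting any attribute in it, exactly as if it had arrived by POST directly.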
