guacamole-user mailing list archives

From Daniel Storey <>
Subject Re: SAML 2.0 support for Apache Guacamole through CAS
Date Sun, 12 Aug 2018 22:50:40 GMT
Hi Nick,

Thanks for following this up for me! If you’d like a temporary key for F5 APM, please let
me know and I’ll get you a 45 day temp key.

Mine is<>.  Please
email me if you’d like a temp key.


Daniel Storey

From: Nick Couchman <>
Reply-To: "" <>
Date: Monday, 13 August 2018 at 4:32 am
To: "" <>
Subject: Re: SAML 2.0 support for Apache Guacamole through CAS

On Sat, Aug 11, 2018 at 10:20 AM Daniel Storey <<>>
Hi Nick,

Thanks for the speedy reply.

Sorry, not so speedy the second time around :-/.

I’m trying to have an F5 BIG-IP APM authenticate through to Guacamole through CAS, so I
thought SAML was the best solution.  To my knowledge, F5 doesn’t support CAS natively (and
I’ve done some searching, so I’m pretty confident this is true).

Yeah, CAS isn't really all that universally supported, unfortunately, so I wouldn't be surprised
if F5 doesn't support it.

CAS has come into the solution as middleware of sorts – converting the authentication from
SAML into something Guacamole can understand (native CAS authentication through the CAS protocol).
My company isn’t using CAS at the moment – we’d be deploying it for this project only,
which uses usernames and passwords to authenticate that are stored in the internal F5 database.
Hence the guy in my team recommending SAML 2.0 between F5 and CAS and then Native CAS authentication
for Guacamole, if that’s possible.

So, let me make sure I understand what you're trying to do.  You'd like to have users authenticate
through the F5 appliance (to CAS, via SAML), and then be able to hit Guacamole and have the
authentication into Guacamole happen "automagically" because you've already authenticated
to the SSO server from the F5?

I don't know if this will work or not.  It's possible it will, if CAS is "smart enough" to
pick up on the fact that you've already authenticated based on session or cookie information
in the browser.  But, because it's using a different client protocol (SAML vs. CAS), it
may not work.  I actually don't really know how that works out with CAS - every time I've
used it I've been focused on either one protocol or another and not been trying it across
protocols.  I would think the CAS server would be smart enough to figure this out, but I'm
not sure.

I'm also not familiar with the F5 Big-IP APM, so I'm not entirely sure how it's doing the
SSO through SAML.

If I have a chance to spin stuff up to try it out, I will, I just don't know how quickly I'd
be able to make that happen.  I don't have a F5 APM, but it looks like it might be something
that I can download and try out.
