From: Nick Couchman
Date: Sat, 11 Aug 2018 09:50:21 -0400
Subject: Re: SAML 2.0 support for Apache Guacamole through CAS
To: user@guacamole.apache.org

On Sat, Aug 11, 2018 at 9:19 AM stoda06 wrote:

> Hi Guacamole Gurus!
>
> I'm trying to figure out if I should attempt to get Guacamole working with
> CAS as a SAML 2.0 SP allowing SSO into Guacamole?
>
> Because I've read here (https://issues.apache.org/jira/browse/GUACAMOLE-103)
> that SAML 2.0 isn't currently supported for Guacamole, but I wouldn't have
> thought this would mean that SAML 2.0 isn't supported through CAS?

Support for authentication via the SAML protocol is a work in progress, but currently not available in Guacamole. If you must use the SAML 2.0 authentication protocol with CAS, then you will not be able to authenticate Guacamole with CAS as the SAML protocol is not supported.

That said, Guacamole has a CAS authentication module which supports the native CAS SSO protocol. If you're already running a CAS server, you should be able to use the guacamole-auth-cas extension and authenticate against your CAS server.

Is there some reason you're required to use SAML 2.0 instead of the native CAS protocol?

> Would someone who's gotten Guacamole working with SAML 2.0 please let me
> know the components they used in their architecture? Because I've been
> through the last 4000 messages emailed to this list and there's a thread
> with the title: "Handling a SAML POST response" which talks about SAML
> (version unknown) and getting it working with Mike Jumper's extension and
> used it to authenticate via OpenID. From which I gather it's possible to
> get it working with SAML of an unknown version.

OpenID and SAML are not identical. There is an OpenID authentication extension that you can use, but you must use it against any OpenID-compatible SSO server. CAS can also do this, but, again, why are you trying to do this instead of just using the CAS protocol?

> Basically, I'm trying to authenticate from an F5 BIG-IP APM to Guacamole
> using SSO and one of the guys who's in my team suggested that SAML would be
> the easiest way to get this working.

Sorry to sound like a broken record, but if your SSO server is CAS, just use the CAS protocol - it's the most straight-forward to get configured, and it's already supported.

-Nick

