Help setting up SAML for Apache Guacamole
Melvin Lasky
melvin.lasky at manhattan.edu
Thu Aug 13 14:54:24 UTC 2020
Hey guys,
We are using Shibboleth v4 and have many services running, including InCommon, some SAML-based services, and some CAS services.
We are trying to configure Apache Guacamole but we are having a hell of a time. It doesn’t have a metadata generator, so we generated the metadata for it ourselves.
When we try to get to the login screen, we get an error presented from our Shibboleth Server:
The application you have accessed is not registered for use with this service.
———
I’m not seeing anything in our logs, nor do I have any idea what URL it’s trying to call or access.
———
This is what we have for the metadata, and it loads:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://ourguacserver.ouruniversity.edu/guacamole" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ourguacserver.ouruniversity.edu/guacamole"/>
  </SPSSODescriptor>
</EntityDescriptor>
In our relying-party.xml we have this:
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://ourguacserver.ouruniversity.edu/guacamole">
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO" p:encryptAssertions="false" />
    </list>
  </property>
</bean>
And in our attribute-filter.xml we have this (I tried two different ones):
<AttributeFilterPolicy id="releaseForGuacTEST" >
  <PolicyRequirementRule xsi:type="RequesterRegex" regex="https:\/\/ourguacserver\.ouruniversity\.edu\/.*" />
  <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
  <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
  <AttributeRule attributeID="surname" permitAny="true" />
  <AttributeRule attributeID="givenName" permitAny="true" />
  <AttributeRule attributeID="mail" permitAny="true" />
  <AttributeRule attributeID="uid" permitAny="true" />
</AttributeFilterPolicy>
<AttributeFilterPolicy id="releaseForGuacTEST-2" >
  <PolicyRequirementRule xsi:type="Requester" value="https://ourguacserver.ouruniversity.edu" />
  <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
  <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
  <AttributeRule attributeID="surname" permitAny="true" />
  <AttributeRule attributeID="givenName" permitAny="true" />
  <AttributeRule attributeID="mail" permitAny="true" />
</AttributeFilterPolicy>
Any suggestions would be greatly appreciated.
Melvin Lasky
Associate Director of Enterprise Architecture
Riverdale, NY 10471
Phone: 718-862-7410
melvin.lasky at manhattan.edu
www.manhattan.edu
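
A cross-check of the three snippets in the message above, added here as an example and not part of the original post or of Shibboleth: it reads the entityID from the SP metadata and reports whether the relying-party override and each attribute filter policy are keyed to that same string. The function names, the wrapper elements and xmlns declarations around the copied values, the exact-match reading of Requester, the full-match reading of RequesterRegex and the comma-splitting of relyingPartyIds are assumptions of this example; the entityID Guacamole actually sends is not shown in the post and is not checked.

```python
import re
import xml.etree.ElementTree as ET

XSI = "{http://www.w3.org/2001/XMLSchema-instance}"
C = "{http://www.springframework.org/schema/c}"

# Values copied from the post; wrappers and xmlns declarations are added so each snippet parses alone.
METADATA = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'entityID="https://ourguacserver.ouruniversity.edu/guacamole"/>')
RELYING_PARTY = ('<beans xmlns:c="http://www.springframework.org/schema/c">'
                 '<bean parent="RelyingPartyByName" '
                 'c:relyingPartyIds="https://ourguacserver.ouruniversity.edu/guacamole"/></beans>')
ATTRIBUTE_FILTER = r'''<AttributeFilterPolicyGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseForGuacTEST">
    <PolicyRequirementRule xsi:type="RequesterRegex" regex="https:\/\/ourguacserver\.ouruniversity\.edu\/.*"/>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseForGuacTEST-2">
    <PolicyRequirementRule xsi:type="Requester" value="https://ourguacserver.ouruniversity.edu"/>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>'''


def by_local(root, name):
    """All elements with this local name, whether or not the file declares a default namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def rule_matches(rule, entity_id):
    """Assumed semantics: Requester is an exact string match, RequesterRegex a full regex match."""
    kind = rule.get(XSI + "type")
    if kind == "Requester":
        return rule.get("value") == entity_id
    if kind == "RequesterRegex":
        return re.fullmatch(rule.get("regex"), entity_id) is not None
    return False  # other rule types are outside this example


def check(metadata, relying_party, attribute_filter):
    """Report which configuration entries are keyed to the metadata's entityID."""
    entity_id = ET.fromstring(metadata).get("entityID")
    rp_ids = [i.strip() for b in by_local(ET.fromstring(relying_party), "bean")
              for i in (b.get(C + "relyingPartyIds") or "").split(",")]  # assumed comma-separated
    policies = {p.get("id"): any(rule_matches(r, entity_id) for r in by_local(p, "PolicyRequirementRule"))
                for p in by_local(ET.fromstring(attribute_filter), "AttributeFilterPolicy")}
    return {"entityID": entity_id, "relying_party_override": entity_id in rp_ids, "policies": policies}


if __name__ == "__main__":
    print(check(METADATA, RELYING_PARTY, ATTRIBUTE_FILTER))
```

On the values from the post, the relying-party override and the RequesterRegex policy line up with the metadata's entityID, while the Requester policy's value lacks the /guacamole path and does not.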