Help setting up SAML for Apache Guacamole

Peter Schober peter.schober at
Thu Aug 13 19:26:03 UTC 2020

* Melvin Lasky <melvin.lasky at> [2020-08-13 16:54]:
> When we try to get to the login screen, we get an error presented from our Shibboleth Server:
> The application you have accessed is not registered for use with this service.
> I’m not seeing anything in our logs, nor do I have any idea what URL it’s trying to call or access.

I don't think that's possible (unless the IDP were broken and couldn't
write any logs) -- if the IDP renders an error message to the browser
the IDP will also produce logs with that error.

The error message sounds like the IDP doesn't have metadata for the SP
but even for the Shib IDP I wouldn't want to be guessing what this
means from "user friendly" error messages. You need the logs.

> <EntityDescriptor entityID=""

Well, then there'd be no guesswork necessary in your attribute
filter -- even though you current problem is NOT with the filter.

> And in our attribute-filter.xml we have this: (I tried two different ones)

Why? In the relying-party.xml you have the entityID set as a simple
(and hopefully correct string) -- your first one is needlessly complex
(regex) and your second one is simply wrong (doesn't match the
entityID in metadata).

> <AttributeFilterPolicy id="releaseForGuacTEST" >
>   <PolicyRequirementRule xsi:type="RequesterRegex" regex="https:\/\/ourguacserver\.ouruniversity\.edu\/.*" />
> <AttributeFilterPolicy id="releaseForGuacTEST-2" >
>   <PolicyRequirementRule xsi:type="Requester" value="" />

But the filter is not the problem -- if only the filter were wrong you
wouldn't be getting the error message you're seeing, the IDP would
send you on to the SP with whatever attributes he's allowed to send,
even none at all.


More information about the users mailing list