Help setting up SAML for Apache Guacamole
melvin.lasky
melvin.lasky at manhattan.edu
Fri Aug 14 01:02:14 UTC 2020
Ok Peter. You were right... The guacamole administrator had the wrong entity
ID set.
However, we now have a different problem.
We are able to get in... But in order to get UID sent as a non-random
generated string, I changed the metadata, and I added something to
saml-nameid.xml.
However, none of the other attributes are being sent now. For instance, we
want to send ou, but it's not showing in my shib logs.
Any suggestions would be great. I'm at a loss right now.
New Metadata
<EntityDescriptor
    entityID="https://ourguacserver.ouruniversity.edu/guacamole"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ourguacserver.ouruniversity.edu/guacamole/api/ext/saml/callback"
    />
  </SPSSODescriptor>
</EntityDescriptor>
Attribute Filter now
<AttributeFilterPolicy id="releaseForGuacTEST" >
  <PolicyRequirementRule xsi:type="Requester"
      value="https://ourguacserver.ouruniversity.edu/guacamole" />
  <AttributeRule attributeID="uid" permitAny="true" />
  <AttributeRule attributeID="ou" permitAny="true" />
</AttributeFilterPolicy>
saml-nameid.xml
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    p:attributeSourceIds="#{ {'uid'} }" >
  <property name="activationCondition" >
    <bean parent="shibboleth.Conditions.RelyingPartyId"
        c:candidate="https://ourguacserver.ouruniversity.edu/guacamole" />
  </property>
</bean>
relying-party.xml
<bean parent="RelyingPartyByName"
    c:relyingPartyIds="https://ourguacserver.ouruniversity.edu/guacamole">
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO" p:encryptAssertions="false" />
    </list>
  </property>
</bean>
----
This is what I see in my logs:
shib-idp;idp-process.log;dev;nothing; - [149.61.2.59]2020-08-14 00:56:01,608
- INFO [Shibboleth-Audit.SSO:282] -
2020-08-14T00:56:01.608348Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ONELOGIN_bd7fc111-d4d8-427a-a4bc-60d2c370be08|https://ourguacserver.ouruniversity.edu/guacamole|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://ourshibserver.ouruniversity.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_4051e5c17b3469c3fb99c5c477b2dc2d|melvin.lasky|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid|melvin.lasky|_b3b208aded524b06ad5ccd0d2c3a49da|
Not sure why I can't see the other attributes. What am I doing wrong?
Thanks for all your help!
Mel
--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
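
Added example, not part of the original message: a Python check that reads the attributes field of a Shibboleth-Audit.SSO record like the one quoted above and reports which expected attributes were not released. The field order is an assumption based on the IdP's default pipe-delimited audit format, and the function names are illustrative.

```python
# Assumed field order of the default SSO audit record; adjust this list
# if the audit format has been customised on the IdP.
AUDIT_FIELDS = [
    "timestamp", "inbound_binding", "request_id", "relying_party",
    "profile", "idp_entity_id", "outbound_binding", "response_id",
    "principal", "authn_context", "attributes", "name_id", "assertion_id",
]

# The audit record from the message above, without the logger prefix.
SAMPLE = (
    "2020-08-14T00:56:01.608348Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|"
    "ONELOGIN_bd7fc111-d4d8-427a-a4bc-60d2c370be08|"
    "https://ourguacserver.ouruniversity.edu/guacamole|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|"
    "https://ourshibserver.ouruniversity.edu/idp/shibboleth|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "_4051e5c17b3469c3fb99c5c477b2dc2d|melvin.lasky|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
    "uid|melvin.lasky|_b3b208aded524b06ad5ccd0d2c3a49da|"
)


def parse_audit_line(line):
    """Split one pipe-delimited audit record into named fields."""
    parts = [p.strip() for p in line.strip().split("|")]
    if len(parts) < len(AUDIT_FIELDS):
        raise ValueError("record has %d fields, expected at least %d"
                         % (len(parts), len(AUDIT_FIELDS)))
    record = dict(zip(AUDIT_FIELDS, parts))
    # Released attribute IDs are written as a comma-separated list.
    record["attributes"] = [a for a in record["attributes"].split(",") if a]
    return record


def missing_attributes(line, expected):
    """Return the expected attribute IDs that the record does not list."""
    released = set(parse_audit_line(line)["attributes"])
    return sorted(set(expected) - released)


if __name__ == "__main__":
    rec = parse_audit_line(SAMPLE)
    print("relying party:", rec["relying_party"])
    print("released:", rec["attributes"])
    print("missing:", missing_attributes(SAMPLE, ["uid", "ou"]))
```
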