Using SAML for single sign-on

Using SAML for single sign-on#

SAML is a widely implemented and used Single Sign On (SSO) provider that allows applications and services to authenticate in a standard way, and brokers those authentication requests to one or more back-end authentication providers. The SAML authentication extension allows Guacamole to redirect to a SAML Identity Provider (IdP) for authentication and user services. This module does not provide any capability for storing or retrieving connections, and must be layered with other authentication extensions that provide connection management.

Warning

You will need to restart the Guacamole web application in order to complete configuration. Doing this will disconnect all active users, so please:

  • Do this only at a time that you can tolerate service unavailability, such as a scheduled maintenance window.

  • Keep in mind that configuration errors may prevent Guacamole from starting back up.

Installing/Enabling the SAML authentication extension#

Guacamole is configured differently depending on whether Guacamole was installed natively or using the provided Docker images. The documentation here covers both methods.

Native installations of Guacamole under Apache Tomcat or similar are configured by modifying the contents of GUACAMOLE_HOME (Guacamole’s configuration directory), which is located at /etc/guacamole by default and may need to be created first:

  1. Download guacamole-auth-sso-1.6.0.tar.gz from the release page for Apache Guacamole 1.6.0 and extract it.

  2. Create the GUACAMOLE_HOME/extensions directory, if it does not already exist.

  3. Copy the saml/guacamole-auth-sso-saml-1.6.0.jar file from the contents of the archive to GUACAMOLE_HOME/extensions/.

  4. Proceed with the configuring Guacamole for the newly installed extension as described below. The extension will be loaded after Guacamole has been restarted.

Note

Download and documentation links for all officially supported extensions for a particular version of Guacamole are always provided in the release notes for that version. The copy of the documentation you are reading now is from Apache Guacamole 1.6.0.

If you are using a different version of Guacamole, please locate that version within the release archives and consult the documentation for that release instead.

Docker installations of Guacamole include a bundled copy of Apache Tomcat and are configured using environment variables. The startup process of the Docker image automatically populates GUACAMOLE_HOME (Guacamole’s configuration directory) based on the values of these variables.

If deploying Guacamole using Docker Compose:

You will need to add at least one relevant environment variable to the environment section of your guacamole/guacamole container, such as the SAML_ENABLED environment variable:

SAML_ENABLED: "true"
If instead deploying Guacamole by running docker run manually:

The same environment variable(s) will need to be provided using the -e option. For example:

$ docker run --name some-guacamole \
    -e SAML_ENABLED="true" \
    -d -p 8080:8080 guacamole/guacamole

If SAML_ENABLED is set to false, the extension will NOT be installed, even if other related environment variables have been set. This can be used to temporarily disable usage of an extension without needing to remove all other related configuration.

You don’t strictly need to set SAML_ENABLED if other related environment variables are provided, but the extension will be installed only if at least one related environment variable is set.

Configuration#

The SAML authentication extension provides several configuration properties to set it up to talk to the IdP. The SAML IdP also must be configured with Guacamole as a Service Provider (SP). Configuration of the SAML IdP is beyond the scope of this document, and will vary widely based on the IdP in use.

saml-idp-metadata-url

The URI of the XML metadata file from the SAML Identity Provider that contains all of the information the SAML extension needs in order to know how to authenticate with the IdP. This URI can either be a remote server (e.g. https://) or a local file on the filesystem (e.g. file://). Often the metadata file contains most of the required properties for SAML authentication and the other parameters are not required.

saml-idp-url

The base URL of the SAML IdP. This is the URL that the SAML authentication extension will use to redirect when requesting SAML authentication. If the saml-idp-metadata-url property is provided, this parameter will be ignored. If the metadata file is not provided this property is required.

saml-entity-id

The entity ID of the Guacamole SAML client, which is generally the URL of the Guacamole server, but is not required to be so. This property is required if either the saml-idp-metadata-url property is not specified, or if the provided metadata file does not contain the SAML SP Entity ID for the Guacamole Client.

saml-callback-url

The URL that the IdP will use once authentication has succeeded to return to the Guacamole web application and provide the authentication details to the SAML extension. The SAML extension currently only supports callback as a POST operation to this callback URL. This property is required.

saml-strict

Require strict security checks during SAML logins. This will insure that valid certificates are present for all interactions with SAML servers and fail SAML authentication if security restrictions are violated. This property is optional, and will default to true, requiring strict security checks. This property should only be set to false in non-production environments during testing of SAML authentication.

saml-debug

Enable additional logging within the supporting SAML library that can assist in tracking down issues during SAML logins. This property is optional, and will default to false (no debugging).

saml-compress-request

Enable compression of the HTTP requests sent to the SAML IdP. This property is optional and will default to true (compression enabled).

saml-compress-response

Request that the SAML response returned by the IdP be compressed. This property is optional and will default to true (compression will be requested).

saml-group-attribute

The name of the attribute provided by the SAML IdP that contains group membership of the user. These groups will be parsed and used to map group membership of the user logging in, which can be used for permissions management within Guacamole Client, particularly when layered with other authentication modules. This property is optional, and defaults to “groups”.

saml-x509-cert-path

The path to a certificate that will be used to sign SAML requests before they are sent to the IdP, enhancing the integrity of the SAML authentication process. This property is optional, and, if not present, SAML requests will not be signed.

saml-private-key-path

The path to a private key file to use to encrypt SAML requests sent to the IdP, enhancing the confidentiality and integrity of the authentication process. This property is optional, and, if not present, SAML requests will not be encrypted before they are sent to the IdP.

The SAML authentication extension provides several configuration properties to set it up to talk to the IdP. The SAML IdP also must be configured with Guacamole as a Service Provider (SP). Configuration of the SAML IdP is beyond the scope of this document, and will vary widely based on the IdP in use.

SAML_IDP_METADATA_URL

The URI of the XML metadata file from the SAML Identity Provider that contains all of the information the SAML extension needs in order to know how to authenticate with the IdP. This URI can either be a remote server (e.g. https://) or a local file on the filesystem (e.g. file://). Often the metadata file contains most of the required properties for SAML authentication and the other parameters are not required.

SAML_IDP_URL

The base URL of the SAML IdP. This is the URL that the SAML authentication extension will use to redirect when requesting SAML authentication. If the saml-idp-metadata-url property is provided, this parameter will be ignored. If the metadata file is not provided this property is required.

SAML_ENTITY_ID

The entity ID of the Guacamole SAML client, which is generally the URL of the Guacamole server, but is not required to be so. This property is required if either the saml-idp-metadata-url property is not specified, or if the provided metadata file does not contain the SAML SP Entity ID for the Guacamole Client.

SAML_CALLBACK_URL

The URL that the IdP will use once authentication has succeeded to return to the Guacamole web application and provide the authentication details to the SAML extension. The SAML extension currently only supports callback as a POST operation to this callback URL. This property is required.

SAML_STRICT

Require strict security checks during SAML logins. This will insure that valid certificates are present for all interactions with SAML servers and fail SAML authentication if security restrictions are violated. This property is optional, and will default to true, requiring strict security checks. This property should only be set to false in non-production environments during testing of SAML authentication.

SAML_DEBUG

Enable additional logging within the supporting SAML library that can assist in tracking down issues during SAML logins. This property is optional, and will default to false (no debugging).

SAML_COMPRESS_REQUEST

Enable compression of the HTTP requests sent to the SAML IdP. This property is optional and will default to true (compression enabled).

SAML_COMPRESS_RESPONSE

Request that the SAML response returned by the IdP be compressed. This property is optional and will default to true (compression will be requested).

SAML_GROUP_ATTRIBUTE

The name of the attribute provided by the SAML IdP that contains group membership of the user. These groups will be parsed and used to map group membership of the user logging in, which can be used for permissions management within Guacamole Client, particularly when layered with other authentication modules. This property is optional, and defaults to “groups”.

SAML_X509_CERT_PATH

The path to a certificate that will be used to sign SAML requests before they are sent to the IdP, enhancing the integrity of the SAML authentication process. This property is optional, and, if not present, SAML requests will not be signed.

SAML_PRIVATE_KEY_PATH

The path to a private key file to use to encrypt SAML requests sent to the IdP, enhancing the confidentiality and integrity of the authentication process. This property is optional, and, if not present, SAML requests will not be encrypted before they are sent to the IdP.

Controlling login behavior#

Guacamole loads authentication extensions in order of priority, and evaluates authentication attempts in this same order. This has implications for how the Guacamole login process behaves when an SSO extension is present:

If the SSO extension has priority:

Users that are not yet authenticated will be immediately redirected to the configured identity provider. They will not see a Guacamole login screen.

If a non-SSO extension has priority:

Users that are not yet authenticated will be presented with a Guacamole login screen. Additionally, links to the configured identity provider(s) will be available for users that wish to log in using SSO.

The default priority of extensions is dictated by their filenames, with extensions that sort earlier alphabetically having higher priority than others. This can be overridden by explicitly setting the extension priority.

Automatically redirecting all unauthenticated users#

To ensure users are redirected to the SAML identity provider immediately (without a Guacamole login screen), ensure the SAML extension has priority over all others:

extension-priority: saml

Presenting unauthenticated users with a login screen#

To ensure users are given a normal Guacamole login screen and have the option to log in with traditional credentials or with SAML, ensure the SAML extension does not have priority:

extension-priority: *, saml

Completing installation#

Guacamole will only reread its configuration and load newly-installed extensions during startup, so Tomcat will need to be restarted before these changes can take effect. Restart Tomcat and give the new functionality a try.

You do not need to restart guacd.

Hint

If Guacamole does not come back online after restarting Tomcat, check the logs. Configuration problems may prevent Guacamole from starting up, and any such errors will be recorded in Tomcat’s logs.

The environment variables that configure the behavior of Docker can only be set at the time the Docker container is created. To apply these configuration changes, you will need to recreate the container.

If your Guacamole container was deployed using Docker Compose:

Simply making the desired changes to your docker-compose.yml and running docker compose up is sufficient. Docker Compose will automatically recognize that the environment variables of the container have changed and recreate it.

If your Guacamole container was deployed manually (using docker run):

You wll need to manually use docker rm to remove the old container and then manually recreate it with docker run and the new environment variables.

Hint

If Guacamole does not come back online after recreating the container, check the Docker logs. Configuration problems may prevent Guacamole from starting up, and any such errors will be recorded in the Docker logs for the Guacamole container.

Contents