
extensions: auth-sso-saml: Add option to get username from attribute

Open scpcom opened this issue 1 year ago • 1 comments

The auth-sso-saml plugin always uses NameID as the username. Some SAML providers like simplesamlphp use the NameID format "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"; this is a temporary ID associated with the user. I added the option "saml-user-attribute", which allows getting the username from one of the attributes.

For example, if simplesamlphp uses Active Directory LDAP as backend, you can add one of these lines to guacamole.properties:

    saml-user-attribute: mail
    saml-user-attribute: sAMAccountName
    saml-user-attribute: userPrincipalName

If saml-user-attribute is not set or empty, the NameID will be used.

scpcom, May 28 '24 20:05
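
The selection rule described in the post above, as an added example that is not part of the original issue or of the Guacamole code base. The class and method names are hypothetical, the attribute map stands in for whatever the SAML library returns after the assertion has been validated, and rejecting a missing or multi-valued attribute (instead of falling back to NameID) is an assumption of this example.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class SamlUsernameExample {

    /**
     * Picks the username for an already-validated assertion.
     * userAttribute mirrors the "saml-user-attribute" property; null or blank
     * means "use NameID", as the issue describes.
     */
    static Optional<String> resolveUsername(String userAttribute, String nameId,
            Map<String, List<String>> attributes) {

        // Property not set or empty: keep the existing NameID behaviour
        if (userAttribute == null || userAttribute.trim().isEmpty())
            return nonBlank(nameId);

        // Assumption of this example: a configured attribute that is missing,
        // blank or multi-valued is rejected rather than silently replaced by
        // NameID, which may be transient and differ on every login
        List<String> values = attributes.get(userAttribute);
        if (values == null || values.size() != 1)
            return Optional.empty();

        return nonBlank(values.get(0));
    }

    // Returns the trimmed value, or empty if it is null or only whitespace
    private static Optional<String> nonBlank(String value) {
        if (value == null || value.trim().isEmpty())
            return Optional.empty();
        return Optional.of(value.trim());
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real IdP
        String nameId = "_constructed-transient-id-0001";
        Map<String, List<String>> attrs = Map.of(
                "mail", List.of("alice@example.org"),
                "sAMAccountName", List.of("alice"));

        System.out.println(resolveUsername(null, nameId, attrs));
        System.out.println(resolveUsername("sAMAccountName", nameId, attrs));
        System.out.println(resolveUsername("userPrincipalName", nameId, attrs));
    }
}
```

Whichever attribute is configured becomes the account identifier, so it should be one the identity provider controls and users cannot edit themselves.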

I did not get the configuration service to work in AssertedIdentity. This is what I added:

import com.google.inject.Inject;
import org.apache.guacamole.auth.saml.conf.ConfigurationService;

public class AssertedIdentity {
    /**
     * Service for retrieving SAML configuration information.
     */
    @Inject
    private ConfigurationService confService;

    // .....
}

In the line that calls "confService.getUserAttribute();" I get "Unexpected error in REST endpoint." followed by "java.lang.NullPointerException: null"

scpcom, May 30 '24 16:05