SAML 2.0 support for Apache Guacamole through CAS


stoda06
Hi Guacamole Gurus!

I'm trying to figure out if I should attempt to get Guacamole working with
CAS as a SAML 2.0 SP allowing SSO into Guacamole?

Because I've read here (https://issues.apache.org/jira/browse/GUACAMOLE-103)
that SAML 2.0 isn't currently supported for Guacamole, but I wouldn't have
thought this would mean that SAML 2.0 isn't supported through CAS?

Would someone who's gotten Guacamole working with SAML 2.0 please let me
know the components they used in their architecture?  Because I've been
through the last 4000 messages emailed to this list and there's a thread
with the title: "Handling a SAML POST response" which talks about SAML
(version unknown) and getting it working with Mike Jumper's extension and
used it to authenticate via OpenID.  From which I gather it's possible to
get it working with SAML of an unknown version.

Basically, I'm trying to authenticate from an F5 BIG-IP APM to Guacamole
using SSO and one of the guys who's in my team suggested that SAML would be
the easiest way to get this working.

Cheers,

Daniel Storey

Re: SAML 2.0 support for Apache Guacamole through CAS

vnick


On Sat, Aug 11, 2018 at 9:19 AM stoda06 <[hidden email]> wrote:
Hi Guacamole Gurus!

I'm trying to figure out if I should attempt to get Guacamole working with
CAS as a SAML 2.0 SP allowing SSO into Guacamole?

Because I've read here (https://issues.apache.org/jira/browse/GUACAMOLE-103)
that SAML 2.0 isn't currently supported for Guacamole, but I wouldn't have
thought this would mean that SAML 2.0 isn't supported through CAS?


Support for authentication via the SAML protocol is a work in progress, but currently not available in Guacamole.  If you must use the SAML 2.0 authentication protocol with CAS, then you will not be able to authenticate Guacamole with CAS as the SAML protocol is not supported.

That said, Guacamole has a CAS authentication module which supports the native CAS SSO protocol.  If you're already running a CAS server, you should be able to use the guacamole-auth-cas extension and authenticate against your CAS server.

Is there some reason you're required to use SAML 2.0 instead of the native CAS protocol?
 
Would someone who's gotten Guacamole working with SAML 2.0 please let me
know the components they used in their architecture?  Because I've been
through the last 4000 messages emailed to this list and there's a thread
with the title: "Handling a SAML POST response" which talks about SAML
(version unknown) and getting it working with Mike Jumper's extension and
used it to authenticate via OpenID.  From which I gather it's possible to
get it working with SAML of an unknown version.

OpenID and SAML are not identical.  There is an OpenID authentication extension that you can use, but you must use it against any OpenID-compatible SSO server.  CAS can also do this, but, again, why are you trying to do this instead of just using the CAS protocol?
 

Basically, I'm trying to authenticate from an F5 BIG-IP APM to Guacamole
using SSO and one of the guys who's in my team suggested that SAML would be
the easiest way to get this working.


Sorry to sound like a broken record, but if your SSO server is CAS, just use the CAS protocol - it's the most straightforward to get configured, and it's already supported.

-Nick

Re: SAML 2.0 support for Apache Guacamole through CAS

stoda06

Hi Nick,


Thanks for the speedy reply.

 

I’m trying to have an F5 BIG-IP APM authenticate through to Guacamole through CAS, so I thought SAML was the best solution.  To my knowledge, F5 doesn’t support CAS natively (and I’ve done some searching, so I’m pretty confident this is true).

 

CAS has come into the solution as middleware of sorts – converting the authentication from SAML into something Guacamole can understand (native CAS authentication through the CAS protocol). My company isn’t using CAS at the moment – we’d be deploying it for this project only, which uses usernames and passwords to authenticate that are stored in the internal F5 database.  Hence the guy in my team recommending SAML 2.0 between F5 and CAS and then native CAS authentication for Guacamole, if that’s possible.

 

But you’re saying it’s not?

 

Cheers,

 

Daniel Storey

 


Re: SAML 2.0 support for Apache Guacamole through CAS

vnick
On Sat, Aug 11, 2018 at 10:20 AM Daniel Storey <[hidden email]> wrote:

Hi Nick,


Thanks for the speedy reply.


Sorry, not so speedy the second time around :-/.
 

 

I’m trying to have an F5 BIG-IP APM authenticate through to Guacamole through CAS, so I thought SAML was the best solution.  To my knowledge, F5 doesn’t support CAS natively (and I’ve done some searching, so I’m pretty confident this is true).


Yeah, CAS isn't really all that universally supported, unfortunately, so I wouldn't be surprised if F5 doesn't support it.
 

 

CAS has come into the solution as middleware of sorts – converting the authentication from SAML into something Guacamole can understand (native CAS authentication through the CAS protocol). My company isn’t using CAS at the moment – we’d be deploying it for this project only, which uses usernames and passwords to authenticate that are stored in the internal F5 database.  Hence the guy in my team recommending SAML 2.0 between F5 and CAS and then native CAS authentication for Guacamole, if that’s possible.



So, let me make sure I understand what you're trying to do.  You'd like to have users authenticate through the F5 appliance (to CAS, via SAML), and then be able to hit Guacamole and have the authentication into Guacamole happen "automagically" because you've already authenticated to the SSO server from the F5?

I don't know if this will work or not.  It's possible it will, if CAS is "smart enough" to pick up on the fact that you've already authenticated based on session or cookie information in the browser.  But, because it's using a different client protocol (SAML vs. CAS), it may not work.  I actually don't really know how that works out with CAS - every time I've used it I've been focused on either one protocol or another and not been trying it across protocols.  I would think the CAS server would be smart enough to figure this out, but I'm not sure.

I'm also not familiar with the F5 Big-IP APM, so I'm not entirely sure how it's doing the SSO through SAML.

If I have a chance to spin stuff up to try it out, I will, I just don't know how quickly I'd be able to make that happen.  I don't have a F5 APM, but it looks like it might be something that I can download and try out.

-Nick

Re: SAML 2.0 support for Apache Guacamole through CAS

stoda06

Hi Nick,

 

Thanks for following this up for me! If you’d like a temporary key for F5 APM, please let me know and I’ll get you a 45 day temp key.

 

Mine is [hidden email].  Please email me if you’d like a temp key.

 

Cheers,

 

Daniel Storey 

 

 


Re: SAML 2.0 support for Apache Guacamole through CAS

Gomez
The author has deleted this message.

Re: SAML 2.0 support for Apache Guacamole through CAS

stoda06
I actually ended up using an iRule to generate a set of passwords (using a hashing algorithm on the IP address of the endpoint) which I store statically in MySQL and put into the user request to guacamole.  The password is sent in clear text in the URL, but for my purposes that doesn’t matter.

Daniel Storey
 

On 13/11/19, 6:56 am, "Gomez" <[hidden email]> wrote:

    Hi Daniel,
   
    Did you ever get the F5 APM working with guacamole? I have a similar
    requirement.
    What did you end up using?
   
    Kind regards,
   
    Frederik.
   
   
   
   

Re: SAML 2.0 support for Apache Guacamole through CAS

vnick
On Tue, Nov 12, 2019 at 3:12 PM Daniel Storey <[hidden email]> wrote:
I actually ended up using an iRule to generate a set of passwords (using a hashing algorithm on the IP address of the endpoint) which I store statically in MySQL and put into the user request to guacamole.  The password is sent in clear text in the URL, but for my purposes that doesn’t matter.

Daniel Storey


On 13/11/19, 6:56 am, "Gomez" <[hidden email]> wrote:

    Hi Daniel,

    Did you ever get the F5 APM working with guacamole? I have a similar
    requirement.
    What did you end up using?


I'm not familiar with the F5 APM, but it's also worth noting that there is a guacamole-auth-header module available that may work for you.  You have to be careful with this - you want to make sure it's configured in such a way as to not allow someone to arbitrarily spoof usernames and get access to your Guacamole Client environment, but it can be used in a pinch.

-Nick
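Nick's caveat about guacamole-auth-header, illustrated with an added example that is not from this thread or the Guacamole project: an nginx reverse-proxy configuration in front of Tomcat. It assumes nginx on 127.0.0.1 proxying to Tomcat on 127.0.0.1:8080, nginx performing the authentication itself (in Daniel's setup the F5 APM would be the component injecting the header), the extension left at its default header name REMOTE_USER, and placeholder hostname and htpasswd path. The commented-out block is the weak pattern; the server block is the hardened one.

```nginx
# Weak pattern: nginx forwards client headers unchanged, so a browser that
# sends "REMOTE_USER: admin" itself is logged in as admin by the extension.
# location /guacamole/ {
#     proxy_pass http://127.0.0.1:8080/guacamole/;
# }

# Hardened pattern: the proxy authenticates, then OVERWRITES the identity
# header, so a client-supplied REMOTE_USER never reaches Guacamole.
server {
    listen 443 ssl;
    server_name guac.example.internal;          # placeholder hostname

    location /guacamole/ {
        auth_basic           "Guacamole";
        auth_basic_user_file /etc/nginx/guac.htpasswd;   # placeholder path

        # proxy_set_header replaces any REMOTE_USER the client sent with the
        # identity nginx actually verified.
        proxy_set_header REMOTE_USER $remote_user;
        # Strip the browser's Authorization header rather than forwarding it.
        proxy_set_header Authorization "";

        # Standard Guacamole proxy settings (WebSocket upgrade, no buffering).
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

The header only means anything if Tomcat is unreachable except through this proxy, so bind the Tomcat connector to 127.0.0.1 (or firewall port 8080) as well; otherwise a direct request to port 8080 bypasses the overwrite entirely.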