Forum Discussion

DanielStorey
Aug 21, 2020

Getting SAML working from APM to Guacamole

Hi All,

I'm currently using an iRule to create a password for Guacamole and using URL-based login with a predetermined username and that password (which has been synchronised on the back-end to MySQL).

But now with Guacamole 1.2, they've included SAML support which I've been able to get working with onelogin.com, but not with F5 APM. I see a request from APM to Guacamole and then a response back from Guacamole and then these entries in the APM logs:

Aug 21 09:56:05 f5-vpn notice tmm1[13465]: 014d1602:5: /Common/login.guacamole.rededucation.com.app/login.guacamole.rededucation.com:Common:b3c3ff31:SAML SSO: BIG-IP as IdP (/Common/login.guacamole.rededucation.com.app/login.guacamole.rededucation.com_login.guacamole.rededucation.com_saml_sso) sent SAML response (Assertion) (size: 8573) with status (urn:oasis:names:tc:SAML:2.0:status:Success) to SP (/Common/saml_guacamole) for subject type (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) value (hn8cYnzVXUegJBO89ITyAA==)

Aug 21 09:56:17 f5-vpn err tmm1[13465]: 014d1005:3: /Common/login.guacamole.rededucation.com.app/login.guacamole.rededucation.com:Common:b3c3ff31:SAML SSO: Error: No SP Connector attached to SAML SSO from assigned SAML resources matching authentication request. If ACS URL is present in authentication request it should match ACS URL from SP Connector. If Issuer is present in authentication request it should match entity_id from SP connector

Aug 21 09:56:17 f5-vpn err tmm1[13465]: 014d1014:3: /Common/login.guacamole.rededucation.com.app/login.guacamole.rededucation.com:Common:b3c3ff31:SAML SSO: Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request

Aug 21 09:56:17 f5-vpn err tmm1[13465]: 014d1011:3: /Common/login.guacamole.rededucation.com.app/login.guacamole.rededucation.com:Common:b3c3ff31:SAML SSO: Abort reason:  Error in decompression callback

Aug 21 09:56:24 f5-vpn notice tmm[13465]: 01490521:5: /Common/ap_labs.rededucation.com:Common:fda6f4c4: Session statistics - bytes in: 4962, bytes out: 4146

I'm wondering what these log messages mean? The SAML SSO/SP Connector has a matching URL in it, so I'm not sure why it's not able to be contacted when Guacamole refers back to APM.

Any help would be much appreciated!

Cheers,

Daniel Storey

  • Got it working. I didn't have the ACS URL correctly matching what was being passed back on the SAML request from Guacamole - it's working!
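
A way to check for the mismatch described in this thread, as an added example that is not part of the original posts and is not F5 or Guacamole code: it decodes a captured SAMLRequest and compares its Issuer and ACS URL with the values entered in the SP connector. It assumes the request was sent with the HTTP-Redirect binding (raw DEFLATE, then base64) and compares strings exactly; all hostnames, paths and function names are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_authn_request(redirect_url):
    """Return (issuer, acs_url) from a SAMLRequest sent via HTTP-Redirect."""
    query = parse_qs(urlparse(redirect_url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15)  # raw DEFLATE, no zlib header
    if b"<!DOCTYPE" in xml:  # SAML messages carry no DTD; refuse entity tricks
        raise ValueError("DTD not allowed in SAML message")
    root = ET.fromstring(xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    return (issuer.strip() if issuer else None,
            root.get("AssertionConsumerServiceURL"))

def check_against_connector(redirect_url, entity_id, acs_url):
    """List mismatches between the request and the SP connector values."""
    issuer, req_acs = decode_authn_request(redirect_url)
    problems = []
    # Per the APM log text, a field is only compared when the request has it.
    if issuer is not None and issuer != entity_id:
        problems.append(f"Issuer {issuer!r} != connector entity_id {entity_id!r}")
    if req_acs is not None and req_acs != acs_url:
        problems.append(f"ACS URL {req_acs!r} != connector ACS URL {acs_url!r}")
    return problems

def sample_redirect_url(acs):
    """Constructed sample request; all hostnames and paths are placeholders."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" '
           f'Version="2.0" AssertionConsumerServiceURL="{acs}">'
           '<saml:Issuer>https://guac.example.test</saml:Issuer>'
           '</samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return "https://idp.example.test/sso?" + query

if __name__ == "__main__":
    url = sample_redirect_url("https://guac.example.test/callback")
    # Connector configured with a trailing slash: reported as a mismatch.
    for line in check_against_connector(
            url, "https://guac.example.test", "https://guac.example.test/callback/"):
        print(line)
```

To use it on a real request, pass the full redirect URL captured from the browser's network trace in place of the constructed sample.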