[
https://issues.apache.org/jira/browse/GUACAMOLE-2128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18017072#comment-18017072
]
Nick Couchman commented on GUACAMOLE-2128:
------------------------------------------
I'm a bit on the fence about doing this:
* I think the way we've structured the current interface, where you can either
accept the automatic redirect or change the extension priority and have the
login dialog box come up both works well and is consistent with other systems
that I've seen that support a combination of SSO login and/or internal
credentials.
* The current method of loading the SAML extension after other extensions does
have a URL that you can provide and use directly if you want to automatically
redirect to the SAML IdP, even when the login dialog is presented by default -
e.g. [https://guacamole.example.com/api/ext/saml/login]
* I wonder if such an option causes any security concerns - maybe not, there
isn't anything specific I can think of off the top of my head, but it seems
like, in situations where you truly do want users to be forced to go through
SSO, having an option available as a URL parameter that could be used by
someone to bypass that requirement on any installation of Guacamole seems like
a bad idea. The current method of doing it, where the SAML extension has to be
loaded either first (to always force the redirect) or after others (to present
the login dialog and the option) puts the power to control that squarely into
the hands of the administrators of the system. Adding a URL parameter for it
makes it a bit more arbitrary and up to users - or attackers - as to which one
they'd like to force/prefer.
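As an added illustration of the administrator-controlled mechanism the comment above refers to (this is not code from the Guacamole project or from the comment), the two `extension-priority` settings side by side as they would appear in `guacamole.properties`. The property name and the `*` wildcard are the ones documented in the Guacamole manual; the hostname is a placeholder.

```properties
# Added example, not from the Guacamole project or from this Jira comment.
# guacamole.properties: which extension is consulted first decides whether
# the SAML redirect happens automatically. The file, not the request,
# carries that decision, so only an administrator can change it.

# Option A: load the SAML extension before every other extension.
# Each visit to the login page is redirected straight to the IdP; reaching
# a local (database) account requires editing this file and restarting.
# extension-priority: saml

# Option B: load the SAML extension after all others ("*" stands for every
# other installed extension). The built-in login form is shown first, with
# SAML offered as an additional option. A user who wants the IdP directly
# can still be sent to the extension's own login endpoint, e.g.
# https://guacamole.example.com/api/ext/saml/login (placeholder host).
extension-priority: *, saml
```

Use exactly one of the two lines; with Option A active, no query parameter or client-side choice reaches the local login form, which is the property the comment wants preserved.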
> Add query parameter to bypass automatic IdP redirect in Guacamole SAML
> extension
> --------------------------------------------------------------------------------
>
> Key: GUACAMOLE-2128
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2128
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-saml
> Reporter: Gyula Szabó
> Priority: Minor
>
> *Summary:*
> Currently, when the SAML extension is enabled in Apache Guacamole, the login
> flow automatically redirects users to the IdP. This prevents access to the
> built-in login form for administrative or fallback purposes. We propose
> adding support for a query parameter that, when present, bypasses the
> automatic redirect and instead shows the Guacamole login form.
> *Description:*
> * Problem: With SAML enabled, Guacamole immediately redirects to the IdP,
> blocking the default login UI.
> * Workaround today: Temporarily remove the SAML extension or adjust
> extension priority.
> * Desired solution: Introduce a query parameter (e.g., ?nosaml=true) that
> disables the SAML redirect for that session and displays the login form.
> *Acceptance Criteria:*
> # When ?nosaml=true is appended to the Guacamole login URL, the login form
> is shown instead of redirecting to the IdP.
> # Default behavior (no parameter) remains unchanged: SAML users are
> redirected automatically.
> # Implementation should be secure, ensuring that the bypass only affects the
> current request/session.
> # Document the new parameter in Guacamole SAML extension docs.
> *Benefits:*
> * Allows administrators to log in with local accounts while keeping SAML
> enabled.
> * Provides an emergency fallback when IdP is unavailable.
> * Improves flexibility without requiring manual extension management.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)