[ https://issues.apache.org/jira/browse/GUACAMOLE-2128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18023886#comment-18023886 ]

Mike Jumper commented on GUACAMOLE-2128:
----------------------------------------

I don't think this would have security concerns necessarily (the automatic 
redirect to the IdP is not part of the security model and is cosmetic - any 
installed auth mechanism can be used). We don't currently provide an option to 
_require_ SAML.

I'm not a huge fan of adding a bypass parameter - it feels a bit hackish as a 
control knob, and I'm not sure this is the sort of thing we should expose to 
users (even if not for security reasons). I'm also not sure what the 
alternative would be, though, if we want to service the use case that an 
administrator wishes to be able to avoid SAML temporarily.

> Add query parameter to bypass automatic IdP redirect in Guacamole SAML 
> extension
> --------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-2128
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2128
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-saml
>            Reporter: Gyula Szabó
>            Priority: Minor
>
> *Summary:*
> Currently, when the SAML extension is enabled in Apache Guacamole, the login 
> flow automatically redirects users to the IdP. This prevents access to the 
> built-in login form for administrative or fallback purposes. We propose 
> adding support for a query parameter that, when present, bypasses the 
> automatic redirect and instead shows the Guacamole login form.
> *Description:*
>  * Problem: With SAML enabled, Guacamole immediately redirects to the IdP, 
> blocking the default login UI.
>  * Workaround today: Temporarily remove the SAML extension or adjust 
> extension priority.
>  * Desired solution: Introduce a query parameter (e.g., ?nosaml=true) that 
> disables the SAML redirect for that session and displays the login form.
> *Acceptance Criteria:*
>  # When ?nosaml=true is appended to the Guacamole login URL, the login form 
> is shown instead of redirecting to the IdP.
>  # Default behavior (no parameter) remains unchanged: SAML users are 
> redirected automatically.
>  # Implementation should be secure, ensuring that the bypass only affects the 
> current request/session.
>  # Document the new parameter in Guacamole SAML extension docs.
> *Benefits:*
>  * Allows administrators to log in with local accounts while keeping SAML 
> enabled.
>  * Provides an emergency fallback when IdP is unavailable.
>  * Improves flexibility without requiring manual extension management.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
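The point the comment and the issue turn on is that the automatic IdP redirect is a presentation choice, while the actual access decision is made server-side by whichever installed mechanism accepts the submitted credentials. The model below is an added illustration written for this page; it is not Guacamole code and does not use the guacamole-auth-saml API. It assumes the parameter is spelled exactly as the issue proposes (`nosaml=true`), and the IdP URL, the local account and the accepted SAML subject are constructed stand-ins (a real deployment verifies a signed assertion and stores a password hash, not the values shown here).

```python
"""Toy model of a login front door with an optional '?nosaml=true' bypass.

Added illustration, not Guacamole code. The IdP URL, the local account and
the SAML subject below are constructed stand-ins for the example.
"""
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

IDP_LOGIN_URL = "https://idp.example.test/sso/login"  # constructed stand-in

# Constructed credential stores. A real system keeps a password hash and
# validates the XML signature on the SAML assertion; here a 'verified' flag
# stands in for the signature check.
LOCAL_USERS = {"admin": "correct horse battery staple"}
SAML_SUBJECTS = {"alice@example.test"}


def bypass_requested(url: str) -> bool:
    """True only for an exact 'nosaml=true' in the query string of this URL.

    Strict match: 'nosaml=1', 'nosaml=TRUE', a bare 'nosaml' or a repeated
    parameter do not count, so the knob is not tripped by accident.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("nosaml") == ["true"]


def login_view(url: str, saml_enabled: bool = True) -> dict:
    """Decide what a GET of the login page does: redirect to the IdP or show
    the built-in form. This is cosmetic; nothing here grants access.

    The decision is derived from this request alone. No cookie or session
    flag is written, so a later request without the parameter redirects
    again, which is what the issue's third acceptance criterion asks for.
    """
    if saml_enabled and not bypass_requested(url):
        return {"action": "redirect", "location": IDP_LOGIN_URL}
    return {"action": "form"}


def authenticate(credentials: dict) -> Optional[str]:
    """Server-side authentication, run for every login POST regardless of
    which view the user saw. Each installed mechanism gets a try; the first
    that accepts wins. Returns the authenticated username or None.
    """
    # Mechanism 1: a SAML assertion ('verified' stands in for the signature
    # check a real SP performs before trusting the subject).
    assertion = credentials.get("saml_assertion")
    if assertion and assertion.get("verified") \
            and assertion.get("subject") in SAML_SUBJECTS:
        return assertion["subject"]

    # Mechanism 2: local username/password, compared in constant time.
    user = credentials.get("username")
    password = credentials.get("password")
    if user in LOCAL_USERS and isinstance(password, str) \
            and hmac.compare_digest(LOCAL_USERS[user], password):
        return user
    return None


def walkthrough() -> list:
    """Two consecutive requests: the bypassed one shows the form, the next
    plain one redirects again, and a wrong local password is still refused
    even though the form was reachable."""
    base = "https://guac.example.test/"  # constructed hostname
    return [
        login_view(base + "?nosaml=true")["action"],
        login_view(base)["action"],
        authenticate({"username": "admin", "password": "wrong"}),
    ]


if __name__ == "__main__":
    print(walkthrough())
```

The separation is what makes the parameter safe to expose: `login_view` only decides whether the browser is sent to the IdP, and `authenticate` never consults it, so a user who reaches the form with `?nosaml=true` still has to present credentials that some installed mechanism accepts. Whether exposing the knob is good practice is the open question in the comment above; the model only shows that it does not need to change the access decision.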
