[jira] [Commented] (GUACAMOLE-2128) Add query parameter to bypass automatic IdP redirect in Guacamole SAML extension

Fri, 17 Oct 2025 17:44:49 -0700 


    [ 
https://issues.apache.org/jira/browse/GUACAMOLE-2128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18023889#comment-18023889
 ] 

Mike Jumper commented on GUACAMOLE-2128:
----------------------------------------

If there's a way to:

# Provide an automatic fallback mechanism within SAML, etc. (so that the 
redirect can simply not happen automatically if the IdP is having issues).
# Allow administrators to choose whether to enable this fallback behavior.

I think that'd be preferable.

> Add query parameter to bypass automatic IdP redirect in Guacamole SAML 
> extension
> --------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-2128
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2128
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-saml
>            Reporter: Gyula Szabó
>            Priority: Minor
>
> {*}Summary:{*}{*}{*}
> Currently, when the SAML extension is enabled in Apache Guacamole, the login 
> flow automatically redirects users to the IdP. This prevents access to the 
> built-in login form for administrative or fallback purposes. We propose 
> adding support for a query parameter that, when present, bypasses the 
> automatic redirect and instead shows the Guacamole login form.
> {*}Description:{*}{*}{*}
>  * Problem: With SAML enabled, Guacamole immediately redirects to the IdP, 
> blocking the default login UI.
>  * Workaround today: Temporarily remove the SAML extension or adjust 
> extension priority.
>  * Desired solution: Introduce a query parameter (e.g., ?nosaml=true) that 
> disables the SAML redirect for that session and displays the login form.
> {*}Acceptance Criteria:{*}{*}{*}
>  # When ?nosaml=true is appended to the Guacamole login URL, the login form 
> is shown instead of redirecting to the IdP.
>  # Default behavior (no parameter) remains unchanged: SAML users are 
> redirected automatically.
>  # Implementation should be secure, ensuring that the bypass only affects the 
> current request/session.
>  # Document the new parameter in Guacamole SAML extension docs.
> {*}Benefits:{*}{*}{*}
>  * Allows administrators to log in with local accounts while keeping SAML 
> enabled.
>  * Provides an emergency fallback when IdP is unavailable.
>  * Improves flexibility without requiring manual extension management.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to