[GUACAMOLE-1364] Allow login with standard username/password when SSO is enabled - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Done
Affects Version/s: None
Fix Version/s: 1.4.0
Component/s: guacamole-auth-cas, guacamole-auth-openid, guacamole-auth-saml
Labels:
None

Description

When SSO is in use, Guacamole automatically redirects all users to the IdP for sign-in. This works well if all necessary user accounts are available through that IdP, but effectively prevents logging in using any account unknown to the IdP and prevents using multiple SSO implementations.

For example:

If SAML is enabled, but the common "guacadmin" administrative account has no counterpart in the SAML IdP, it will not be possible to sign in as "guacadmin" until a SAML user that maps to the "guacadmin" identity exists.
If multiple SSO solutions are enabled, only the solution that sorts first by filename will be usable, with others not getting their chance to redirect to their IdPs.

This can be solved by:

Defining explicit behavior for the SSO implementations when they are not sorted first (automatically adding a "Sign in with _____" button to the login prompt produced extension that sort before the SSO implementation).
Providing an easier mechanism for adjusting extension order (rather than requiring renaming of files).

Attachments

Activity

People

Assignee:: Mike Jumper

Reporter:: Mike Jumper

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 14/Jun/21 20:11

Updated:: 27/Dec/21 01:56

Resolved:: 27/Dec/21 01:56