Details
- Improvement
- Status: Closed
- Minor
- Resolution: Done
Description
When SSO is in use, Guacamole automatically redirects all users to the IdP for sign-in. This works well if all necessary user accounts are available through that IdP, but effectively prevents logging in using any account unknown to the IdP and prevents using multiple SSO implementations.
For example:
- If SAML is enabled, but the common "guacadmin" administrative account has no counterpart in the SAML IdP, it will not be possible to sign in as "guacadmin" until a SAML user that maps to the "guacadmin" identity exists.
- If multiple SSO solutions are enabled, only the solution that sorts first by filename will be usable, with others not getting their chance to redirect to their IdPs.
This can be solved by:
- Defining explicit behavior for the SSO implementations when they are not sorted first (automatically adding a "Sign in with _____" button to the login prompt produced by extensions that sort before the SSO implementation).
- Providing an easier mechanism for adjusting extension order (rather than requiring renaming of files).