GUACAMOLE-1364: Allow both traditional username/password and SSO.

2025-09-06 21:27:40 +00:00 · 2021-11-25 19:35:46 -08:00
parent 7dc0b3b509
commit 0e9860ecf7
26 changed files with 360 additions and 208 deletions
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/AuthenticationProviderService.java
@@ -21,6 +21,7 @@ package org.apache.guacamole.auth.saml;

 import com.google.inject.Inject;
 import com.google.inject.Provider;
+import com.google.inject.Singleton;
 import java.net.URI;
 import java.util.Arrays;
 import javax.servlet.http.HttpServletRequest;
@@ -35,12 +36,13 @@ import org.apache.guacamole.form.RedirectField;
 import org.apache.guacamole.language.TranslatableMessage;
 import org.apache.guacamole.net.auth.Credentials;
 import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
-import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
+import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;

 /**
 * Service that authenticates Guacamole users by processing the responses of
 * SAML identity providers.
 */
+@Singleton
 public class AuthenticationProviderService implements SSOAuthenticationProviderService {

    /**
@@ -94,7 +96,7 @@ public class AuthenticationProviderService implements SSOAuthenticationProviderS
        // Redirect to SAML IdP if no SAML identity is associated with the
        // Guacamole authentication request
        URI authUri = saml.createRequest();
-        throw new GuacamoleInsufficientCredentialsException("Redirecting to SAML IdP.",
+        throw new GuacamoleInvalidCredentialsException("Redirecting to SAML IdP.",
                new CredentialsInfo(Arrays.asList(new Field[] {
                    new RedirectField(AUTH_SESSION_QUERY_PARAM, authUri,
                            new TranslatableMessage("LOGIN.INFO_IDP_REDIRECT_PENDING"))
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/SAMLAuthenticationProvider.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/SAMLAuthenticationProvider.java
@@ -19,7 +19,6 @@

 package org.apache.guacamole.auth.saml;

-import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.saml.acs.AssertionConsumerServiceResource;
 import org.apache.guacamole.auth.sso.SSOAuthenticationProvider;

@@ -36,7 +35,9 @@ public class SAMLAuthenticationProvider extends SSOAuthenticationProvider {
     * against a SAML IdP.
     */
    public SAMLAuthenticationProvider() {
-        super(AuthenticationProviderService.class, new SAMLAuthenticationProviderModule());
+        super(AuthenticationProviderService.class,
+                AssertionConsumerServiceResource.class,
+                new SAMLAuthenticationProviderModule());
    }

    @Override
@@ -44,9 +45,4 @@ public class SAMLAuthenticationProvider extends SSOAuthenticationProvider {
        return "saml";
    }

-    @Override
-    public Object getResource() throws GuacamoleException {
-        return getInjector().getInstance(AssertionConsumerServiceResource.class);
-    }
-
 }
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AssertionConsumerServiceResource.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/AssertionConsumerServiceResource.java
@@ -30,6 +30,7 @@ import javax.ws.rs.core.UriBuilder;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.saml.AuthenticationProviderService;
 import org.apache.guacamole.auth.saml.conf.ConfigurationService;
+import org.apache.guacamole.auth.sso.SSOResource;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

@@ -38,7 +39,7 @@ import org.slf4j.LoggerFactory;
 * endpoint. SAML identity providers will issue an HTTP POST to this endpoint
 * asserting the user's identity when the user has successfully authenticated.
 */
-public class AssertionConsumerServiceResource {
+public class AssertionConsumerServiceResource implements SSOResource {

    /**
     * Logger for this class.
@@ -63,6 +64,11 @@ public class AssertionConsumerServiceResource {
    @Inject
    private SAMLService saml;

+    @Override
+    public Response redirectToIdentityProvider() throws GuacamoleException {
+        return Response.seeOther(saml.createRequest()).build();
+    }
+
    /**
     * Processes the SAML response submitted by the SAML IdP via an HTTP POST.
     * If SSO has been successful, the user is redirected back to Guacamole to
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/resources/guac-manifest.json
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/resources/guac-manifest.json
@@ -9,6 +9,15 @@
        "org.apache.guacamole.auth.saml.SAMLAuthenticationProvider"
    ],

+    "css" : [
+        "styles/sso-providers.css"
+    ],
+
+    "html" : [
+        "html/sso-providers.html",
+        "html/sso-provider-saml.html"
+    ],
+
    "translations" : [
        "translations/ca.json",
        "translations/de.json",
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/resources/html/sso-provider-saml.html
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/resources/html/sso-provider-saml.html
@@ -0,0 +1,4 @@
+<meta name="after-children" content=".login-ui .sso-provider-list:last-child">
+<li class="sso-provider sso-provider-saml"><a href="api/ext/saml/login">{{
+    'LOGIN.NAME_IDP_SAML' | translate
+}}</a></li>