Expand Up @@ -20,6 +20,7 @@
package org.apache.guacamole.auth.jdbc.base;

import com.google.inject.Inject;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import org.apache.guacamole.auth.jdbc.permission.SystemPermissionService;
Expand Down Expand Up @@ -212,6 +213,26 @@ public Set<String> getEffectiveUserGroups() {
Collections.<String>emptySet());
}

/**
* Returns the identifiers of all user groups that apply to this entity,
* including groups defined within the database (inherited through
* membership) and any additional groups provided externally (such as from
* an SSO provider like SAML or LDAP). The external groups are used as
* additional seeds for recursive DB group expansion, so any parent groups
* of external groups in the database are also included in the result.
*
* @param externalEffectiveGroups
* The identifiers of any externally-asserted group memberships (e.g.
* SAML claims) that should be used as seeds for DB group expansion.
*
* @return
* The identifiers of all user groups that apply to this entity,
* including DB-inherited parent groups of the external groups.
*/
public Set<String> expandEffectiveGroups(Collection<String> externalEffectiveGroups) {
return entityService.retrieveEffectiveGroups(this, externalEffectiveGroups);
}

/**
* Returns a Permissions object which represents all permissions granted to
* this entity, including any permissions inherited through group
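Review bot: The Javadoc on expandEffectiveGroups() does not state the trust requirement on its argument: every identifier in externalEffectiveGroups is handed to entityService.retrieveEffectiveGroups() as a seed, so a claim whose name matches a database group brings in that group's parents and, presumably, the permissions attached to them. Because the method is public, I would add to the @param text something like `Must contain only group identifiers asserted by an authenticated, trusted provider; never values taken from request input.` The null contract is also undocumented; the neighbouring getEffectiveUserGroups() passes `Collections.<String>emptySet()`, so either document that null is not allowed or normalise it here. Minor wording: LDAP is a directory rather than an SSO provider, so "an SSO provider like SAML or LDAP" could be reworded.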
Expand Up @@ -19,7 +19,6 @@

package org.apache.guacamole.auth.jdbc.user;

import com.google.common.collect.Sets;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
Expand Down Expand Up @@ -170,11 +169,21 @@ public String getIdentifier() {
public void setIdentifier(String identifier) {
user.setIdentifier(identifier);
}



/**
* Expands a user's groups through the parents in database group hierarchy
* so that parent groups of external groups (e.g. SAML/SSO group claims)
* are included. This also covers the user's own direct
* DB memberships (via entity_id) and skeleton users with null entity_id.
*
* @return
* The set of effective groups for this user, whether inherited or
* direct.
*/
@Override
public Set<String> getEffectiveUserGroups() {
return Sets.union(user.getEffectiveUserGroups(),
super.getEffectiveUserGroups());
return user.expandEffectiveGroups(super.getEffectiveUserGroups());
}

/**
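Review bot: The new return in getEffectiveUserGroups() drops the union with super.getEffectiveUserGroups(), so externally-asserted groups now appear in the result only if entityService.retrieveEffectiveGroups() (reached through user.expandEffectiveGroups(), body not visible here) returns its seeds along with their parents. If that query returns only groups that exist in the database, an SSO group with no matching row silently disappears from the effective set, and any authorization decision other code makes from this set changes with it. Unless that is intended, keep the seeds explicitly, e.g. `return Sets.union(super.getEffectiveUserGroups(), user.expandEffectiveGroups(super.getEffectiveUserGroups()));` (which means keeping the Sets import this commit removes), and add a test for an external group that is absent from the database. The Javadoc's statement about skeleton users with a null entity_id also depends on that service method, so it deserves a test as well.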