After successfully configuring OpenCTI to leverage ADFS via OpenID Connect for SSO, a user can successfully log in, but then OpenCTI will fail to create a new user because it is not able to detect the email / name / etc. from the userinfo.
The relevant code block is here: https://github.com/OpenCTI-Platform/opencti/blob/6.1.12/opencti-platform/opencti-graphql/src/config/providers.js#L350-L367
When I inspected the data obtained inside of the `userinfo` object, it only contains an object like the following: `{ sub: <BASE64 encoded data> }`, so attempting to access a key of `email`, `name`, etc. will yield an undefined value.
When looking at the ADFS documentation, it seems that the userinfo endpoint will not return additional claims; see link and screenshot below:
Microsoft recommends that if you would like to access claims, you should do so by including them in the `id_token`:
With that in mind, I inspected the decoded JWT for the `id_token` and it does include all the claims for `email`, `name`, etc.
With that in mind, I propose that a change should be made to support looking for these values within the `id_token` as well as the current `userinfo`, so that authentication can be supported for ADFS.
Environment
OS (where OpenCTI server runs): Docker
OpenCTI version: 6.1.12
OpenCTI client: Docker
Other environment details:
Reproducible Steps
Steps to create the smallest reproducible scenario:
Configure OpenCTI for OpenID Connect SSO provided by Microsoft ADFS
Successfully authenticate via ADFS
OpenCTI will fail to create user
Expected Output
OpenCTI should be able to detect successfully authenticated users
Actual Output
OpenCTI is not detecting successfully authenticated users