mrrothe
commented
1 month ago Just to add, this was working without issue in 6.1 without the additional SAML configuration
Open mrrothe opened 1 month ago
mrrothe
commented
1 month ago Just to add, this was working without issue in 6.1 without the additional SAML configuration
SamuelHassine
commented
1 month ago Hello,
Here is the working configuration in our cloud env:
PROVIDERS__SAML__STRATEGY: "SamlStrategy"
PROVIDERS__SAML__CONFIG__LABEL: "Corporate login"
PROVIDERS__SAML__CONFIG__ISSUER: "opencti-filigran"
PROVIDERS__SAML__CONFIG__ENTRY_POINT: "https://login.microsoftonline.com/[REDACTED]/saml2"
PROVIDERS__SAML__CONFIG__SAML_CALLBACK_URL: "https://filigran.octi.filigran.io/auth/saml/callback"
PROVIDERS__SAML__CONFIG__DISABLE_REQUESTED_AUTHN_CONTEXT: "true"
PROVIDERS__SAML__CONFIG__CERT: "MIIC8DCCAdigAwIBAgIQfFMNtRPA5oxAfD5VLfjw9jANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQg[...]"
PROVIDERS__SAML__CONFIG__ACCOUNT_ATTRIBUTE: "http://schemas.microsoft.com/identity/claims/displayname"
PROVIDERS__SAML__CONFIG__FIRSTNAME_ATTRIBUTE: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
PROVIDERS__SAML__CONFIG__LASTNAME_ATTRIBUTE: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"I've tried adding the ACCOUNT/FIRSTNAME/LASTNAME ATTRIBUTE fields as per your config above - and tested with all combinations of WANT_AUTHN_RESPONSE_SIGNED and WANT_ASSERTIONS_SIGNED enabled/disabled.
Both -> "SAML assertion audience mismatch" Just 'WANT_ASSERTIONS_SIGNED=false' -> "Invalid document signature" Just 'WANT_AUTHN_RESPONSE_SIGNED=false' -> "SAML assertion audience mismatch" Neither -> "Invalid document signature"
Not sure if there's anything different that needs to be configured on the Entra ID side - no errors/issues in the Entra ID logs and I can't see any configuration options for signing etc on that end.
Does adding a private key to the SAML config allow the response/assertion to be signed and remove the need for these additional parameters? If so is there any documentation for generating this private key?
SamuelHassine
commented
1 month ago @pierremahot @sbocahu did we changed anything in our instances for the Microsoft Entra SAML2 configuration following the library upgrade?
MaxwellDPS
commented
1 month ago Seeing the same Issues with ADFS post upgrade to 6.2.6
mrrothe
commented
1 month ago I've done some testing with a newly created key-pair. Generated with OpenSSL, uploaded public to the SAML Verification Certificate section on Entra and the private into the OpenCTI config. Still had the same error about SAML assertion audience mismatch even with the requests being signed. I've found an option within Entra ID SAML settings to override the 'Audience claim value' - I've tried setting this to my OpenCTI URL with/without trailing slash but no change. https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization#advanced-saml-claims-options
Markus98
commented
1 month ago We faced the same issue but were able to fix it by explicitly setting the configuration variable PROVIDERS__SAML__CONFIG__AUDIENCE to the value that that is returned under <AudienceRestriction><Audience> in the SAML response.
mrrothe
commented
1 month ago @Markus98 That has solved it! Thanks very much for the tip
-- I don't think this configuration option is mentioned in the OpenCTI documentation at all, would it be worth adding a reference to it?
Description
As per release notes for 6.2.0, updated version of SAML library requires additional configuration to retain previous behavior with regards to assertion/response singing.
Despite adding the suggested configuration, authentication is still failing with the error
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Expected Output
User is logged in
Actual Output
Browser returns to OpenCTI login page
Additional information
Logs from Docker container