TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Feature Request] Possible to add user to multi-org using SSO #2086

Open azgaviperr opened 3 years ago

azgaviperr commented 3 years ago

Hello,

Currently it is not possible to create a multi-Org user using SSO.

That could be a handy feature for an MSSP or a multi-tenant organisation.

Using a Workaround with Shuffle for now.

Used to be a bug report because I was lacking insight on how Keycloak works.

Request Type

Bug

Work Environment

Question: Answer
OS version (server): Docker SWARM
OS version (client): Viperr,
Virtualized Env.: True
Dedicated RAM: 16 GB
vCPU: 8
TheHive version / git hash: 4.x, hash of the commit
Package Type: RPM, DEB, Docker, Binary, From source
Database: Cassandra
Index type: Elasticsearch
Attachments storage: Local (GlusterFS)
Browser type & version: If applicable

Problem Description

After setting up SSO I am able to connect with a new user on TheHive and create its profile and Org. I have a multiple-Org instance. Only the default Org is taken into consideration.

However, the user.organisationFieldName: organisation is ignored while the user.profileFieldName: profile is working properly.

I am using Keycloak and added those info as attribute.

I was also unable to create a multi-org account (like a user who could be in 2 Orgs as org-admin and Admin on the admin org).

Steps to Reproduce

  1. setup SSO with keycloak
  2. configure the autocreation
  3. Try to login using a user defined in Keycloak with a secondary ORG (different than the default)

Possible Solutions

No idea

Complementary information

user.autoCreateOnSso: true
user.profileFieldName: profile
user.organisationFieldName: organisation
user.defaults.profile: read-only
user.defaults.organisation: Org1
auth {
  providers: [
    {name: session}
    {name: basic, realm: thehive}
    {name: local}
    {name: key}
    {
      name: oauth2
      clientId: "thehive"
      clientSecret: "supersecret"
      redirectUri: "http://127.0.0.1:9000/api/v1/ssoLogin"
      responseType: "code"
      grantType: "authorization_code"
      authorizationUrl: "http://sso/auth/realms/demo/protocol/openid-connect/auth"
      authorizationHeader: "Bearer"
      tokenUrl: "http://sso/auth/realms/demo/protocol/openid-connect/token"
      userUrl: "http://sso/auth/realms/demo/protocol/openid-connect/userinfo"
      scope: ["openid", "email"]
      userIdField: "email"
      userOrganisationFieldName: "organisation"
      profileFieldName: "profile"
    }
  ]
}

azgaviperr commented 3 years ago

I am wondering if it's not because user use the api/v1 and not organisations

vdebergue commented 3 years ago

With the default configuration of Keycloak, the custom user attribute organisation is not sent by the Keycloak server to the TheHive server.

I managed to get the auto user creation to work with Keycloak by adding a mapper to the client and using your configuration:


Note that TheHive user autocreate only adds the user to one organisation.

azgaviperr commented 3 years ago

Thanks, that helped; however this can't be used to create multi-org accounts.

vdebergue commented 3 years ago

Yes, you are right, the creation of multi-org users is not yet supported when using the SSO autocreate feature.

azgaviperr commented 3 years ago

Ok thanks, that's fine, gonna change the ticket to Feature Request, as it wasn't a bug, just me being dumb. Thanks @vdebergue

marcoordonez0703 commented 3 years ago

Hey guys, @azgaviperr I have a question about your setup.

I am also using Keycloak for this and the field user.profileFieldName: profile on the Keycloak side can be either "org-admin", "analyst" or "read-only". However, user auto-creation fails because Keycloak sends a list with one string and TheHive expects a string: ["analyst"] --> "analyst"

How did you get around this? Or are you sending only "analyst" as the profile to be created?

thanks in advance.
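A small diagnostic for the two autocreate failure modes discussed in this thread (the claim missing because no Keycloak client mapper emits it, and the claim arriving as a single-element list instead of a string), written here as an added example; it is not TheHive or Keycloak code. The claim names and the three profile names come from the thread; the normalize_claim helper and the sample userinfo payloads are constructed assumptions.

```python
import json

# Profile names mentioned in the thread (constructed allow-list for the check).
KNOWN_PROFILES = {"org-admin", "analyst", "read-only"}


def normalize_claim(value):
    """Hypothetical helper: unwrap a one-element list into the plain string autocreate expects."""
    if isinstance(value, list) and len(value) == 1 and isinstance(value[0], str):
        return value[0]
    return value


def check_userinfo_claims(userinfo, profile_field="profile", org_field="organisation"):
    """Report, per claim, whether a userinfo response is usable by SSO autocreate.

    Defaults match the thread's user.profileFieldName / user.organisationFieldName.
    """
    findings = {}
    for field in (profile_field, org_field):
        value = userinfo.get(field)
        if value is None:
            # Keycloak only emits custom user attributes through a client mapper.
            findings[field] = "missing: no claim in userinfo (client mapper not configured?)"
        elif isinstance(value, str):
            findings[field] = "ok"
        elif isinstance(value, list):
            # A multivalued mapper emits a JSON array; TheHive wants a plain string.
            findings[field] = f"list-wrapped: got {value!r}, expected {normalize_claim(value)!r}"
        else:
            findings[field] = f"unexpected type: {type(value).__name__}"
    profile = normalize_claim(userinfo.get(profile_field))
    if isinstance(profile, str) and profile not in KNOWN_PROFILES:
        findings[profile_field] = f"unknown profile: {profile!r}"
    return findings


# Constructed sample userinfo responses, one per case discussed in the thread.
SAMPLE_USERINFO = {
    "no_mapper": {"sub": "u1", "email": "alice@example.org"},
    "list_wrapped": {"sub": "u2", "email": "bob@example.org",
                     "profile": ["analyst"], "organisation": ["Org1"]},
    "string": {"sub": "u3", "email": "carol@example.org",
               "profile": "org-admin", "organisation": "Org2"},
}

if __name__ == "__main__":
    for name, payload in SAMPLE_USERINFO.items():
        print(name, json.dumps(check_userinfo_claims(payload)))
```

Point it at a real userinfo response (the JSON returned by the userUrl endpoint in the configuration above) to see which of the two fixes applies before touching the TheHive side.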

azgaviperr commented 2 years ago

It should now be possible to do that without tweaks since the last update of TheHive. I was using a mapper as string as a workaround.

cunhaac commented 1 month ago

Any updates about this feature? @nadouani