Timshel / vaultwarden

Fork of dani-garcia/vaultwarden to add OpenID support.

SSO Configuration with Microsoft Azure (Entra ID) #39

Closed jobritz closed 7 months ago

jobritz commented 8 months ago

Hi, I'm currently trying to set up Vaultwarden with Microsoft Azure SSO and I'm struggling with the mapping of new users to Organizations. I added a group claim to the SSO token and assigned a group to the application and to my user account. Then I added an Organization which has the same name as this group, but I am still not being invited automatically to this Organization. I searched for the token in my log files but I couldn't find the right one, even though I activated the sso_debug_tokens option. Do you have an idea how my token configuration in Azure should look for this to work, or could you tell me where to find all the SSO tokens?

Thanks a lot for your help

Your environment (Generated via diagnostics page)

Config

Show Running Config **Environment settings which are overridden:** ADMIN_TOKEN ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": false, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://****************************", "domain_origin": "*****://****************************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "HENSOLDT Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", 
"job_poll_interval_ms": 30000, "log_file": "/log/vaultwarden.log", "log_level": "Info", "log_level_override": "", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "**********************", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": false, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": false, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "************,***********", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "************************", "smtp_from_name": "Vaultwarden", "smtp_host": "*******************", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "https://login.microsoftonline.com/xxx/v2.0", "sso_authorize_extra_params": "", "sso_callback_path": "https://vaultwarden.app.hensoldt.net/identity/connect/oidc-signin", "sso_client_id": "xxx", "sso_client_secret": "***", "sso_debug_tokens": true, "sso_enabled": true, "sso_experimental_no_master_pwd": false, "sso_master_password_policy": 
"{\"enforceOnLogin\":true,\"minComplexity\":4,\"minLength\":12,\"requireLower\":true,\"requireNumbers\":true,\"requireSpecial\":true,\"requireUpper\":true}", "sso_only": false, "sso_organizations_invite": true, "sso_organizations_token_path": "/groups", "sso_roles_default_to_user": true, "sso_roles_enabled": false, "sso_roles_token_path": "/resource_access/xxx/roles", "sso_scopes": "email profile offline_access", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": false, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ```
jobritz commented 8 months ago

I figured out where I can find the token, but currently only the Group ID is displayed and I would like to change this to a readable group name.

Timshel commented 8 months ago

Hey, if I understand correctly, Azure sends you the Group ID, which does not match the Organization name?

I don't have access to an Azure provider, so I can't really help you with how to configure it to send the group name instead.

jobritz commented 7 months ago

Yes, I figured out how to do it, but right now my Organization in Vaultwarden is named after the Group ID of the Azure group, which is just not sufficient for a production environment. I will test it with different settings. Nevertheless, thank you for your help.

Timshel commented 7 months ago

Some additional thoughts:

One solution I can see would be to provide the mapping between IDs as an additional config parameter. This would remove the need for an exact match on the Org name. On the Vaultwarden side the org ID is displayed in the vault URL. Will test it and get back to you :).

Timshel commented 7 months ago

Added the SSO_ORGANIZATIONS_ID_MAPPING config to allow defining a mapping between the provider ID and the Vaultwarden org UUID: "ProviderId:VaultwardenId;".

Will be available in timshel:vaultwarden:1.30.5-5 (build should take around 1h)

Timshel commented 7 months ago

Hey, did it help with your issue?

jobritz commented 7 months ago

Hi, currently I don't have access to the environment, so I am not able to test it. I will give you feedback as soon as I am back at my workplace.

jobritz commented 7 months ago

Hey, I tested it just now but did not manage to make it work. The mapping to an Organization with the same name as the Azure Group ID also doesn't work anymore. I was quite confused because some configuration options are now in the read-only config section (SSO_AUTHORITY, CLIENT_ID, CLIENT_SECRET, etc.). I added my current configuration:

Your environment (Generated via diagnostics page)

Config (Generated via diagnostics page)

Show Running Config **Environment settings which are overridden:** ADMIN_TOKEN, SSO_MASTER_PASSWORD_POLICY ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": false, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://****************************", "domain_origin": "*****://****************************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, 
"invitation_expiration_hours": 120, "invitation_org_name": "XXXXXX Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/log/vaultwarden.log", "log_level": "debug", "log_level_override": "", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "**********************", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": false, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": false, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "************,***********", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "************************", "smtp_from_name": "Vaultwarden", "smtp_host": "*******************", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "https://login.microsoftonline.com/b70374ee-7ecf-4084-811c-1d38959350b6/v2.0", "sso_authorize_extra_params": "", "sso_callback_path": "https://*************************/identity/connect/oidc-signin", "sso_client_cache_expiration": 0, "sso_client_id": 
"338002b7-91cc-4e23-8061-c7964908d8fb", "sso_client_secret": "***", "sso_debug_tokens": true, "sso_enabled": true, "sso_master_password_policy": "{\"enforceOnLogin\":true,\"minComplexity\":4,\"minLength\":12,\"requireLower\":true,\"requireNumbers\":true,\"requireSpecial\":true,\"requireUpper\":true}", "sso_only": false, "sso_organizations_id_mapping": "\"4a60b709-5322-4bf6-a591-32cddeabd25a:b0ee6262-8ef0-4b8c-8f66-411f0b7e9511;\"", "sso_organizations_invite": false, "sso_organizations_token_path": "/roles", "sso_pkce": false, "sso_roles_default_to_user": true, "sso_roles_enabled": false, "sso_roles_token_path": "/resource_access/338002b7-91cc-4e23-8061-c7964908d8fb/roles", "sso_scopes": "email profile offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ```
jobritz commented 7 months ago

I just found the issue: after the update, sso_organizations_invite had turned back to false. It works perfectly now, thanks for your support :).

Timshel commented 7 months ago

Hey, yes, sorry for the change in configuration visibility in the admin panel. I made a pass recently and decided to keep only the ones which I believe make sense to change "live".

Another reason for the change was that there is not much space for descriptions, so I wanted to encourage people to interact with the .env file, which contains a detailed description of each setting.