dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

All users fail to authenticate - not member of groups #2083

Open tuptaker opened 3 years ago

tuptaker commented 3 years ago

Hi all, my team is trying to use the groupsAttr and allowedGroups connector config properties to control which users from an organization can log in. Unfortunately, it seems like no one is allowed to log in with this setup and we were trying to figure out what might be wrong with our connector config. Can someone have a look and let us know what we might be missing or if we've specified something incorrectly in the config? Here's the yaml for the connector config:

- type: saml
  id: fakecompany
  name: Fake Company
  config:
    ssoIssuer: urn:com:fakeco:federation:uat
    ssoURL: https://sso-uat.fakeco.com/idp/SSO.saml2
    ca: ./cert/fakeco/fakeco-saml-sso-uat.pem
    redirectURI: https://dex-idp.myidportal.com/callback
    entityIssuer: https://dex-idp.myidportal.com/callback
    emailAttr: email                 # required
    usernameAttr: displayName        # required - the displayed name of user
    nameIDPolicyFormat: unspecified  # optional - default if omitted: persistent
    groupsAttr: role                 # optional - only if provided
    #groupsDelim: ", "               # optional - only used if multiple groups in single attribute
    allowedGroups:                   # optional list of groups to filter by membership
      - COMPANY-ADMIN
    filterGroups: false              # true = reject users for being in any group not in allowedGroups

And here's the logging from dex when a user from this organization tries to login:

time="2021-04-12T12:58:14Z" level=info msg="parsed and verified saml response attributes \"role\" = \"COMPANY-ADMIN\", \"displayName\" = \"Fabrizio Machado\", \"email\" = \"fabrizio.machado@test.com\", \"employeeNumber\" = \"123123123\""
time="2021-04-12T12:58:14Z" level=error msg="Failed to authenticate: user not a member of allowed groups"

nabokihms commented 3 years ago

Hello @tuptaker. It looks like role is a string attribute. I'm not familiar with SAML, but I assume that in this case, you should specify some groupsDelim (, for example) to make role turn into an array. Could you try it?

tuptaker commented 3 years ago

Thanks @nabokihms I will give it a shot and report back. Much appreciated!

HEllRZA commented 3 years ago

@tuptaker

First, try the SAML-Tracer browser-plugin to figure out the correct groupsAttr. You might find something like this: groupsAttr: http://schemas.xmlsoap.org/claims/Group

Then you need to check if multiple groups are sent by your SAML IdP as separate entries or as a comma-separated list. In the second case you have to define the groupSeparator.

If you don't see the groups in SAML-Tracer, try adding the groups scope to your initial OpenID Connect Auth request to dex.
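To make the delimiter point concrete, here is an added Go illustration (not dex's own code; the real connector logic may differ in details) of how one attribute value carrying several groups behaves with and without groupsDelim, and how allowedGroups and filterGroups are then applied. The attribute value is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupConfig mirrors the three connector settings discussed in the thread (illustrative model, not dex's code).
type GroupConfig struct {
	GroupsDelim   string   // "" = each attribute value is already one group
	AllowedGroups []string // empty = no membership check
	FilterGroups  bool     // true = keep only groups listed in AllowedGroups
}

// CheckGroups turns raw SAML attribute values into group names, applies the
// allowedGroups/filterGroups rules and reports whether the user is accepted.
func CheckGroups(values []string, cfg GroupConfig) ([]string, bool) {
	var groups, matched []string
	for _, v := range values {
		if cfg.GroupsDelim == "" {
			groups = append(groups, v) // no delimiter: whole value is one group
		} else {
			groups = append(groups, strings.Split(v, cfg.GroupsDelim)...)
		}
	}
	for _, g := range groups {
		for _, a := range cfg.AllowedGroups {
			if g == a {
				matched = append(matched, g)
			}
		}
	}
	switch {
	case len(cfg.AllowedGroups) == 0:
		return groups, true // nothing to enforce
	case len(matched) == 0:
		return nil, false // dex logs "user not a member of allowed groups"
	case cfg.FilterGroups:
		return matched, true // drop groups outside the allow-list
	default:
		return groups, true
	}
}

func main() {
	raw := []string{"COMPANY-ADMIN, COMPANY-USER"} // constructed: two groups in one value
	for _, delim := range []string{"", ", "} {
		fmt.Println(CheckGroups(raw, GroupConfig{GroupsDelim: delim, AllowedGroups: []string{"COMPANY-ADMIN"}}))
	}
}
```

Without a delimiter the string "COMPANY-ADMIN, COMPANY-USER" is compared as a single group name and never matches "COMPANY-ADMIN"; with groupsDelim set to ", " it splits into two groups and the user passes.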