greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

Accessing raw SAML token #206

Open maemigh opened 1 year ago

maemigh commented 1 year ago

Hello,

Is there a way to access the raw SAML token? I'm trying to troubleshoot the claims/attributes being sent, but I haven't been able to find a way to do this directly with Azure without being an Azure admin.

Thanks

greenpau commented 1 year ago

@maemigh , try using caddy-trace and output the body of the request.

maemigh commented 1 year ago

I’m still looking into using trace, but due to how our systems are set up, I need to make sure my token doesn’t end up in searchable logs.

I’m having trouble with the group claims that should be coming from Azure. I’ve tried checking the box in Azure that sends groups as roles, but no luck there either. It seems the ‘groups { }’ block that works with an LDAP store doesn’t work in the azure provider block. So I am seeing in the logs that the only claim is ‘authp/guest’.

Any idea how I can translate the Azure groups to roles used by caddy security?

greenpau commented 1 year ago

@maemigh , did you have a chance to review the screenshots here? https://authp.github.io/docs/authenticate/saml/azure

maemigh commented 1 year ago

I have it working now; I wasn't sure how much of the documentation was an example vs. being necessary. But unless I'm misunderstanding SAML claims, it seems like it would be a good idea to allow group claims to be used similarly to LDAP groups? This would allow group transforms inside the Caddyfile the same way LDAP does. I'm sure many organizations have AzureAD set up as a sort of mirror to their pre-existing AD/LDAP server. See the last line of this screenshot:

[Screenshot 2023-02-15 at 14:59:33]

Another note on the documentation is that editing the Manifest manually is more difficult than using the App Roles option (which I guess wasn't there at the time of writing the document?):

[Screenshot 2023-02-15 at 14:56:53]
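As an added illustration of the group-claim-to-role mapping requested above (example code, not caddy-security's own implementation), this Go snippet parses the AttributeStatement of a SAML assertion and maps Azure group object IDs to portal roles the way an LDAP `groups` block would; the claim URI, group IDs and the constructed assertion are assumptions, not values from this thread.

```go
package main

import "encoding/xml"

// Azure AD sends group object IDs under this claim URI (assumed here).
const groupsClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

// Constructed sample assertion: two group IDs plus an e-mail attribute.
const sampleAssertion = `<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
 <AttributeStatement>
  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
   <AttributeValue>11111111-aaaa-4bbb-8ccc-000000000001</AttributeValue>
   <AttributeValue>22222222-aaaa-4bbb-8ccc-000000000002</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <AttributeValue>jdoe@example.com</AttributeValue>
  </Attribute>
 </AttributeStatement>
</Assertion>`

type samlAttribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

// parseAttributes decodes the AttributeStatement; encoding/xml matches local names, so the namespace is ignored.
func parseAttributes(raw string) ([]samlAttribute, error) {
	var a struct {
		Attributes []samlAttribute `xml:"AttributeStatement>Attribute"`
	}
	err := xml.Unmarshal([]byte(raw), &a)
	return a.Attributes, err
}

// groupsToRoles maps group object IDs to portal roles the way the LDAP "groups" block does; unmapped IDs are dropped.
func groupsToRoles(raw string, groupRoles map[string]string) ([]string, error) {
	attrs, err := parseAttributes(raw)
	roles := []string{}
	for _, attr := range attrs {
		if attr.Name != groupsClaim {
			continue
		}
		for _, g := range attr.Values {
			if r, ok := groupRoles[g]; ok {
				roles = append(roles, r)
			}
		}
	}
	return roles, err
}
```

Because only the mapped role names leave this function, the role list can be logged while troubleshooting without writing the raw token or its attribute values to searchable logs.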