itworkedinthelab / MISP_Okta_OpenID_Connect

Gathering information about how to configure MISP and Okta using OpenID Connect

Okta application configuration #1

Open itworkedinthelab opened 1 year ago

itworkedinthelab commented 1 year ago

Hey there @nachorpaez, I apologize for this round about way of contacting you. I was looking at your recent comment in issue https://github.com/MISP/MISP/issues/8598. I didn't want to jump into that issue directly so as to not clutter the comments but I still wanted to ask about how you setup Okta to get the integration working. I'm trying to set this up as well and have so far found no documentation on how to configure the Okta application server side specific to MISP. Would you be willing to pass on some details on what you did on the Okta side to get the integration working?

nachorpaez commented 1 year ago

Hey @itworkedinthelab, I followed mainly this guide

The most important bits are:

Configure client authentication to be with client secret.
The grant type has to be client credentials, authorisation code and refresh token.

For sign-in redirect URI use hxxts://MISP_DOMAIN/users/login
For sign-out redirect use hxxts:///MISP_DOMAIN
For Initiate login URI use hxxts:///MISP_DOMAIN/users/login

Login flow has to be redirect to app to initiate login (OIDC Compliant)

The hardest part was getting Okta to send the groups claim, which is the way MISP identifies which role to assign to the user. Once you create the Okta OIDC app you need to go to the Sign On tab and on the OpenID Connect ID Token box configure:

If you face any issues, what helped me was reading the debug.log from MISP (/var/www/MISP/app/tmp/logs/debug.log) and the Okta logs.

itworkedinthelab commented 1 year ago

Oh man, this is great. Thanks @nachorpaez! I was stuck on the claim part and this is exactly what I need to get over that hump. I also missed setting the login URI and the grant type correctly. Thanks again for the willingness to share your insight on putting this all together. I really appreciate it!

nachorpaez commented 1 year ago

No problem! Glad you could sort it out :D

Katz-Tal commented 1 year ago

@nachorpaez Thanks for your great comments here and in MISP repo, it helped me a lot!

I wonder if you could help me understand one more thing. I did everything you mentioned above on the Okta side and on the MISP side, but I'm still seeing the following log when I try to connect to MISP (after Okta authentication):

2023-03-07 08:04:57 Info: OIDC: User `xxx@xxx.com` – Trying login.
2023-03-07 08:04:57 Info: OIDC: User `xxx@xxx.com` – Trying to find user org by name `xxx`.
2023-03-07 08:04:57 Info: OIDC: User `xxx@xxx.com` – User organisation `xxx` found with ID 1.
2023-03-07 08:04:57 Info: OIDC: User `xxx@xxx.com` – Role property `roles` is missing in claims.

Do you maybe know what I can do after getting this error? The Okta side is configured exactly as mentioned above.


nachorpaez commented 1 year ago

Hey @AxoniusTK, I think you are missing a config in app/Config/config.php. With Okta the claims come in the groups property, not the role property as the MISP code expects.

I think you might be missing this parameter: 'roles_property' => 'groups'. My config looks something like this:

$config = array(
    ...
    // was written as 'OidcAuth' = [ ; PHP array keys need =>
    'OidcAuth' => [
        'provider_url' => '{{ OIDC_PROVIDER }}',
        'client_id' => '{{ OIDC_CLIENT_ID }}',
        'client_secret' => '{{ OIDC_CLIENT_SECRET }}',
        // Okta puts the group membership in the "groups" claim
        'roles_property' => 'groups',
        // maps Okta group names to MISP role IDs
        'role_mapper' => [
            'misp-user' => 3,
            'misp-admin' => 1,
        ],
        'default_org' => '{{ MISP_ORG }}',
        'offline_access' => true,
        'check_user_validity' => 300,
    ],
);

Hopefully that does the trick
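To make the failure mode above concrete, here is an added example (not MISP's own code, and not from anyone in this thread) that models how a roles_property / role_mapper pair turns ID-token claims into a MISP role ID. The claims and both configs are constructed; the rule that the first role_mapper entry matching a group wins is an assumption of this model, not a statement about MISP's implementation.

```python
import logging

# Constructed ID-token claims in the shape Okta sends: group membership
# arrives in "groups"; there is no "roles" claim at all.
OKTA_CLAIMS = {
    "sub": "00u-constructed-example",
    "email": "xxx@xxx.com",
    "groups": ["Everyone", "misp-admin"],
}

# Default-style config: roles_property not set, so the plugin looks for "roles".
CONFIG_DEFAULT = {
    "role_mapper": {"misp-admin": 1, "misp-user": 3},
}

# Config from the thread: point roles_property at Okta's "groups" claim.
CONFIG_FIXED = {
    "roles_property": "groups",
    "role_mapper": {"misp-admin": 1, "misp-user": 3},
}


def resolve_role(claims, config):
    """Return the MISP role ID derived from the claims, or None if no role
    can be derived. Simplified model (assumption), not MISP's own logic."""
    prop = config.get("roles_property", "roles")
    if prop not in claims:
        # This is the situation behind the "Role property ... is missing
        # in claims" line in the MISP debug log.
        logging.info("OIDC: User `%s` - Role property `%s` is missing in claims.",
                     claims.get("email"), prop)
        return None
    values = claims[prop]
    if isinstance(values, str):          # a single group may arrive as a string
        values = [values]
    # First role_mapper entry present in the user's groups wins (assumption);
    # listing the admin mapping first makes that the deliberate precedence.
    for group, role_id in config["role_mapper"].items():
        if group in values:
            return role_id
    # Groups like "Everyone" that are not mapped grant no role: fail closed
    # rather than silently handing out a default.
    logging.info("OIDC: User `%s` - No mapped group in `%s`.", claims.get("email"), prop)
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(resolve_role(OKTA_CLAIMS, CONFIG_DEFAULT))  # None
    print(resolve_role(OKTA_CLAIMS, CONFIG_FIXED))    # 1
```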

Katz-Tal commented 1 year ago

Thanks a lot @nachorpaez !!!

I was missing 'roles_property' => 'groups' in my config file :)