
SAML Groups not mapped to OpenCTI Groups #3938

Closed
elouieibm opened this issue Aug 4, 2023 · 4 comments · Fixed by #4015
Labels: bug, solved

Comments

@elouieibm

Description

Users that are in a SAML group are not members of the OpenCTI group mapped to the SAML group. Users can authenticate but are only members of the "default" OpenCTI group.

I am running in Docker; here is my config.

```yaml
- PROVIDERS__SAML__STRATEGY=SamlStrategy
- PROVIDERS__SAML__CONFIG__ISSUER=https://.com
- PROVIDERS__SAML__CONFIG__ENTRY_POINT=https://.com
- PROVIDERS__SAML__CONFIG__SAML_CALLBACK_URL=https://.com/auth/saml/callback
- "PROVIDERS__SAML__CONFIG__CERT="
- 'PROVIDERS__SAML__CONFIG__GROUPS_MANAGEMENT__GROUP_ATTRIBUTES=["Groups"]'
- 'PROVIDERS__SAML__CONFIG__GROUPS_MANAGEMENT__GROUPS_MAPPING=["ADM:OpenCTIAdmin","GENERAL_USER:default"]'
- PROVIDERS__SAML__CONFIG__AUTO_CREATE_GROUP=true
```

I am testing with a user that is in the SAML group ADM and I have created an OpenCTI group named OpenCTIAdmin and this group has the "Administrator" role. This user is able to login but is not a member of the OpenCTIAdmin group when viewed from Settings -> Security -> Users.

Environment

  1. OS (where OpenCTI server runs): Red Hat Enterprise Linux Server release 7.9
  2. OpenCTI version: 5.9.2
  3. OpenCTI client: frontend
  4. Other environment details: I am running in Docker.

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Ensure test user is in a SAML group and ensure that SAML group is mapped to an OpenCTI group
  2. Login to OpenCTI.
  3. Logout the test user.
  4. Login as admin to OpenCTI and navigate to Settings -> Security -> Users and select the user from Step 2. Note that the user is not a member of the mapped OpenCTI group.

Expected Output

Expected to see the user as a member of the mapped OpenCTI group.

Actual Output

User only has membership in default OpenCTI groups.

Additional information

I am new to the code so apologies in advance if I am totally wrong. :-)

I did a little debugging into the code and I think there are two files involved in this issue:

  1. opencti/opencti-platform/opencti-graphql/src/config/providers.js
  2. opencti/opencti-platform/opencti-graphql/src/domain/user.js

In providers.js at line 273, an object named opts is built and passed to providerLoginHandler():

```js
const opts = {
  groupOrganizations: groupsToAssociate,
  providerOrganizations: organizationsToAssociate,
  autoCreateGroup: mappedConfig.auto_create_group ?? false,
};
providerLoginHandler({ email, name: userName, firstname, lastname }, done, opts);
```

The variable groupsToAssociate contains the OpenCTI groups associated with the user. The opts object is passed to loginFromProvider in user.js. In line 691 of user.js the opts object is destructured:

```js
const { providerGroups = [], providerOrganizations = [], autoCreateGroup = false } = opts;
```

I think the providerGroups variable is set to the default value, an empty array, because the opts object does not have a matching "providerGroups" value.
As a quick fix, I changed "groupOrganizations" to "providerGroups" in providers.js and deployed an updated docker image and that seems to work. However, I am not sure if this is a valid fix.

Thanks in advance for all your hard work.

@elouieibm elouieibm added the bug use for describing something not working as expected label Aug 4, 2023
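The following is an added example, not code from the OpenCTI project or from the issue author. It models the GROUPS_MAPPING configuration and the key mismatch the report describes: the producer builds opts with a `groupOrganizations` key while the consumer destructures `providerGroups`, so the mapped groups are silently replaced by the default empty array and the user lands only in the default group. The functions `parseGroupsMapping`, `groupsToAssociateFrom`, `buildOptsBuggy`, `buildOptsFixed`, `demo` and the constant `SAMPLE_ATTRIBUTES` are names assumed for this illustration; the sample assertion attributes are constructed, not taken from a real IdP.

```javascript
// Added example (not OpenCTI's own code): models the SAML group mapping
// from the issue and the producer/consumer key mismatch it reports.

// Parse GROUPS_MAPPING entries of the form "SAML_GROUP:OpenCTI_Group"
// (assumed helper name). Malformed entries are skipped rather than
// mapped to an empty group name.
function parseGroupsMapping(entries) {
  const mapping = new Map();
  for (const entry of entries) {
    const idx = entry.indexOf(':');
    if (idx <= 0 || idx === entry.length - 1) continue; // no key or no value
    mapping.set(entry.slice(0, idx), entry.slice(idx + 1));
  }
  return mapping;
}

// Resolve the OpenCTI groups for a user from the SAML assertion attributes
// named in GROUP_ATTRIBUTES (assumed helper name). Unmapped SAML groups are
// dropped; duplicates are collapsed.
function groupsToAssociateFrom(samlAttributes, groupAttributes, mapping) {
  const samlGroups = groupAttributes.flatMap((attr) => {
    const v = samlAttributes[attr];
    return Array.isArray(v) ? v : v ? [v] : [];
  });
  return [...new Set(samlGroups.map((g) => mapping.get(g)).filter(Boolean))];
}

// Consumer side, mirroring the destructuring quoted from user.js:
// any key other than providerGroups falls back to the empty default.
function loginFromProvider(user, opts = {}) {
  const { providerGroups = [], providerOrganizations = [], autoCreateGroup = false } = opts;
  return { ...user, groups: providerGroups, organizations: providerOrganizations, autoCreateGroup };
}

// Producer as reported: the key name does not match the consumer.
function buildOptsBuggy(groups, orgs, autoCreateGroup) {
  return { groupOrganizations: groups, providerOrganizations: orgs, autoCreateGroup };
}

// Producer with the reporter's fix applied: key renamed to providerGroups.
function buildOptsFixed(groups, orgs, autoCreateGroup) {
  return { providerGroups: groups, providerOrganizations: orgs, autoCreateGroup };
}

// Constructed sample input (not from a real IdP): the user is in the SAML
// group ADM plus one group that has no mapping.
const SAMPLE_ATTRIBUTES = { Groups: ['ADM', 'Unmapped'] };
const SAMPLE_MAPPING = parseGroupsMapping(['ADM:OpenCTIAdmin', 'GENERAL_USER:default']);

// Run both producers through the same consumer and return the resulting
// group memberships so the difference is observable.
function demo() {
  const groups = groupsToAssociateFrom(SAMPLE_ATTRIBUTES, ['Groups'], SAMPLE_MAPPING);
  const user = { email: 'user@example.test' };
  return {
    resolved: groups,
    buggy: loginFromProvider(user, buildOptsBuggy(groups, [], true)).groups,
    fixed: loginFromProvider(user, buildOptsFixed(groups, [], true)).groups,
  };
}

console.log(demo());
```

Running the block prints `resolved` as `['OpenCTIAdmin']`, `buggy` as `[]` and `fixed` as `['OpenCTIAdmin']`. The point for anyone operating SSO group mapping is that the failure is silent: the mapping resolves correctly, the login succeeds, and nothing in the flow reports that the groups were discarded, so membership should be verified in the UI (as the reporter did) or with a check that a mapped test user actually lands in the expected group after login.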
@CyberKaizen

@elouieibm So you're now able to auto-assign users of an SSO group to an OpenCTI group through your environment variable?

@CyberKaizen

@elouieibm @SamuelHassine I can confirm this worked.

@j-wade

j-wade commented Aug 8, 2023

Thank you @elouieibm ... this fixed the issues I was having!

@Archidoit
Member

@elouieibm your analysis and your fix are correct! Thanks for the issue. We're going to fix it.

@Archidoit Archidoit linked a pull request Aug 9, 2023 that will close this issue
@SamuelHassine SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label Aug 9, 2023
@SamuelHassine SamuelHassine added this to the Release 5.10.0 milestone Aug 9, 2023