Users that are in a SAML group are not members of the OpenCTI group mapped to the SAML group. Users can authenticate but are only members of the "default" OpenCTI group.
I am running in Docker, here is my config.
- PROVIDERS__SAML__STRATEGY=SamlStrategy
- PROVIDERS__SAML__CONFIG__ISSUER=https://.com
- PROVIDERS__SAML__CONFIG__ENTRY_POINT=https://.com
- PROVIDERS__SAML__CONFIG__SAML_CALLBACK_URL=https://.com/auth/saml/callback
- "PROVIDERS__SAML__CONFIG__CERT="
- "PROVIDERS__SAML__CONFIG__GROUPS_MANAGEMENT__GROUP_ATTRIBUTES=[\"Groups\"]"
- "PROVIDERS__SAML__CONFIG__GROUPS_MANAGEMENT__GROUPS_MAPPING=[\"ADM:OpenCTIAdmin\",\"GENERAL_USER:default\"]"
- PROVIDERS__SAML__CONFIG__AUTO_CREATE_GROUP=true
I am testing with a user that is in the SAML group ADM and I have created an OpenCTI group named OpenCTIAdmin and this group has the "Administrator" role. This user is able to log in but is not a member of the OpenCTIAdmin group when viewed from Settings -> Security -> Users.
Environment
OS (where OpenCTI server runs): Red Hat Enterprise Linux Server release 7.9
OpenCTI version: 5.9.2
OpenCTI client: frontend
Other environment details: I am running in Docker.
Reproducible Steps
Steps to create the smallest reproducible scenario:
1. Ensure the test user is in a SAML group and ensure that SAML group is mapped to an OpenCTI group.
2. Log in to OpenCTI.
3. Log out the test user.
4. Log in as admin to OpenCTI and navigate to Settings -> Security -> Users and select the user from Step 2. Note that the user is not a member of the mapped OpenCTI group.
Expected Output
Expected to see the user as a member of the mapped OpenCTI group.
Actual Output
User only has membership in default OpenCTI groups.
Additional information
I am new to the code so apologies in advance if I am totally wrong. :-)
I did a little debugging into the code and I think there are two files involved in this issue:
In providers.js at line 273, an object named opts is built and passed to providerLoginHandler():
const opts = {
  groupOrganizations: groupsToAssociate,
  providerOrganizations: organizationsToAssociate,
  autoCreateGroup: mappedConfig.auto_create_group ?? false,
};
providerLoginHandler({ email, name: userName, firstname, lastname }, done, opts);
The variable groupsToAssociate contains the OpenCTI groups associated with the user. The opts object is passed to loginFromProvider in users.js. In line 691 of user.js the opts object is deconstructed:
const { providerGroups = [], providerOrganizations = [], autoCreateGroup = false } = opts;
I think the providerGroups variable is set to the default value, an empty array, because the opts object does not have a matching "providerGroups" value.
As a quick fix, I changed "groupOrganizations" to "providerGroups" in providers.js and deployed an updated docker image and that seems to work. However, I am not sure if this is a valid fix.
Thanks in advance for all your hard work.
Screenshots (optional)
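As an added example (not code from the OpenCTI project or from the reporter), the following stand-alone script reproduces the mechanism the report describes: the consumer destructures `providerGroups` with a default of `[]`, so an opts object keyed `groupOrganizations` silently yields no groups and the user lands in the default group only. It also shows a strict variant that rejects unknown option keys so a renamed key fails at login time instead of quietly dropping mapped membership. The functions `parseGroupsMapping`, `resolveGroups`, `buildOpts`, `loginFromProvider`, `strictLoginFromProvider` and `demo`, and the sample SAML profile, are hypothetical constructions for this illustration; only the mapping values and the destructuring line come from the report.

```javascript
// Added example, not OpenCTI code. Hypothetical helpers modelling the
// providers.js -> user.js hand-off discussed in the issue.

// Parse a mapping list such as ["ADM:OpenCTIAdmin", "GENERAL_USER:default"]
// into a Map { "ADM" => "OpenCTIAdmin", "GENERAL_USER" => "default" }.
function parseGroupsMapping(mappingList) {
  const mapping = new Map();
  for (const entry of mappingList) {
    const idx = entry.indexOf(':');
    if (idx <= 0 || idx === entry.length - 1) {
      throw new Error(`Malformed groups mapping entry: ${entry}`);
    }
    mapping.set(entry.slice(0, idx), entry.slice(idx + 1));
  }
  return mapping;
}

// Resolve the OpenCTI groups a user should receive from the SAML attributes
// named in GROUP_ATTRIBUTES. Unmapped SAML groups are ignored.
function resolveGroups(profile, groupAttributes, mapping) {
  const samlGroups = groupAttributes.flatMap((attr) => {
    const value = profile[attr];
    if (value === undefined) return [];
    return Array.isArray(value) ? value : [value];
  });
  return samlGroups.filter((g) => mapping.has(g)).map((g) => mapping.get(g));
}

// Build the opts object either with the key the report found (groupOrganizations)
// or with the key the consumer actually destructures (providerGroups).
function buildOpts(groupsToAssociate, organizationsToAssociate, autoCreateGroup, useCorrectKey) {
  return {
    [useCorrectKey ? 'providerGroups' : 'groupOrganizations']: groupsToAssociate,
    providerOrganizations: organizationsToAssociate,
    autoCreateGroup,
  };
}

// Mirrors the destructuring quoted in the report: a missing key becomes [].
function loginFromProvider(opts) {
  const { providerGroups = [], providerOrganizations = [], autoCreateGroup = false } = opts;
  return { groups: providerGroups, organizations: providerOrganizations, autoCreateGroup };
}

// Hardened variant (hypothetical): unknown option keys are an error, so a
// mismatch between producer and consumer cannot silently strip group membership.
const KNOWN_OPTS = new Set(['providerGroups', 'providerOrganizations', 'autoCreateGroup']);
function strictLoginFromProvider(opts) {
  const unknown = Object.keys(opts).filter((k) => !KNOWN_OPTS.has(k));
  if (unknown.length > 0) {
    throw new Error(`Unknown provider login option(s): ${unknown.join(', ')}`);
  }
  return loginFromProvider(opts);
}

// Constructed sample: the mapping from the report and an ADM user profile.
const SAMPLE_MAPPING = parseGroupsMapping(['ADM:OpenCTIAdmin', 'GENERAL_USER:default']);
const SAMPLE_PROFILE = { email: 'user@example.invalid', Groups: ['ADM'] };

// Returns the groups the login path ends up with for the sample user.
function demo(useCorrectKey) {
  const groups = resolveGroups(SAMPLE_PROFILE, ['Groups'], SAMPLE_MAPPING);
  const opts = buildOpts(groups, [], true, useCorrectKey);
  return loginFromProvider(opts).groups;
}

console.log('with groupOrganizations key:', JSON.stringify(demo(false)));
console.log('with providerGroups key:     ', JSON.stringify(demo(true)));
```

Run with `node`: the first line prints `[]` (the symptom in the report), the second prints `["OpenCTIAdmin"]`. Passing the mis-keyed opts object to `strictLoginFromProvider` throws instead, which is the behaviour a practitioner would want from an authorization-affecting code path, since silently assigning fewer (or, with a different mapping, different) groups than the identity provider asserted is a permissions bug that is hard to notice from the login flow alone.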