
SAML Organizations not mapped to OpenCTI organizations #4004

Closed
j-wade opened this issue Aug 8, 2023 · 2 comments · Fixed by #4025
Labels: bug, solved

Comments

j-wade commented Aug 8, 2023

Description

After performing the steps to fix SAML group mapping described in #3589, users are able to map groups from SAML to OpenCTI, but Organization mapping is not passing variables. According to the Authentication Documentation, the environment variables don't match the documentation needed for Organization mapping:

  • "PROVIDERS__SAML__CONFIG__ORGANIZATIONS_MANAGEMENT__GROUPS_ATTRIBUTES=["Group"]"
  • "PROVIDERS__SAML__CONFIG__ORGANIZATIONS_MANAGEMENT__GROUPS_MAPPING=["SAML_Group_1:OpenCTI_Group_1", "SAML_Group_2:OpenCTI_Group_2", ...]"

I am testing using the groups attribute of groups and matching with the same SAML mapping used to auto-map for groups (working after the #3589 fix).

The issue seems to be around the availableOrgas constant in providers.js line 265; see notes at the bottom.

Environment

  1. Core OS is Ubuntu, but running in docker
  2. OpenCTI version: 5.9.0
  3. OpenCTI client: frontend
  4. Modified environment variables to match code
  • "PROVIDERS__SAML__CONFIG__ORGANIZATIONS_MANAGEMENT__ORGANIZATIONS_PATH=["http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]"
  • "PROVIDERS__SAML__CONFIG__ORGANIZATIONS_MANAGEMENT__ORGANIZATIONS_MAPPING=["SAML_Group_1:OpenCTI_Group_1"]"

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Make changes per SAML SSO Group Mapping not functioning #3589
  2. User logs in and checks profile
  3. User is not assigned to any organization

Expected Output

User is assigned to organization based on mapping

Actual Output

DBG [SAML] orgaDefault mapping | category=APP orgaDefault=[] timestamp=2023-08-08T00:39:38.019Z version=5.9.0
DBG [SAML] orgasMapping mapping | category=APP orgasMapping=["SAML-Group:OpenCTI-Group"] timestamp=2023-08-08T00:39:38.019Z version=5.9.0
DBG [SAML] OrgAPath mapping | category=APP orgaPath=["http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"] timestamp=2023-08-08T00:39:38.019Z version=5.9.0
DBG [SAML] Available orgs | availableOrgas=[] category=APP timestamp=2023-08-08T00:39:38.019Z version=5.9.0
DBG [SAML] Orgs to Associate | category=APP organizationsToAssociate=[] timestamp=2023-08-08T00:39:38.019Z version=5.9.0
{"category":"APP","level":"debug","message":"[SAML] Provider Groups and Orgs collected","opts":{"autoCreateGroup":true,"providerGroups":["OpenCTI-Group"],"providerOrganizations":[]},"timestamp":"2023-08-08T00:39:38.020Z","version":"5.9.0"}

Additional information

Personal comment lines from providers.js

260: const isOrgaMapping = isNotEmptyField(mappedConfig.organizations_default) || isNotEmptyField(mappedConfig.organizations_management);
261: const computeOrganizationsMapping = () => {
262: const orgaDefault = mappedConfig.organizations_default ?? [];
// Default org configuration
263: const orgasMapping = mappedConfig.organizations_management?.organizations_mapping || [];
// Org mapping Variable
264: const orgaPath = mappedConfig.organizations_management?.organizations_path || ['organizations'];
/*
SAML to Org mapping may need to change var names to match documentation on https://docs.opencti.io/latest/deployment/authentication/
Working environment variable for mapping is PROVIDERS__SAML__CONFIG__ORGANIZATIONS_MANAGEMENT__ORGANIZATIONS_PATH

"organizations_management": { // To map SAML Groups to OpenCTI Organizations
"group_attributes": ["Group"],
"groups_mapping": ["SAML_Group_1:OpenCTI_Organization_1", "SAML_Group_2:OpenCTI_Organization_2", ...]
},
"organizations_management": { // To map SAML Roles to OpenCTI Organizations
"group_attributes": ["Role"],
"groups_mapping": ["SAML_Role_1:OpenCTI_Organization_1", "SAML_Role_2:OpenCTI_Organization_2", ...]
}
*/
265: const availableOrgas = R.flatten(orgaPath.map((path) => R.path(path.split('.'), profile) || []));
// Flatten and mapping of orgaPath which appears to be for OpenID, after adding debug commands this variable is empty
266: const orgasMapper = genConfigMapper(orgasMapping);
// Mapping function
267: return [...orgaDefault, ...availableOrgas.map((a) => orgasMapper[a]).filter((r) => isNotEmptyField(r))];
// Return of default org mapping or mapping results
268: };
269: const organizationsToAssociate = isOrgaMapping ? computeOrganizationsMapping() : [];

Working Fix

Using the working code from computeGroupsMapping in the SAML auth flow process, I made the following changes as a workaround:

  1. Added a new line with the const attrOrgas between lines 264 and 265:
    const attrOrgas = orgaPath.map((a) => (Array.isArray(profile[a]) ? profile[a] : [profile[a]]));
  2. Changed line 265 (now 266):
    Old
    const availableOrgas = R.flatten(orgaPath.map((path) => R.path(path.split('.'), profile) || []));
    New
    const availableOrgas = R.flatten(attrOrgas).filter((v) => isNotEmptyField(v));

After making the changes and building a dev docker build, authentication with Group Mapping and Org Mapping is working successfully.

In my dev build I left the lines 263 and 264 mapping variable names alone, but I'd also suggest updating the names to match the schema and updating the docs to reflect it.
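To make the failure visible outside a running OpenCTI instance, the following is an added JavaScript example (not OpenCTI's own code and not part of the original issue) that reconstructs the line 265 lookup next to the workaround from this issue and runs both over a constructed passport-saml-style profile. The Ramda helpers R.path / R.flatten and genConfigMapper are replaced by small stand-ins; the stand-ins, the isNotEmptyField shape, the sample profile and the mapping values are assumptions. One cause consistent with the availableOrgas=[] log line above is that the claim-name URI contains dots, so path.split('.') turns it into nested keys that never match the flat attribute name on the profile.

```javascript
// Added example, not OpenCTI code. Reconstructs the original availableOrgas
// lookup and the workaround from the issue so the difference can be observed.

// Assumed equivalent of OpenCTI's isNotEmptyField helper.
const isNotEmptyField = (v) =>
  v !== undefined && v !== null && v !== '' && !(Array.isArray(v) && v.length === 0);

// Stand-in for Ramda's R.path: walks nested keys, undefined when any key is absent.
const pathGet = (keys, obj) =>
  keys.reduce((acc, k) => (acc == null ? undefined : acc[k]), obj);

// Stand-in for genConfigMapper (assumed behaviour): "SAML_Name:OpenCTI_Name" -> { SAML_Name: 'OpenCTI_Name' }.
const configMapper = (mappings) =>
  Object.fromEntries(
    mappings.map((m) => {
      const idx = m.indexOf(':');
      return [m.slice(0, idx), m.slice(idx + 1)];
    })
  );

// Constructed SAML profile: passport-saml exposes attributes under their claim
// URIs, and a multi-valued attribute arrives as an array of strings.
const SAMPLE_PROFILE = {
  nameID: 'alice@example.invalid',
  'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups': ['SAML-Group', 'Other-Group'],
};

// Constructed configuration matching the environment variables in the report.
const ORGA_PATH = ['http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'];
const ORGAS_MAPPING = ['SAML-Group:OpenCTI-Group'];

// Behaviour of the original providers.js line 265: the attribute name is split
// on '.', so the URI becomes ['http://schemas', 'microsoft', 'com/ws/...'] and
// no key on the flat profile matches; the result is [].
function availableOrgasOriginal(orgaPath, profile) {
  return orgaPath.flatMap((p) => pathGet(p.split('.'), profile) || []);
}

// Workaround from the issue: read the attribute by its full name and normalise
// a single string value to a one-element array before flattening.
function availableOrgasWorkaround(orgaPath, profile) {
  const attrOrgas = orgaPath.map((a) => (Array.isArray(profile[a]) ? profile[a] : [profile[a]]));
  return attrOrgas.flat().filter((v) => isNotEmptyField(v));
}

// Equivalent of computeOrganizationsMapping's return statement (line 267).
function organizationsToAssociate(available, orgasMapping, orgaDefault = []) {
  const mapper = configMapper(orgasMapping);
  return [...orgaDefault, ...available.map((a) => mapper[a]).filter((r) => isNotEmptyField(r))];
}

console.log('original   :', JSON.stringify(availableOrgasOriginal(ORGA_PATH, SAMPLE_PROFILE)));
console.log('workaround :', JSON.stringify(availableOrgasWorkaround(ORGA_PATH, SAMPLE_PROFILE)));
console.log(
  'orgs to associate:',
  JSON.stringify(organizationsToAssociate(availableOrgasWorkaround(ORGA_PATH, SAMPLE_PROFILE), ORGAS_MAPPING))
);
```

With the default organizations_path of ['organizations'] both lookups behave the same, which is why the original code works for a flat attribute name and only fails once a claim URI with dots is configured; the workaround also copes with a single-valued attribute delivered as a plain string rather than an array.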

@j-wade j-wade added the bug use for describing something not working as expected label Aug 8, 2023
@Archidoit Archidoit self-assigned this Aug 9, 2023
Archidoit (Member) commented:

Thanks a lot for the issue and the analysis, we're going to fix this!

j-wade (Author) commented Aug 14, 2023

@Archidoit - I tested the code changes here via the rolling release and providers.js L273 is not parsing/passing the variables to organizationsToAssociate
