j-wade added the bug (use for describing something not working as expected) label on Aug 8, 2023
@Archidoit - I tested the code changes here via the rolling release and providers.js L273 is not parsing/passing the variables to organizationsToAssociate
Description
After performing the steps to fix SAML group mapping described in #3589, users are able to map groups from SAML to OpenCTI, but Organization mapping is not passing variables. According to the Authentication Documentation, the environment variables don't match the documentation needed for Organization mapping.
I am testing using the groups attribute of groups and matching with the same SAML mapping used to auto map for groups (working after the #3589 fix).
The issue seems to be around the availableOrgas constant in providers.js line 265; see notes at the bottom.
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Expected Output
User is assigned to organization based on mapping
Actual Output
```
DBG [SAML] orgaDefault mapping | category=APP orgaDefault=[] timestamp=2023-08-08T00:39:38.019Z version=5.9.0
DBG [SAML] orgasMapping mapping | category=APP orgasMapping=["SAML-Group:OpenCTI-Group"] timestamp=2023-08-08T00:39:38.019Z version=5.9.0
DBG [SAML] OrgAPath mapping | category=APP orgaPath=["http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"] timestamp=2023-08-08T00:39:38.019Z version=5.9.0
DBG [SAML] Available orgs | availableOrgas=[] category=APP timestamp=2023-08-08T00:39:38.019Z version=5.9.0
DBG [SAML] Orgs to Associate | category=APP organizationsToAssociate=[] timestamp=2023-08-08T00:39:38.019Z version=5.9.0
{"category":"APP","level":"debug","message":"[SAML] Provider Groups and Orgs collected","opts":{"autoCreateGroup":true,"providerGroups":["OpenCTI-Group"],"providerOrganizations":[]},"timestamp":"2023-08-08T00:39:38.020Z","version":"5.9.0"}
```
Additional information
Personal comment lines from providers.js
```javascript
/* 260 */ const isOrgaMapping = isNotEmptyField(mappedConfig.organizations_default) || isNotEmptyField(mappedConfig.organizations_management);
/* 261 */ const computeOrganizationsMapping = () => {
/* 262 */   const orgaDefault = mappedConfig.organizations_default ?? [];
            // Default org configuration
/* 263 */   const orgasMapping = mappedConfig.organizations_management?.organizations_mapping || [];
            // Org mapping Variable
/* 264 */   const orgaPath = mappedConfig.organizations_management?.organizations_path || ['organizations'];
            /*
            SAML to Org mapping may need to change var names to match documentation on https://docs.opencti.io/latest/deployment/authentication/
            Working environment variable for mapping is PROVIDERS__SAML__CONFIG__ORGANIZATIONS_MANAGEMENT__ORGANIZATIONS_PATH
            "organizations_management": { // To map SAML Groups to OpenCTI Organizations
              "group_attributes": ["Group"],
              "groups_mapping": ["SAML_Group_1:OpenCTI_Organization_1", "SAML_Group_2:OpenCTI_Organization_2", ...]
            },
            "organizations_management": { // To map SAML Roles to OpenCTI Organizations
              "group_attributes": ["Role"],
              "groups_mapping": ["SAML_Role_1:OpenCTI_Organization_1", "SAML_Role_2:OpenCTI_Organization_2", ...]
            }
            */
/* 265 */   const availableOrgas = R.flatten(orgaPath.map((path) => R.path(path.split('.'), profile) || []));
            // Flatten and mapping of orgaPath which appears to be for OpenID; after adding debug commands this variable is empty
/* 266 */   const orgasMapper = genConfigMapper(orgasMapping);
            // Mapping function
/* 267 */   return [...orgaDefault, ...availableOrgas.map((a) => orgasMapper[a]).filter((r) => isNotEmptyField(r))];
            // Return of default org mapping or mapping results
/* 268 */ };
/* 269 */ const organizationsToAssociate = isOrgaMapping ? computeOrganizationsMapping() : [];
```
Working Fix
Using the working code from computeGroupsMapping in the SAML auth flow process, made the following changes for a workaround:
Added a line and new const attrOrgas between 264 and 265:
```javascript
const attrOrgas = orgaPath.map((a) => (Array.isArray(profile[a]) ? profile[a] : [profile[a]]));
```
Changed line 265 (now 266):
Old
```javascript
const availableOrgas = R.flatten(orgaPath.map((path) => R.path(path.split('.'), profile) || []));
```
New
```javascript
const availableOrgas = R.flatten(attrOrgas).filter((v) => isNotEmptyField(v));
```
After making the changes and building a dev docker build, authentication with Group Mapping and Org Mapping is working successfully.
In my dev build I left the lines 263 and 264 mapping variable names alone, but I'd also suggest updating the names to match schema and updating docs to reflect.
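The two lookups quoted in this issue, run side by side on constructed profiles, as an added example that is not part of the original issue and is not OpenCTI code. `getPath`, `isNotEmpty`, `buildMapper` and `mapOrgs` are hypothetical stand-ins for `R.path`, `isNotEmptyField` and `genConfigMapper`, and their exact semantics are assumed. It also covers a nested claim, which the issue does not test.

```javascript
// Added example: stand-in helpers, not OpenCTI code. All profiles are constructed.
const GROUPS_CLAIM = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups';
const samlProfile = { nameID: 'user@example.test', [GROUPS_CLAIM]: ['SAML-Group', 'Unmapped'] };
const samlSingle = { [GROUPS_CLAIM]: 'SAML-Group' }; // a single value arrives as a string
const nestedProfile = { realm: { orgs: ['SAML-Group'] } }; // nested claim, OpenID style

// Stand-in for R.path: walk nested keys, undefined as soon as a step is missing.
const getPath = (keys, obj) => keys.reduce((o, k) => (o == null ? undefined : o[k]), obj);

// Stand-in for isNotEmptyField (assumed semantics: not null, undefined, '' or []).
const isNotEmpty = (v) => v != null && v !== '' && !(Array.isArray(v) && v.length === 0);

// Stand-in for genConfigMapper: "source:target" strings, split at the first colon
// (an assumption). A Map keeps IdP-supplied names such as "constructor" from
// matching inherited object properties.
const buildMapper = (entries) => new Map(entries.map((e) => {
  const i = e.indexOf(':');
  return [e.slice(0, i), e.slice(i + 1)];
}));

const mapOrgs = (available, mapping) => {
  const mapper = buildMapper(mapping);
  return available.map((a) => mapper.get(a)).filter(isNotEmpty);
};

// Line 265 as quoted: the configured name is split on '.' and walked as a path,
// so a claim URI containing dots never matches its own key in the profile.
function orgsByDottedPath(profile, orgaPath, mapping) {
  const available = orgaPath.map((p) => getPath(p.split('.'), profile) || []).flat();
  return mapOrgs(available, mapping);
}

// Workaround as quoted: the configured name is a literal key; scalars are wrapped.
function orgsByAttribute(profile, orgaPath, mapping) {
  const attrs = orgaPath.map((a) => (Array.isArray(profile[a]) ? profile[a] : [profile[a]]));
  return mapOrgs(attrs.flat().filter(isNotEmpty), mapping);
}

const MAPPING = ['SAML-Group:OpenCTI-Org'];
console.log(orgsByDottedPath(samlProfile, [GROUPS_CLAIM], MAPPING));
console.log(orgsByAttribute(samlProfile, [GROUPS_CLAIM], MAPPING));
console.log(orgsByAttribute(samlSingle, [GROUPS_CLAIM], MAPPING));
console.log(orgsByDottedPath(nestedProfile, ['realm.orgs'], MAPPING));
console.log(orgsByAttribute(nestedProfile, ['realm.orgs'], MAPPING));
```

The last two calls show the trade-off: the literal-key lookup resolves the SAML claim URI but returns nothing for a dotted nested path, so a deployment that relies on nested claims would silently lose its organization assignments with the workaround alone.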