
OpenCTI fails to detect successfully authenticated OpenID Connect SSO via ADFS #7477

Closed
animedbz16 opened this issue Jun 25, 2024 · 1 comment
Labels: authentication (Linked to authentication, log in, log out, SSO, etc.), feature (use for describing a new feature to develop), solved (use to identify issue that has been solved; must be linked to the solving PR)
Milestone: Bugs backlog
Comments

@animedbz16 (Contributor)

animedbz16 commented Jun 25, 2024

Description

After successfully configuring OpenCTI to leverage ADFS via OpenID Connect for SSO, a user can successfully log in but then OpenCTI will fail to create a new user because it is not able to detect the email / name / etc from the userinfo.

The relevant code block is here:
https://github.com/OpenCTI-Platform/opencti/blob/6.1.12/opencti-platform/opencti-graphql/src/config/providers.js#L350-L367

When I inspected the data obtained inside of the userinfo object, it only contains an object like the following { sub: <BASE64 encoded data> }, so attempting to access a key of email, name, etc will yield an undefined value.

When looking at the ADFS documentation, it seems that the userinfo endpoint will not return additional claims; see the link and screenshot below:

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq#i-m-trying-to-get-more-claims-on-the-userinfo-endpoint--but-it-s-only-returning-subject--how-can-i-get-more-claims-

[screenshot]

Microsoft recommends that if you would like to access claims, you should do so by including them in the id_token:

https://learn.microsoft.com/en-us/entra/identity-platform/userinfo#consider-using-an-id-token-instead

[screenshot]

With that in mind, I inspected the decoded JWT for the id_token and it does include all the claims for email, name, etc.

With that in mind, I propose that a change should be made to support looking for these values within the id_token as well as in the current userinfo, so that authentication can be supported for ADFS.

Environment

  1. OS (where OpenCTI server runs): Docker
  2. OpenCTI version: 6.1.12
  3. OpenCTI client: Docker
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Configure OpenCTI for OpenID Connect SSO provided by Microsoft ADFS
  2. Successfully authenticate via ADFS
  3. OpenCTI will fail to create user

Expected Output

OpenCTI should be able to detect successfully authenticated users

Actual Output

OpenCTI is not detecting successfully authenticated users

Additional information

Screenshots (optional)

animedbz16 added the bug and needs triage labels on Jun 25, 2024
Jipegien removed the needs triage label on Jun 28, 2024
Jipegien added this to the Bugs backlog milestone on Jun 28, 2024
Jipegien added the authentication label on Jul 1, 2024
@CountyWorker

CountyWorker commented Aug 28, 2024

We have the same problem. As described above, it just picks up the "sub" field, which is a base64 encrypted field. Need this fixed. Thanks to the OP of this issue.

richard-julien pushed a commit that referenced this issue on Sep 29, 2024
richard-julien added the feature label and removed the bug label on Sep 29, 2024
SamuelHassine added the solved label on Sep 29, 2024
Gwendoline-FAVRE-FELIX pushed a commit that referenced this issue on Oct 1, 2024
Gwendoline-FAVRE-FELIX pushed a commit that referenced this issue on Oct 1, 2024