OpenCTI fails to detect successfully authenticated OpenID Connect SSO via ADFS #7477
Labels: authentication, feature, solved
Description
After successfully configuring OpenCTI to leverage ADFS via OpenID Connect for SSO, a user can successfully log in but then OpenCTI will fail to create a new user because it is not able to detect the email / name / etc from the userinfo.
The relevant code block is here:
https://github.com/OpenCTI-Platform/opencti/blob/6.1.12/opencti-platform/opencti-graphql/src/config/providers.js#L350-L367
When I inspected the data obtained inside of the `userinfo` object, it only contains an object like the following: `{ sub: <BASE64 encoded data> }`, so attempting to access a key of `email`, `name`, etc. will yield an undefined value. When looking at ADFS documentation, it seems that the userinfo endpoint will not return additional claims (see link and screenshot below):
Microsoft recommends that if you would like to access claims, you should do so by including them in the `id_token`:

With that in mind, I inspected the decoded JWT for the `id_token` and it does include all the claims for `email`, `name`, etc. With that in mind, I propose that a change should be made to support looking for these values within the `id_token` as well as the current `userinfo` so that authentication can be supported for ADFS.
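The fallback the reporter proposes, as an added example (not OpenCTI's own code from providers.js, and not the fix that was merged): resolve identity claims from `userinfo` first and fall back to the `id_token` payload only for claims the userinfo endpoint did not return. The function names (`decodeJwtPayload`, `resolveUserClaims`, `makeSampleIdToken`) and the claim list are assumptions for this example. It assumes the OIDC client library has already validated the `id_token` (signature, issuer, audience, expiry) before this code runs; the base64url decode here is not a verification step. It also enforces the OIDC Core 5.3.2 rule that `sub` in the userinfo response must match `sub` in the ID token, since the reporter's ADFS userinfo response contains exactly that one claim.

```javascript
// Added example: merge OIDC identity claims from userinfo and the id_token.
// Not OpenCTI code; all function names here are hypothetical.
//
// Assumption: the id_token has ALREADY been validated (signature, iss, aud,
// exp) by the OIDC client library. decodeJwtPayload() only parses; it must
// never be used as a substitute for that validation.

function decodeJwtPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) {
    throw new Error('id_token is not a compact JWS (expected header.payload.signature)');
  }
  // JWT segments are base64url; Node's Buffer handles that alphabet directly.
  const json = Buffer.from(parts[1], 'base64url').toString('utf8');
  return JSON.parse(json);
}

// Claims the platform needs to provision a user. Assumed list, not OpenCTI's.
const CLAIM_KEYS = ['email', 'name', 'given_name', 'family_name', 'preferred_username'];

// Prefer userinfo (the existing behaviour); use id_token claims only to fill
// gaps, which is the ADFS case where userinfo carries nothing but `sub`.
function resolveUserClaims(userinfo, idToken) {
  const fromToken = idToken ? decodeJwtPayload(idToken) : {};
  const ui = userinfo || {};

  // OIDC Core 5.3.2: userinfo `sub` MUST equal the id_token `sub`; if they
  // differ the two responses describe different subjects and must be rejected.
  if (ui.sub !== undefined && fromToken.sub !== undefined && ui.sub !== fromToken.sub) {
    throw new Error('sub claim mismatch between userinfo and id_token');
  }

  const resolved = { sub: ui.sub !== undefined ? ui.sub : fromToken.sub };
  for (const key of CLAIM_KEYS) {
    if (ui[key] !== undefined) {
      resolved[key] = ui[key];
    } else if (fromToken[key] !== undefined) {
      resolved[key] = fromToken[key];
    }
  }
  return resolved;
}

// Constructed sample id_token for this demo only: the signature segment is a
// placeholder string, so a real OIDC library would (correctly) reject it.
function makeSampleIdToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

// Usage: ADFS-style userinfo containing only `sub`, claims present in id_token.
const sampleIdToken = makeSampleIdToken({
  sub: 'constructed-subject-id',
  email: 'alice@example.test',
  name: 'Alice Example',
});
console.log(resolveUserClaims({ sub: 'constructed-subject-id' }, sampleIdToken));
```

If `sub` is missing from one side the check is skipped, because nothing can be compared; if both are present and differ, provisioning stops rather than creating an account from mixed sources.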
Expected Output
OpenCTI should be able to detect successfully authenticated users
Actual Output
OpenCTI is not detecting successfully authenticated users