XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    SAML Auth with Azure AD

    Scheduled Pinned Locked Moved Xen Orchestra
    15 Posts 5 Posters 2.5k Views 6 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      dant123 @olivierlambert
      last edited by

      @olivierlambert thanks for the heads up, added a comment on there and linked back 🙂

      fanuelsenF 1 Reply Last reply Reply Quote 0
      • fanuelsenF Offline
        fanuelsen @dant123
        last edited by

        @dant123

        https://github.com/vatesfr/xen-orchestra/pull/6278

        fanuelsen opened this pull request in vatesfr/xen-orchestra

        closed feat(xo-server-auth-saml): allow customizing callback URL #6278

        D 1 Reply Last reply Reply Quote 0
        • D Offline
          dant123 @fanuelsen
          last edited by

          @fanuelsen thanks! Updated and confirmed I can now customize it.

          Trying to SAML auth now gives me a blank page with "Internal Server Error" on it instead, with the displayed URL being the (correct) callback one. Refreshing the page shows a quick Microsoft auth URL then the error.

          Not sure how to proceed here, would help if we could confirm what "Entry point" "Issuer" should be mapped to regarding Azure AD so I could at least rule out the config on XO being the issue. I tried checking Audit and Logs but there wasn't much info on why the auth failed.

          1 Reply Last reply Reply Quote 0
          • olivierlambertO Offline
            olivierlambert Vates 🪐 Co-Founder CEO
            last edited by

            Have you checked xo-server output?

            D 1 Reply Last reply Reply Quote 0
            • D Offline
              dant123 @olivierlambert
              last edited by

              @olivierlambert sorry for the delay there! Relevant portion of the logs (extracted via journalctl -u xo-server.service)

              Aug 08 14:33:24 xo-ce xo-server[517]: Error: error:0909006C:PEM routines:get_name:no start line
              Aug 08 14:33:24 xo-ce xo-server[517]:     at Verify.verify (node:internal/crypto/sig:230:24)
              Aug 08 14:33:24 xo-ce xo-server[517]:     at RSASHA256.verifySignature (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/xml-crypto/lib/signed-xml.js:140:24)
              Aug 08 14:33:24 xo-ce xo-server[517]:     at SignedXml.validateSignatureValue (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/xml-crypto/lib/signed-xml.js:460:20)
              Aug 08 14:33:24 xo-ce xo-server[517]:     at SignedXml.checkSignature (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/xml-crypto/lib/signed-xml.js:397:15)
              Aug 08 14:33:24 xo-ce xo-server[517]:     at validateXmlSignatureForCert (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/passport-saml/src/node-saml/xml.ts:103:14)
              Aug 08 14:33:24 xo-ce xo-server[517]:     at /opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/passport-saml/src/node-saml/saml.ts:730:41
              Aug 08 14:33:24 xo-ce xo-server[517]:     at Array.some (<anonymous>)
              Aug 08 14:33:24 xo-ce xo-server[517]:     at SAML.validateSignature (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/passport-saml/src/node-saml/saml.ts:729:18)
              Aug 08 14:33:24 xo-ce xo-server[517]:     at SAML.validatePostResponseAsync (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/passport-saml/src/node-saml/saml.ts:785:17)
              Aug 08 14:33:24 xo-ce xo-server[517]:     at runMicrotasks (<anonymous>)
              Aug 08 14:33:24 xo-ce xo-server[517]:     at processTicksAndRejections (node:internal/process/task_queues:96:5)
              

              I looked up "Error: error:0909006C:PEM routines:get_name:no start line" in relation to passport-saml and read through a ton of discussions but couldn't find a conclusive solution. I am copying the contents of the Base64 .cer file in their entirety and triple checked they are correct. Tried converting from UTF-8 to ANSI and ASCII as well as replacing "CERTIFICATE" with "PRIVATE KEY".

              One thing to note: When copying the cert text back from the XO field, the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- are not in their own lines. I saw this mentioned in a couple discussions such as here. I did try manually replacing the spaces between the hyphens and the string with /n but it wasn't parsed correctly when entered via the web UI.

              1 Reply Last reply Reply Quote 0
              • olivierlambertO Offline
                olivierlambert Vates 🪐 Co-Founder CEO
                last edited by

                Does it ring a bell @julien-f ?

                1 Reply Last reply Reply Quote 0
                • D Offline
                  dant123
                  last edited by

                  For what it's worth, most Web UIs I see that take in certs use a text box/area rather than a text field which (directly or indirectly, not sure) preserves the line breaks in the cert. Everywhere I'm seeing, a text field doesn't seem to preserve the needed line breaks when its value is stored in a string.

                  Not sure which file(s) I'd need to edit to test a fix for this as I'm not the strongest with web development, but would be willing to try and report back.

                  1 Reply Last reply Reply Quote 0
                  • olivierlambertO Offline
                    olivierlambert Vates 🪐 Co-Founder CEO
                    last edited by

                    Okay thanks for the feedback 🙂 Let's see if we can fix it with a text box/area instead of a simple text field!

                    Re-ping @julien-f

                    julien-fJ 1 Reply Last reply Reply Quote 0
                    • julien-fJ Offline
                      julien-f Vates 🪐 Co-Founder XO Team @olivierlambert
                      last edited by

                      It's now fixed, please let us know if you have other issues 🙂

                      https://github.com/vatesfr/xen-orchestra/pull/6403

                      MathieuRA opened this pull request in vatesfr/xen-orchestra

                      closed feat(xo-server-auth-saml): support multiline cert #6403

                      D 1 Reply Last reply Reply Quote 1
                      • D Offline
                        dant123 @julien-f
                        last edited by

                        @julien-f confirmed fixed, thank you! Copy/pasted the Azure AD enterprise app's base64 cert in again and saved to get it working. After updating XO of course.

                        1 Reply Last reply Reply Quote 2
                        • olivierlambertO Offline
                          olivierlambert Vates 🪐 Co-Founder CEO
                          last edited by

                          Yay! Great news, thanks for the feedback @dant123 !

                          MathieuM 1 Reply Last reply Reply Quote 0
                          • MathieuM Offline
                            Mathieu @olivierlambert
                            last edited by

                            @dant123
                            Old topic but thanks a lot for your first post, it was quite helpful for me to setup authentification with Microsoft Entra.

                            I just didn't get immediately that you also need to specify the callback URL in the XO plugin settings, not only in the enterprise application in the Microsoft portal.

                            My XO is behind a reverse proxy with a Let's Encrypt certificate, but it is also working with a self-signed certificate and a local DNS record.

                            @olivierlambert Might be worth an addendum in the official documentation with specific screenshots for Microsoft Entra?

                            1 Reply Last reply Reply Quote 1
                            • olivierlambertO Offline
                              olivierlambert Vates 🪐 Co-Founder CEO
                              last edited by

                              Sure, happy to have a PR on our doc!

                              1 Reply Last reply Reply Quote 1
                              • First post
                                Last post