XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    SAML Auth with Azure AD

    Scheduled Pinned Locked Moved Xen Orchestra
    25 Posts 7 Posters 3.4k Views 8 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      dant123
      last edited by

      For what it's worth, most Web UIs I see that take in certs use a text box/area rather than a text field which (directly or indirectly, not sure) preserves the line breaks in the cert. Everywhere I'm seeing, a text field doesn't seem to preserve the needed line breaks when its value is stored in a string.

      Not sure which file(s) I'd need to edit to test a fix for this as I'm not the strongest with web development, but would be willing to try and report back.

      1 Reply Last reply Reply Quote 0
      • olivierlambertO Online
        olivierlambert Vates 🪐 Co-Founder CEO
        last edited by

        Okay thanks for the feedback 🙂 Let's see if we can fix it with a text box/area instead of a simple text field!

        Re-ping @julien-f

        julien-fJ 1 Reply Last reply Reply Quote 0
        • julien-fJ Offline
          julien-f Vates 🪐 Co-Founder XO Team @olivierlambert
          last edited by

          It's now fixed, please let us know if you have other issues 🙂

          https://github.com/vatesfr/xen-orchestra/pull/6403

          MathieuRA opened this pull request in vatesfr/xen-orchestra

          closed feat(xo-server-auth-saml): support multiline cert #6403

          D 1 Reply Last reply Reply Quote 1
          • D Offline
            dant123 @julien-f
            last edited by

            @julien-f confirmed fixed, thank you! Copy/pasted the Azure AD enterprise app's base64 cert in again and saved to get it working. After updating XO of course.

            1 Reply Last reply Reply Quote 2
            • olivierlambertO Online
              olivierlambert Vates 🪐 Co-Founder CEO
              last edited by

              Yay! Great news, thanks for the feedback @dant123 !

              MathieuM 1 Reply Last reply Reply Quote 0
              • MathieuM Offline
                Mathieu @olivierlambert
                last edited by

                @dant123
                Old topic but thanks a lot for your first post, it was quite helpful for me to setup authentification with Microsoft Entra.

                I just didn't get immediately that you also need to specify the callback URL in the XO plugin settings, not only in the enterprise application in the Microsoft portal.

                My XO is behind a reverse proxy with a Let's Encrypt certificate, but it is also working with a self-signed certificate and a local DNS record.

                @olivierlambert Might be worth an addendum in the official documentation with specific screenshots for Microsoft Entra?

                1 Reply Last reply Reply Quote 1
                • olivierlambertO Online
                  olivierlambert Vates 🪐 Co-Founder CEO
                  last edited by

                  Sure, happy to have a PR on our doc!

                  MathieuM 1 Reply Last reply Reply Quote 1
                  • MathieuM Offline
                    Mathieu @olivierlambert
                    last edited by

                    Hello,

                    Has the saml-auth plugin updated recently ?

                    Using XOCE, commit c0065, it was working fine. Updating today to latest release, SAML authentication (Microsoft Entra ID), is not working anymore, I land on a page with a
                    'Internal server error' message.

                    Thanks,

                    nathanael-hN 1 Reply Last reply Reply Quote 0
                    • olivierlambertO Online
                      olivierlambert Vates 🪐 Co-Founder CEO
                      last edited by olivierlambert

                      Hi,

                      Yes it was. You need to be sure that your SAML provider used the signed SAML assertion.

                      Examples in Keycloak then Azure respectively:

                      saml2.png

                      saml1.png

                      1 Reply Last reply Reply Quote 0
                      • nathanael-hN Offline
                        nathanael-h Vates 🪐 DevOps Team @Mathieu
                        last edited by

                        @Mathieu yes indeed, I worked on this with @pierrebrunet PR https://github.com/vatesfr/xen-orchestra/pull/9042
                        Do you have any logs in xo-server service?

                        pierrebrunet289 opened this pull request in vatesfr/xen-orchestra

                        closed chore: update packages #9042

                        1 Reply Last reply Reply Quote 0
                        • P Offline
                          pierrebrunet Vates 🪐 XO Team
                          last edited by pierrebrunet

                          @Mathieu Hi, you need to be sure to have signed assertion and signed response because only one won't be enough.

                          We have updated the doc when you saw the impact. Sorry for the inconvenience:
                          https://github.com/vatesfr/xen-orchestra/pull/9084/files#diff-6319d6b750c3bdbca61a9d9a1577a8aa4fa3a8a37764b91aef4672f69403baa4R221

                          pierrebrunet289 opened this pull request in vatesfr/xen-orchestra

                          closed chore: update doc for SAML due to breaking changes in config #9084

                          MathieuM 1 Reply Last reply Reply Quote 0
                          • MathieuM Offline
                            Mathieu @pierrebrunet
                            last edited by Mathieu

                            @pierrebrunet

                            Hello,

                            I've updated the cert with signed assertion and response

                            a2bbfd50-40ff-4db8-9947-32d0a7902bc7-image.png

                            I also tried with a brand new certificate.

                            Unfortunately, login is still failing.

                            From xo-server:

                            Oct 09 08:11:17 xo-ce xo-server[272092]: Error: SAML assertion audience mismatch. Expected: 1671ff50-10e1-4a02-a0c5-4ed298898281 Received: https://XO_DNS_RECORD/
                            Oct 09 08:11:17 xo-ce xo-server[272092]:     at /opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1264:18
                            Oct 09 08:11:17 xo-ce xo-server[272092]:     at Array.map (<anonymous>)
                            Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.checkAudienceValidityError (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1259:8)
                            Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.processValidlySignedAssertionAsync (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1151:32)
                            Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.validatePostResponseAsync (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:808:16)
                            

                            And here is the plug-in configuration:
                            c2970287-4c00-4c36-817b-89195e2ce116-image.png

                            I'm not expert at all in SAML, sorry not being able to debug deeper.

                            P 1 Reply Last reply Reply Quote 0
                            • P Offline
                              pierrebrunet Vates 🪐 XO Team @Mathieu
                              last edited by pierrebrunet

                              @Mathieu Hello, can you show us your plugin configuration (without the certificate for security purpose) please?

                              Edit: thank you!

                              MathieuM 1 Reply Last reply Reply Quote 0
                              • MathieuM Offline
                                Mathieu @pierrebrunet
                                last edited by

                                @pierrebrunet Just posted it above

                                P 1 Reply Last reply Reply Quote 0
                                • P Offline
                                  pierrebrunet Vates 🪐 XO Team @Mathieu
                                  last edited by pierrebrunet

                                  @Mathieu Hi, do you use XO from source or do you have an XOA license? Just to know how to help you more confortably

                                  MathieuM 1 Reply Last reply Reply Quote 0
                                  • MathieuM Offline
                                    Mathieu @pierrebrunet
                                    last edited by

                                    @pierrebrunet
                                    XO from source, commit 1ee07 from today.

                                    P 1 Reply Last reply Reply Quote 0
                                    • P Offline
                                      pierrebrunet Vates 🪐 XO Team @Mathieu
                                      last edited by

                                      @Mathieu Thanks to your help, we are deploying a patch with config update and control over document and assertion signatures
                                      https://github.com/vatesfr/xen-orchestra/pull/9093

                                      pierrebrunet289 opened this pull request in vatesfr/xen-orchestra

                                      open fix(plugin/auth-saml): add default config in SAML #9093

                                      1 Reply Last reply Reply Quote 1
                                      • First post
                                        Last post