SAML Auth with Azure AD
-
Sure, happy to have a PR on our doc!
-
Hello,
Has the saml-auth plugin updated recently ?
Using XOCE, commit c0065, it was working fine. Updating today to latest release, SAML authentication (Microsoft Entra ID), is not working anymore, I land on a page with a
'Internal server error' message.Thanks,
-
Hi,
Yes it was. You need to be sure that your SAML provider used the signed SAML assertion.
Examples in Keycloak then Azure respectively:
-
@Mathieu yes indeed, I worked on this with @pierrebrunet PR https://github.com/vatesfr/xen-orchestra/pull/9042
Do you have any logs inxo-serverservice?closed chore: update packages #9042
-
@Mathieu Hi, you need to be sure to have signed assertion and signed response because only one won't be enough.
We have updated the doc when you saw the impact. Sorry for the inconvenience:
https://github.com/vatesfr/xen-orchestra/pull/9084/files#diff-6319d6b750c3bdbca61a9d9a1577a8aa4fa3a8a37764b91aef4672f69403baa4R221 -
Hello,
I've updated the cert with signed assertion and response
I also tried with a brand new certificate.
Unfortunately, login is still failing.
From xo-server:
Oct 09 08:11:17 xo-ce xo-server[272092]: Error: SAML assertion audience mismatch. Expected: 1671ff50-10e1-4a02-a0c5-4ed298898281 Received: https://XO_DNS_RECORD/ Oct 09 08:11:17 xo-ce xo-server[272092]: at /opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1264:18 Oct 09 08:11:17 xo-ce xo-server[272092]: at Array.map (<anonymous>) Oct 09 08:11:17 xo-ce xo-server[272092]: at SAML.checkAudienceValidityError (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1259:8) Oct 09 08:11:17 xo-ce xo-server[272092]: at SAML.processValidlySignedAssertionAsync (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1151:32) Oct 09 08:11:17 xo-ce xo-server[272092]: at SAML.validatePostResponseAsync (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:808:16)And here is the plug-in configuration:
I'm not expert at all in SAML, sorry not being able to debug deeper.
-
@Mathieu Hello, can you show us your plugin configuration (without the certificate for security purpose) please?
Edit: thank you!
-
@pierrebrunet Just posted it above
-
@Mathieu Hi, do you use XO from source or do you have an XOA license? Just to know how to help you more confortably
-
@pierrebrunet
XO from source, commit 1ee07 from today. -
@Mathieu Thanks to your help, we are deploying a patch with config update and control over document and assertion signatures
https://github.com/vatesfr/xen-orchestra/pull/9093closed fix(plugin/auth-saml): add default config in SAML #9093
-
@Mathieu Hi,
We merged the PR linked above with new options. If you have time, can you confirm it is working for you?
It will fix the audience error and let you choose if you want to sign responses and assertions. -
@pierrebrunet
I'm jumping in here as well. Reporting that the PR fixes it for Google Workspace as well!
However, the checkbox in GW is called "Signed response".
No further adjustments of the plugin itself was needed. -
@probain Hi,
Great!! Can you confirm the checkbox is in the Service Provider Details window? It is to enhance the doc part about SAML. -
@pierrebrunet
For Google Workspace:
Yes it is in the "Service Provider details"-section: See screenshot for example
Edit: Removed doubled screenshot
-
@probain Thank you!
-
O olivierlambert marked this topic as a question
-
O olivierlambert has marked this topic as solved
-
@pierrebrunet
Hello Pierre,Sorry for that late response, but yes, latest version is working fine and has solved the issue.
Thanks for the fix.
-
@pierrebrunet Are you aware if there is an official guide on how to use this with AzureAD ?
