SAML Auth with Azure AD

dant123

@fanuelsen thanks! Updated and confirmed I can now customize it.

Trying to SAML auth now gives me a blank page with "Internal Server Error" on it instead, with the displayed URL being the (correct) callback one. Refreshing the page shows a quick Microsoft auth URL then the error.

Not sure how to proceed here, would help if we could confirm what "Entry point" "Issuer" should be mapped to regarding Azure AD so I could at least rule out the config on XO being the issue. I tried checking Audit and Logs but there wasn't much info on why the auth failed.

olivierlambert

Have you checked xo-server output?

dant123

@olivierlambert sorry for the delay there! Relevant portion of the logs (extracted via journalctl -u xo-server.service)

Aug 08 14:33:24 xo-ce xo-server[517]: Error: error:0909006C:PEM routines:get_name:no start line
Aug 08 14:33:24 xo-ce xo-server[517]:     at Verify.verify (node:internal/crypto/sig:230:24)
Aug 08 14:33:24 xo-ce xo-server[517]:     at RSASHA256.verifySignature (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/xml-crypto/lib/signed-xml.js:140:24)
Aug 08 14:33:24 xo-ce xo-server[517]:     at SignedXml.validateSignatureValue (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/xml-crypto/lib/signed-xml.js:460:20)
Aug 08 14:33:24 xo-ce xo-server[517]:     at SignedXml.checkSignature (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/xml-crypto/lib/signed-xml.js:397:15)
Aug 08 14:33:24 xo-ce xo-server[517]:     at validateXmlSignatureForCert (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/passport-saml/src/node-saml/xml.ts:103:14)
Aug 08 14:33:24 xo-ce xo-server[517]:     at /opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/passport-saml/src/node-saml/saml.ts:730:41
Aug 08 14:33:24 xo-ce xo-server[517]:     at Array.some (<anonymous>)
Aug 08 14:33:24 xo-ce xo-server[517]:     at SAML.validateSignature (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/passport-saml/src/node-saml/saml.ts:729:18)
Aug 08 14:33:24 xo-ce xo-server[517]:     at SAML.validatePostResponseAsync (/opt/xo/xo-builds/xen-orchestra-202208032035/node_modules/passport-saml/src/node-saml/saml.ts:785:17)
Aug 08 14:33:24 xo-ce xo-server[517]:     at runMicrotasks (<anonymous>)
Aug 08 14:33:24 xo-ce xo-server[517]:     at processTicksAndRejections (node:internal/process/task_queues:96:5)

I looked up "Error: error:0909006C:PEM routines:get_name:no start line" in relation to passport-saml and read through a ton of discussions but couldn't find a conclusive solution. I am copying the contents of the Base64 .cer file in their entirety and triple checked they are correct. Tried converting from UTF-8 to ANSI and ASCII as well as replacing "CERTIFICATE" with "PRIVATE KEY".

One thing to note: When copying the cert text back from the XO field, the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- are not in their own lines. I saw this mentioned in a couple discussions such as here. I did try manually replacing the spaces between the hyphens and the string with /n but it wasn't parsed correctly when entered via the web UI.

olivierlambert

Does it ring a bell @julien-f ?

dant123

For what it's worth, most Web UIs I see that take in certs use a text box/area rather than a text field which (directly or indirectly, not sure) preserves the line breaks in the cert. Everywhere I'm seeing, a text field doesn't seem to preserve the needed line breaks when its value is stored in a string.

Not sure which file(s) I'd need to edit to test a fix for this as I'm not the strongest with web development, but would be willing to try and report back.

olivierlambert

Okay thanks for the feedback Let's see if we can fix it with a text box/area instead of a simple text field!

Re-ping @julien-f

julien-f

It's now fixed, please let us know if you have other issues

https://github.com/vatesfr/xen-orchestra/pull/6403

MathieuRA opened this pull request in vatesfr/xen-orchestra

closed feat(xo-server-auth-saml): support multiline cert #6403

dant123

@julien-f confirmed fixed, thank you! Copy/pasted the Azure AD enterprise app's base64 cert in again and saved to get it working. After updating XO of course.

olivierlambert

Yay! Great news, thanks for the feedback @dant123 !

Mathieu

@dant123
Old topic but thanks a lot for your first post, it was quite helpful for me to setup authentification with Microsoft Entra.

I just didn't get immediately that you also need to specify the callback URL in the XO plugin settings, not only in the enterprise application in the Microsoft portal.

My XO is behind a reverse proxy with a Let's Encrypt certificate, but it is also working with a self-signed certificate and a local DNS record.

@olivierlambert Might be worth an addendum in the official documentation with specific screenshots for Microsoft Entra?

olivierlambert

Sure, happy to have a PR on our doc!

Mathieu

Hello,

Has the saml-auth plugin updated recently ?

Using XOCE, commit c0065, it was working fine. Updating today to latest release, SAML authentication (Microsoft Entra ID), is not working anymore, I land on a page with a
'Internal server error' message.

Thanks,

olivierlambert

Hi,

Yes it was. You need to be sure that your SAML provider used the signed SAML assertion.

Examples in Keycloak then Azure respectively:

nathanael-h

@Mathieu yes indeed, I worked on this with @pierrebrunet PR https://github.com/vatesfr/xen-orchestra/pull/9042
Do you have any logs in xo-server service?

pierrebrunet289 opened this pull request in vatesfr/xen-orchestra

closed chore: update packages #9042

pierrebrunet

@Mathieu Hi, you need to be sure to have signed assertion and signed response because only one won't be enough.

We have updated the doc when you saw the impact. Sorry for the inconvenience:
https://github.com/vatesfr/xen-orchestra/pull/9084/files#diff-6319d6b750c3bdbca61a9d9a1577a8aa4fa3a8a37764b91aef4672f69403baa4R221

pierrebrunet289 opened this pull request in vatesfr/xen-orchestra

closed chore: update doc for SAML due to breaking changes in config #9084

Mathieu

@pierrebrunet

Hello,

I've updated the cert with signed assertion and response

I also tried with a brand new certificate.

Unfortunately, login is still failing.

From xo-server:

Oct 09 08:11:17 xo-ce xo-server[272092]: Error: SAML assertion audience mismatch. Expected: 1671ff50-10e1-4a02-a0c5-4ed298898281 Received: https://XO_DNS_RECORD/
Oct 09 08:11:17 xo-ce xo-server[272092]:     at /opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1264:18
Oct 09 08:11:17 xo-ce xo-server[272092]:     at Array.map (<anonymous>)
Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.checkAudienceValidityError (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1259:8)
Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.processValidlySignedAssertionAsync (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1151:32)
Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.validatePostResponseAsync (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:808:16)

And here is the plug-in configuration:

I'm not expert at all in SAML, sorry not being able to debug deeper.

pierrebrunet

@Mathieu Hello, can you show us your plugin configuration (without the certificate for security purpose) please?

Edit: thank you!

Mathieu

@pierrebrunet Just posted it above

pierrebrunet

@Mathieu Hi, do you use XO from source or do you have an XOA license? Just to know how to help you more confortably

Mathieu

@pierrebrunet
XO from source, commit 1ee07 from today.