XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    SAML Auth with Azure AD

    Scheduled Pinned Locked Moved Xen Orchestra
    27 Posts 8 Posters 3.5k Views 9 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • nathanael-hN Offline
      nathanael-h Vates 🪐 DevOps Team @Mathieu
      last edited by

      @Mathieu yes indeed, I worked on this with @pierrebrunet PR https://github.com/vatesfr/xen-orchestra/pull/9042
      Do you have any logs in xo-server service?

      pierrebrunet289 opened this pull request in vatesfr/xen-orchestra

      closed chore: update packages #9042

      1 Reply Last reply Reply Quote 0
      • P Offline
        pierrebrunet Vates 🪐 XO Team
        last edited by pierrebrunet

        @Mathieu Hi, you need to be sure to have signed assertion and signed response because only one won't be enough.

        We have updated the doc when you saw the impact. Sorry for the inconvenience:
        https://github.com/vatesfr/xen-orchestra/pull/9084/files#diff-6319d6b750c3bdbca61a9d9a1577a8aa4fa3a8a37764b91aef4672f69403baa4R221

        pierrebrunet289 opened this pull request in vatesfr/xen-orchestra

        closed chore: update doc for SAML due to breaking changes in config #9084

        MathieuM 1 Reply Last reply Reply Quote 0
        • MathieuM Offline
          Mathieu @pierrebrunet
          last edited by Mathieu

          @pierrebrunet

          Hello,

          I've updated the cert with signed assertion and response

          a2bbfd50-40ff-4db8-9947-32d0a7902bc7-image.png

          I also tried with a brand new certificate.

          Unfortunately, login is still failing.

          From xo-server:

          Oct 09 08:11:17 xo-ce xo-server[272092]: Error: SAML assertion audience mismatch. Expected: 1671ff50-10e1-4a02-a0c5-4ed298898281 Received: https://XO_DNS_RECORD/
Oct 09 08:11:17 xo-ce xo-server[272092]:     at /opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1264:18
Oct 09 08:11:17 xo-ce xo-server[272092]:     at Array.map (<anonymous>)
Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.checkAudienceValidityError (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1259:8)
Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.processValidlySignedAssertionAsync (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1151:32)
Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.validatePostResponseAsync (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:808:16)

          And here is the plug-in configuration:
          c2970287-4c00-4c36-817b-89195e2ce116-image.png

          I'm not expert at all in SAML, sorry not being able to debug deeper.

          P 1 Reply Last reply Reply Quote 0
          • P Offline
            pierrebrunet Vates 🪐 XO Team @Mathieu
            last edited by pierrebrunet

            @Mathieu Hello, can you show us your plugin configuration (without the certificate for security purpose) please?

            Edit: thank you!

            MathieuM 1 Reply Last reply Reply Quote 0
            • MathieuM Offline
              Mathieu @pierrebrunet
              last edited by

              @pierrebrunet Just posted it above

              P 1 Reply Last reply Reply Quote 0
              • P Offline
                pierrebrunet Vates 🪐 XO Team @Mathieu
                last edited by pierrebrunet

                @Mathieu Hi, do you use XO from source or do you have an XOA license? Just to know how to help you more confortably

                MathieuM 1 Reply Last reply Reply Quote 0
                • MathieuM Offline
                  Mathieu @pierrebrunet
                  last edited by

                  @pierrebrunet
                  XO from source, commit 1ee07 from today.

                  P 2 Replies Last reply Reply Quote 0
                  • P Offline
                    pierrebrunet Vates 🪐 XO Team @Mathieu
                    last edited by

                    @Mathieu Thanks to your help, we are deploying a patch with config update and control over document and assertion signatures
                    https://github.com/vatesfr/xen-orchestra/pull/9093

                    pierrebrunet289 opened this pull request in vatesfr/xen-orchestra

                    closed fix(plugin/auth-saml): add default config in SAML #9093

                    1 Reply Last reply Reply Quote 1
                    • P Offline
                      pierrebrunet Vates 🪐 XO Team @Mathieu
                      last edited by

                      @Mathieu Hi,
                      We merged the PR linked above with new options. If you have time, can you confirm it is working for you?
                      It will fix the audience error and let you choose if you want to sign responses and assertions.

                      P 1 Reply Last reply Reply Quote 0
                      • P Offline
                        probain @pierrebrunet
                        last edited by

                        @pierrebrunet
                        I'm jumping in here as well. Reporting that the PR fixes it for Google Workspace as well!
                        However, the checkbox in GW is called "Signed response".
                        No further adjustments of the plugin itself was needed.

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post