XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    SAML Auth with Azure AD

    Scheduled Pinned Locked Moved Solved Xen Orchestra
    30 Posts 8 Posters 3.6k Views 9 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • MathieuM Offline
      Mathieu @pierrebrunet
      last edited by Mathieu

      @pierrebrunet

      Hello,

      I've updated the cert with signed assertion and response

      a2bbfd50-40ff-4db8-9947-32d0a7902bc7-image.png

      I also tried with a brand new certificate.

      Unfortunately, login is still failing.

      From xo-server:

      Oct 09 08:11:17 xo-ce xo-server[272092]: Error: SAML assertion audience mismatch. Expected: 1671ff50-10e1-4a02-a0c5-4ed298898281 Received: https://XO_DNS_RECORD/
Oct 09 08:11:17 xo-ce xo-server[272092]:     at /opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1264:18
Oct 09 08:11:17 xo-ce xo-server[272092]:     at Array.map (<anonymous>)
Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.checkAudienceValidityError (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1259:8)
Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.processValidlySignedAssertionAsync (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:1151:32)
Oct 09 08:11:17 xo-ce xo-server[272092]:     at SAML.validatePostResponseAsync (/opt/xo/xo-builds/xen-orchestra-202510090759/node_modules/@node-saml/node-saml/src/saml.ts:808:16)

      And here is the plug-in configuration:
      c2970287-4c00-4c36-817b-89195e2ce116-image.png

      I'm not expert at all in SAML, sorry not being able to debug deeper.

      P 1 Reply Last reply Reply Quote 0
      • P Offline
        pierrebrunet Vates πŸͺ XO Team @Mathieu
        last edited by pierrebrunet

        @Mathieu Hello, can you show us your plugin configuration (without the certificate for security purpose) please?

        Edit: thank you!

        MathieuM 1 Reply Last reply Reply Quote 0
        • MathieuM Offline
          Mathieu @pierrebrunet
          last edited by

          @pierrebrunet Just posted it above

          P 1 Reply Last reply Reply Quote 0
          • P Offline
            pierrebrunet Vates πŸͺ XO Team @Mathieu
            last edited by pierrebrunet

            @Mathieu Hi, do you use XO from source or do you have an XOA license? Just to know how to help you more confortably

            MathieuM 1 Reply Last reply Reply Quote 0
            • MathieuM Offline
              Mathieu @pierrebrunet
              last edited by

              @pierrebrunet
              XO from source, commit 1ee07 from today.

              P 2 Replies Last reply Reply Quote 0
              • P Offline
                pierrebrunet Vates πŸͺ XO Team @Mathieu
                last edited by

                @Mathieu Thanks to your help, we are deploying a patch with config update and control over document and assertion signatures
                https://github.com/vatesfr/xen-orchestra/pull/9093

                pierrebrunet289 opened this pull request in vatesfr/xen-orchestra

                closed fix(plugin/auth-saml): add default config in SAML #9093

                1 Reply Last reply Reply Quote 1
                • P Offline
                  pierrebrunet Vates πŸͺ XO Team @Mathieu
                  last edited by

                  @Mathieu Hi,
                  We merged the PR linked above with new options. If you have time, can you confirm it is working for you?
                  It will fix the audience error and let you choose if you want to sign responses and assertions.

                  P 1 Reply Last reply Reply Quote 0
                  • P Offline
                    probain @pierrebrunet
                    last edited by

                    @pierrebrunet
                    I'm jumping in here as well. Reporting that the PR fixes it for Google Workspace as well!
                    However, the checkbox in GW is called "Signed response".
                    No further adjustments of the plugin itself was needed.

                    P 1 Reply Last reply Reply Quote 1
                    • P Offline
                      pierrebrunet Vates πŸͺ XO Team @probain
                      last edited by

                      @probain Hi,
                      Great!! Can you confirm the checkbox is in the Service Provider Details window? It is to enhance the doc part about SAML.

                      P 1 Reply Last reply Reply Quote 1
                      • P Offline
                        probain @pierrebrunet
                        last edited by probain

                        @pierrebrunet
                        For Google Workspace:
                        Yes it is in the "Service Provider details"-section: See screenshot for example
                        f2d58e46-b168-43a5-85b1-7a59b305f7b4-image.png

                        Edit: Removed doubled screenshot

                        P 1 Reply Last reply Reply Quote 1
                        • P Offline
                          pierrebrunet Vates πŸͺ XO Team @probain
                          last edited by

                          @probain Thank you!

                          1 Reply Last reply Reply Quote 2
                          • olivierlambertO olivierlambert marked this topic as a question
                          • olivierlambertO olivierlambert has marked this topic as solved
                          • First post
                            Last post