@julien-f confirmed fixed, thank you! Copy/pasted the Azure AD enterprise app's base64 cert in again and saved to get it working. After updating XO of course.
Best posts made by dant123
-
RE: SAML Auth with Azure AD
-
SAML Auth with Azure AD
Don't see it officially documented anywhere so I'll put down what worked for me and where I'm stuck. Using fully updated community edition (Xen Orchestra commit a4118, xo-server 5.100.0, xo-web 5.101.0).
XO instance is behind reverse proxy (Nginx Proxy Manager) pointed to Web UI's IP, port 443, HTTPS with websocket support and forced HTTPS redirection. Cert is valid. Public URL confirmed working.
-
Azure Active Directory > Enterprise applications > New application > Create your own application > Name: Xen Orchestra, Type: Non-gallery > Create
-
Azure Active Directory > Enterprise applications > Xen Orchestra > Users and groups > Added myself
-
Azure Active Directory > Enterprise applications > Xen Orchestra > Single sign-on > SAML > Basic SAML Configuration >
Identifier (Entity ID): https://<Public URL>
Reply URL (Assertion Consumer Service URL): https://<Public URL>/signin/saml/callback
-
XO > Settings > Plugins > auth-saml (v0.9.0) >
Certificate: Copied contents of Certificate (Base64) (from Azure Active Directory > Enterprise applications > Xen Orchestra > Single sign-on > SAML > SAML Signing Certificate)
Entry point: Copied from Login URL (from Azure Active Directory > Enterprise applications > Xen Orchestra > Single sign-on > SAML > Set up Xen Orchestra)
Issuer: Copied from Application ID (from Azure Active Directory > Enterprise applications > Xen Orchestra > Properties)
Username field: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Don't request an authentication context: Enabled (tried disabled too)
With any other Issuer I try, Microsoft gives an error that the application was not found.
With the application ID, it's found but I get the following error:
"Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply URL 'http://<Public URL>/signin/saml/callback' specified in the request does not match the reply URLs configured for the application '<Application ID>'. Make sure the reply URL sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/urlMismatchError to learn more about how to fix this."
Issue is, everywhere I can see, from the reverse proxy to my enterprise app, I'm using HTTPS. For some reason XO is sending the SAML request as http.
I've tried replacing the HTTPS reply URL under Azure Active Directory > App registrations > Xen Orchestra > Manifest with HTTP but it won't save. Was able to add the HTTP one on top of the HTTPS one, but same error.
I see a single mention of it here: https://github.com/vatesfr/xen-orchestra/issues/3822 as the last comment on the issue with no follow-up.
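A small diagnostic for the reply-URL mismatch described in the post above, added here as an example; it is not code from the post, from Xen Orchestra or from the auth-saml plugin. It decodes a SAMLRequest as carried by the HTTP-Redirect binding (base64 over raw DEFLATE), pulls out the AssertionConsumerServiceURL the SP put in it, and compares that with the reply URLs registered at the IdP, flagging the plain-http case that produces AADSTS50011. The hostname, issuer and reply URLs are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholders, not values from the post.
CONFIGURED_REPLY_URLS = {"https://xo.example.invalid/signin/saml/callback"}
SAMPLE_ISSUER = "00000000-0000-0000-0000-000000000000"


def build_authn_request(acs_url: str, issuer: str = SAMPLE_ISSUER) -> str:
    """Construct a minimal AuthnRequest so the example runs offline."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_constructed1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect_request(xml_text: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(compressor.compress(xml_text.encode()) + compressor.flush()).decode()


def decode_redirect_request(saml_request: str) -> str:
    """Reverse of encode_redirect_request: base64-decode, then inflate raw DEFLATE."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def acs_url_from_request(saml_request: str) -> str:
    """Return the AssertionConsumerServiceURL attribute of a redirect-encoded AuthnRequest."""
    root = ET.fromstring(decode_redirect_request(saml_request))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    return root.attrib["AssertionConsumerServiceURL"]


def check_reply_url(saml_request: str, configured_reply_urls: set) -> list:
    """Return findings; an empty list means the IdP should accept the reply URL."""
    acs = acs_url_from_request(saml_request)
    findings = []
    if acs not in configured_reply_urls:
        findings.append(f"ACS URL {acs!r} is not a configured reply URL (expect AADSTS50011)")
    if urlparse(acs).scheme != "https":
        findings.append("ACS URL is plain http: the SP is likely building it from the proxied "
                        "request without honouring X-Forwarded-Proto")
    return findings
```

Paste the real SAMLRequest value from the redirect to Microsoft (URL-decoded) into check_reply_url to see which of the two conditions applies.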
-