Cannot successfully pass the SSO authentication `user_attr` option

Hey everyone,

Hoping someone can shed some light onto why I cannot successfully implement an SSO authentication through a fresh baremetal or Docker image deployment. In either deployment, I cannot successfully pass my user_attr to the librenms instance, even if I manually hardcode the variable with either of the Nginx directives add_header and/or proxy_set_header.

Error Message:

Auth Error (sso): No user () [] from 192.168.25.5

LibreNMS validate.php Output (ignoring the known issue with fping6, as IPv6 is disabled in my network):
$ sudo docker compose -f compose.yaml exec --user librenms librenms php validate.php

===========================================
Component | Version
--------- | -------
LibreNMS  | 23.9.1 (2023-09-29T22:59:55-07:00)
DB Schema | 2023_09_01_084057_application_new_defaults (259)
PHP       | 8.1.22
Python    | 3.10.13
Database  | MariaDB 10.5.22-MariaDB-1:10.5.22+maria~ubu2004
RRDTool   | 1.7.2
SNMP      | 5.9.3
===========================================

[OK]    Installed from the official Docker image; no Composer required
[WARN]  You have no devices.
        [FIX]:
        Consider adding a device such as localhost: /addhost
[OK]    Database connection successful
[OK]    Database Schema is current
[OK]    SQL Server meets minimum requirements
[OK]    lower_case_table_names is enabled
[OK]    MySQL engine is optimal
[OK]    Database and column collations are correct
[OK]    Database schema correct
[OK]    MySQl and PHP time match
[OK]    Active pollers found
[OK]    Dispatcher Service is enabled
[OK]    Locks are functional
[OK]    No python wrapper pollers found
[OK]    Redis is functional
[INFO]  fping FAILURES can be ignored if running LibreNMS in a jail without ::1. You may want to test it manually: fping ::1
[FAIL]  /usr/sbin/fping6 could not be executed. /usr/sbin/fping6 must have CAP_NET_RAW capability (getcap) or suid. Selinux exclusions may be required.
 (/usr/sbin/fping: can't create socket (must run as root?))
[FAIL]  /usr/sbin/fping6 should have CAP_NET_RAW!
        [FIX]:
        setcap cap_net_raw+ep /usr/sbin/fping6
[OK]    rrd_dir is writable
[OK]    rrdtool version ok
[WARN]  Updates are managed through the official Docker image

LibreNMS SSO Configuration:

...
$config['auth_mechanism'] = 'sso';
$config['sso']['create_users'] = true;
$config['sso']['email_attr'] = 'XAUTHENTIKEMAIL';
$config['sso']['group_attr'] = 'XAUTHENTIKGROUPS';
$config['sso']['group_delimiter'] = ';';
$config['sso']['group_level_map'] = ['librenms_admins' => 10, 'librenms_users' => 5];
$config['sso']['group_strategy']  = 'map';
$config['sso']['mode'] = 'header';
$config['sso']['realname_attr'] = 'XAUTHENTIKNAME';
$config['sso']['trusted_proxies'] = ['127.0.0.1/32', '192.168.25.0/24'];
$config['sso']['user_attr'] = 'XAUTHENTIKUSERNAME';
...

Nginx Configuration on Docker Host:

server {
  listen 443 ssl;
  http2 on;
  server_name librenms.domain.tld;

  ssl_certificate /etc/ssl/certs/librenms.domain.tld.crt;
  ssl_certificate_key /etc/ssl/private/librenms.domain.tld.key;

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  proxy_buffers 4 256k;
  proxy_buffer_size 256k;

  location / {
    proxy_http_version 1.1;
    proxy_redirect off;
    proxy_set_header Connection $http_connection;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $proxy_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_ssl_verify off;
    proxy_pass http://192.168.25.5:8000;

    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header XAUTHENTIKUSERNAME $authentik_username;
    proxy_set_header XAUTHENTIKGROUPS $authentik_groups;
    proxy_set_header XAUTHENTIKEMAIL $authentik_email;
    proxy_set_header XAUTHENTIKNAME $authentik_name;
    proxy_set_header XAUTHENTIKUID $authentik_uid;
  }

  location /outpost.goauthentik.io {
    proxy_pass              https://authentik.domain.tld/outpost.goauthentik.io;
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
  }

  location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
  }
}

Based on the logic of SSOAuthorizer.php, I removed all the dashes and underscores from my header variables and made everything uppercase.

...
            $header_key = $prefix . str_replace('-', '_', strtoupper($attr));

            if (Config::get('sso.mode') === 'header' && array_key_exists($header_key, $_SERVER)) {
                return $_SERVER[$header_key];
...

I am assuming that others got SSO to work for them, and I am probably just overlooking something. Does anyone have any pointers to where the issue might be? Thanks in advance for any help!
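
The header-mode lookup quoted above, turned into a diagnostic that reports which `$_SERVER` key each `sso.*_attr` option resolves to and whether it arrived. This is an added example, not part of the original post and not LibreNMS code. It assumes `$prefix` is `HTTP_` (the CGI convention PHP uses for request headers); `sso_header_key`, `ipv4_in_cidr` and `sso_diagnose` are hypothetical names, and the sample request is constructed.

```php
<?php
// Added diagnostic, not LibreNMS code. The key derivation is the line quoted in
// the post; the 'HTTP_' default for $prefix is an assumption (CGI convention).
function sso_header_key(string $attr, string $prefix = 'HTTP_'): string
{
    return $prefix . str_replace('-', '_', strtoupper($attr));
}

// Minimal IPv4 CIDR match (hypothetical helper) for the trusted_proxies check.
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $a = ip2long($ip);
    $n = ip2long($net);
    if ($a === false || $n === false) {
        return false;
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($a & $mask) === ($n & $mask);
}

// Report, per sso.*_attr option, the exact $_SERVER key looked up and its state.
function sso_diagnose(array $server, array $sso): array
{
    $report = ['remote_addr_trusted' => false];
    foreach ($sso['trusted_proxies'] as $cidr) {
        $report['remote_addr_trusted'] = $report['remote_addr_trusted']
            || ipv4_in_cidr($server['REMOTE_ADDR'] ?? '', $cidr);
    }
    foreach (['user_attr', 'email_attr', 'realname_attr', 'group_attr'] as $opt) {
        $key = sso_header_key($sso[$opt]);
        $report[$opt] = match (true) {
            // nginx omits a proxy_set_header whose value is an empty string
            !array_key_exists($key, $server) => "$key missing from request",
            $server[$key] === '' => "$key present but empty",
            default => "$key = {$server[$key]}",
        };
    }
    return $report;
}

$sso = [ // values copied from the config in the post
    'trusted_proxies' => ['127.0.0.1/32', '192.168.25.0/24'],
    'user_attr' => 'XAUTHENTIKUSERNAME', 'email_attr' => 'XAUTHENTIKEMAIL',
    'realname_attr' => 'XAUTHENTIKNAME', 'group_attr' => 'XAUTHENTIKGROUPS',
];
// Constructed request environment: proxy is trusted, only the username arrived.
$sample = ['REMOTE_ADDR' => '192.168.25.5', 'HTTP_XAUTHENTIKUSERNAME' => 'alice'];
print_r(sso_diagnose($sample, $sso));
```

Passing the real `$_SERVER` instead of `$sample` shows what actually reached PHP behind the proxy. `remote_addr_trusted` only confirms the source address falls inside `sso.trusted_proxies`; with `192.168.25.0/24` listed, every host in that subnet is accepted as a source of these identity headers.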

Did you happen to get this working?