Cannot successfully pass the SSO authentication `user_attr` option

Hey everyone,

Hoping someone can shed some light on why I cannot successfully implement SSO authentication on a fresh bare-metal or Docker image deployment. In either deployment, I cannot successfully pass my user_attr to the LibreNMS instance, even if I manually hardcode the variable with either of the Nginx directives add_header and/or proxy_set_header.

Error Message:

Auth Error (sso): No user () [] from 192.168.25.5

LibreNMS validate.php Output:
$ sudo docker compose -f compose.yaml exec --user librenms librenms php validate.php (ignoring the known issue with fping6, as IPv6 is disabled in my network)

===========================================
Component | Version
--------- | -------
LibreNMS  | 23.9.1 (2023-09-29T22:59:55-07:00)
DB Schema | 2023_09_01_084057_application_new_defaults (259)
PHP       | 8.1.22
Python    | 3.10.13
Database  | MariaDB 10.5.22-MariaDB-1:10.5.22+maria~ubu2004
RRDTool   | 1.7.2
SNMP      | 5.9.3
===========================================

[OK]    Installed from the official Docker image; no Composer required
[WARN]  You have no devices.
        [FIX]:
        Consider adding a device such as localhost: /addhost
[OK]    Database connection successful
[OK]    Database Schema is current
[OK]    SQL Server meets minimum requirements
[OK]    lower_case_table_names is enabled
[OK]    MySQL engine is optimal
[OK]    Database and column collations are correct
[OK]    Database schema correct
[OK]    MySQl and PHP time match
[OK]    Active pollers found
[OK]    Dispatcher Service is enabled
[OK]    Locks are functional
[OK]    No python wrapper pollers found
[OK]    Redis is functional
[INFO]  fping FAILURES can be ignored if running LibreNMS in a jail without ::1. You may want to test it manually: fping ::1
[FAIL]  /usr/sbin/fping6 could not be executed. /usr/sbin/fping6 must have CAP_NET_RAW capability (getcap) or suid. Selinux exclusions may be required.
 (/usr/sbin/fping: can't create socket (must run as root?))
[FAIL]  /usr/sbin/fping6 should have CAP_NET_RAW!
        [FIX]:
        setcap cap_net_raw+ep /usr/sbin/fping6
[OK]    rrd_dir is writable
[OK]    rrdtool version ok
[WARN]  Updates are managed through the official Docker image

LibreNMS SSO Configuration:

...
$config['auth_mechanism'] = 'sso';
$config['sso']['create_users'] = true;
$config['sso']['email_attr'] = 'XAUTHENTIKEMAIL';
$config['sso']['group_attr'] = 'XAUTHENTIKGROUPS';
$config['sso']['group_delimiter'] = ';';
$config['sso']['group_level_map'] = ['librenms_admins' => 10, 'librenms_users' => 5];
$config['sso']['group_strategy'] = 'map';
$config['sso']['mode'] = 'header';
$config['sso']['realname_attr'] = 'XAUTHENTIKNAME';
$config['sso']['trusted_proxies'] = ['127.0.0.1/32', '192.168.25.0/24'];
$config['sso']['user_attr'] = 'XAUTHENTIKUSERNAME';
...

Nginx Configuration on Docker Host:

server {
  listen 443 ssl;
  http2 on;
  server_name librenms.domain.tld;

  ssl_certificate /etc/ssl/certs/librenms.domain.tld.crt;
  ssl_certificate_key /etc/ssl/private/librenms.domain.tld.key;

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  proxy_buffers 4 256k;
  proxy_buffer_size 256k;

  location / {
    proxy_http_version 1.1;
    proxy_redirect off;
    # A single Connection header: pass the client's value through so that
    # WebSocket upgrades (Upgrade header below) still work.
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $proxy_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_ssl_verify off;
    proxy_pass http://192.168.25.5:8000;

    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header XAUTHENTIKUSERNAME $authentik_username;
    proxy_set_header XAUTHENTIKGROUPS $authentik_groups;
    proxy_set_header XAUTHENTIKEMAIL $authentik_email;
    proxy_set_header XAUTHENTIKNAME $authentik_name;
    proxy_set_header XAUTHENTIKUID $authentik_uid;
  }

  location /outpost.goauthentik.io {
    proxy_pass              https://authentik.domain.tld/outpost.goauthentik.io;
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
  }

  location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
  }
}

Based on the logic in SSOAuthorizer.php, I removed all the dashes and underscores from my header names and made everything uppercase.

...
$header_key = $prefix . str_replace('-', '_', strtoupper($attr));

if (Config::get('sso.mode') === 'header' && array_key_exists($header_key, $_SERVER)) {
    return $_SERVER[$header_key];
...

I am assuming that others got SSO to work for them, and I am probably just overlooking something. Does anyone have any pointers to where the issue might be? Thanks in advance for any help!
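As an added illustration (not code from this thread or from LibreNMS), the Python model below walks a header name through the three places it can get lost on the way to `user_attr`: the nginx that receives the request (which by default drops header names containing underscores, a caveat the all-uppercase names above already avoid), the CGI translation into `$_SERVER`, and the key LibreNMS derives from `user_attr` in the quoted line. The trusted-proxy step is a simplified assumption of the real `sso.trusted_proxies` check, using the CIDRs from the configuration above as constructed input.

```python
import ipaddress
import re

# Constructed from the sso.trusted_proxies value shown in the post.
TRUSTED_PROXIES = ["127.0.0.1/32", "192.168.25.0/24"]


def nginx_keeps_header(name: str, underscores_in_headers: bool = False) -> bool:
    """The nginx receiving the request (e.g. the one inside the LibreNMS
    container) silently drops headers whose names contain '_' unless
    'underscores_in_headers on' is set; other odd characters are invalid."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        return False
    return underscores_in_headers or "_" not in name


def cgi_server_key(header_name: str) -> str:
    """CGI/FastCGI rule for request headers: uppercase, '-' -> '_', HTTP_ prefix."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def librenms_header_key(attr: str, prefix: str = "HTTP_") -> str:
    """Mirror of the SSOAuthorizer line quoted in the post:
    $prefix . str_replace('-', '_', strtoupper($attr))"""
    return prefix + attr.upper().replace("-", "_")


def proxy_is_trusted(remote_addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """Simplified (assumed) model of the trusted_proxies check: headers are only
    honoured when REMOTE_ADDR, i.e. the proxy that talks to PHP, is listed."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in trusted)


def resolve_user_attr(header_name, header_value, attr, remote_addr,
                      underscores_in_headers=False):
    """Return (username, reason): the value LibreNMS would read for user_attr,
    or None plus the step at which the header was lost."""
    if not nginx_keeps_header(header_name, underscores_in_headers):
        return None, "header dropped by nginx (underscore in name)"
    if not proxy_is_trusted(remote_addr):
        return None, f"{remote_addr} not in sso.trusted_proxies"
    # Constructed $_SERVER as PHP-FPM would see it behind that proxy.
    server = {cgi_server_key(header_name): header_value, "REMOTE_ADDR": remote_addr}
    key = librenms_header_key(attr)
    if key not in server:
        return None, f"{key} absent from $_SERVER"
    return server[key], "ok"
```

Running the post's own names through it shows that `XAUTHENTIKUSERNAME` and the dashed `X-Authentik-Username` both resolve, while a name with underscores is lost before PHP ever sees it.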

Did you happen to get this working?
