Cannot successfully pass the SSO authentication `user_attr` option

Hey everyone,

Hoping someone can shed some light onto why I cannot successfully implement an SSO authentication through a fresh baremetal or Docker image deployment. In either deployments, I cannot successfully pass my user_attr to the librenms instance, even if I manually hardcode the variable with either of the Nginx directives add_header and or proxy_set_header.

Error Message:

Auth Error (sso): No user () [] from

LibreNMS validate.php Output:
$ sudo docker compose -f compose.yaml exec --user librenms librenms php validate.php (ignoring the known issue with fping6, as IPv6 is disabled in my network)

Component | Version
--------- | -------
LibreNMS  | 23.9.1 (2023-09-29T22:59:55-07:00)
DB Schema | 2023_09_01_084057_application_new_defaults (259)
PHP       | 8.1.22
Python    | 3.10.13
Database  | MariaDB 10.5.22-MariaDB-1:10.5.22+maria~ubu2004
RRDTool   | 1.7.2
SNMP      | 5.9.3

[OK]    Installed from the official Docker image; no Composer required
[WARN]  You have no devices.
        Consider adding a device such as localhost: /addhost
[OK]    Database connection successful
[OK]    Database Schema is current
[OK]    SQL Server meets minimum requirements
[OK]    lower_case_table_names is enabled
[OK]    MySQL engine is optimal
[OK]    Database and column collations are correct
[OK]    Database schema correct
[OK]    MySQl and PHP time match
[OK]    Active pollers found
[OK]    Dispatcher Service is enabled
[OK]    Locks are functional
[OK]    No python wrapper pollers found
[OK]    Redis is functional
[INFO]  fping FAILURES can be ignored if running LibreNMS in a jail without ::1. You may want to test it manually: fping ::1
[FAIL]  /usr/sbin/fping6 could not be executed. /usr/sbin/fping6 must have CAP_NET_RAW capability (getcap) or suid. Selinux exclusions may be required.
 (/usr/sbin/fping: can't create socket (must run as root?))
[FAIL]  /usr/sbin/fping6 should have CAP_NET_RAW!
        setcap cap_net_raw+ep /usr/sbin/fping6
[OK]    rrd_dir is writable
[OK]    rrdtool version ok
[WARN]  Updates are managed through the official Docker image

LIbreNMS SSO Configuration:

$config['auth_mechanism'] = 'sso';
$config['sso']['create_users'] = true;
$config['sso']['email_attr'] = 'XAUTHENTIKEMAIL';
$config['sso']['group_attr'] = 'XAUTHENTIKGROUPS';
$config['sso']['group_delimiter'] = ';';
$config['sso']['group_level_map'] = ['librenms_admins' => 10, 'librenms_users' => 5];
$config['sso']['group_strategy']  = 'map';
$config['sso']['mode'] = 'header';
$config['sso']['realname_attr'] = 'XAUTHENTIKNAME';
$config['sso']['trusted_proxies'] = ['', ''];
$config['sso']['user_attr'] = 'XAUTHENTIKUSERNAME';

Nginx Configuration on Docker Host:

server {
  listen 443 ssl;
  http2 on;
  server_name librenms.domain.tld;

  ssl_certificate /etc/ssl/certs/librenms.domain.tld.crt;
  ssl_certificate_key /etc/ssl/private/librenms.domain.tld.key;

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  proxy_buffers 4 256k;
  proxy_buffer_size 256k;

  location / {
    proxy_http_version 1.1;
    proxy_redirect off;
    proxy_set_header Connection $http_connection;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $proxy_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_ssl_verify off;

    auth_request     /;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header XAUTHENTIKUSERNAME $authentik_username;
    proxy_set_header XAUTHENTIKGROUPS $authentik_groups;
    proxy_set_header XAUTHENTIKEMAIL $authentik_email;
    proxy_set_header XAUTHENTIKNAME $authentik_name;
    proxy_set_header XAUTHENTIKUID $authentik_uid;

  location / {
    proxy_pass              https://authentik.domain.tld/;
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";

  location @goauthentik_proxy_signin {
    add_header Set-Cookie $auth_cookie;
    return 302 /$request_uri;

Based on the logic of the SSOAuthorizer.php I removed all the dashes and underscores from my header variables and made everything uppercase.

            $header_key = $prefix . str_replace('-', '_', strtoupper($attr));

            if (Config::get('sso.mode') === 'header' && array_key_exists($header_key, $_SERVER)) {
                return $_SERVER[$header_key];

I am assuming that others got SSO to work for them, and I am probably just overlooking something. Does anyone have any pointers to where the issue might be? Thanks in advance for any help!

Did you happen to get this working?

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.