LibreNMS Socialite Microsoft Roles Mapping

Hello LibreNMS community. I am in the process of setting up a new deployment of LibreNMS and things are going well, but I am stuck on roles mapping. I am trying to utilize the “roles” claim on a Microsoft Azure application instead of the “groups” claim but can’t seem to figure out a way to get this working.

I have confirmed the tokens have the roles claim properly:

"roles": [
    "engineer"
],

but I can’t seem to figure out how to get LibreNMS to map off that value properly.

I have spent hours reading through the forums and found many great posts but it’s either not clicking or not working for me.

My current configuration:

librenms@xxx:~$ lnms config:get auth.socialite
{
    "redirect": false,
    "register": true,
    "default_role": "none",
    "claims": {
        "engineer": {
            "roles": [
                "admin"
            ]
        }
    },
    "scopes": [],
    "configs": {
        "microsoft": {
            "client_id": "xxx",
            "client_secret": "xxx",
            "tenant": "xxx",
            "listener": "\\SocialiteProviders\\Microsoft\\MicrosoftExtendSocialite"
        }
    }
}

This is allowing users to log in, and it is creating the account in LibreNMS properly, just with NO roles.

I want to map the Microsoft roles claim “engineer” to the built-in LibreNMS “admin” role.

Reading through this forum and the LibreNMS documentation, I have seen it mentioned that if you are trying to use a claim other than “groups” you need to specify a new “scope”.

So I have tried adding a scope of “roles” in the LibreNMS config, as such:

librenms@xxx:~$ lnms config:get auth.socialite
{
    "redirect": false,
    "register": true,
    "default_role": "none",
    "claims": {
        "engineer": {
            "roles": [
                "admin"
            ]
        }
    },
    "scopes": [
        "roles"
    ],
    "configs": {
        "microsoft": {
            "client_id": "xxx",
            "client_secret": "xxx",
            "tenant": "xxx",
            "listener": "\\SocialiteProviders\\Microsoft\\MicrosoftExtendSocialite"
        }
    }
}

When I attempt to authenticate, I get an error that pops up stating:

"invalid_client: AADSTS650053: The application 'xxx' asked for scope 'roles' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor."

Due to the fact I am already receiving the “roles” claim properly from Microsoft, I don’t think I need to make any changes on that end?

I have also tried:

{
    "redirect": false,
    "register": true,
    "default_role": "none",
    "claims": {
        "roles.engineer": {
            "roles": [
                "admin"
            ]
        }
    },
    "scopes": [],
    "configs": {
        "microsoft": {
            "client_id": "xxx",
            "client_secret": "xxx",
            "tenant": "xxx",
            "listener": "\\SocialiteProviders\\Microsoft\\MicrosoftExtendSocialite"
        }
    }
}

Does anyone know how I can get LibreNMS to look at the “roles” claim and map to a local role based on that value?

Thank you!

The reason I am attempting to utilize the Microsoft “roles” claim is because my organization has a lot of groups, and many users have too many groups on their account for them all to show up in tokens. I did find a setting that only sends groups that are assigned permissions to the app in the “groups” claim. So I enabled that, and I now have both the roles AND groups claim active on my tokens. I was hopeful that having the more standard “groups” claim would work out, but I am still not able to get this functioning.

The groups claim has the OID of the groups:

"groups": [
    "c4bc85bc-3916-4606-942d-xxxxxxxxxxxx"
],

I have also changed it to use the SAMAccountName as well with no luck.

The LibreNMS documentation states:
“Be aware that the scope name must match the claim name.”

But Microsoft prefixes all its claims with:
api://[CLIENTID]/

So if I configure a SCOPE in LibreNMS called “groups”, I get errors when I login stating the scope “groups” doesn’t exist on my app.

Anyone have any ideas or have dealt with this before? Thanks!
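As an added illustration (not code from LibreNMS or from the poster), the block below models the two things being debugged in this thread: confirming which claims an ID token actually carries, and turning a list-valued claim such as "roles" or "groups" into local roles using a config shaped like the `auth.socialite` output above. The matching rule it implements is an assumption about the intended semantics: each key under `claims` is compared against the *values* found inside the token's list claims (so "engineer" would match, a key spelled "roles.engineer" would not), and when nothing matches, `default_role` applies unless it is "none". The token and the config in the block are constructed sample data with the post's secrets replaced by placeholders; the JWT decode is unverified and is only a debugging aid for reading claims, never a login path.

```python
from __future__ import annotations

import base64
import json
from typing import Any


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims_unverified(token: str) -> dict[str, Any]:
    """Decode a JWT payload for inspection only.

    The signature is NOT checked here. This exists so an operator can see
    which claims the IdP placed in the token (the 'roles' / 'groups' check
    the poster did by hand); it must never be used to authenticate anyone.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_demo_token(payload: dict[str, Any]) -> str:
    """Build an unsigned, constructed JWT for this example only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


# Constructed claims mirroring the fragments quoted in the thread.
DEMO_TOKEN = make_demo_token({
    "preferred_username": "jane@example.invalid",  # constructed
    "roles": ["engineer"],
    "groups": ["c4bc85bc-3916-4606-942d-xxxxxxxxxxxx"],
})

# Constructed config in the shape of `lnms config:get auth.socialite`.
# Keys under "claims" are claim VALUES (assumption, see lead-in); the
# group mapping is added here to show both claims resolving at once.
SOCIALITE_CONFIG: dict[str, Any] = {
    "register": True,
    "default_role": "none",
    "claims": {
        "engineer": {"roles": ["admin"]},
        "c4bc85bc-3916-4606-942d-xxxxxxxxxxxx": {"roles": ["user"]},
    },
}


def map_claims_to_roles(
    token_claims: dict[str, Any],
    config: dict[str, Any],
    claim_names: tuple[str, ...] = ("roles", "groups"),
) -> list[str]:
    """Return the sorted local roles granted by the token's claims.

    Every value under any claim in `claim_names` that has an entry in
    config["claims"] grants that entry's roles. A token that matches
    nothing falls back to default_role, and "none" deliberately grants
    no access at all (the least-privilege default the poster chose).
    """
    mapping: dict[str, Any] = config.get("claims", {})
    granted: set[str] = set()
    for name in claim_names:
        values = token_claims.get(name, [])
        if isinstance(values, str):  # some IdPs emit a lone string, not a list
            values = [values]
        for value in values:
            entry = mapping.get(value)
            if entry:
                granted.update(entry.get("roles", []))
    if not granted:
        default = config.get("default_role", "none")
        if default and default != "none":
            granted.add(default)
    return sorted(granted)


if __name__ == "__main__":
    claims = jwt_claims_unverified(DEMO_TOKEN)
    print("claims present:", sorted(claims))
    print("local roles:", map_claims_to_roles(claims, SOCIALITE_CONFIG))
```

Running the module prints the claim names present in the constructed token and the roles they resolve to under the constructed mapping. The fallback behaviour is the part worth keeping in mind operationally: with `default_role` set to "none", an account whose token carries no matching value is created with no roles, which is exactly the symptom described in the opening post, and it is the safe failure mode compared with a permissive default.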
