Good morning team I m working on Okta integration today and osquery #fleet

Good morning team! I'm working on Okta integratio...

Mike S.

03/23/2023, 3:54 PM

Good morning team! I'm working on Okta integration today and am running into this error: Mar 23 153519 <hostname> fleet[5941]: {"component":"http","err":"response validation failed: wrong audience:fleet","level":"error","method":"POST","took":"8.576283ms","ts":"2023-03-23T153519.891266573Z","uri":"/api/v1/fleet/sso/callback"} I saw in a previous post where this appears to be an issue with the entity ID. After looking at the metadata, it looks like the Entity ID in Fleet and the metadata are identical. Has anyone else run into this?

Kathy Satterlee

03/23/2023, 4:14 PM

Hey @Mike S.! It definitely sounds like the Entity ID is the most likely culprit. Those are case-sensitive, could that be a factor?

Mike S.

03/23/2023, 4:15 PM

Not that I can tell... I copied/pasted it, but I will double check that!

Mike S.

03/23/2023, 4:16 PM

And hi @Kathy Satterlee!

zwass

03/23/2023, 4:48 PM

Can you check your config matches https://fleetdm.com/docs/deploying/configuration#okta-idp-configuration?

Mike S.

03/23/2023, 5:28 PM

It does match that so we should be good there.

zwass

03/23/2023, 5:37 PM

Do you have

Entity ID

set to

fleet

in the Fleet SSO config?

Mike S.

03/23/2023, 5:38 PM

Yes

zwass

03/23/2023, 7:28 PM

I notice the SAML you shared has an

saml2:Assertion

at the topmost level rather than a

saml2p:Response

samlp:Response

at the top level. I think that's probably the issue. Any idea why that would be? See some example responses at https://www.samltool.com/generic_sso_res.php

zwass

03/23/2023, 7:36 PM

The examples in Okta's docs show the same top level items that we expect (but your response doesn't have) as well: https://developer.okta.com/docs/guides/saml-tracer/main/

5 Views

Open in Slack

Previous Next