#fleet

Ryan

07/12/2022, 12:55 PM
Hi all, does anyone have any experience with troubleshooting the SAML integration for SSO in Fleet? We’re getting the following error:
There was an error with single sign-on. Please contact your Fleet administrator.
The journalctl logs show:
fleet[4403]: level=error ts=2022-07-12T12:55:25.527528789Z component=http user=unauthenticated method=POST uri=/api/v1/fleet/sso/callback took=3.385322ms err="response validation failed: wrong audience:fleet"
Kathy Satterlee

07/12/2022, 2:16 PM
Hi, @Ryan! The most likely culprit is that the Entity ID set up in Fleet doesn't exactly match with the one in your identity provider configuration.
Ryan

07/12/2022, 3:11 PM
Thanks @Kathy Satterlee I’ll take a look to see what ours is set to.
3:34 PM
Do you have any advice on where to find / how to determine the Entity ID?
3:34 PM
If it helps, I’m trying to integrate with Okta SAML 2.0
3:34 PM
Thanks in advance 🙂
Kathy Satterlee

07/12/2022, 3:43 PM
Ryan

07/12/2022, 4:15 PM
Ok thanks, lemme see what I’ve done 😄
4:29 PM
Ok so I have the following options in the SAML 2.0 configuration for Okta:
• Identity Provider Single Sign-On URL
• Identity Provider Issuer
• X.509 Certificate
• IDP Metadata (in XML format)
4:30 PM
In Fleet I have the following:
• Identity provider name
• Entity ID
• Issuer URI
• IDP image URL
• Metadata
• Metadata URL
4:38 PM
the Metadata XML itself has a
<md:EntityDescriptor entityID="bla" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
attribute, and the value of entityID there matches Identity Provider Issuer
4:40 PM
I get the same error even if I invert these 🤔
4:44 PM
if I check the “Audience Restriction” field in the SAML Settings of Okta for this app I can see it is set to fleet, should that be set to something else?
Kathy Satterlee

07/12/2022, 4:59 PM
I don't have any personal experience with Okta, so I can't answer that one for you. Let me see what I can hunt down.
Ryan

07/12/2022, 5:00 PM
Ok no worries 🙂 It’s a bit tricky given no one appears to be using the same terminology for the fields, looking at the docs for various SAML providers 😄
Kathy Satterlee

07/12/2022, 5:01 PM
So much about tech is like the Wild West.
Ryan

07/12/2022, 5:01 PM
I think I’ll skip for now especially given you don’t support user provisioning yet anyway, you still have to go and manually invite a user, even to use SSO… Thanks for your help so far though! https://github.com/fleetdm/fleet/issues/2008 https://github.com/fleetdm/fleet/issues/239
Kathy Satterlee

07/12/2022, 5:08 PM
I did find this on the Okta support forum:
have you created the app on the Okta side yet? Assuming that it's a SAML app, your entity ID is usually in the PDF that Okta provides in the sign on tab.
5:13 PM
I'll talk to the team about where we are with prioritizing those tickets and reach back out here later this week to let you know if that's something that might be on the horizon for the near term.
Ryan

07/13/2022, 8:44 AM
Hi, I’ve managed to get it to work in the end, but I think the lack of account provisioning somewhat diminishes the usefulness 😄 Thanks for your help though! I’ll keep an eye on those two tickets to follow any progress, and check back in the future.
Kathy Satterlee

07/13/2022, 2:04 PM
I'm glad you got it running for now!