Hi all, does anyone have any experiencing with tro...
# fleet
Hi all, does anyone have any experiencing with troubleshooting the SAML integration for SSO in Fleet? We’re getting the following error:
Copy code
There was an error with single sign-on. Please contact your Fleet administrator.
logs show:
Copy code
fleet[4403]: level=error ts=2022-07-12T12:55:25.527528789Z component=http user=unauthenticated method=POST uri=/api/v1/fleet/sso/callback took=3.385322ms err="response validation failed: wrong audience:fleet"
Hi, @Ryan! The most likely culprit is that the
Entity ID
set up in Fleet doesn't exactly match with the one in your identity provider comfiguration.
Thanks @Kathy Satterlee I’ll take a look to see what ours is set to.
Do you have any advice on where to find / how to determine the Entity ID?
If it helps, I’m trying to integrate with Okta SAML 2.0
Thanks in advance 🙂
Ok thanks, lemme see what I’ve done 😄
Ok so I have the following options in the SAML 2.0 configuration for Okta: • Identity Provider Single Sign-On URL • Identity Provider Issuer • X.509 Certificate • IDP Metadata (in XML format)
In Fleet I have the following: • Identity provider name • Entity ID • Issuer URI • IDP image URL • Metadata • Metadata URL
the Metadata XML itself has a
<md:EntityDescriptor entityID="bla" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
attribute, and the value of entityID there matches
Identity Provider Issuer
I get the same error even if I invert these 🤔
if I check the “Audience Restriction” field in the SAML Settings of Okta for this app I can see it is set to
, should that be set to something else?
I don't have any personal experience with Okta, so I can't answer that one for you. Let me see what I can hunt down.
Ok no worries 🙂 It’s a bit tricky given no one appears to be using the same terminology for the fields, looking at the docs for various SAML providers 😄
So much about tech is like the Wild West.
I think I’ll skip for now especially given you don’t support user provisioning yet anyway, you still have to go and manually invite a user, even to use SSO… Thanks for your help so far though! • https://github.com/fleetdm/fleet/issues/2008https://github.com/fleetdm/fleet/issues/239
👍 1
I did find this on the Okta support forum:
have you created the app on the Okta side yet? Assuming that it's a SAML app, your entity ID is usually in the PDF that Okta provides in the sign on tab.
I'll talk to the team about where we are with prioritizing those tickets and reach back out here later this week to let you know if that's something that might be on the horizon for the near term.
Hi, I’ve managed to get it to work in the end, but I think the lack of account provisioning somewhat diminishes the usefulness 😄 Thanks for your help though! I’ll keep an eye on those two tickets to follow any progress, and check back in the future.
I'm glad you got it running for now!
ty 1