Hi all does anyone have any experiencing with troubleshootin osquery #fleet

Hi all, does anyone have any experiencing with tro...

Ryan

07/12/2022, 12:55 PM

Hi all, does anyone have any experiencing with troubleshooting the SAML integration for SSO in Fleet? We’re getting the following error:

Copy code

There was an error with single sign-on. Please contact your Fleet administrator.

The

journalctl

logs show:

Copy code

fleet[4403]: level=error ts=2022-07-12T12:55:25.527528789Z component=http user=unauthenticated method=POST uri=/api/v1/fleet/sso/callback took=3.385322ms err="response validation failed: wrong audience:fleet"

Kathy Satterlee

07/12/2022, 2:16 PM

Hi, @Ryan! The most likely culprit is that the

Entity ID

set up in Fleet doesn't exactly match with the one in your identity provider comfiguration.

Ryan

07/12/2022, 3:11 PM

Thanks @Kathy Satterlee I’ll take a look to see what ours is set to.

Ryan

07/12/2022, 3:34 PM

Do you have any advice on where to find / how to determine the Entity ID?

Ryan

07/12/2022, 3:34 PM

If it helps, I’m trying to integrate with Okta SAML 2.0

Ryan

07/12/2022, 3:34 PM

Thanks in advance 🙂

Kathy Satterlee

07/12/2022, 3:43 PM

It looks like Okta might call that the

Audience URI

. https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/#create-your-integration

Ryan

07/12/2022, 4:15 PM

Ok thanks, lemme see what I’ve done 😄

Ryan

07/12/2022, 4:29 PM

Ok so I have the following options in the SAML 2.0 configuration for Okta: • Identity Provider Single Sign-On URL • Identity Provider Issuer • X.509 Certificate • IDP Metadata (in XML format)

Ryan

07/12/2022, 4:30 PM

In Fleet I have the following: • Identity provider name • Entity ID • Issuer URI • IDP image URL • Metadata • Metadata URL

Ryan

07/12/2022, 4:38 PM

the Metadata XML itself has a

<md:EntityDescriptor entityID="bla" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

attribute, and the value of entityID there matches

Identity Provider Issuer

Ryan

07/12/2022, 4:40 PM

I get the same error even if I invert these 🤔

Ryan

07/12/2022, 4:44 PM

if I check the “Audience Restriction” field in the SAML Settings of Okta for this app I can see it is set to

fleet

, should that be set to something else?

Kathy Satterlee

07/12/2022, 4:59 PM

I don't have any personal experience with Okta, so I can't answer that one for you. Let me see what I can hunt down.

Ryan

07/12/2022, 5:00 PM

Ok no worries 🙂 It’s a bit tricky given no one appears to be using the same terminology for the fields, looking at the docs for various SAML providers 😄

Kathy Satterlee

07/12/2022, 5:01 PM

So much about tech is like the Wild West.

Ryan

07/12/2022, 5:01 PM

I think I’ll skip for now especially given you don’t support user provisioning yet anyway, you still have to go and manually invite a user, even to use SSO… Thanks for your help so far though! • https://github.com/fleetdm/fleet/issues/2008 • https://github.com/fleetdm/fleet/issues/239

👍 1

Kathy Satterlee

07/12/2022, 5:08 PM

I did find this on the Okta support forum:

have you created the app on the Okta side yet? Assuming that it's a SAML app, your entity ID is usually in the PDF that Okta provides in the sign on tab.

Kathy Satterlee

07/12/2022, 5:13 PM

I'll talk to the team about where we are with prioritizing those tickets and reach back out here later this week to let you know if that's something that might be on the horizon for the near term.

Ryan

07/13/2022, 8:44 AM

Hi, I’ve managed to get it to work in the end, but I think the lack of account provisioning somewhat diminishes the usefulness 😄 Thanks for your help though! I’ll keep an eye on those two tickets to follow any progress, and check back in the future.

Kathy Satterlee

07/13/2022, 2:04 PM

I'm glad you got it running for now!

ty 1

79 Views

Open in Slack

Previous Next