Hello,
I followed this guide: https://openvpn.net/vpn-server-resource ... p-mapping/ to implement post_auth group mapping with our SAML Azure AD authentication, but when I try to log in with my test user, it doesn't work.
I get this output in my openvpnas.log:
2022-12-05T11:29:05+0100 [stdout#info] ***** POST_AUTH: Groups for user thibault.mori@cdbdx.biz are not reported, please check your IdP configuration
2022-12-05T11:29:05+0100 [stdout#info] ***** POST_AUTH: No group mapping matches found for 'thibault.mori@cdbdx.biz' ... Using default group settings...
I need help with this issue.
Regards,
Thibault
Post_auth SAML group mapping script
Re: Post_auth SAML group mapping script
Hello Thibault,
There are 2 components to this. The SAML IdP must send information about the group that the user is in. And the post_auth script must read that information and use it. It looks like you installed the post_auth script but that the SAML IdP is not sending the information. Did you implement that part of the instructions correctly on your SAML IdP?
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
Re: Post_auth SAML group mapping script
Yes, I implemented this part following your guide https://openvpn.net/vpn-server-resource ... p-mapping/ for Microsoft Azure AD.
Re: Post_auth SAML group mapping script
Hello Thibault,
I understand. But the script says it is not receiving group data. Could you check that, when you implemented the reporting on Azure, you used the correct case and spelling of the word 'groups'? If it was spelled differently, the post_auth script won't see it, because it is reported under another attribute name. Basically, the problem is that the Access Server is either not getting the group information reported by your SAML IdP at all, or getting it reported with a 'wrong' attribute name.
Kind regards,
Johan
OpenVPN Inc.
Re: Post_auth SAML group mapping script
Hi,
You may try to use the "Object Id" instead of the Group Name. Update your script using the "Object Id" of the group in the IdP, then make sure to reload your script and soft reload the AS after the change:
cd /usr/local/openvpn_as/scripts
./sacli --key "auth.module.post_auth_script" --value_file=/root/saml.py ConfigPut
./sacli start
Regards,
.\kionci
OpenVPN Inc.
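As an added illustration for the two replies above (this is not the script from the OpenVPN guide, nor Access Server's own code), here is a stand-alone Python stand-in for the group-lookup step that reproduces the two log lines from the thread: the attribute name must match 'groups' exactly, and the mapping keys must be whatever value the IdP actually sends (for Azure AD, often the group Object Id). The mapping table, the Object Id and the sample SAML attribute sets are constructed.

```python
import logging

# Constructed mapping, in the spirit of the guide's script: value sent in the
# 'groups' attribute -> Access Server group. Keys are compared exactly, so they
# must be whatever the IdP really emits; Azure AD often sends the group Object
# Id rather than the display name, which is why switching the key can help.
GROUP_MAP = {
    "vpn-admins": "Admins",                            # group display name
    "11111111-2222-3333-4444-555555555555": "Admins",  # constructed Object Id
}
DEFAULT_GROUP = "Default"
log = logging.getLogger("post_auth")


def resolve_group(username, saml_attrs, group_map=GROUP_MAP, attr_name="groups"):
    """Pick the Access Server group from SAML attributes ({name: [values]}).

    Returns (group, outcome); outcome is 'not_reported', 'no_match' or
    'matched'. The attribute name is matched case-sensitively, so an IdP that
    sends 'Groups' or 'memberOf' yields the first log line from the thread.
    """
    values = saml_attrs.get(attr_name)
    if not values:
        log.info("***** POST_AUTH: Groups for user %s are not reported, "
                 "please check your IdP configuration", username)
        return DEFAULT_GROUP, "not_reported"
    for value in values:
        if value in group_map:
            return group_map[value], "matched"
    log.info("***** POST_AUTH: No group mapping matches found for '%s' "
             "... Using default group settings...", username)
    return DEFAULT_GROUP, "no_match"


def diagnose(saml_attrs, attr_name="groups"):
    """Explain a 'not reported' result: attribute absent, or merely miscased?"""
    if attr_name in saml_attrs:
        return "attribute present"
    near = [k for k in saml_attrs if k.lower() == attr_name.lower()]
    if near:
        return f"attribute missing; IdP sent {near[0]!r} instead (case mismatch)"
    if not saml_attrs:
        return "attribute missing; IdP sent no attributes"
    return "attribute missing; IdP sent: " + ", ".join(sorted(saml_attrs))


# Constructed SAML attribute sets standing in for the situations discussed.
WRONG_CASE = {"Groups": ["vpn-admins"]}                            # miscased name
OBJECT_IDS = {"groups": ["11111111-2222-3333-4444-555555555555"]}  # Ids, not names
NAMES = {"groups": ["vpn-admins"]}
```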