Post_auth SAML group mapping script

thibaultmori
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 06, 2022 10:40 am

Post_auth SAML group mapping script

Post by thibaultmori » Tue Dec 06, 2022 10:42 am

Hello,
I followed this guide: https://openvpn.net/vpn-server-resource ... p-mapping/ to implement post_auth group mapping with our SAML Azure AD authentication, but when I try to log in with my test user, it doesn't work.

I have this output in my openvpnas.log:
2022-12-05T11:29:05+0100 [stdout#info] ***** POST_AUTH: Groups for user thibault.mori@cdbdx.biz are not reported, please check your IdP configuration
2022-12-05T11:29:05+0100 [stdout#info] ***** POST_AUTH: No group mapping matches found for 'thibault.mori@cdbdx.biz' ... Using default group settings...

I need help with this issue.

Regards,
Thibault

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Post_auth SAML group mapping script

Post by openvpn_inc » Tue Dec 06, 2022 11:21 am

Hello Thibault,

There are 2 components to this. The SAML IdP must send information about the group that the user is in. And the post_auth script must read that information and use it. It looks like you installed the post_auth script but that the SAML IdP is not sending the information. Did you implement that part of the instructions correctly on your SAML IdP?

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

thibaultmori
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 06, 2022 10:40 am

Re: Post_auth SAML group mapping script

Post by thibaultmori » Wed Dec 07, 2022 11:09 am

Yes.

I implemented this part following your guide https://openvpn.net/vpn-server-resource ... p-mapping/ for Microsoft Azure AD.
Last edited by Pippin on Wed Dec 07, 2022 11:15 am, edited 1 time in total.
Reason: Corrected link

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Post_auth SAML group mapping script

Post by openvpn_inc » Thu Dec 08, 2022 1:26 pm

Hello Thibault,

I understand. But the script says it is not receiving group data. Could you check that when you implemented the reporting on Azure that you used the correct case and spelling of the word 'groups'? If it was spelled differently, the post_auth script won't see it because it's reported as another attribute name. Basically the problem is that the Access Server is either not getting the group information reported by your SAML IdP at all, or reported with a 'wrong' attribute name.

Kind regards,
Johan

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Post_auth SAML group mapping script

Post by openvpn_inc » Sat Dec 17, 2022 10:30 am

Hi,

You may try to use the "Object Id" instead of the Group Name. Update your script using the "Object Id" of the group in the IdP, then make sure to reload your script and soft reload the AS after the change:
cd /usr/local/openvpn_as/scripts
./sacli --key "auth.module.post_auth_script" --value_file=/root/saml.py ConfigPut
./sacli start

Regards,
.\kionci
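The two diagnoses in this thread (the attribute name must be spelled and cased exactly 'groups', and Azure AD identifies groups by Object Id rather than display name) can be reproduced offline with the following stand-alone model of the lookup step. This is an added example, not the post_auth script from the OpenVPN guide and not Access Server code: in a real post_auth script the attribute dict would be handed in by the hook Access Server calls, while here it is passed directly. The user, group names and GUIDs are constructed; the two log messages are the ones quoted from openvpnas.log above.

```python
"""Added example, not the post_auth script from the OpenVPN guide: a
stand-alone model of the group-lookup step so the two failure modes in this
thread can be reproduced offline.  Attribute values, group names and Object Ids
are constructed for the demo."""
import logging

log = logging.getLogger("post_auth_demo")

# Name of the SAML attribute carrying group membership.  The lookup is an exact
# dictionary key match, so a claim the IdP names "Groups" or "group" is never
# seen and the user lands in the default group.
GROUP_ATTRIBUTE = "groups"

# Two ways of writing the same mapping, Access Server group -> IdP values that
# select it.  By default Azure AD's groups claim carries each group's Object Id
# (a GUID), so the display-name variant never matches what the IdP sends.
NAME_MAPPING = {
    "vpn-admins": {"VPN Admins"},
    "vpn-users": {"VPN Users"},
}
OBJECT_ID_MAPPING = {
    "vpn-admins": {"9d9a5c4e-1111-2222-3333-444455556666"},  # constructed GUID
    "vpn-users": {"0b1c2d3e-aaaa-bbbb-cccc-ddddeeeeffff"},   # constructed GUID
}
DEFAULT_GROUP = "default"


def map_saml_groups(saml_attributes, group_mapping, user, default_group=DEFAULT_GROUP):
    """Pick the Access Server group for `user` from the IdP's SAML attributes.

    saml_attributes: attribute dict as reported by the IdP, values a list or a
    single string.  group_mapping: one of the dicts above.  Logs the same two
    messages the original poster saw and returns default_group when the
    attribute is absent or nothing in it matches.
    """
    reported = saml_attributes.get(GROUP_ATTRIBUTE)
    if not reported:
        log.info("***** POST_AUTH: Groups for user %s are not reported, "
                 "please check your IdP configuration", user)
        return default_group
    if isinstance(reported, str):
        reported = [reported]
    reported = set(reported)
    # First mapping entry with any value in common with the claim wins.
    for as_group, idp_values in group_mapping.items():
        if reported & idp_values:
            log.info("***** POST_AUTH: mapped %s to group '%s'", user, as_group)
            return as_group
    log.info("***** POST_AUTH: No group mapping matches found for '%s' "
             "... Using default group settings...", user)
    return default_group


def demo():
    """Run the three scenarios from the thread; returns the chosen groups."""
    user = "alice@example.org"  # constructed
    admins_oid = "9d9a5c4e-1111-2222-3333-444455556666"
    return {
        # 1. IdP attribute named with the wrong case: treated as not reported.
        "wrong_case": map_saml_groups({"Groups": [admins_oid]}, OBJECT_ID_MAPPING, user),
        # 2. Right attribute name, but the script maps display names while
        #    Azure AD sends Object Ids: no match, default group.
        "names_vs_oids": map_saml_groups({"groups": [admins_oid]}, NAME_MAPPING, user),
        # 3. Right attribute name and Object Ids in the mapping: match.
        "oids": map_saml_groups({"groups": [admins_oid]}, OBJECT_ID_MAPPING, user),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for scenario, group in demo().items():
        print(f"{scenario}: {group}")
```

Scenario 1 produces the "are not reported" line from the first post even though the IdP did send a groups claim, which is why Johan asked about the spelling and case of the attribute name. Scenario 2 produces the "No group mapping matches found" line, which is what a display-name mapping yields against Azure AD's GUIDs; switching the mapping to Object Ids (scenario 3) is the fix kionci suggests. After editing the real script, it has to be loaded again with the sacli ConfigPut and start commands shown in the post above, or Access Server keeps running the old copy.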
