Post_auth SAML group mapping script

Posted: Tue Dec 06, 2022 10:42 am
by thibaultmori
Hello,
I followed this guide: https://openvpn.net/vpn-server-resource ... p-mapping/ to implement post_auth group mapping with our SAML Azure AD authentication, but when I try to log in with my test user, it doesn't work.

I have this output in my openvpnas.log:
2022-12-05T11:29:05+0100 [stdout#info] ***** POST_AUTH: Groups for user thibault.mori@cdbdx.biz are not reported, please check your IdP configuration
2022-12-05T11:29:05+0100 [stdout#info] ***** POST_AUTH: No group mapping matches found for 'thibault.mori@cdbdx.biz' ... Using default group settings...

I need help with this issue.

Regards,
Thibault

Re: Post_auth SAML group mapping script

Posted: Tue Dec 06, 2022 11:21 am
by openvpn_inc
Hello Thibault,

There are 2 components to this. The SAML IdP must send information about the group that the user is in. And the post_auth script must read that information and use it. It looks like you installed the post_auth script but that the SAML IdP is not sending the information. Did you implement that part of the instructions correctly on your SAML IdP?

Kind regards,
Johan

Re: Post_auth SAML group mapping script

Posted: Wed Dec 07, 2022 11:09 am
by thibaultmori
Yes

I implemented this part following your guide https://openvpn.net/vpn-server-resource ... p-mapping/ for Microsoft Azure AD.

Re: Post_auth SAML group mapping script

Posted: Thu Dec 08, 2022 1:26 pm
by openvpn_inc
Hello Thibault,

I understand. But the script says it is not receiving group data. Could you check that, when you implemented the reporting on Azure, you used the correct case and spelling of the word 'groups'? If it was spelled differently, the post_auth script won't see it because it's reported under another attribute name. Basically the problem is that the Access Server is either not getting the group information reported by your SAML IdP at all, or getting it reported with a 'wrong' attribute name.

Kind regards,
Johan

Re: Post_auth SAML group mapping script

Posted: Sat Dec 17, 2022 10:30 am
by openvpn_inc
Hi,

You may try to use the "Object Id" instead of the Group Name. Update your script using the "Object Id" of the group in IdP, then make sure to reload your script and soft reload the AS after the change:
cd /usr/local/openvpn_as/scripts
./sacli --key "auth.module.post_auth_script" --value_file=/root/saml.py ConfigPut
./sacli start

Regards,
.\kionci
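As an added example (not the script from the guide and not code posted in this thread), the Python sketch below shows why the attribute name matters: the mapping only looks at an attribute literally named 'groups' and otherwise emits the "not reported" / "no mapping matches" messages seen in the log, and a small helper flags a claim that arrived under a different case or a URI-style name. The attribute dict shape, the Object Id and the group names are constructed; how attributes reach a real post_auth hook follows the guide, not this snippet.

```python
import logging

log = logging.getLogger("post_auth")

# Attribute name the mapping expects (hypothetical constant for this example).
# "Groups" or a URI-style claim name is a different attribute and is never found.
SAML_GROUP_ATTRIBUTE = "groups"


def resolve_group(username, attributes, group_map):
    """Return the Access Server group for the user, or None for the default group.

    attributes: {saml_attribute_name: [values]} as sent by the IdP (assumed shape).
    group_map: {azure group name or Object Id: access server group name}.
    """
    values = attributes.get(SAML_GROUP_ATTRIBUTE) or []
    if not values:
        log.info("***** POST_AUTH: Groups for user %s are not reported, "
                 "please check your IdP configuration", username)
        return None
    for value in values:
        if value in group_map:
            return group_map[value]
    log.info("***** POST_AUTH: No group mapping matches found for '%s' "
             "... Using default group settings...", username)
    return None


def find_misnamed_group_attributes(attributes):
    """Attribute names that look like a group claim but are not exactly 'groups'.

    Catches a wrong case ("Groups") and URI-style claim names ending in "/groups".
    """
    return [name for name in attributes
            if name != SAML_GROUP_ATTRIBUTE
            and name.rsplit("/", 1)[-1].lower() == SAML_GROUP_ATTRIBUTE]


# Constructed sample: map an Azure group Object Id (placeholder value) to an AS group.
GROUP_MAP = {"11111111-2222-3333-4444-555555555555": "vpn-admins"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    good = {"groups": ["11111111-2222-3333-4444-555555555555"]}
    bad = {"Groups": ["11111111-2222-3333-4444-555555555555"]}
    print(resolve_group("user@example.com", good, GROUP_MAP))  # vpn-admins
    print(resolve_group("user@example.com", bad, GROUP_MAP))   # None
    print(find_misnamed_group_attributes(bad))                 # ['Groups']
```

Running the helper over the attributes your IdP actually sends is a quick way to tell the "attribute missing" case from the "attribute misnamed" case before touching the script.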