OpenVPN Support Forum

Hello,
i followed this guide : https://openvpn.net/vpn-server-resource ... p-mapping/ to implement post_auth group mapping with our SAML Azure AD authentication but when i try to loggin with my test user, it doesn't work.

I have these ouput on my openvpnas.log
2022-12-05T11:29:05+0100 [stdout#info] ***** POST_AUTH: Groups for user thibault.mori@cdbdx.biz are not reported, please check your IdP configuration
2022-12-05T11:29:05+0100 [stdout#info] ***** POST_AUTH: No group mapping matches found for 'thibault.mori@cdbdx.biz' ... Using default group settings...

I need help about this issue.

Regards,
Thibault

Hello Thibault,

There are 2 components to this. The SAML IdP must send information about the group that the user is in. And the post_auth script must read that information and use it. It looks like you installed the post_auth script but that the SAML IdP is not sending the information. Did you implement that part of the instructions correctly on your SAML IdP?

Kind regards,
Johan

Yes

I implement this part following your guide https://openvpn.net/vpn-server-resource ... p-mapping/ for Microsoft Azure AD.

Hello Thibault,

I understand. But the script says it is not receiving group data. Could you check that when you implemented the reporting on Azure that you used the correct case and spelling of the word 'groups'? If it was spelled differently, the post_auth script won't see it because it's reported as another attribute name. Basically the problem is that the Access Server is either not getting the group information reported by your SAML IdP at all, or reported with a 'wrong' attribute name.

Kind regards,
Johan

Hi,

You may try to use the "Object Id" instead of the Group Name. Update your script using the "Object Id" of the group in IdP, then make sure to reload your script and soft reload the AS after the change:
cd /usr/local/openvpn_as/scripts
./sacli --key "auth.module.post_auth_script" --value_file=/root/saml.py ConfigPut
./sacli start

Regards,
.\kionci