Cmk.web.saml2 Signature verification failed after updating from version 2.2.0p6.cee to 2.2.0p26.cee

2.2.0p26.cee
jammy

SAML2 auth worked just fine before update
after update “Authentication failed…”

2024-05-28 09:12:10,924 [30] [cmk.web.saml2 642526] SSO (OKTA) - SignatureError: {'message': 'Signature verification failed. Invalid document format.', 'reason': '{'doc': '<ns0:Response xmlns:ns0="u…

Probably you can raise the verbosity of the SAML logging and then check ~/var/log/web.log for more information

Setup >> General >> Global settings >> Logging >> SAML = Debug

log-level increased…

quite a few errors point to "xs:string"

'error': '"global xs:simpleType/xs:complexType 'xs:string' not found"'}

IdP is OKTA
found that Okta assertions have a different format from Azure/Entra
when arriving at the Check_mk SP

while the errors in the logs point to problems decoding xs:string, it worked in 2.2.0p6.cee with Okta

            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>azure_ad@v6rgb.onmicrosoft.com</AttributeValue>
            </Attribute>
...

Okta:
            <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >John Doe</saml2:AttributeValue>
            </saml2:Attribute>
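The difference the post points at is that Okta puts `xsi:type="xs:string"` on each AttributeValue and declares the `xs` and `xsi` prefixes locally on that element, whereas the Azure/Entra value carries no type at all. The following script is an added diagnostic, not code from the thread or from Checkmk: it walks a SAML Response with `xml.etree.ElementTree.iterparse`, tracks namespace scope, and reports for every AttributeValue whether its `xsi:type` prefix resolves to the XML Schema namespace. The three responses are constructed samples modelled on the two snippets above (plus one deliberately missing the `xmlns:xs` declaration, an assumed failure case); it does not reproduce the "xs:string not found" error itself, but lets you check whether the assertion you are debugging is structurally sound before looking at the SP's schema handling.

```python
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSD = "http://www.w3.org/2001/XMLSchema"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed samples (not real IdP output), shaped like the two snippets in the thread.
AZURE_STYLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>user@example.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

OKTA_STYLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname"
                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">John Doe</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Assumed failure case: xsi:type uses the "xs" prefix but never declares it.
UNDECLARED_PREFIX = OKTA_STYLE.replace('xmlns:xs="http://www.w3.org/2001/XMLSchema"\n', "")


def resolve_prefix(ns_scope, prefix):
    """Return the URI bound to prefix; the innermost declaration wins."""
    for declared, uri in reversed(ns_scope):
        if declared == prefix:
            return uri
    return None


def inspect_attribute_values(xml_text):
    """Describe every AttributeValue in a SAML Response.

    Each entry carries the enclosing Attribute's Name, the text value, the raw
    xsi:type (or None) and the namespace the type prefix resolves to in scope
    (None when the prefix is undeclared, which a schema-aware validator rejects).
    """
    ns_scope = []     # stack of (prefix, uri) currently in scope
    attr_names = []   # stack of enclosing <Attribute Name="..."> values
    findings = []
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "end-ns", "start", "end")):
        if event == "start-ns":
            ns_scope.append(payload)            # payload is (prefix, uri)
        elif event == "end-ns":
            ns_scope.pop()                      # declarations end with their element
        elif event == "start" and payload.tag == f"{{{SAML}}}Attribute":
            attr_names.append(payload.get("Name"))
        elif event == "end" and payload.tag == f"{{{SAML}}}Attribute":
            attr_names.pop()
        elif event == "end" and payload.tag == f"{{{SAML}}}AttributeValue":
            xsi_type = payload.get(f"{{{XSI}}}type")
            type_ns = None
            if xsi_type is not None:
                prefix = xsi_type.rpartition(":")[0]   # "xs:string" -> "xs"
                type_ns = resolve_prefix(ns_scope, prefix)
            findings.append({
                "name": attr_names[-1] if attr_names else None,
                "value": (payload.text or "").strip(),
                "xsi_type": xsi_type,
                "type_ns": type_ns,
            })
    return findings


def typed_values_well_formed(xml_text):
    """True when every xsi:type on an AttributeValue resolves to the XML Schema namespace."""
    return all(f["type_ns"] == XSD
               for f in inspect_attribute_values(xml_text)
               if f["xsi_type"] is not None)


if __name__ == "__main__":
    for label, sample in (("Azure/Entra", AZURE_STYLE), ("Okta", OKTA_STYLE),
                          ("Okta, xs undeclared", UNDECLARED_PREFIX)):
        print(label, inspect_attribute_values(sample), typed_values_well_formed(sample))
```

Run it against a decoded SAMLResponse taken from the debug web.log (after raising the SAML log level as suggested above); an AttributeValue whose type prefix does not resolve to the XML Schema namespace is the first thing to rule out before suspecting the SP's validator.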

however, in check_mk 2.3 SAML2 via Okta is working again for us,
which is fine - 2.2.0p26.cee was just installed as a requirement for upgrading to 2.3
