Is checkmk SAML 2.0 capable?

Refined it a bit further for the Risk-Based policy.

  1. If the user is internal (LAN range), authenticate with username/password.
  2. If the user is external (not in the LAN range), authenticate with username/password + 2FA.
  3. If the user is not part of the group ‘Checkmk’, deny access.

So from just evaluating the origin of an authentication request, I have incorporated one’s organisational role within the federation.

Remember, this business logic is handled by my IDP, not CheckMK!

After following the steps in the official documentation for Azure AD SAML setup via a custom Enterprise Application, I am able to get “signed in” to checkmk (auto-redirects to my IDP) and upon return I see an empty checkmk with no hosts or dashboards.

When I try going to the user profile settings, I see this message:

At the top of the user popup is my user.userPrincipalName. I have tried manually creating the user, but with the same result.

Any thoughts?

Did you create the user in exactly the same casing as is being sent over SAML?

Yep, after creating the account with the SAML user having the same username and email as the user’s SAML UPN (Azure AD), it just says the user account doesn’t exist.

Ok so… the first character of the user’s email domain was being sent over capitalized. Capitalizing it in CheckMk fixed it. The user is correctly logged in with the SAML credential now.
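The casing problem described above, as an added example that is not part of the thread and not Checkmk code: an exact-match lookup of the incoming SAML NameID fails when the IdP sends one character of the domain in upper case, while a lookup that case-folds the identifier finds the account. The user store, names and domains are constructed sample values, and the lookup functions are hypothetical, not Checkmk's own.

```python
from typing import Dict, Optional

# Constructed local user store: the names an admin would have created by hand.
# Names and domains are sample values, not taken from the thread.
LOCAL_USERS = {"alice@contoso.com", "bob@contoso.com"}


def lookup_exact(name_id: str, users=LOCAL_USERS) -> Optional[str]:
    """Byte-for-byte match, which is what the thread ran into: an IdP that
    sends "alice@Contoso.com" does not match the local "alice@contoso.com"."""
    return name_id if name_id in users else None


def normalize_upn(upn: str) -> str:
    """Case-fold a user@domain identifier. Assumption for this example: the
    directory treats the whole UPN as case-insensitive (Azure AD does), so
    folding both halves cannot merge two distinct accounts."""
    local, sep, domain = upn.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a user@domain identifier: {upn!r}")
    return f"{local.casefold()}@{domain.casefold()}"


def build_index(users) -> Dict[str, str]:
    """Map normalized name -> stored name. Refuses a store where two names
    collide after folding, because a match would then be ambiguous."""
    index: Dict[str, str] = {}
    for u in users:
        key = normalize_upn(u)
        if key in index:
            raise ValueError(f"ambiguous after case folding: {index[key]!r} and {u!r}")
        index[key] = u
    return index


def is_ambiguous(users) -> bool:
    """True if the store cannot be used for case-insensitive matching."""
    try:
        build_index(users)
    except ValueError:
        return True
    return False


def lookup_normalized(name_id: str, users=LOCAL_USERS) -> Optional[str]:
    """Case-insensitive lookup of the incoming NameID against the store."""
    return build_index(users).get(normalize_upn(name_id))


if __name__ == "__main__":
    incoming = "alice@Contoso.com"  # constructed: what the IdP sent
    print("exact:     ", lookup_exact(incoming))       # None
    print("normalized:", lookup_normalized(incoming))  # alice@contoso.com
```

If the service provider compares exactly, as in the thread, the alternatives are to create the local account with the identical casing (the fix used here) or to have the IdP emit a canonical value; Azure AD's claim transformations include a ToLowercase() function that can be applied to the NameID claim for that purpose.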

Is it possible to prevent users from accessing CheckMK when they don’t have an account created?

That will depend on the way your IDP works.
I use risk-based policies to deny access to a resource configured on mine.

In essence, what I do is check after authentication on my IDP whether the user is a member of a group.
If the user is not part of the group, he/she will get an ‘access denied’ from the IDP for the resource.
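The three-rule risk-based policy given earlier in the thread and the post-authentication group check described in this reply, as one added example that is not part of the thread and not the code of any particular IdP: origin decides which factors are required, and group membership is checked after the factors have been verified, so a user outside the group is refused by the IdP and never reaches the service provider. The LAN ranges, group name and request fields are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

# Constructed sample configuration. The ranges are assumptions; the thread
# only says "LAN range" and names the group 'Checkmk'.
LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
REQUIRED_GROUP = "Checkmk"


@dataclass(frozen=True)
class AuthRequest:
    """What the IdP knows once the user has presented credentials (hypothetical shape)."""
    username: str
    source_ip: str           # client address as seen by the IdP
    groups: FrozenSet[str]   # directory groups the user belongs to
    password_ok: bool        # first factor verified
    mfa_ok: bool             # second factor verified (False if not prompted)


def is_internal(source_ip: str) -> bool:
    """True if the address falls in a LAN range. Unparsable input is treated
    as external, so a malformed address never downgrades to password-only."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_RANGES)


def required_factors(source_ip: str) -> Set[str]:
    """Rules 1 and 2: internal origin needs the password only, external adds MFA."""
    factors = {"password"}
    if not is_internal(source_ip):
        factors.add("mfa")
    return factors


def evaluate(req: AuthRequest) -> Tuple[str, str]:
    """Return ("allow" or "deny", reason). Factors are checked first, then rule 3."""
    needed = required_factors(req.source_ip)
    presented = set()
    if req.password_ok:
        presented.add("password")
    if req.mfa_ok:
        presented.add("mfa")
    missing = needed - presented
    if missing:
        return "deny", "missing factor(s): " + ", ".join(sorted(missing))
    # Rule 3 runs after authentication: the IdP refuses the resource itself,
    # so no SAML assertion is ever issued for a user outside the group.
    if REQUIRED_GROUP not in req.groups:
        return "deny", f"not a member of group {REQUIRED_GROUP!r}"
    origin = "internal" if is_internal(req.source_ip) else "external"
    return "allow", f"{origin} origin, factors {sorted(presented)}"


if __name__ == "__main__":
    samples = [  # constructed requests
        AuthRequest("alice", "10.1.2.3", frozenset({"Checkmk"}), True, False),
        AuthRequest("bob", "203.0.113.7", frozenset({"Checkmk"}), True, False),
        AuthRequest("bob", "203.0.113.7", frozenset({"Checkmk"}), True, True),
        AuthRequest("carol", "10.1.2.4", frozenset({"Staff"}), True, False),
    ]
    for s in samples:
        print(s.username, s.source_ip, evaluate(s))
```

The order matters: the group check sits after factor verification so that the deny reason never leaks whether an account exists to someone who has not authenticated, and the address parser fails closed so that a proxy header the IdP cannot parse is never mistaken for an internal client.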

