SAML 2.0 with mod_auth_mellon - Roles & permissions

Hi,

I have read the SAML chapter in the documentation, and the articles in the forum containing SAML. What I cannot find is information on how the users' roles will be mapped from the SAML provider to CheckMK. How is this supposed to work? I don't see anything about this in the documentation. Users without permissions are not that useful? What am I missing here?

Then I'm also concerned about the setting "Authenticate users by incoming HTTP requests" in the Global Settings. This is what the documentation wants me to enable. The comment of the option says "Only allow access from trusted IP addresses … a user could fake the authentication information". Ok? The SAML documentation is trusting the "RequestHeader unset X-Remote-User" in auth.conf to prevent that, do I understand that correctly?

Regards,
Sven
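Added illustration of the X-Remote-User point raised in the post above; this is not configuration from the thread or from the Checkmk documentation, and the site name, file paths and the "uid" attribute are assumptions. It shows why the header-stripping line matters once Checkmk is told to trust incoming HTTP authentication: the weak and hardened variants differ only in whether a client-supplied header is discarded before mod_auth_mellon's attribute is written into it.

```apache
# Added illustration for a Checkmk site behind mod_auth_mellon. Assumptions:
# the site is named SITE, its UI lives under /SITE/check_mk/, the IdP
# releases an attribute named "uid" (so mellon exports MELLON_uid), and all
# file paths are placeholders. The directive names are real mod_auth_mellon
# and mod_headers directives.
<Location /SITE/check_mk/>
    MellonEnable "auth"
    MellonEndpointPath "/SITE/check_mk/mellon"
    MellonSPPrivateKeyFile /omd/sites/SITE/etc/apache/mellon/sp-key.pem
    MellonSPCertFile       /omd/sites/SITE/etc/apache/mellon/sp-cert.pem
    MellonSPMetadataFile   /omd/sites/SITE/etc/apache/mellon/sp-metadata.xml
    MellonIdPMetadataFile  /omd/sites/SITE/etc/apache/mellon/idp-metadata.xml
    MellonSecureCookie On

    # Weak variant (left commented out): the header Checkmk trusts is only
    # written when MELLON_uid is present. Whenever the IdP does not release
    # the attribute, an X-Remote-User header sent by the client itself
    # reaches the site untouched, which is the faking the option warns about.
    # RequestHeader set X-Remote-User "%{MELLON_uid}e" env=MELLON_uid

    # Hardened variant: discard whatever the client sent, then set the
    # header only from the attribute mod_auth_mellon extracted from a SAML
    # assertion it validated. A request without MELLON_uid now carries no
    # X-Remote-User at all, so the site sees no asserted user for it.
    RequestHeader unset X-Remote-User
    RequestHeader set   X-Remote-User "%{MELLON_uid}e" env=MELLON_uid
</Location>
```

Any other Location that forwards X-Remote-User to the site needs the same unset line, since the trust decision is made on the header and not on the path it arrived through.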

Hi Sven,

AFAIK, SAML only takes care of authenticating the user; the authorization (assignment of users to groups) is still done via the LDAP sync, where you can optionally map the user roles using AD groups or assign them by hand. See: User management with LDAP/Active Directory

Gerd

Ok, so I have created my personal user manually in CheckMK and set up the SAML authentication. This works so far: the SAML provider returns a response with my ID and some attributes, etc., and I'm logged in.

But I see some unexpected behaviour here:

  1. CheckMK does not care whether I enable the "Authenticate users by incoming HTTP requests" option. It still logs me in when this option is disabled. I think this is a bug.

  2. CheckMK does not care whether the user returned in the SAML response exists in CheckMK at all. It logs in anyone who is able to log in at the SAML provider, not caring whether I have created that user in CheckMK or replicated it via LDAP. I'm then logged in with a user that seems to have read-only permissions, and when I try opening "Edit profile" it says that the user does not exist. I think the correct behaviour would be to only log in users that exist in CheckMK.

Regards,
Sven
