Hi everyone. I’m VERY new to checkmk and just managed to set up a good monitoring environment for our infrastructure. It runs very well and I love the automatic agent deployment!
However, I was asked to implement SAML Single-Sign-On with Google Workspace and I simply cannot get it to work. Did anyone get it to work and is willing to help me out? I’ve been sitting here for a few hours now and whenever I try to log in, it simply tells me “Authentication Failed - Contact your Administrator”. Is there at least a way to see a log about what is actually wrong?
I’m using the checkmk appliance in a VM if that is important.
If I remember correctly, logging is posted to var/log/web.log in your site.
I’m working on a site renaming and I faced this same issue, so I rolled back and found out that the issue already occurred but somehow it works. I’m clueless now.
Mostly what I am missing is what you have set up, and which documentation you followed.
Also very important is creating a trace from the whole conversation with google workspace.
Please, while testing your authentication, run a trace with the plugin/addon in your browser called SAML-Tracer (exists for Firefox as well as Chrome).
The result in the trace is of great value in troubleshooting !!
- Glowsome
The details in var/log/web.log might not have enough detail by default, as the log level is set to ‘Warning’.
This can be boosted by going to:
Setup → Global Settings → User interface → Option Logging
Set Web to the desired level (I suggest Verbose).
The change should be effective immediately, and will provide insight into what’s going on on the CMK side.
- Glowsome
Thanks for the assistance, I’m able to retrieve more logs now but still no success. The funny thing is BOTH environments retrieve the exact same error, but one of them is working:
I’m still evaluating everything.
Is the IDP even sending the user ID ?
Make a trace with SAML tracer, and then look at what comes back in the assertion.
- Glowsome
Yes, it is. Using the SAML tracker I can identify that.
Ideally setting the log_level to debug or using something like SAML-tracer will help you pinpoint the problem.
Most of the time it is the user attributes/claims not being mapped correctly, or the values expected by the Checkmk SAML setup are not available from the IdP.
You can double check that.
Just re-reading the whole discussion, and matching that with the (official) documentation.
And every time I re-look at the snippet you posted from the error log, it states that it is looking for a “User ID” attribute.
Now without more insight into the assertion being sent from the IDP it is just stating that the attribute (which should be present) is not found.
Assumption in this is that either:
- The space is causing confusion, as UserID would be more in line with expectation.
OR - The attribute is not at all present/configured on the Google workspace end, and thus not sent in the assertion.
When sending attributes along with a reply from an IDP, you must adhere to the same information on both ends.
Meaning if you send the attribute ‘myattribute’ containing an email address, you also need to aim the application to read ‘myattribute’, and not ‘my attribute’.
- Glowsome
I was able to fix my issue after upgrading my instance to the latest edition 2.2.0p17 and replacing the attributes on Users section of Saml Integration. The following video helped me a lot:
Hi @pauloadriano ,
If this solved your issue, would you be so kind as to mark this as the ‘solution’.
This is so that if others are searching for it they will be directed to this post/solution.
Thank you in advance,
- Glowsome
Hi @pauloadriano . I’m having the same battle here. Could you please tell me what you have filled in for the “User ID attribute”?
Hi @rodehoed,
I’m using the mail address:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
and for name I’m using the Full name:
Thanks @pauloadriano. Not working either. Getting:
2024-02-16 11:26:53,695 [10] [cmk.web.saml2 229387] Found user attributes: email, Firstname, Lastname, OUPath
2024-02-16 11:26:53,696 [10] [cmk.web.saml2 229387] Mapping User ID to field http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
2024-02-16 11:26:53,696 [10] [cmk.web.saml2 229387] User ID not found or empty, value is: None
2024-02-16 11:26:53,696 [30] [cmk.web.saml2 229387] Google (GoogleWorkspace) - AttributeError: User ID not found or empty
This is how it looks at Google:
The options are very limited at Google.
If I get things working, I will make a proper tutorial for it on this board!
Try using only email instead of the one that I provided you.
2024-02-16 11:26:53,695 [10] [cmk.web.saml2 229387] Found user attributes: email, Firstname, Lastname, OUPath
It’s written in your output. Just “email” will be a good test.
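The log lines quoted above show what the mismatch looks like from Checkmk's side: the assertion carries attributes named email, Firstname, Lastname and OUPath, while the configured User ID attribute is a claim URI that is not among them. The following script, an added example written for this thread and not part of Checkmk or any poster's setup, parses a constructed assertion, reproduces that exact-name lookup for the User ID and Full name attributes, and lists near matches (case or whitespace differences, as Glowsome described) so you can compare a SAML-Tracer capture with your mapping before trying another login.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion (not captured from any real IdP). The attribute
# names deliberately mirror the ones reported in the log lines above.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="Firstname"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="Lastname"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="OUPath"><saml2:AttributeValue>/Engineering</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_EMAIL_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def parse_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the AttributeStatement, in document order."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs


def near_matches(attrs, wanted):
    """Names that match `wanted` once case, spaces, '-' and '_' are ignored (hypothetical helper)."""
    norm = lambda s: re.sub(r"[\s_\-]", "", s).lower()
    return [name for name in attrs if norm(name) == norm(wanted)]


def check_mapping(attrs, user_id_attr, full_name_attr):
    """Exact-name, case-sensitive lookups, as the Checkmk log shows. Returns a list of problems.
    A value such as 'Firstname Lastname' is treated as ONE attribute name, not two."""
    problems = []
    for label, name in (("User ID", user_id_attr), ("Full name", full_name_attr)):
        if not attrs.get(name):
            hint = near_matches(attrs, name)
            problems.append(f"{label} attribute {name!r} not found or empty; "
                            f"assertion carries: {', '.join(attrs)}"
                            + (f"; near matches: {hint}" if hint else ""))
    return problems


if __name__ == "__main__":
    found = parse_attributes(SAMPLE_ASSERTION)
    for p in check_mapping(found, CLAIM_EMAIL_URI, "Firstname Lastname"):
        print("PROBLEM:", p)
    print("OK" if not check_mapping(found, "email", "Firstname") else "still broken")
```

Paste the Base64-decoded assertion from a SAML-Tracer capture in place of SAMPLE_ASSERTION to test your own mapping offline.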
Awesome guys! I did try that, but it was not working because I had an invalid value in the “Full name attribute” field in checkmk too. I did add “Firstname Lastname” there, but it seems only one attribute is allowed there.
So it works now.
Is it possible to place here a screenshot of what your mapped attributes look like currently when it’s working? I’m struggling here to find out as well.