OpenCTI-Platform · aHenryJard · Mar 28, 2024 · Mar 28, 2024
diff --git a/opencti-platform/opencti-dev/docker-compose.yml b/opencti-platform/opencti-dev/docker-compose.yml
@@ -77,19 +77,6 @@ services:
  - 16686:16686
  - 4318:4318
 
- # SAML / OpenId provider with keycloak - disabled by default
- # docker compose --profile openid up -d
- opencti-dev-keycloak:
- profiles: [ openid ]
- image: quay.io/keycloak/keycloak:23.0.1
- container_name: opencti-dev-keycloak
- command: start-dev
- environment:
- KEYCLOAK_ADMIN: "admin"
- KEYCLOAK_ADMIN_PASSWORD: "admin"
- ports:
- - "9999:8080"
-
 volumes:
  esdata:
  driver: local

diff --git a/opencti-platform/opencti-graphql/package.json b/opencti-platform/opencti-graphql/package.json
@@ -49,7 +49,6 @@
  "@graphql-tools/utils": "10.1.2",
  "@jorgeferrero/stream-to-buffer": "2.0.6",
  "@mistralai/mistralai": "0.1.3",
- "@node-saml/passport-saml": "4.0.4",
  "@opensearch-project/opensearch": "2.6.0",
  "@opentelemetry/api": "1.8.0",
  "@opentelemetry/api-metrics": "0.33.0",
@@ -133,6 +132,7 @@
  "passport-google-oauth": "2.0.0",
  "passport-ldapauth": "3.0.1",
  "passport-local": "1.0.0",
+ "passport-saml": "3.2.4",
  "prom-client": "15.1.0",
  "python-shell": "5.0.0",
  "ramda": "0.29.1",

diff --git a/opencti-platform/opencti-graphql/src/config/providers.js b/opencti-platform/opencti-graphql/src/config/providers.js
@@ -7,7 +7,7 @@
 import LocalStrategy from 'passport-local';
 import LdapStrategy from 'passport-ldapauth';
 import Auth0Strategy from 'passport-auth0';
-import { Strategy as SamlStrategy } from '@node-saml/passport-saml';
+import { Strategy as SamlStrategy } from 'passport-saml';
 import { custom as OpenIDCustom, Issuer as OpenIDIssuer, Strategy as OpenIDStrategy } from 'openid-client';
 import { OAuth2Strategy as GoogleStrategy } from 'passport-google-oauth';
 import validator from 'validator';
@@ -213,78 +213,66 @@
  if (strategy === STRATEGY_SAML) {
  const providerRef = identifier || 'saml';
  const samlOptions = { ...mappedConfig };
- const samlStrategy = new SamlStrategy(
- samlOptions,
- (profile, done) => {
- // SAML Login function
- logApp.info('[SAML] Successfully logged', { profile });
- const samlAttributes = profile.attributes ? profile.attributes : profile;
- const roleAttributes = mappedConfig.roles_management?.role_attributes || ['roles'];
- const groupAttributes = mappedConfig.groups_management?.group_attributes || ['groups'];
- const userName = samlAttributes[mappedConfig.account_attribute] || '';
- const firstname = samlAttributes[mappedConfig.firstname_attribute] || '';
- const lastname = samlAttributes[mappedConfig.lastname_attribute] || '';
- const { nameID, nameIDFormat } = samlAttributes;
- const isRoleBaseAccess = isNotEmptyField(mappedConfig.roles_management);
- const isGroupBaseAccess = (isNotEmptyField(mappedConfig.groups_management) && isNotEmptyField(mappedConfig.groups_management?.groups_mapping)) || isRoleBaseAccess;
- logApp.info('[SAML] Groups management configuration', { groupsManagement: mappedConfig.groups_management, isRoleBaseAccess, isGroupBaseAccess });
- // region roles mapping
- if (isRoleBaseAccess) {
- logApp.error('SSO mapping on roles is deprecated, you should clean roles_management in your config and bind on groups.');
- }
- const computeRolesMapping = () => {
- const attrRoles = roleAttributes.map((a) => (Array.isArray(samlAttributes[a]) ? samlAttributes[a] : [samlAttributes[a]]));
- const samlRoles = R.flatten(attrRoles).filter((v) => isNotEmptyField(v));
- const rolesMapping = mappedConfig.roles_management?.roles_mapping || [];
- const rolesMapper = genConfigMapper(rolesMapping);
- return samlRoles.map((a) => rolesMapper[a]).filter((r) => isNotEmptyField(r));
- };
- // endregion
- // region groups mapping
- const computeGroupsMapping = () => {
- const attrGroups = groupAttributes.map((a) => (Array.isArray(samlAttributes[a]) ? samlAttributes[a] : [samlAttributes[a]]));
- const samlGroups = R.flatten(attrGroups).filter((v) => isNotEmptyField(v));
- const groupsMapping = mappedConfig.groups_management?.groups_mapping || [];
- const groupsMapper = genConfigMapper(groupsMapping);
- return samlGroups.map((a) => groupsMapper[a]).filter((r) => isNotEmptyField(r));
- };
- const groupsToAssociate = R.uniq(computeGroupsMapping().concat(computeRolesMapping()));
- // endregion
- // region organizations mapping
- const isOrgaMapping = isNotEmptyField(mappedConfig.organizations_default) || isNotEmptyField(mappedConfig.organizations_management);
- const computeOrganizationsMapping = () => {
- const orgaDefault = mappedConfig.organizations_default ?? [];
- const orgasMapping = mappedConfig.organizations_management?.organizations_mapping || [];
- const orgaPath = mappedConfig.organizations_management?.organizations_path || ['organizations'];
- const availableOrgas = R.flatten(
- orgaPath.map((path) => {
- const value = R.path(path.split('.'), profile) || [];
- return Array.isArray(value) ? value : [value];
- })
- );
- const orgasMapper = genConfigMapper(orgasMapping);
- return [...orgaDefault, ...availableOrgas.map((a) => orgasMapper[a]).filter((r) => isNotEmptyField(r))];
+ const samlStrategy = new SamlStrategy(samlOptions, (profile, done) => {
+ logApp.info('[SAML] Successfully logged', { profile });
+ const samlAttributes = profile.attributes ? profile.attributes : profile;
+ const roleAttributes = mappedConfig.roles_management?.role_attributes || ['roles'];
+ const groupAttributes = mappedConfig.groups_management?.group_attributes || ['groups'];
+ const userName = samlAttributes[mappedConfig.account_attribute] || '';
+ const firstname = samlAttributes[mappedConfig.firstname_attribute] || '';
+ const lastname = samlAttributes[mappedConfig.lastname_attribute] || '';
+ const { nameID, nameIDFormat } = samlAttributes;
+ const isGroupBaseAccess = (isNotEmptyField(mappedConfig.groups_management) && isNotEmptyField(mappedConfig.groups_management?.groups_mapping));
+ logApp.info('[SAML] Groups management configuration', { groupsManagement: mappedConfig.groups_management });
+ // region roles mapping
+ const computeRolesMapping = () => {
+ const attrRoles = roleAttributes.map((a) => (Array.isArray(samlAttributes[a]) ? samlAttributes[a] : [samlAttributes[a]]));
+ const samlRoles = R.flatten(attrRoles).filter((v) => isNotEmptyField(v));
+ const rolesMapping = mappedConfig.roles_management?.roles_mapping || [];
+ const rolesMapper = genConfigMapper(rolesMapping);
+ return samlRoles.map((a) => rolesMapper[a]).filter((r) => isNotEmptyField(r));
+ };
+ // endregion
+ // region groups mapping
+ const computeGroupsMapping = () => {
+ const attrGroups = groupAttributes.map((a) => (Array.isArray(samlAttributes[a]) ? samlAttributes[a] : [samlAttributes[a]]));
+ const samlGroups = R.flatten(attrGroups).filter((v) => isNotEmptyField(v));
+ const groupsMapping = mappedConfig.groups_management?.groups_mapping || [];
+ const groupsMapper = genConfigMapper(groupsMapping);
+ return samlGroups.map((a) => groupsMapper[a]).filter((r) => isNotEmptyField(r));
+ };
+ const groupsToAssociate = R.uniq(computeGroupsMapping().concat(computeRolesMapping()));
+ // endregion
+ // region organizations mapping
+ const isOrgaMapping = isNotEmptyField(mappedConfig.organizations_default) || isNotEmptyField(mappedConfig.organizations_management);
+ const computeOrganizationsMapping = () => {
+ const orgaDefault = mappedConfig.organizations_default ?? [];
+ const orgasMapping = mappedConfig.organizations_management?.organizations_mapping || [];
+ const orgaPath = mappedConfig.organizations_management?.organizations_path || ['organizations'];
+ const availableOrgas = R.flatten(
+ orgaPath.map((path) => {
+ const value = R.path(path.split('.'), profile) || [];
+ return Array.isArray(value) ? value : [value];
+ })
+ );
+ const orgasMapper = genConfigMapper(orgasMapping);
+ return [...orgaDefault, ...availableOrgas.map((a) => orgasMapper[a]).filter((r) => isNotEmptyField(r))];
+ };
+ const organizationsToAssociate = isOrgaMapping ? computeOrganizationsMapping() : [];
+ // endregion
+ logApp.info('[SAML] Login handler', { isGroupBaseAccess, groupsToAssociate });
+ if (!isGroupBaseAccess || groupsToAssociate.length > 0) {
+ const { nameID: email } = profile;
+ const opts = {
+ providerGroups: groupsToAssociate,
+ providerOrganizations: organizationsToAssociate,
+ autoCreateGroup: mappedConfig.auto_create_group ?? false,
  };
- const organizationsToAssociate = isOrgaMapping ? computeOrganizationsMapping() : [];
- // endregion
- logApp.info('[SAML] Login handler', { isGroupBaseAccess, groupsToAssociate });
- if (!isGroupBaseAccess || groupsToAssociate.length > 0) {
- const { nameID: email } = profile;
- const opts = {
- providerGroups: groupsToAssociate,
- providerOrganizations: organizationsToAssociate,
- autoCreateGroup: mappedConfig.auto_create_group ?? false,
- };
- providerLoginHandler({ email, name: userName, firstname, lastname, provider_metadata: { nameID, nameIDFormat } }, done, opts);
- } else {
- done({ message: 'Restricted access, ask your administrator' });
- }
- },
- (profile) => {
- // SAML Logout function
- logApp.info(`[SAML] Logout done for ${profile}`);
+ providerLoginHandler({ email, name: userName, firstname, lastname, provider_metadata: { nameID, nameIDFormat } }, done, opts);
+ } else {
+ done({ message: 'Restricted access, ask your administrator' });
  }
- );
+ });
  samlStrategy.logout_remote = samlOptions.logout_remote;
  passport.use(providerRef, samlStrategy);
  providers.push({ name: providerName, type: AUTH_SSO, strategy, provider: providerRef });