in /usr/share/centreon/src/Core/Security/Authentication/Infrastructure/Provider/OpenId.php solves the issue on our platform (but I don’t know if there are side effects)
Hello Matoy,
The workaround is working, thanks.
Regards,
Hi @matoy and @Bochi, do you use “Introspection token endpoint” or “User information endpoint” to get user data?
Can you enable debug in “Administration > Parameters > Debug”, perform an authentication, then check in /var/log/centreon/login.log and/or /var/log/php-fpm/centreon-error.log if you receive all user’s information from your IdP?
Hi @Laurent,
I confirm that after enabling debug mode for authentication we have all the information from our IDP, and that we don’t use “Introspection token endpoint” and we use “User information endpoint”.
Hi @jdidierpichat, so the claim defined to get email address is part of the “User information endpoint”?
As a string or as an object?
@Laurent I think object, but I’m not sure I understand the question. We have set “/userinfo” for “User information endpoint” in the authentication configuration.
If you have a string, you will have something like {….,”email”:”user@domain.com”,...}
If you have an object, you will have something like {….,”email”:[“user@domain.com”],...}
Hey @Laurent, so we have both, string for personal information and object for mapping of AD group
So I don’t know why Centreon can’t extract email attribute.
Can you put the logs here, replacing personal attributes? (All the JSON answer for the /userinfo endpoint.)
2023-09-29 14:57:12|-1|0|0|[Openid] [Debug] User Information: {"sub":"xxxx","name":"xxxx","locale":"xx","preferred_username":"xxx@xxx.com","given_name":"xxx","family_name":"xxx","zoneinfo":"xxx","updated_at":xxx,"groups"::"ABC-OKTA","DEF-OKTA"]}
Hi @jdidierpichat, in this answer I can’t see the “email” field, but “preferred_username” looks like the email address of your users.
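
The check discussed in this thread, as an added example (not Centreon's code and not posted by any participant): it reads a debug line in the `[Openid] [Debug] User Information:` format shown above, reports whether the configured email claim is present and whether it arrives as a string or an array, and lists other claims whose value looks like an address. The function names and the sample log lines are constructed for illustration.

```python
import json

# Prefix of the debug entry, as it appears in the log line quoted in the thread.
MARKER = "[Openid] [Debug] User Information: "

def extract_userinfo(log_line):
    """Return the userinfo JSON object from a debug log line, or None."""
    _, found, payload = log_line.partition(MARKER)
    if not found:
        return None
    try:
        data = json.loads(payload)
    except json.JSONDecodeError:
        return None  # redacted or truncated lines are not valid JSON
    return data if isinstance(data, dict) else None

def looks_like_email(value):
    """Loose shape check, only used to suggest candidate claims."""
    local, at, domain = value.partition("@")
    return bool(local and at and "." in domain and " " not in value)

def check_claim(userinfo, claim):
    """Classify how `claim` appears in the userinfo response."""
    if claim not in userinfo:
        candidates = sorted(k for k, v in userinfo.items()
                            if isinstance(v, str) and looks_like_email(v))
        return {"status": "missing", "candidates": candidates}
    value = userinfo[claim]
    if isinstance(value, str):
        return {"status": "string", "value": value}
    if isinstance(value, list):
        return {"status": "array", "value": value}
    return {"status": "other", "value": value}

# Constructed sample lines (not real log data).
SAMPLE_MISSING = (
    "2023-09-29 14:57:12|-1|0|0|" + MARKER +
    '{"sub":"u1","name":"Jane Doe","preferred_username":"jane@example.com",'
    '"groups":["ABC-OKTA","DEF-OKTA"]}'
)
SAMPLE_ARRAY = (
    "2023-09-29 14:58:03|-1|0|0|" + MARKER +
    '{"sub":"u2","email":["joe@example.com"]}'
)

if __name__ == "__main__":
    for line in (SAMPLE_MISSING, SAMPLE_ARRAY):
        info = extract_userinfo(line)
        print(check_claim(info, "email") if info is not None else "no userinfo found")
```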