Hello Florian,
welcome to the OpenXPKI Crowd ;)
Basically your approach looks correct. Are you sure that your ENV
variable gets populated properly? Raise the loglevel of the "auth"
category to debug; that might show you a more detailed error message
indicating where the mapping fails.
Regarding the second part of the question - have a look into the folder
"realm.tl/profile/template/", in the field for "email" you can see
"preset: userinfo.email" - userinfo is a hash that is filled with
anything found in "envkeys".
best regards
Oliver
On 09.12.22 14:42, Cramoisan, Florian (Aruba PoC) wrote:
Hi List,
This is my first ever message out there so please excuse lack of format!
I’m struggling to set up my SSO as source of authentication for OpenXPKI.
The SSO part is handled by an Apache plugin, and works fine. I am able
to check the claims and generate a “SSO_ROLE” environment variable
containing the intended role the user should get after authentication.
Now my issue is trying to pass this information to the auth layer so
the user effectively gets that role.
I use NoAuth as per the examples:
_Stack:_
BasicAuth:
    handler: ExternalAuth
    type: client
    envkeys:
        email: OIDC_CLAIM_unique_name
_Handler:_
ExternalAuth:
    type: NoAuth
    role: User
If I remove the “role” statement from the handler and add an envkey
“role” mapping to my Apache ENV variable, I get an auth error.
What is the “proper” way to
* Pass the role to the auth layer
* Store some extra information (such as email or Org Unit) to be
used later in certificate generation
Thanks & Regards,
*Florian Cramoisan*
*PoC Engineer - WW**| **HPE Aruba Global Solutions | PoC*
*ACEX #102 – ACMX#831**|**ACCX#1261**|**ACDX#1282**| ACSX#1475*
Mobile : +33 (0)6 14 58 32 45 | Desk :+33 (0)4 80 32 35 16
Hewlett Packard Enterprise | 5 av Raymond CHANAS | 38053 Grenoble | France
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!