Jason Ertel
2023-07-25 08:12:45 -04:00
parent 101e2e8ba1
commit 6d56deb2e4
6 changed files with 128 additions and 4 deletions


@@ -51,6 +51,14 @@ kratosschema:
- group: 928
- mode: 600
kratosoidc:
file.managed:
- name: /opt/so/conf/kratos/oidc.jsonnet
- source: salt://kratos/files/oidc.jsonnet
- user: 928
- group: 928
- mode: 600
kratosconfig:
file.managed:
- name: /opt/so/conf/kratos/kratos.yaml
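Review bot: The new `kratosoidc` state carries no comment saying what `/opt/so/conf/kratos/oidc.jsonnet` is or why it is pinned to mode 600, and nothing in the hunk marks it as security-relevant. That file is the Jsonnet claim mapper that decides which provider claim becomes a user's login trait, so whoever can edit it controls how SSO users map onto SOC identities; I would add `# OIDC claim-to-trait mapper (Jsonnet): editing it changes which provider claim becomes the login identity, hence owner-only 0600` above `kratosoidc:`. Owner/group 928 matches the neighbouring kratos states, which is consistent, but a one-line note on which account that uid is would help readers of this file.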


@@ -1,5 +1,18 @@
kratos:
enabled: False
oidc:
enabled: false
config:
id: SSO
mapper_url: file:///kratos-conf/oidc.jsonnet
subject_source: userinfo
scopes:
- email
- profile
requested_claims:
id_token:
email:
essential: true
config:
session:
lifespan: 24h
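Review bot: The default provider block names the scope list `scopes:`, while the annotation added in this same commit documents the setting as `scope`, so the two cannot both match what Kratos reads and the key it does not recognise may be silently dropped rather than rejected. As far as I know Kratos's OIDC provider config uses `scope`, which would mean these defaults never request `email`/`profile` and the mapper falls through to `preferred_username`; please check against the Kratos config reference and rename to `scope:` here (or `scopes` in the annotation) so the UI setting and the default agree. A comment such as `# key must match the Kratos provider config field exactly; an unknown key is not an error` next to the list would keep the two from drifting again.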


@@ -0,0 +1,8 @@
local claims = std.extVar('claims');
{
identity: {
traits: {
email: if 'email' in claims then claims.email else claims.preferred_username
},
},
}
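Review bot: The mapper copies `claims.email` into the login trait without consulting `email_verified`, so with any provider that returns an unverified address (the annotation in this commit allows `generic`, `auth0`, `github`, `google` and `microsoft`) a user can present an address they do not own as their SOC identity. Kratos passes the verification flag through as `claims.email_verified` for providers that supply it; I would gate on it before trusting the claim, e.g. `local verified = std.objectHas(claims, 'email_verified') && claims.email_verified;` and `email: if std.objectHas(claims, 'email') && verified then claims.email else claims.preferred_username,`, and then decide per provider whether the `preferred_username` fallback should remain or become an explicit `error`. Note that when neither `email` nor `preferred_username` is present the current expression fails with a raw Jsonnet field-lookup error, which surfaces as an opaque login failure, so an explicit `error 'OIDC provider supplied no usable identifier'` branch would be clearer. A header comment stating that this file decides which claim becomes the SOC login identifier would also help, since the UI exposes it as an editable setting.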


@@ -20,3 +20,7 @@
{% do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
{% set KRATOSMERGED = salt['pillar.get']('kratos', default=KRATOSDEFAULTS.kratos, merge=true) %}
{% if KRATOSMERGED.oidc.enabled and 'oidc' in salt['pillar.get']('licensed_features') %}
{% do KRATOSMERGED.config.selfservice.methods.update({'oidc': {'enabled': true, 'config': {'providers': [KRATOSMERGED.oidc.config]}}}) %}
{% endif %}
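Review bot: The license gate on the `{% if %}` line relies on `'oidc' in salt['pillar.get']('licensed_features')` with no `default`, so it is a substring test if the pillar is a string and a membership test if it is a list, and a reader cannot tell from the line which is intended. With a missing pillar the lookup yields an empty value and the condition is false, which fails closed, but in the string form any feature name containing `oidc` as a substring would also pass; passing `default=[]` (if the pillar is a list) pins the type and makes the membership semantics explicit. I would also add `{# OIDC is a licensed feature: inject the provider block only when the setting is on AND 'oidc' is in the licensed_features pillar; absent pillar fails closed #}` above the `{% if %}` so the next maintainer does not remove the second half of the condition.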


@@ -3,6 +3,91 @@ kratos:
description: You can enable or disable Kratos.
advanced: True
helpLink: kratos.html
oidc:
enabled:
description: Set to True to enable OIDC / Single Sign-On (SSO) into SOC. Requires a valid Security Onion license key.
global: True
helpLink: oidc.html
config:
id:
description: Customize the OIDC provider name. This name appears on the login page. Required.
global: True
forcedType: string
helpLink: oidc.html
provider:
description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft"
global: True
forcedType: string
regex: "auth0|generic|github|google|microsoft"
regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft"
helpLink: oidc.html
client_id:
description: Specify the client ID, also referenced as the application ID. Required.
global: True
forcedType: string
helpLink: oidc.html
client_secret:
description: Specify the client secret. Required.
global: True
forcedType: string
helpLink: oidc.html
microsoft_tenant:
description: Specify the Microsoft Active Directory Tenant ID. Required when provider is 'microsoft'.
global: True
forcedType: string
helpLink: oidc.html
subject_source:
description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'.
global: True
forcedType: string
regex: me|userinfo
regexFailureMessage: "Valid values are: me, userinfo"
helpLink: oidc.html
auth_url:
description: Provider's auth URL. Required when provider is 'generic'.
global: True
forcedType: string
helpLink: oidc.html
issuer_url:
description: Provider's issuer URL. Required when provider is 'generic'.
global: True
forcedType: string
helpLink: oidc.html
mapper_url:
description: A file path or URL in Jsonnet format, used to map OIDC claims to the Kratos schema. Defaults to an included file that maps the email claim. Note that the contents of the included file can be customized via the "OIDC Claims Mapping" setting.
advanced: True
global: True
forcedType: string
helpLink: oidc.html
token_url:
description: Provider's token URL. Required when provider is 'generic'.
global: True
forcedType: string
helpLink: oidc.html
scope:
description: List of scoped data categories to request in the authentication response. Typically 'email' and 'profile' are the minimum required scopes. Some providers use an alternate scope name, such as 'user:email'.
advanced: True
global: True
forcedType: "[]string"
helpLink: oidc.html
requested_claims:
id_token:
email:
essential:
description: Specifies whether the email claim is necessary. Typically leave this value set to true.
advanced: True
global: True
helpLink: oidc.html
files:
oidc__jsonnet:
title: OIDC Claims Mapping
description: Customize the OIDC claim mappings to the Kratos schema. The default mappings include the minimum required for login functionality, so this typically does not need to be customized. Visit https://jsonnet.org for more information about this file format.
advanced: True
file: True
global: True
helpLink: oidc.html
config:
session:
lifespan:
@@ -65,6 +150,7 @@ kratos:
global: True
advanced: True
helpLink: kratos.html
flows:
settings:
privileged_session_max_age:
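Review bot: The `regex` validators on `provider` (`auth0|generic|github|google|microsoft`) and `subject_source` (`me|userinfo`) are unanchored, so unless the validator implicitly requires a full match a value such as `mygithub2` or `userinfo-x` passes and the unexpected string is handed straight to Kratos; anchoring as `regex: "^(auth0|generic|github|google|microsoft)$"` and `regex: "^(me|userinfo)$"` removes the ambiguity whichever way the validator behaves. `client_secret` is annotated like any other string even though it is a credential: if the annotation schema has a flag for masking sensitive values in the SOC UI it should carry it, and the description should say where the value is persisted. The `scope` key documented in this section is spelled `scopes` in the defaults file of the same commit, so one of the two needs to change for the UI setting to take effect.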


@@ -341,14 +341,19 @@ function syncElastic() {
" and ic.identity_id=i.id " \
" and ict.id=ic.identity_credential_type_id " \
" and ict.name='password' " \
" and instr(ic.config, 'hashed_password') " \
" and i.state == 'active' " \
"order by ici.identifier;" | \
sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath")
[[ $? != 0 ]] && fail "Unable to read credential hashes from database"
echo "${userData}" | \
jq -r '.user + ":" + .data.hashed_password' \
>> "$usersTmpFile"
user_data_formatted=$(echo "${userData}" | jq -r '.user + ":" + .data.hashed_password')
if lookup_salt_value "licensed_features" "" "pillar" | grep -x oidc; then
# generate random placeholder salt/hash for users without passwords
random_crypt=$(get_random_value 53)
user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/")
fi
echo "${user_data_formatted}" >> "$usersTmpFile"
# Append the user roles
while IFS="" read -r rolePair || [ -n "$rolePair" ]; do
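Review bot: The `sed` on the `user_data_formatted=` line splices `${random_crypt}` into an `s/.../.../` expression unescaped, so if `get_random_value` can emit `/`, `&` or `\` (all legal in the bcrypt alphabet the placeholder imitates) the substitution either fails or inserts the wrong text; `get_random_value` is not visible in this hunk, so please confirm its alphabet, and either way use a delimiter it cannot produce and reject `&`/`\`, e.g. `sed -r "s|^(.+:)\$|\\1\\\$2a\\\$12${random_crypt}|"`. `grep -x oidc` on the `if` line also prints the matched word to the script's stdout; `grep -qx oidc` performs the same test silently. `user_data_formatted` and `random_crypt` are assigned without `local` inside `syncElastic`, whose body begins above this hunk, so they leak into the caller's scope. Finally, a single `get_random_value` call gives every password-less user the identical placeholder hash; nobody knows its preimage so this is not directly exploitable, but a comment stating that assumption (and that the value is regenerated on every sync) would make the intent clear.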