Skip to main content

Troubleshooting SAML and OIDC

Jeff
  • Updated

Question/Problem:

When utilizing OIDC or SAML authentication connectors, sometimes it is necessary to get a better picture as to what is being passed from the OIDC or SAML provider. This is a bit tricky for an end user to do, but there are tools to make it easier.

View OIDC claims in Teleport Event log

OIDC doesn't pass user attributes through the browser. Instead, the authentication provider makes a call to teleport directly using the configured callback URL. The browser extension isn't able to see this information.

On a successful OIDC login, you can see the claims that were passed to teleport in the event logs:

2022-02-04T17:44:05Z INFO [AUDIT] user.login
attributes:map[aud:aaaaaaaaaaaaaaaf5b5903384d314397428f10b528e950636fa2b0fabcad9731
auth_time:1.643991485e+09 email:example@example.com email_verified:true
exp:1.643996765e+09 groups:[gitlab-instance-af24f051 developers]
iat:1.643996645e+09 iss:https://gitlab.example.com name:Example example
picture:https://secure.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80&d=identicon
profile:https://gitlab.spectacle.ml/example sub:1 sub_legacy:1405300f1d211e276ec1c7ffb2814b66fd8b8d8d5545e7bd4cda9ff8ba693325]
cluster_name:other code:T1001I ei:0 event:user.login method:oidc success:true
time:2022-02-04T17:44:05.976Z uid:78b2e8c1-b713-44f0-b38e-10eb0c40bb0e
user:example@example.com events/emitter.go:324

This can be helpful when debugging what claims are being passed when roles need to be mapped.

Use a browser extension

SAML, WS-Federation and OAuth tracer is a chrome extension that automatically interprets saml and oidc messages during an authentication workflow.

Install it in the browser where the user will log in.

When you do a login attempt, the extension icon will show the number of requests it has detected (by default it only shows the last twenty).

Seeing User attributes from a SAML provider

Generally, the item that is of interest is the POST to the SAML callback URL on the teleport server. For example, if you are using auth0 with SAML, you would see a GET to your auth0 domain, and then a POST to your teleport URL at /v1/webapi/saml/acs

The POST to that callback URL should contain all the SAML attributes associated with that user. This is especially handy if you are an admin and you want to know what mappings you can set in the teleport connector.

 

Comments

0 comments

Please sign in to leave a comment.