When utilizing OIDC or SAML authentication connectors, sometimes it is necessary to get a better picture as to what is being passed from the OIDC or SAML provider. This is a bit tricky for an end user to do, but there are tools to make it easier.
View OIDC claims in Teleport Event log
OIDC doesn't pass user attributes through the browser. Instead, the authentication provider makes a call to teleport directly using the configured callback URL. The browser extension isn't able to see this information.
On a successful OIDC login, you can see the claims that were passed to teleport in the event logs:
2022-02-04T17:44:05Z INFO [AUDIT] user.login
auth_time:1.643991485e+09 email:firstname.lastname@example.org email_verified:true
exp:1.643996765e+09 groups:[gitlab-instance-af24f051 developers]
iat:1.643996645e+09 iss:https://gitlab.example.com name:Example example
profile:https://gitlab.spectacle.ml/example sub:1 sub_legacy:1405300f1d211e276ec1c7ffb2814b66fd8b8d8d5545e7bd4cda9ff8ba693325]
cluster_name:other code:T1001I ei:0 event:user.login method:oidc success:true
This can be helpful when debugging what claims are being passed when roles need to be mapped.
Use a browser extension
SAML, WS-Federation and OAuth tracer is a chrome extension that automatically interprets saml and oidc messages during an authentication workflow.
Install it in the browser where the user will log in.
When you do a login attempt, the extension icon will show the number of requests it has detected (by default it only shows the last twenty).
Seeing User attributes from a SAML provider
Generally, the item that is of interest is the POST to the SAML callback URL on the teleport server. For example, if you are using auth0 with SAML, you would see a GET to your auth0 domain, and then a POST to your teleport URL at /v1/webapi/saml/acs
The POST to that callback URL should contain all the SAML attributes associated with that user. This is especially handy if you are an admin and you want to know what mappings you can set in the teleport connector.
Please sign in to leave a comment.