OpenCTI
=======

.. image:: /applications/opencti.png
   :class: align-center

Presentation
------------

OpenCTI is an open source platform allowing organizations to manage their
cyber threat intelligence knowledge and observables.

OpenCTI supports SSO through the SAML and OpenID Connect protocols; both
setups with LemonLDAP::NG are described below.

Configuring OpenCTI (SAML)
--------------------------

Prerequisites
~~~~~~~~~~~~~

First, generate a key/certificate pair for OpenCTI. ``-nodes`` writes the
private key unencrypted, so keep ``octi-saml-key.pem`` readable by the
OpenCTI process only::

   openssl req -x509 -newkey rsa:4096 -keyout octi-saml-key.pem -out octi-saml-cert.pem -sha256 -days 3650 -nodes

Then, download the LemonLDAP::NG SAML IdP metadata at
https://auth.example.com/saml/metadata/idp

In this file, extract the ``ds:X509Certificate`` element found inside the
``KeyDescriptor use="signing"`` element (not the ``use="encryption"`` one),
and remove all whitespace, including line breaks. You will get a long Base64
string that looks like::

   # On a single line, with no spaces
   MIIFazCCA1OgAwIBAgIUDuUn+nT550rK0Qsej28PlQpZoFkwDQYJKoZIhvcN....

Do the same with ``octi-saml-key.pem`` (drop the ``BEGIN`` and ``END`` lines
and join the remaining lines) in order to get a long Base64 string
representing the OpenCTI signing key.

Regular installation
~~~~~~~~~~~~~~~~~~~~

In your OpenCTI configuration::

   "saml": {
     "identifier": "saml",
     "strategy": "SamlStrategy",
     "config": {
       "issuer": "opencti",
       "entry_point": "https://auth.example.com/saml/singleSignOn",
       "saml_callback_url": "https://opencti.example.com/auth/saml/callback",
       "private_key": "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg...",
       "cert": "MIICmzCCAYMCBgF2Qt3X1zANBgkqhkiG9w0BAQsFADARMQ8w...",
       "roles_management": {
         "role_attributes": ["groups"],
         "roles_mapping": ["my_lemonldap_group:Administrator"]
       }
     }
   }

* ``issuer`` is the SP entity ID sent in the authentication request; it must
  match the ``entityID`` of the metadata you will register in LemonLDAP::NG
* ``private_key`` must contain the concatenated content of ``octi-saml-key.pem``
* ``cert`` must contain the concatenated content of the LemonLDAP::NG signing
  certificate, taken from the SAML metadata
* The ``roles_management`` element is only needed if you want to assign
  OpenCTI roles to your LemonLDAP::NG users automatically, depending on
  their groups; each mapping entry has the form ``lemonldap_group:OpenCTI_role``
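As an added example (not OpenCTI or LemonLDAP::NG code), the script below automates the two extraction steps of the prerequisites and assembles the ``saml`` block shown above. It parses the IdP metadata with the Python standard library, picks the ``signing`` ``KeyDescriptor`` of the ``IDPSSODescriptor`` (an encryption-only key is skipped; a ``KeyDescriptor`` without a ``use`` attribute is accepted, since such a key may sign), checks that the value is Base64 of a DER structure, and strips whitespace from both the certificate and the PEM key. The metadata, certificate and key embedded in it are constructed placeholders, not real material.

```python
"""Build the OpenCTI "saml" configuration from LemonLDAP::NG IdP metadata.

Added example, not OpenCTI or LemonLDAP::NG code. All inputs below are
constructed placeholders; point the functions at the real metadata and
octi-saml-key.pem to produce a usable configuration."""
import base64
import json
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def pem_to_single_line(pem: str) -> str:
    """Strip the BEGIN/END lines and all whitespace from a PEM file.
    The result is the one-line Base64 body OpenCTI expects in private_key / cert."""
    body = [line.strip() for line in pem.strip().splitlines() if not line.startswith("-----")]
    return "".join(body)


def extract_idp_signing_cert(metadata_xml: str) -> str:
    """Return the IdP signing certificate as one Base64 line.

    Only KeyDescriptor elements of the IDPSSODescriptor are considered.
    use="encryption" keys are skipped; a KeyDescriptor with no use attribute
    is valid for signing as well and is therefore accepted."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: is this the /saml/metadata/idp document?")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        b64 = "".join(cert.text.split())  # remove spaces and line breaks
        # Sanity check: valid Base64 that decodes to a DER SEQUENCE (tag 0x30).
        der = base64.b64decode(b64, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("X509Certificate does not decode to a DER certificate")
        return b64
    raise ValueError("no signing certificate found in IDPSSODescriptor")


def build_opencti_saml_config(idp_metadata_xml, sp_key_pem, entry_point, callback_url,
                              roles_mapping=None):
    """Assemble the "saml" provider block as a dict (roles_management is optional)."""
    config = {
        "issuer": "opencti",
        "entry_point": entry_point,
        "saml_callback_url": callback_url,
        "private_key": pem_to_single_line(sp_key_pem),
        "cert": extract_idp_signing_cert(idp_metadata_xml),
    }
    if roles_mapping:
        config["roles_management"] = {
            "role_attributes": ["groups"],
            "roles_mapping": list(roles_mapping),
        }
    return {"saml": {"identifier": "saml", "strategy": "SamlStrategy", "config": config}}


# --- constructed sample data: not real keys, certificates or metadata ---
FAKE_SIGNING_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_SIGNING_B64 = base64.b64encode(FAKE_SIGNING_DER).decode()
FAKE_ENCRYPTION_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://auth.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_ENCRYPTION_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_SIGNING_B64[:64]}
        {FAKE_SIGNING_B64[64:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.example.com/saml/singleSignOn"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_SP_KEY_PEM = """-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg
ZmFrZQ==
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    cfg = build_opencti_saml_config(
        SAMPLE_IDP_METADATA, SAMPLE_SP_KEY_PEM,
        "https://auth.example.com/saml/singleSignOn",
        "https://opencti.example.com/auth/saml/callback",
        ["my_lemonldap_group:Administrator"])
    print(json.dumps(cfg, indent=2))
```

Run it against the real files by replacing the two ``SAMPLE_`` constants with the contents of the downloaded metadata and of ``octi-saml-key.pem``; the DER sanity check catches the usual copy-paste mistakes (a stray ``-----BEGIN`` line or a truncated string) before OpenCTI rejects every assertion.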
Docker
~~~~~~

In a docker setup, add the following environment variables::

   - PROVIDERS__SAML__STRATEGY=SamlStrategy
   - "PROVIDERS__SAML__CONFIG__LABEL=Login with SAML"
   - PROVIDERS__SAML__CONFIG__ISSUER=opencti
   - PROVIDERS__SAML__CONFIG__ENTRY_POINT=https://auth.example.com/saml/singleSignOn
   - PROVIDERS__SAML__CONFIG__SAML_CALLBACK_URL=https://opencti.example.com/auth/saml/callback
   - PROVIDERS__SAML__CONFIG__CERT=MIICmzCCAYMCBgF2Qt3X1zANBgkqhkiG9w0BAQsFADARMQ8w...
   - PROVIDERS__SAML__CONFIG__PRIVATE_KEY=MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg...
   - "PROVIDERS__SAML__CONFIG__ROLES_MANAGEMENT__ROLE_ATTRIBUTES=[\"groups\"]"
   - "PROVIDERS__SAML__CONFIG__ROLES_MANAGEMENT__ROLES_MAPPING=[\"my_lemonldap_group:Administrator\"]"

* ``PRIVATE_KEY`` must contain the concatenated content of ``octi-saml-key.pem``
* ``CERT`` must contain the concatenated content of the LemonLDAP::NG signing
  certificate, taken from the SAML metadata
* The ``ROLES_MANAGEMENT`` variables are only needed if you want to assign
  OpenCTI roles to your LemonLDAP::NG users automatically, depending on
  their groups

Configuring LemonLDAP (SAML)
----------------------------

Generating OpenCTI metadata
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edit the following template to create the metadata for OpenCTI::

   ###paste the content of octi-saml-cert.pem here, without the BEGIN and END line###

Don't forget to replace the ``Location=`` attribute (the OpenCTI callback
URL, ``https://opencti.example.com/auth/saml/callback``) and the content of
``X509Certificate``.
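As an added example, not the project's own template, the script below generates the SP metadata from ``octi-saml-cert.pem``, the OpenCTI ``issuer`` (which becomes the ``entityID``) and the callback URL (which becomes the ``AssertionConsumerService`` ``Location``), then re-parses the result to confirm what LemonLDAP::NG will read from it. The element set follows the SAML 2.0 metadata schema; ``AuthnRequestsSigned``, ``WantAssertionsSigned`` and the ``emailAddress`` NameID format are assumptions to align with the options you set on the LL::NG service provider. The certificate embedded below is a constructed placeholder.

```python
"""Generate SAML 2.0 SP metadata for OpenCTI, to paste into LemonLDAP::NG.

Added example, not the project's template. The certificate below is a
constructed placeholder; pass the real octi-saml-cert.pem content instead."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def pem_to_single_line(pem: str) -> str:
    """Base64 body of a PEM file: BEGIN/END lines and all whitespace removed."""
    body = [line.strip() for line in pem.strip().splitlines() if not line.startswith("-----")]
    return "".join(body)


def build_sp_metadata(entity_id: str, acs_url: str, cert_pem: str) -> str:
    """EntityDescriptor/SPSSODescriptor with one signing key and one HTTP-POST ACS.

    entity_id must equal OpenCTI's "issuer" and acs_url its saml_callback_url.
    The signing flags and NameID format are assumptions (adjust to your LL::NG options)."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        "AuthnRequestsSigned": "true",
        "WantAssertionsSigned": "true",
    })
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    key_info = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS}}}X509Data")
    ET.SubElement(x509_data, f"{{{DS}}}X509Certificate").text = pem_to_single_line(cert_pem)
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location": acs_url,
        "index": "0",
        "isDefault": "true",
    })
    return ET.tostring(ed, encoding="unicode")


def check_sp_metadata(xml_text: str, entity_id: str, acs_url: str) -> bool:
    """Re-parse the metadata and verify the fields LL::NG relies on."""
    ns = {"md": MD, "ds": DS}
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", ns)
    cert = root.find(
        "md:SPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns)
    return (
        root.get("entityID") == entity_id
        and acs is not None and acs.get("Location") == acs_url
        and cert is not None and bool(cert.text)
        and "-----" not in cert.text              # BEGIN/END lines were removed
        and not any(c.isspace() for c in cert.text)  # single-line Base64
    )


# Constructed placeholder: the first line is the truncated sample shown in the
# documentation, the second is filler. Not a real certificate.
SAMPLE_SP_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIUDuUn+nT550rK0Qsej28PlQpZoFkwDQYJKoZIhvcN
ZmFrZQ==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    metadata = build_sp_metadata("opencti",
                                 "https://opencti.example.com/auth/saml/callback",
                                 SAMPLE_SP_CERT_PEM)
    print(metadata)
```

Paste the printed document into the **Metadata** field of the new service provider; if you later rotate ``octi-saml-cert.pem`` or move the callback URL, regenerate it rather than editing by hand, so that ``issuer``, ``saml_callback_url`` and the metadata never drift apart.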
Adding OpenCTI to the LemonLDAP::NG configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Add a :ref:`new SAML Service Provider to the LemonLDAP::NG configuration`
with the following parameters:

* **Metadata**

  * Copy the metadata generated at the previous step

* **Exported Attributes**

  * variable name: ``groups``
  * attribute name: ``groups``

OIDC Interconnection
--------------------

This section describes the OpenID Connect configuration.

Configure OpenCTI (OIDC)
~~~~~~~~~~~~~~~~~~~~~~~~

Here is the basic configuration for a docker installation. Choose a client
ID and a client secret, put them in place of ``<client_id>`` and
``<client_secret>``, and also adapt the issuer and the redirect URI:

.. code-block:: yaml

   - PROVIDERS__OPENID__STRATEGY=OpenIDConnectStrategy
   - "PROVIDERS__OPENID__CONFIG__LABEL=Login with OpenID"
   - PROVIDERS__OPENID__CONFIG__ISSUER=https://auth.example.com
   - PROVIDERS__OPENID__CONFIG__CLIENT_ID=<client_id>
   - PROVIDERS__OPENID__CONFIG__CLIENT_SECRET=<client_secret>
   - "PROVIDERS__OPENID__CONFIG__REDIRECT_URIS=[\"https://opencti.example.com/auth/oic/callback\"]"

For an advanced usage, you can also map LemonLDAP::NG groups to OpenCTI
groups with these parameters:

.. code-block:: yaml

   - "PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_SCOPE=groups"
   - "PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_PATH=[\"groups\", \"realm_access.groups\", \"resource_access.account.groups\"]"
   - "PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_MAPPING=[\"OpenID_Group_1:OpenCTI_Group_1\", \"OpenID_Group_2:OpenCTI_Group_2\", ...]"

With LemonLDAP::NG the groups arrive in the top-level ``groups`` claim, so
``groups`` is the ``GROUPS_PATH`` entry that matters; the other two paths are
meant for other providers and are simply not found. Each ``GROUPS_MAPPING``
entry has the form ``lemonldap_group:OpenCTI_group``.

Configure LemonLDAP (OIDC)
~~~~~~~~~~~~~~~~~~~~~~~~~~

Configure LemonLDAP as an :doc:`OpenID Connect provider <../idpopenidconnect>`.
As described in the documentation linked above, also define a new Relying
Party in LL::NG.
Take care to configure at least these parameters:

* ``Public client``: disabled
* ``Client ID``: the client ID defined in the previous section
* ``Client secret``: the client secret defined in the previous section
* ``Allowed redirection addresses for login``: the redirect URI defined in
  the previous section
* ``Security -> ID Token signature algorithm``: make sure you select
  **RS256**, as HS512 (the default) is not supported by OpenCTI
* ``Advanced -> User attribute``: take care to use the user unique
  identifier defined in OpenCTI, usually ``mail``

Advanced usage, for group mapping:

* ``Exported attributes (claims)``: add claim ``groups -> groups``
* ``Options -> Scope``: add scope ``groups -> groups``
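As an added example (not OpenCTI or LemonLDAP::NG code), the script below checks an ID token against the settings of the two OIDC sections above: the ``alg`` header must be ``RS256``, the user identifier claim must be present (assumed here to be ``email``, matching the ``mail`` user attribute), and the ``groups`` claim must be a JSON array for the ``GROUPS_PATH`` / ``GROUPS_MAPPING`` logic to find anything. Path resolution is assumed to be dotted (as ``realm_access.groups`` suggests) and mapping entries are applied as ``idp_group:opencti_group``. The tokens are constructed with a dummy signature: nothing here verifies a signature, which is OpenCTI's job against the provider's JWKS. Use it on a token captured from your own browser session to see what LL::NG actually sends.

```python
"""Inspect an ID token issued by LemonLDAP::NG for the OpenCTI OIDC settings.

Added example, not OpenCTI or LemonLDAP::NG code. The tokens below are
constructed and carry a dummy signature; signature verification is
deliberately NOT done here."""
import base64
import json


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_id_token_unverified(token: str):
    """Return (header, claims) of a compact JWT. The signature is NOT checked."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def lookup_path(claims: dict, dotted: str):
    """Resolve a GROUPS_PATH entry such as "realm_access.groups" (assumed dotted-path semantics)."""
    current = claims
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def resolve_groups(claims: dict, groups_path) -> list:
    """Union of the group names found at every configured path; non-array values are ignored."""
    groups = []
    for path in groups_path:
        value = lookup_path(claims, path)
        if isinstance(value, list):
            for g in value:
                if isinstance(g, str) and g not in groups:
                    groups.append(g)
    return groups


def map_groups(idp_groups, groups_mapping) -> list:
    """Apply GROUPS_MAPPING entries of the form "idp_group:opencti_group"."""
    mapping = {}
    for entry in groups_mapping:
        src, dst = entry.split(":", 1)
        mapping.setdefault(src, []).append(dst)
    opencti_groups = []
    for g in idp_groups:
        for dst in mapping.get(g, []):
            if dst not in opencti_groups:
                opencti_groups.append(dst)
    return opencti_groups


def check_id_token(token: str, user_attribute="email", groups_path=("groups",)) -> list:
    """Return the configuration problems visible in the token (empty list means OK)."""
    header, claims = decode_id_token_unverified(token)
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg={header.get('alg')} (OpenCTI needs RS256)")
    if not claims.get(user_attribute):
        problems.append(f"missing {user_attribute} claim")
    for path in groups_path:
        value = lookup_path(claims, path)
        if value is not None and not isinstance(value, list):
            problems.append(f"{path} claim is not a JSON array")
    return problems


def make_sample_token(header: dict, claims: dict) -> str:
    """Constructed token with a dummy signature, for the samples below only."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"dummy-signature")])


# --- constructed samples (not real tokens) ---
GOOD_CLAIMS = {"iss": "https://auth.example.com", "sub": "jdoe", "aud": "opencti",
               "email": "jdoe@example.com", "groups": ["OpenID_Group_1", "ops"]}
GOOD_TOKEN = make_sample_token({"alg": "RS256", "typ": "JWT"}, GOOD_CLAIMS)
# HS512 default kept, no e-mail claim, groups exported as one string instead of an array
BAD_TOKEN = make_sample_token({"alg": "HS512", "typ": "JWT"},
                              {"iss": "https://auth.example.com", "sub": "jdoe",
                               "groups": "OpenID_Group_1; ops"})

GROUPS_PATH = ["groups", "realm_access.groups", "resource_access.account.groups"]
GROUPS_MAPPING = ["OpenID_Group_1:OpenCTI_Group_1", "OpenID_Group_2:OpenCTI_Group_2"]

if __name__ == "__main__":
    for name, token in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_id_token(token) or "OK")
    print(map_groups(resolve_groups(GOOD_CLAIMS, GROUPS_PATH), GROUPS_MAPPING))
```

The "bad" sample reproduces the three misconfigurations this page warns about: the LL::NG default ``HS512`` left in place, the user identifier claim missing, and the ``groups`` claim delivered as a single string, which no ``GROUPS_MAPPING`` entry will ever match.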