OpenCTI¶
Presentation¶
OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables.
OpenCTI allows SSO via the SAML or OIDC protocols.
Configuring OpenCTI (SAML)¶
Prerequisites¶
First, generate a key/certificate pair for OpenCTI
openssl req -x509 -newkey rsa:4096 -keyout octi-saml-key.pem -out octi-saml-cert.pem -sha256 -days 3650 -nodes
Then, download the LemonLDAP::NG SAML metadata at https://auth.example.com/saml/metadata/idp
In this certificate, extract the ds:X509Certificate
element inside the KeyDescriptor use="signing"
element, and remove all spaces, you will get a long Base64 string that looks like
# On a single line, with no spaces
MIIFazCCA1OgAwIBAgIUDuUn+nT550rK0Qsej28PlQpZoFkwDQYJKoZIhvcN....
Do the same with octi-saml-key.pem
in order to get a long Base64 string representing the OpenCTI signing key.
Regular installation¶
In your OpenCTI configuration
"saml": {
"identifier": "saml",
"strategy": "SamlStrategy",
"config": {
"issuer": "opencti",
"entry_point": "https://auth.example.com/saml/singleSignOn",
"saml_callback_url": "https://opencti.example.com/auth/saml/callback",
"private_key": "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg...",
"cert": "MIICmzCCAYMCBgF2Qt3X1zANBgkqhkiG9w0BAQsFADARMQ8w...",
"roles_management": {
"role_attributes": ["groups"],
"roles_mapping": ["my_lemonldap_group:Administrator"]
}
}
private_key
must contain the concatenated content ofocti-saml-key.pem
cert
must contain the concatenated content of the LemonLDAP::NG signing certificate, from SAML metadataThe
roles_management
element is only useful if you want to automatically affect roles to your LemonLDAP::NG users depending on their groups.
Docker¶
In a docker setup, add the following environment variables
- PROVIDERS__SAML__STRATEGY=SamlStrategy
- "PROVIDERS__SAML__CONFIG__LABEL=Login with SAML"
- PROVIDERS__SAML__CONFIG__ISSUER=opencti
- PROVIDERS__SAML__CONFIG__ENTRY_POINT=https://auth.example.com/saml/singleSignOn
- PROVIDERS__SAML__CONFIG__SAML_CALLBACK_URL=https://opencti.example.com/auth/saml/callback
- PROVIDERS__SAML__CONFIG__CERT=MIICmzCCAYMCBgF2Qt3X1zANBgkqhkiG9w0BAQsFADARMQ8w...
- PROVIDERS__SAML__CONFIG__PRIVATE_KEY=MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg...
- "PROVIDERS__SAML__CONFIG__ROLES_MANAGEMENT__ROLE_ATTRIBUTES=[\"groups\"]"
- "PROVIDERS__SAML__CONFIG__ROLES_MANAGEMENT__ROLES_MAPPING=[\"my_lemonldap_group:Administrator\"]"
PRIVATE_KEY
must contain the concatenated content ofocti-saml-key.pem
CERT
must contain the concatenated content of the LemonLDAP::NG signing certificate, from SAML metadataThe
ROLES_MANAGEMENT
variables are only useful if you want to automatically affect roles to your LemonLDAP::NG users depending on their groups.
Configuring LemonLDAP (SAML)¶
Generating OpenCTI metadata¶
Edit the following template to create the metadata for OpenCTI
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor
entityID="opencti"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor
AuthnRequestsSigned="true"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
###paste the content of octi-saml-cert.pem here, without the BEGIN and END line###
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
<AssertionConsumerService
index="0"
isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://opencti.example.com/auth/saml/callback" />
</SPSSODescriptor>
</EntityDescriptor>
Don’t forget to replace the Location=
attribute and the content of X509Certificate
.
Adding OpenCTI::NG to LemonLDAP configuration¶
Add a new new SAML Service Provider to the LemonLDAP::NG configuration with the following parameters:
- Metadata
Copy the Metadata generated at the previous step
- Exported Attributes
variable name:
groups
attribute name:
groups
OIDC Interconnection¶
This section describe the OpenID Connect configuration
Configure OpenCTI (OIDC)¶
Here is the basic configuration for a docker installation
Define and replace <clientid>
and <clientsecret>
, and also adapt issuer and redirect uri:
- PROVIDERS__OPENID__STRATEGY=OpenIDConnectStrategy
- "PROVIDERS__OPENID__CONFIG__LABEL=Login with OpenID"
- PROVIDERS__OPENID__CONFIG__ISSUER=https://auth.example.com
- PROVIDERS__OPENID__CONFIG__CLIENT_ID=<clientid>
- PROVIDERS__OPENID__CONFIG__CLIENT_SECRET=<clientsecret>
- "PROVIDERS__OPENID__CONFIG__REDIRECT_URIS=[\"https://opencti.mydomain.com/auth/oic/callback\"]"
For an advanced usage, you can also map lemonldap groups to openCTI groups with these paramters:
- "PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_SCOPE=groups"
- "PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_PATH=[\"groups\", \"realm_access.groups\", \"resource_access.account.groups\"]"
- "PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_MAPPING=[\"OpenID_Group_1:OpenCTI_Group_1\", \"OpenID_Group_2:OpenCTI_Group_2\", ...]"
Configure LemonLDAP (OIDC)¶
Configure LemonLDAP as an OpenID Connect provider.
As describe in documentation link above, also define a new Relying Party in LL::NG.
Take care to configure at least these parameters:
Public client
: disabledClient ID
: client id defined in previous sectionClient secret
: client secret defined in previous sectionAllowed redirection addresses for login
: redirect uri defined in previous sectionSecurity -> ID Token signature algorithm
: make sure you select RS256, as HS512 is not supported in OpenCTIAdvanced -> User attribute
: take care to use the user unique identifier defined in OpenCTI, usuallymail
Advanced usage, for group mapping:
Exported attributes (claims)
: add claimgroups -> groups
Options -> Scope
: add scopegroups -> groups