Product: PowerShell Universal
Version: 2.9.2
Hey PSU folks,
Following the documentation here, OpenID Connect - PowerShell Universal, starting at Configuring Okta, we've followed the steps and have been halfway successful. We can authenticate with Okta (which is using DUO for MFA), but we are not getting our AD group memberships as claims.
The process I followed was to create the Okta app, then add the OIDC settings to my appsettings.json file and restart the service. This did not work, so I added the OIDC authentication type in PSU, configured all the settings the same as in my appsettings.json file, confirmed the settings in my authentication.ps1 file, and restarted the service. Now we hit Okta, authenticate, DUO prompts us for MFA, and after confirming MFA I'm taken to PSU - but my AD group memberships are not coming over.
My Okta admin walked through the setup with me watching. Everything is set up the same way it is in the documentation, including the settings for Group claim type = Filter, and the Groups claim filter = groups & Matches regex .*
My appsettings.json file, my authentication.ps1 file, and the OIDC authentication configuration in the web UI all have the same settings, and Scope is set to "openid profile groups".
I'm expecting this means that when Okta performs the authentication it will pull over all my AD group memberships as claims, using .* for the filter. However, when I visit Security > Roles > View Claim Information I do not see any of my AD groups as claims.
In my roles.ps1 file I've dumped $UserInfo and $UserInfo.Groups to a text file, but they are both blank. I dumped $User to a file and found I have .Claims with various claims & I have .Identity. Having $User.Identity.Name -eq "My User Name" in my roles.ps1 file is how I'm able to assign the Administrator role to myself at this point in time. The documentation says to use $UserInfo.Groups -contains "AD Group/Claim Name", but I don't have anything in $UserInfo.Groups.
I’ve been banging my head for 2 days on this and not getting anywhere. Any ideas?
I enabled debug log level, but a login just shows:
2022-04-07 12:51:46.078 -05:00 [INF] Evaluting claims for user@domain.com, Cache: False
2022-04-07 12:51:46.078 -05:00 [DBG] Running claims evaluation
2022-04-07 12:51:46.079 -05:00 [DBG] Evaluating roles.
2022-04-07 12:51:46.790 -05:00 [INF] user@domain.com is part of role Administrator
My authentication.ps1 file is:
```powershell
Set-PSUAuthenticationMethod -Type "OpenIDConnect" -CallbackPath "/authorization-code/callback" -ClientId "<ID>" -ClientSecret "<Secret>" -Authority "https://domain.okta.com" -UseTokenLifetime $true -GetClaimsFromUserInfoEndpoint $true -SaveTokens $true -Scopes "openid profile groups"
```
My appsettings.json file is:
```json
"Kestrel": {
  "Endpoints": {
    "HTTP": {
      "Url": "http://*:80"
    },
    "HTTPS": {
      "Url": "https://*:443",
      "Certificate": {
        "Subject": "*.domain.com",
        "Store": "My",
        "Location": "LocalMachine"
      }
    }
  },
  "RedirectToHttps": "true"
},
"ApplicationInsights": {
  "InstrumentationKey": "<Key>"
},
"OIDC": {
  "Enabled": "true",
  "CallbackPath": "/authorization-code/callback",
  "ClientID": "ID",
  "ClientSecret": "Secret",
  "Resource": "",
  "Authority": "https://domain.okta.com",
  "ResponseType": "code",
  "SaveTokens": "true",
  "CorrelationCookieSameSite": "",
  "UseTokenLifetime": true,
  "Scope": "openid profile groups",
  "GetUserInfo": true
}
```
The claims I get out of $User.Claims, and what is reflected when I click View Claim Information:
* Type: name - Value: <Name from AD> - Issuer: https://domain.okta.com
* Type: jti - Value: ID.<string> - Issuer: https://domain.okta.com
* Type: http://schemas.microsoft.com/claims/authnmethodsreferences - Value: otp - Issuer: https://domain.okta.com
* Type: http://schemas.microsoft.com/claims/authnmethodsreferences - Value: pwd - Issuer: https://domain.okta.com
* Type: http://schemas.microsoft.com/identity/claims/identityprovider - Value: <string> - Issuer: https://domain.okta.com
* Type: preferred_username - Value: <UPN from AD> - Issuer: https://domain.okta.com
* Type: auth_time - Value: <string> - Issuer: https://domain.okta.com
* Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/role - Value: Administrator - Issuer: https://www.poshtools.com
* Type: given_name - Value: <GivenName from AD> - Issuer: OpenIdConnect
* Type: family_name - Value: <SurName from AD> - Issuer: OpenIdConnect
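As an added example (not from the original post, and not code from PowerShell Universal or its documentation), the roles.ps1 policy below does two things the post's troubleshooting calls for: it records every claim the ClaimsPrincipal actually carries, and it maps the Administrator role from a group claim read directly off $User.Claims rather than $UserInfo.Groups. The claim type name `groups` (the filter name used in the post), the AD group name `PSU-Admins` and the log path are assumptions.

```powershell
# Added example (not from the original post or from PowerShell Universal):
# a roles.ps1 policy that logs every claim it receives and grants the
# Administrator role from a "groups" claim found directly on $User.Claims.
# Assumptions: Okta delivers the group list under the claim type "groups",
# the AD group is named "PSU-Admins", and the PSU service account can write
# to the log path below.
New-PSURole -Name 'Administrator' -Description 'Mapped from the Okta groups claim' -Policy {
    param($User)

    # 1. Diagnostic: write type, value and issuer of every claim so the claims
    #    the IdP really issued can be compared with what the Okta app is
    #    believed to be configured for. Everything stays inside the policy
    #    block because it runs in its own scope; helper functions defined
    #    elsewhere in roles.ps1 are not guaranteed to be visible here.
    $logPath = 'C:\ProgramData\UniversalAutomation\claims-debug.log'
    $stamp   = Get-Date -Format 'o'
    $lines   = foreach ($c in $User.Claims) {
        '{0} | {1} | {2} | {3}' -f $stamp, $c.Type, $c.Value, $c.Issuer
    }
    Add-Content -Path $logPath -Value $lines

    # 2. Collect the values of the groups claim. The .NET OIDC handler
    #    typically turns a JSON array into one claim per element with the
    #    same type, so filtering $User.Claims on the type yields the full list.
    $groups = @($User.Claims |
        Where-Object { $_.Type -eq 'groups' } |
        ForEach-Object { $_.Value })

    # 3. Grant the role only on an exact, case-sensitive group name. No regex
    #    or wildcard here, so an unrelated group with a similar name cannot
    #    satisfy the check. The policy returns $true or $false.
    $groups -ccontains 'PSU-Admins'
}
```

After the next login, look in the log for a line whose type column reads `groups`. If no such line appears while `given_name` and `family_name` do, the token and userinfo response reaching PSU simply do not contain the group list, and the fix lies in the Okta app's claim configuration rather than in roles.ps1. Remove the diagnostic block once the mapping works, since it writes group membership to disk on every role evaluation.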