Problem activating SSO plugin

Good morning, I tried to activate the alpha plugin released in the new version and the option doesn’t show in the Administration page.
I followed the steps in this guide in order to activate the Microsoft SSO and test it.
I have the browser extension v3.9.1 and Passbolt PRO v3.9.0, using Apache v2.4.38, PHP v8.2.1 and Debian 10.
Here is the passbolt.php file with the flag activated:

<?php
/**
 * Passbolt ~ Open source password manager for teams
 * Copyright (c) Passbolt SA (https://www.passbolt.com)
 *
 * Licensed under GNU Affero General Public License version 3 of the or any later version.
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice.
 *
 * @copyright     Copyright (c) Passbolt SA (https://www.passbolt.com)
 * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
 * @link          https://www.passbolt.com Passbolt(tm)
 * @since         2.0.0
 */
/**
 * PASSBOLT CONFIGURATION FILE
 *
 * This is a generated configuration file, which was generated by the passbolt web installer.
 *
 * To see all available options, you can refer to the default.php file, or replace this file
 * by a copy of passbolt.default.php
 * Do not modify default.php or you may break your upgrade process.
 *
 * Read more about how to install passbolt: https://www.passbolt.com/help/tech/install
 * Any issue, check out our FAQ: https://www.passbolt.com/faq
 * An installation issue? Ask for help to the community: https://community.passbolt.com/
 */
return [
    'App' => [
        // A base URL to use for absolute links.
        // The url where the passbolt instance will be reachable to your end users.
        // This information is needed to render images in emails, for example.
        'fullBaseUrl' => '$url',
    ],

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            'port' => '3306',
            'username' => '$username',
            'password' => '$pass',
            'database' => '$db',
        ],
    ],

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => '$host',
            'port' => 25,
            'username' => '$username',
            'password' => '$pass',
            // Is this a secure connection? true if yes, null if no.
            'tls' => null,
            //'timeout' => 30,
            'client' => '$server',
            //'url' => null,
        ],
    ],
    'Email' => [
        'default' => [
            // Defines the default name and email of the sender of the emails.
            'from' => ['$email' => 'Passbolt'],
            //'charset' => 'utf-8',
            //'headerCharset' => 'utf-8',
        ],
    ],
    'passbolt' => [
        // GPG Configuration.
        // The keyring must be owned by and accessible to the webserver user.
        // Example: www-data user on Debian
        'gpg' => [
            // Main server key.
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => '$server_key',
                'public' => CONFIG . DS . 'gpg' . DS . 'serverkey.asc',
                'private' => CONFIG . DS . 'gpg' . DS . 'serverkey_private.asc',
            ],
        ],
        'registration' => [
            'public' => false,
        ],
        'ssl' => [
            'force' => true,
        ],
        'security' => [
                'smtpSettings' => [
                        'endpointsDisabled' => true,
                ]
        ],
        'email' => [
                'validate' => [
                        'mx' => true,
                ]
        ],
        'sso' => [
                'enabled' => true
        ],
    ],
];

Here is the Administration page:

And here is the output of the healthcheck command:


     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------

Passbolt commands should only be executed as the web server user.

The command should be executed with the same user as your web server. By instance:
su -s /bin/bash -c "$folder/bin/cake COMMAND" HTTP_USER
where HTTP_USER match your web server user: www-data, nginx, apache, http

 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.2.1.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to $link
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 46 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to $folder/.gnupg.
 [PASS] The directory $folder/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in $folder/config/passbolt.php and readable.
 [PASS] The private key file is defined in $folder/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in $folder/config/passbolt.php.
 [PASS] The server public key defined in the $folder/config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.9.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Host availability will be checked.
 [PASS] Serving the compiled version of the javascript app.
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The $folder/config/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [PASS] The SMTP Settings plugin endpoints are disabled.

 [PASS] No error found. Nice one sparky!

Can you help me to activate it in order to test it?
Thank you

Sorry, there is a mistake in the doc; it should be:

        'plugins' => [
            'sso' => [
                'enabled' => true
            ],
        ],

Fixing the doc right now.


Hello @remy, is that plugins section inside the passbolt section or outside of it?

    'passbolt' => [
        // GPG Configuration.
        // The keyring must be owned by and accessible to the webserver user.
        // Example: www-data user on Debian
        'gpg' => [
            // Main server key.
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => '$key',
                'public' => CONFIG . DS . 'gpg' . DS . 'serverkey.asc',
                'private' => CONFIG . DS . 'gpg' . DS . 'serverkey_private.asc',
            ],
        ],
        'registration' => [
            'public' => false,
        ],
        'ssl' => [
            'force' => true,
        ],
        'security' => [
                'smtpSettings' => [
                        'endpointsDisabled' => true,
                ]
        ],
        'email' => [
                'validate' => [
                        'mx' => true,
                ]
        ],
        'plugins' => [
                'sso' => [
                        'enabled' => true,
                ]
        ],
    ],

It should be inside the passbolt section.


That worked, thank you for the quick help.


Enjoy! Looking forward to your feedback! 🙂

Hello again, I followed the steps for Azure AD and when I try to log in to save the data, it shows me this message:
[screenshot of the first error message]
I tried with other signInAudience values, like PersonalMicrosoftAccount, and sometimes it shows another error:
[screenshot of the second error message]

Do you know why I can’t set it up?

The first message indicates that the email is not part of the access token that is returned by Azure AD. It should be part of the default claims, or the email cannot be validated by passbolt.

The second message indicates that the code is not returned by Azure AD, most likely because it’s returning an Error instead, because of the configuration.

Can you confirm you have:

  • Email set in the user record in Azure AD
  • The same email in Azure AD and in Passbolt username

Did you follow the same procedure described in the help site to configure Azure AD, did you set some additional options? Maybe the email claim is not included in your configuration?

You can reach out to me at contact@passbolt.com, maybe we can do a quick call to get to the bottom of this.
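The two checks described above (is the email claim present in the token Azure AD returns, and did the redirect back to Passbolt carry a code or an error) can be run by hand against a captured token and callback URL. The script below is an added example, not Passbolt's own code. It assumes standard OAuth 2.0 / OIDC behaviour that the thread does not spell out: the provider redirects back with either a `code` or an `error` query parameter, and the token is a JWT whose payload is base64url-encoded JSON. The tokens and callback URLs it builds are constructed samples and the callback path is a placeholder; it deliberately does not verify signatures, so it is a configuration diagnostic only, never a substitute for the server's own validation.

```python
"""Added diagnostic for the two Azure AD errors discussed in this thread.

Not Passbolt code. Assumptions (standard OAuth 2.0 / OIDC behaviour, not
stated on the page): the provider redirects back with either `code=...` or
`error=...&error_description=...` in the query string, and the token is a
JWT whose payload is base64url-encoded JSON. Signatures are NOT verified
here; the script only inspects claims to explain a configuration problem.
"""
import base64
import json
from urllib.parse import parse_qs, urlparse


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_callback(url: str) -> str:
    """Classify the redirect from Azure AD: 'code' or 'error: <reason>'.

    The second error in the thread ('code not returned') shows up here as an
    `error` parameter arriving instead of a `code` parameter.
    """
    query = parse_qs(urlparse(url).query)
    if "code" in query:
        return "code"
    if "error" in query:
        desc = query.get("error_description", ["(no description)"])[0]
        return f"error: {query['error'][0]} - {desc}"
    return "error: neither code nor error present in callback"


def check_email_claim(token: str, passbolt_username: str) -> str:
    """Explain why Passbolt could not match the token to a local user.

    Passbolt usernames are email addresses, so the token's `email` claim
    must be present and equal to the username (compared case-insensitively).
    """
    claims = decode_jwt_payload(token)
    email = claims.get("email")
    if not email:
        return "missing: token has no 'email' claim (is email set on the Azure AD user?)"
    if email.casefold() != passbolt_username.casefold():
        return f"mismatch: token email {email!r} != passbolt username {passbolt_username!r}"
    return "ok"


def sample_token(claims: dict) -> str:
    """Build an unsigned JWT from claims (constructed test data, not a real token)."""
    def b64url(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed samples: a token for a user whose Azure AD record has no email
# (only preferred_username), and one where the email claim is present.
TOKEN_NO_EMAIL = sample_token({"preferred_username": "alice@example.com", "name": "Alice"})
TOKEN_WITH_EMAIL = sample_token({"preferred_username": "alice@example.com",
                                 "email": "alice@example.com"})
# Placeholder callback URLs; the real Passbolt redirect path is not shown in the thread.
CALLBACK_OK = "https://passbolt.example.com/sso/callback?code=AUTHCODE&state=xyz"
CALLBACK_ERR = ("https://passbolt.example.com/sso/callback?error=unauthorized_client"
                "&error_description=app+not+enabled+for+this+account+type")

if __name__ == "__main__":
    print(check_email_claim(TOKEN_NO_EMAIL, "alice@example.com"))   # first error in the thread
    print(check_email_claim(TOKEN_WITH_EMAIL, "alice@example.com"))  # ok
    print(check_callback(CALLBACK_OK))                               # code
    print(check_callback(CALLBACK_ERR))                              # second error in the thread
```

To use it on a real deployment, paste the token captured from the browser's network tab into `check_email_claim` together with the Passbolt username, and the redirect URL the browser landed on into `check_callback`; a `missing` result points at the user record in Azure AD, an `error:` result at the app registration (for example the supported account type).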

I followed the steps in the guide quite closely and just changed the supported account type, but then I checked with the same one mentioned, which gave me the same error.
The account I’m using on Azure AD and Passbolt has the same email, and I think it is correctly set up in the user record, but it is my first time with Azure AD so maybe I did something wrong.
Also, I tried to add email as an optional claim on the app but it is still not working.
I’m going to write to you at the provided email to see what is happening.

What do you see under the “API permissions”? Maybe it’s configured to have a different default?

This is what I have:

Ok, we had a call with @Termindiego25 and we saw the “email” was not specified for the user:
[screenshot of the Azure AD user record with an empty email field, 2023-01-24]


Yep, the user created by default when I created the tenant had this field blank, so you have to check that it has the same email as your Passbolt account in order for it to work properly.
Thank you again @remy for your quick help!
