OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables.
OpenCTI allows SSO via the SAML or OIDC protocols.
First, generate a key/certificate pair for OpenCTI
openssl req -x509 -newkey rsa:4096 -keyout octi-saml-key.pem -out octi-saml-cert.pem -sha256 -days 3650 -nodes
Then, download the LemonLDAP::NG SAML metadata at https://auth.example.com/saml/metadata/idp
In this certificate, extract the ds:X509Certificate element inside the KeyDescriptor use="signing" element, and remove all spaces, you will get a long Base64 string that looks like
# On a single line, with no spaces
MIIFazCCA1OgAwIBAgIUDuUn+nT550rK0Qsej28PlQpZoFkwDQYJKoZIhvcN....
Do the same with octi-saml-key.pem in order to get a long Base64 string representing the OpenCTI signing key.
In your OpenCTI configuration
"saml": {
"identifier": "saml",
"strategy": "SamlStrategy",
"config": {
"issuer": "opencti",
"entry_point": "https://auth.example.com/saml/singleSignOn",
"saml_callback_url": "https://opencti.example.com/auth/saml/callback",
"private_key": "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg...",
"cert": "MIICmzCCAYMCBgF2Qt3X1zANBgkqhkiG9w0BAQsFADARMQ8w...",
"roles_management": {
"role_attributes": ["groups"],
"roles_mapping": ["my_lemonldap_group:Administrator"]
}
}
In a docker setup, add the following environment variables
- PROVIDERS__SAML__STRATEGY=SamlStrategy
- "PROVIDERS__SAML__CONFIG__LABEL=Login with SAML"
- PROVIDERS__SAML__CONFIG__ISSUER=opencti
- PROVIDERS__SAML__CONFIG__ENTRY_POINT=https://auth.example.com/saml/singleSignOn
- PROVIDERS__SAML__CONFIG__SAML_CALLBACK_URL=https://opencti.example.com/auth/saml/callback
- PROVIDERS__SAML__CONFIG__CERT=MIICmzCCAYMCBgF2Qt3X1zANBgkqhkiG9w0BAQsFADARMQ8w...
- PROVIDERS__SAML__CONFIG__PRIVATE_KEY=MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg...
- "PROVIDERS__SAML__CONFIG__ROLES_MANAGEMENT__ROLE_ATTRIBUTES=[\"groups\"]"
- "PROVIDERS__SAML__CONFIG__ROLES_MANAGEMENT__ROLES_MAPPING=[\"my_lemonldap_group:Administrator\"]"
Edit the following template to create the metadata for OpenCTI
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor
entityID="opencti"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor
AuthnRequestsSigned="true"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
###paste the content of octi-saml-cert.pem here, without the BEGIN and END line###
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
<AssertionConsumerService
index="0"
isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://opencti.example.com/auth/saml/callback" />
</SPSSODescriptor>
</EntityDescriptor>
Don’t forget to replace the Location= attribute and the content of X509Certificate.
Add a new new SAML Service Provider to the LemonLDAP::NG configuration with the following parameters:
This section describe the OpenID Connect configuration
Here is the basic configuration for a docker installation
Define and replace <clientid> and <clientsecret>, and also adapt issuer and redirect uri:
For an advanced usage, you can also map lemonldap groups to openCTI groups with these paramters:
Configure LemonLDAP as an OpenID Connect provider.
As describe in documentation link above, also define a new Relying Party in LL::NG.
Take care to configure at least these parameters:
Advanced usage, for group mapping: