I am getting a This site can’t provide a secure connection after enabling SSO
Hello
After working with our SSO team I was able to get Velociraptor talking to Azure, but there seemed to be an issue with my account on their side. Once this was resolved I enabled SSO again and got the following message.

I was able to talk to the authenticator at first but now I cannot. Is there something I need to adjust in the server.config file to resolve this?
It looks like some of the urls are using plain http. Maybe the redirect url in the oauth config ?
Or maybe the server is configured to use plain http instead of tls?
I saw the following read.me file: https://github.com/Velocidex/velociraptor/tree/master/docs/saml
Do I need to set up my server config file to resemble what is in the link?
It depends what authentication method you want to use. I would recommend against saml because it seems a bit more complex to set up. Azure can provide both saml and oauth so I would recommend to just use oauth.
Here is how to enable it in Azure:
https://docs.velociraptor.app/blog/2020/2020-08-17-velociraptor-sso-authentication-6dd68d46dccf/#microsoft-azure-oauth2-flow
Hello @scudette Thank you so much for that information. We followed the steps in that documentation you provided and it looks like everything is set up on the Azure side, just looks like I may be missing something on the Velociraptor side, just not sure what the issue could be at the moment.
From velociraptor there are only a couple of steps. First, when you go to the site, velociraptor should redirect to azure. Then after you do the oauth steps on the azure servers, the browser redirects back to velociraptor.
In your case do you get the first redirect? Are you seeing the azure oauth dialog?
You can capture the second redirect in the dev tools and see the url is using tls, then the auth cookies should be present.
It looks like it is hitting the Azure page, then after I enter my credentials it redirects to the application. That's when I get the "this site can't provide a secure connection" error.
It looks like the browser is trying to access an SSL page but the server is not serving over SSL at all. Did you add the use_plain_http option to the config file? Do you have some kind of reverse proxy in front?
Does the redirect URL start with https?
I didn't know the use_plain_http option existed so no I did not add it to the config file. Greatly appreciate you bringing that up though. We do have a proxy but it is using https.
Can you check with curl that you can hit the URL the oauth is redirecting to?
Something like curl -vv https://<redirect_url>/
I wonder if the protocol error is specific to Chrome or if curl can shed some light? If you have a proxy in front of the Velociraptor server then it might be misconfigured and unable to serve SSL properly.
Hello @scudette it looks like we may have solved the redirect issues but now the application is saying the user we have added to the system already is not registered.
Here you can see that account is registered on the system
Any idea why we might be getting this error?
Check that you have a role assigned as well to that user for example:
velociraptor-v0.6.6-dev-linux-amd64 acl show mic
{"roles":["administrator"]}
You can add acls using velociraptor acl grant mic --role administrator
It's showing that the account has a role of administrator.

I would check the file permissions of the ACL files to make sure something didn't go wrong in creating the ACL. You need to become the velociraptor user whenever running any commands like the above:
sudo -u velociraptor bash
velociraptor acl show mic
If you do not, it is likely that the ACL files take the wrong permissions and then the server cannot read them.
We finally got it to work!! It looks like it was just a case sensitivity issue: we needed to make the username exactly as it was in Azure. I do have one last question: is there a way to adjust the session timeout for the GUI of Velociraptor? I have been looking for a way to adjust it but I haven't had any luck so far. Would greatly appreciate any insight on this.
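The three things this thread ends up checking (the scheme of the URL Azure redirects back to, whether use_plain_http is set, and whether the registered username matches the Azure name exactly) as one added shell example; this is not from the forum or the Velociraptor project, the config keys GUI.public_url and GUI.use_plain_http are assumed, and the config fragment and usernames are constructed.

```shell
# Added example, not Velociraptor's own tooling: pre-flight checks for the three
# failure modes in this thread. Config keys GUI.public_url and GUI.use_plain_http
# are assumed; the sample config and usernames are constructed.

# Constructed server.config fragment reproducing the broken setup.
SAMPLE_CONFIG='GUI:
  public_url: http://velociraptor.example.internal:8889/
  use_plain_http: true
  authenticator:
    type: Azure'

# Print the scheme of public_url, the address Azure sends the browser back to.
# Anything other than https is the "This site can't provide a secure connection" case.
public_url_scheme() {
  printf '%s\n' "$1" | sed -n 's|^[[:space:]]*public_url:[[:space:]]*\([a-z]*\)://.*|\1|p'
}

# Succeed (exit 0) when use_plain_http is set, i.e. the GUI is not serving TLS at all.
plain_http_enabled() {
  printf '%s\n' "$1" | grep -q '^[[:space:]]*use_plain_http:[[:space:]]*true'
}

# Compare the name Azure returns with the registered GUI user. Only an exact
# match counts; a case-only difference is what produced "user not registered".
username_status() {
  azure="$1"; registered="$2"
  lc_azure=$(printf '%s' "$azure" | tr 'A-Z' 'a-z')
  lc_registered=$(printf '%s' "$registered" | tr 'A-Z' 'a-z')
  if [ "$azure" = "$registered" ]; then
    echo exact
  elif [ "$lc_azure" = "$lc_registered" ]; then
    echo case_mismatch
  else
    echo unknown
  fi
}

# Run the checks against the constructed config and a constructed user pair.
scheme=$(public_url_scheme "$SAMPLE_CONFIG")
[ "$scheme" = https ] || echo "public_url scheme is '$scheme'; the OAuth redirect must be https"
if plain_http_enabled "$SAMPLE_CONFIG"; then
  echo "use_plain_http is set; remove it or terminate TLS on the proxy in front"
fi
echo "username check: $(username_status 'Mic.User@example.com' 'mic.user@example.com')"
```

Point the functions at your real server.config and the name shown in the Azure sign-in to reproduce the checks on a live deployment.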
Sessions are set to 24 hours before a reauth. Do you want to make it less or more?
The session length is now configurable in the config file.