OpenID and ADFS 2019 server

Jun 1, 2022
Hello!

Has anyone managed to configure openid logon with ADFS 2019 server? We've been banging our heads against the wall all day without success.

We got it work with Username Claim as "Default" but username is some weird long string with this option.

We would like to use "Username" or "Email" as claim but we got some error messages.

Code:
Jun  1 12:53:11 xxxxxxxxxx pvedaemon[2433391]: openid authentication failure; rhost=::ffff:10.25.21.53 msg=missing claim 'email'

On the ADFS server I have tried different kinds of transform rules. I thought it would work with the "Send LDAP Attributes as Claims" rule template with outgoing claim type as email, but no success.

[screenshot: Capture.PNG]

[screenshot: Capture2.PNG]

This won't work..
[screenshot: Capture4.PNG]

I wish someone had done this before. Thank you for your help in advance. :)


Best regards,
Mikko

[attachment: Capture3.PNG]
I have faced the same issue with Proxmox and ADFS.
Here is the answer from ADFS when Proxmox tries to obtain userinfo.
4f560c8a-a8fd-4c01-abfb-b4518a986878 is the client ID.

HTTP:
GET /adfs/userinfo HTTP/1.1
Host: adfs.service.example.com
User-Agent: ureq/2.4.0
accept: application/json
authorization: Bearer eyJ0eXAi......._53c7w
accept-encoding: gzip
content-length: 0

HTTP/1.1 401 Unauthorized
Content-Length: 0
Content-Type: text/html; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age = 31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self';
WWW-Authenticate: Bearer error="invalid_token", error_description="MSIS9921: Received invalid UserInfo request. Audience 'microsoft:identityserver:4f560c8a-a8fd-4c01-abfb-b4518a986878' in the access token is not same as the identifier of the UserInfo relying party trust 'urn:microsoft:userinfo'."
Date: Fri, 10 Jun 2022 15:32:21 GMT

pveversion below
Code:
# pveversion -v
proxmox-ve: 7.2-1 (running kernel: 5.15.35-1-pve)
pve-manager: 7.2-4 (running version: 7.2-4/ca9d43cc)
pve-kernel-5.15: 7.2-3
pve-kernel-helper: 7.2-3
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.15.30-2-pve: 5.15.30-3
ceph: 16.2.7
ceph-fuse: 16.2.7
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-2
libpve-storage-perl: 7.2-4
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.12-1
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.1-1
proxmox-backup-file-restore: 2.2.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-1
pve-container: 4.2-1
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.4-2
pve-ha-manager: 3.3-4
pve-i18n: 2.7-2
pve-qemu-kvm: 6.2.0-8
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1
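The capture above shows the actual failure: ADFS refuses the userinfo request because the access token's `aud` claim names the Web API (`microsoft:identityserver:<client id>`) rather than the UserInfo relying party trust (`urn:microsoft:userinfo`), so no claims ever come back to Proxmox. The following Python is an added example, not code from the thread or from Proxmox VE or ADFS: it decodes a JWT payload the way you would when inspecting the bearer token (signature deliberately not verified, inspection only), applies the same audience test ADFS describes in MSIS9921, and parses the `WWW-Authenticate` challenge from the capture to extract the two audiences. The token it builds is constructed and unsigned (`alg: none`), with a made-up subject, issuer and UPN; the challenge string is the one quoted in the post above.

```python
import base64
import json
import re

# Identifier ADFS reports for its UserInfo relying party trust in the
# MSIS9921 message captured in the post.
USERINFO_AUDIENCE = "urn:microsoft:userinfo"

# Client ID from the post; used here only to build a constructed sample token.
SAMPLE_CLIENT_ID = "4f560c8a-a8fd-4c01-abfb-b4518a986878"

# WWW-Authenticate value exactly as ADFS returned it in the capture above.
CAPTURED_CHALLENGE = (
    'Bearer error="invalid_token", '
    'error_description="MSIS9921: Received invalid UserInfo request. '
    "Audience 'microsoft:identityserver:4f560c8a-a8fd-4c01-abfb-b4518a986878' "
    "in the access token is not same as the identifier of the UserInfo relying "
    "party trust 'urn:microsoft:userinfo'.\""
)


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_token(aud):
    """Build a constructed, UNSIGNED compact JWT carrying the given 'aud'.

    Demo input only: a real ADFS access token is signed, and the signature
    must be verified against the ADFS signing keys before any claim is trusted.
    The issuer/subject/upn values are assumptions, not taken from the post.
    """
    header = {"typ": "JWT", "alg": "none"}
    payload = {
        "aud": aud,
        "iss": "http://adfs.service.example.com/adfs/services/trust",
        "sub": "constructed-subject",
        "upn": "user@example.com",
    }
    segments = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                for p in (header, payload)]
    return ".".join(segments + [""])  # empty signature segment (alg none)


def decode_claims(token):
    """Decode the payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def check_userinfo_audience(token):
    """Apply the test behind MSIS9921: does 'aud' name the UserInfo RP trust?

    'aud' may be a string or a list of strings per RFC 7519; both are handled.
    """
    aud = decode_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else ([] if aud is None else [aud])
    return {"aud": auds, "accepted": USERINFO_AUDIENCE in auds}


# auth-param: token "=" quoted-string (quoted strings may contain ',' and ').
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
_MISMATCH_RE = re.compile(
    r"Audience '([^']*)' in the access token is not same as the identifier "
    r"of the UserInfo relying party trust '([^']*)'"
)


def parse_bearer_challenge(header_value):
    """Parse a 'WWW-Authenticate: Bearer ...' value into its auth-params."""
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM_RE.findall(rest))


def audience_mismatch(header_value):
    """Return (audience in token, audience ADFS expects) for an MSIS9921
    challenge, or None if the challenge does not carry that message."""
    params = parse_bearer_challenge(header_value)
    match = _MISMATCH_RE.search(params.get("error_description", ""))
    return match.groups() if match else None


if __name__ == "__main__":
    rejected = make_demo_token("microsoft:identityserver:" + SAMPLE_CLIENT_ID)
    print("token aud check:", check_userinfo_audience(rejected))
    print("ADFS challenge says:", audience_mismatch(CAPTURED_CHALLENGE))
```

Running it against a token whose `aud` is only the client's `microsoft:identityserver:<client id>` reports `accepted: False`, which is the situation the capture shows; a token whose `aud` contains `urn:microsoft:userinfo` (alone or alongside the client identifier) passes the check. Note that the first post's `missing claim 'email'` log line is what Proxmox reports on its side; with a 401 and an empty body from `/adfs/userinfo`, there are no userinfo claims for it to read at all, so no change to the ADFS transform rules can make that particular request succeed until the audience problem is sorted out.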
Sorry to revive this old thread, but I am having the exact same issue as the poster above. Doesn't matter what I try, I am always getting the error "Audience 'microsoft:identityserver:<client-id>' in the access token is not same as the identifier of the UserInfo relying party trust 'urn:microsoft:userinfo'". As per most tutorials, I have added the "client id" to the "relying party identifiers" within the Web API properties to no avail.

Is it even possible to connect Proxmox to ADFS using OpenID?
 
