LibreChat, ADFS and Certificate

[KiS-please]

Hi everyone.

What happened

I can't configure authorization via ADFS. When I configure OpenID (based on the Azure instructions) and run backend, I get a certificate error: "error: [openidStrategy] unable to get local issuer certificate".

My Setup:

I have LibreChat (v 0.7.0 and v 0.7.1) with MongoDB Replica Set. I also have AD and ADFS servers with their own certificate authority.OS: Ubuntu 22.04. Manual instalation.HAproxy for https.

What I tried:

I added certificates to the system itself - it didn't help.
I added an entry for certificates (root and ADFS) to .npmrc file - it did not help.

cafile=/home/user/certs/adfs_cert.crt
cafile=/home/user/certs/root_cert_auth.crt

I added an entry to disable SSL checking in .npmrc file - it did not help.

strict-ssl=false

Perhaps I do not understand the ADFS authorization setting correctly, this is my first time. But I believe that first I need to get rid of the error: "error: [openidStrategy] unable to get local issuer certificate".
Perhaps someone has already set this up. Any ideas? I will be glad for any help.

Thnx.

[ervet]

Hello @KiS-please

ADFS mostly uses SAML based implementation. LibreChat uses OpenID which is different. Normally ADFS should able to do also OpenID. You can find multiple HowTo out their for implementing OpenID - SSO and ADFS.

Technically it must be possible. For example here some HowTo's for other ADFS <-> OpenID implementations.

https://support.just.social/hc/de/articles/12713877575186-SSO-mit-ADFS-und-OpenID-Connect-OIDC
https://wiki.resolution.de/doc/openid-oauth-authentication/latest/setup-guides/adfs-setup-guide

Greetings
Erik

[KiS-please]

Yes, it's similar to how I set it up. It seems to me that my main problem is that Node.js (or npm? I’m not very well versed in terminalology yet) reports a certificate error. Typically Java requires the addition of third party root certificates. And I reasoned by analogy.

[danny-avila]

I'm not too versed in this but some quick research seems like OAuth2 is available via ADFS v3.

https://stackoverflow.com/questions/72304173/oauth-with-passport-js-for-adfs-instead-of-google
https://stackoverflow.com/questions/16650792/best-adfs-protocol-support-for-node-js

If you're having issues with OpenID Connect, it could be that an OAuth2 specific strategy could be needed.

Found this example on github, and could use some pointers on setting up ADFS to test it myself:
https://github.com/chrisprice/adfs-example-integration/blob/master/index.js

[KiS-please]

Thank you. I couldn't find these examples.
I'll try it on the weekend when the server is free.
Anyway, thanks for the friendly community.

[KiS-please]

Hi everyone.
I solved the error with certificates.
The instructions at https://stackoverflow.com/questions/23788564/npm-add-root-ca helped me.
I uploaded all global root-certificates to a file and added my root certificate.

curl -o ~/.npm.certs.pem https://curl.se/ca/cacert.pem
cat my-ca-cert.pem >> ~/.npm.certs.pem

Then added an environment variable to the LibreChat service

[Service]
Environment="NODE_EXTRA_CA_CERTS=/home/adm_infra/.npm.certs.pem"

A little more tweaking and I was up again with a new error.
After logging into ADFS I get an internal server error 500.
In the logs "ValidationError: User validation failed: email: can't be blank".
I mean that I need to configure the mapping and I did it (it seems so to me).
My AD has a "mail" attribute and I need to convert it to "email". But somewhere I'm wrong in the mapping. Anyone familiar with this?

[veix90]

@KiS-please, did you solve it?

[KiS-please]

@veix90 , Unfortunately, I could not configure AD FS connection. But fortunately, the developers added LDAP support and I configured it. Of course, these are not the same thing.