From e9a2c4c721901e1e9262648bbaefb2d4840b5b40 Mon Sep 17 00:00:00 2001 From: monjiapawne <187591672+monjiapawne@users.noreply.github.com> Date: Tue, 23 Jun 2026 15:27:47 -0400 Subject: [PATCH 1/2] initial testing with forced auth passthrough --- core/files/entrypoint.sh | 1 + core/files/etc/misp-docker/initialisation.envars.json | 3 +++ docker-compose.yml | 1 + template.env | 6 ++++++ 4 files changed, 11 insertions(+) diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh index 96071127..47de5e17 100755 --- a/core/files/entrypoint.sh +++ b/core/files/entrypoint.sh @@ -52,6 +52,7 @@ export GPG_PASSPHRASE=${GPG_PASSPHRASE:-passphrase} export MISP_MODULES_FQDN=${MISP_MODULES_FQDN:-http://misp-modules} export ATTACHMENTS_DIR=${ATTACHMENTS_DIR:-/var/www/MISP/app/files} +export AUTH_ENFORCED=${AUTH_ENFORCED:-false} export AUTOCONF_GPG=${AUTOCONF_GPG:-true} export AUTOGEN_ADMIN_KEY=${AUTOGEN_ADMIN_KEY:-${AUTOCONF_ADMIN_KEY:-true}} export OIDC_ENABLE=${OIDC_ENABLE:-false} diff --git a/core/files/etc/misp-docker/initialisation.envars.json b/core/files/etc/misp-docker/initialisation.envars.json index 4a75175e..d28c15e9 100644 --- a/core/files/etc/misp-docker/initialisation.envars.json +++ b/core/files/etc/misp-docker/initialisation.envars.json @@ -27,5 +27,8 @@ "default_value": "${SALT}", "command_args": "-f", "blank_protection": true + }, + "Security.auth_enforced": { + "default_value": "${AUTH_ENFORCED}" } } diff --git a/docker-compose.yml b/docker-compose.yml index 075b38c6..019180a3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -150,6 +150,7 @@ services: - "DISABLE_IPV6=${DISABLE_IPV6}" - "DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT}" - "ENABLE_DB_SETTINGS=${ENABLE_DB_SETTINGS}" + - "AUTH_ENFORCED=${AUTH_ENFORCED}" - "ENABLE_BACKGROUND_UPDATES=${ENABLE_BACKGROUND_UPDATES}" - "ENCRYPTION_KEY=${ENCRYPTION_KEY}" - "SALT=${SALT}" diff --git a/template.env b/template.env index 304c26b9..ee6513ab 100644 --- a/template.env +++ b/template.env @@ -181,6 +181,11 @@ SYNCSERVERS_1_PULL_RULES= # Disable CA refresh # DISABLE_CA_REFRESH=true +# Enforce external authentication, disabling the builtin login form. +# Applies to any external provider (OIDC/LDAP/AAD/CustomAuth) +# WARNING: enable only after the external method is verified working, else you'll need to disable via the cli (cake) +# AUTH_ENFORCED=true + # Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.5/app/Plugin/OidcAuth/README.md # OIDC_ENABLE=true # OIDC_PROVIDER_URL= @@ -250,6 +255,7 @@ SYNCSERVERS_1_PULL_RULES= # LDAPAUTH_LDAPTLSPROTOCOLMIN="LDAP_OPT_X_TLS_PROTOCOL_TLS1_2" # Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md +# Note: AAD has no per plugin mixedAuth toggle. For AAD-only login set AUTH_ENFORCED=true # AAD_ENABLE=true # AAD_CLIENT_ID= # AAD_TENANT_ID= From 6444cb8ffc7d0873d7c94539dacd53eea2f92ff7 Mon Sep 17 00:00:00 2001 From: monjiapawne <187591672+monjiapawne@users.noreply.github.com> Date: Wed, 24 Jun 2026 17:41:02 -0400 Subject: [PATCH 2/2] docs: add AUTH_ENFORCED and AAD authentication --- README.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/README.md b/README.md index a9680e37..830a8279 100644 --- a/README.md +++ b/README.md @@ -179,6 +179,14 @@ GUARD_ARGS=--ssl-insecure -v ### Authentication +By default MISP shows its builtin email/password login form alongside any external provider. To disable the form and enforce external authentication, set: + +```bash +AUTH_ENFORCED=true +``` + +This maps to MISP's `Security.auth_enforced` setting and applies to any configured external provider (OIDC/LDAP/AAD/CustomAuth). + #### LDAP Authentication You can configure LDAP authentication in MISP using 2 methods: @@ -274,6 +282,27 @@ Valid options for `OIDC_AUTH_METHOD` are: - `client_secret_jwt`: _not tested_ - `private_key_jwt`: _not tested_ +#### AAD (Entra) Authentication + +AAD (Azure AD / Microsoft Entra) authentication is implemented through the MISP AaAAuth plugin. See upstream plugin docs for the full [Entra app registration walkthrough](https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md). + +```bash +AAD_ENABLE=true +AAD_CLIENT_ID="" +AAD_TENANT_ID="" +AAD_CLIENT_SECRET="" +AAD_REDIRECT_URI="https://misp.mydomain.com/users/login" # (same value in Azure AD) +AAD_PROVIDER="https://login.microsoftonline.com/" +AAD_PROVIDER_USER="https://graph.microsoft.com/" +# Entra group names mapped to MISP roles +AAD_MISP_USER="Misp Users" +AAD_MISP_ORGADMIN="Misp Org Admins" +AAD_MISP_SITEADMIN="Misp Site Admins" +AAD_CHECK_GROUPS=false +``` + +> Unlike OIDC/LDAP, AAD currently has no per-plugin auth toggle. For AAD only login combine the above with `AUTH_ENFORCED=true` (see above). + #### CustomAuth You can add authentication using the `Plugin.CustomAuth` plugin as described here https://www.circl.lu/doc/misp/appendices/#appendix-a-external-authentication. It will use a user provided http header to authenticate the user. This is useful where MISP runs behind an authenticating reverse proxy server.