{"id":2211,"date":"2026-06-05T22:29:17","date_gmt":"2026-06-05T20:29:17","guid":{"rendered":"https:\/\/cln.io\/blog\/?p=2211"},"modified":"2026-06-05T22:30:01","modified_gmt":"2026-06-05T20:30:01","slug":"misp-authentik-oidc","status":"publish","type":"post","link":"https:\/\/cln.io\/blog\/misp-authentik-oidc\/","title":{"rendered":"Hooking MISP up to Authentik (OIDC) + trusting an internal CA"},"content":{"rendered":"\n

Notes to future me: getting MISP<\/a> to do SSO against Authentik<\/a> over OIDC, on an internal network where the IdP cert is signed by a corporate CA. Two halves \u2014 the OIDC wiring (with one env-var gotcha that cost me an afternoon) and getting MISP to trust the CA (a cURL #60<\/code> that survives “but I mounted the cert”).<\/p>\n\n\n\n

Stack: official ghcr.io\/misp\/misp-docker\/misp-core<\/code> (we run a mirror of v2.5.32<\/code>), Authentik as the IdP, Traefik out front, Docker Swarm.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Authentik side<\/h2>\n\n\n\n

Create an Application<\/strong> + an OAuth2\/OpenID Provider<\/strong> (confidential):<\/p>\n\n\n\n

    \n
  • Redirect URI<\/strong>: https:\/\/misp.example\/users\/login<\/code> (MISP comes back here)<\/li>\n\n\n\n
  • Scopes<\/strong>: openid<\/code>, profile<\/code>, email<\/code>, and add the groups<\/strong> scope mapping so the groups<\/code> claim is actually emitted \u2014 that\u2019s what MISP maps roles from<\/li>\n\n\n\n
  • Grab the Client ID<\/strong> and Client secret<\/strong><\/li>\n\n\n\n
  • Your issuer<\/strong> is https:\/\/auth.example\/application\/o\/<app-slug>\/<\/code> (the slug is the application slug)<\/li>\n<\/ul>\n\n\n\n

    That\u2019s it on the IdP. Everything else is MISP env.<\/p>\n\n\n\n

    MISP side: the env vars that actually matter<\/h2>\n\n\n\n

    The footgun: the official misp-docker<\/code> image reads the OIDC_*<\/code><\/strong> namespace, gated behind OIDC_ENABLE=true<\/code><\/strong>. There\u2019s a different<\/em> image build floating around that uses SECURITY_AUTH: \"OidcAuth.Oidc\"<\/code> + OIDCAUTH_*<\/code> \u2014 those are silently inert<\/strong> on the official image. No error, SSO just never engages.<\/p>\n\n\n\n

    It comes down to one switch in the entrypoint:<\/p>\n\n\n\n

    # core\/files\/configure_misp.sh -> set_up_oidc()\nif [[ \"$OIDC_ENABLE\" == \"true\" ]]; then\n    ...\n    # writes OidcAuth.* into config.php via modify_config.php\n    echo \"... OIDC authentication enabled\"\nfi<\/pre>\n\n\n\n
    No OIDC_ENABLE=true<\/code> \u2192 that block never runs \u2192 Security.auth<\/code> stays empty. So make sure you\u2019re on OIDC_*<\/code>, not OIDCAUTH_*<\/code>.<\/p>\n\n\n\n
    A working block:<\/p>\n\n\n\n
    OIDC_ENABLE: \"true\"\nOIDC_PROVIDER_URL: \"https:\/\/auth.example\/application\/o\/misp\/\"\nOIDC_ISSUER: \"https:\/\/auth.example\/application\/o\/misp\/\"\nOIDC_CLIENT_ID: \"misp\"\nOIDC_CLIENT_SECRET: \"<from-authentik>\"\nOIDC_AUTH_METHOD: \"client_secret_post\"\nOIDC_CODE_CHALLENGE_METHOD: \"S256\"\nOIDC_ROLES_PROPERTY: \"groups\"\nOIDC_ROLES_MAPPING: '{\"SOC_Admins\": 1, \"SOC_Analysts\": 3}'\nOIDC_DEFAULT_ORG: \"ACME\"\nOIDC_MIXEDAUTH: \"true\"\nOIDC_SCOPES: '[\"openid\", \"profile\", \"email\", \"groups\"]'\nOIDC_REDIRECT_URI: \"https:\/\/misp.example\/users\/login\"\nOIDC_LOGOUT_URL: \"https:\/\/auth.example\/application\/o\/misp\/end-session\/\"<\/pre>\n\n\n\n
    OIDC_MIXEDAUTH: \"true\"<\/code> keeps local admin login working alongside SSO (instead of force-redirecting to Authentik) \u2014 handy when you\u2019re still setting it up.<\/p>\n\n\n\n
    OIDC_ROLES_MAPPING<\/code> is JSON, not key=value<\/code><\/h3>\n\n\n\n
    The value is dropped raw<\/em> into a JSON document:<\/p>\n\n\n\n
    \"role_mapper\": ${OIDC_ROLES_MAPPING},<\/pre>\n\n\n\n
    So it must be a valid JSON object, group \u2192 MISP role id:<\/p>\n\n\n\n
    {\"SOC_Admins\": 1, \"SOC_Analysts\": 3}<\/pre>\n\n\n\n
    MISP role ids: 1<\/code> = admin (site admin), 2<\/code> = org admin, 3<\/code> = user, 4<\/code> = publisher. Feed it the A=2,B=4<\/code> form from that other image and you just get broken JSON.<\/p>\n\n\n\n
    Trusting the internal CA<\/h2>\n\n\n\n
    OIDC\u2019s wired, you click through, and:<\/p>\n\n\n\n
    [CertMichelin\\OpenIDConnectClientException] cURL error #60: SSL certificate problem: unable to get local issuer certificate\nRequest URL: \/users\/login?OidcAuth=enable<\/pre>\n\n\n\n
    The IdP cert is signed by our internal CA and MISP doesn\u2019t trust it. First question: which<\/em> trust store does the OIDC client even use? It\u2019s certmichelin\/openid-connect-php<\/code> \u2192 plain PHP cURL, and in the image:<\/p>\n\n\n\n
    php -i | grep -iE \"curl.cainfo|openssl.cafile\"\n# curl.cainfo  => no value\n# openssl.cafile => no value<\/pre>\n\n\n\n
    No override, no setCertPath()<\/code> in MISP\u2019s Oidc.php<\/code> \u2014 so it\u2019s cURL\u2019s default = the system bundle \/etc\/ssl\/certs\/ca-certificates.crt<\/code><\/strong>. (Not CakePHP\u2019s cacert.pem<\/code>, so DISABLE_CA_REFRESH<\/code> is a red herring.)<\/p>\n\n\n\n
    That bundle is rebuilt at boot by update-ca-certificates<\/code>, which pulls .crt<\/code> files from \/usr\/local\/share\/ca-certificates\/<\/code>. The image runs it on startup, so just drop the CA in there:<\/p>\n\n\n\n
    secrets:\n  INTERNAL_ROOT_CA:\n    external: true\n  INTERNAL_SUB_CA:\n    external: true\nservices:\n  misp:\n    secrets:\n      - source: INTERNAL_ROOT_CA\n        target: \/usr\/local\/share\/ca-certificates\/INTERNAL_ROOT_CA.crt\n      - source: INTERNAL_SUB_CA\n        target: \/usr\/local\/share\/ca-certificates\/INTERNAL_SUB_CA.crt<\/pre>\n\n\n\n
    One cert per file (this is the bit that bit me)<\/h3>\n\n\n\n
    I first mounted a single concatenated bundle (root + sub-CA in one .crt<\/code>). Still #60. A multi-cert file does<\/em> get its certs into ca-certificates.crt<\/code>, but update-ca-certificates<\/code> warns and skips the rehash:<\/p>\n\n\n\n
    rehash: warning: skipping bundle.pem, it does not contain exactly one certificate or CRL\n1 added, 0 removed<\/pre>\n\n\n\n
    Splitting it into two separate .crt<\/code> files \u2014 root and sub-CA each on their own \u2014 fixed it.<\/strong> The chain needs both the root and<\/em> the issuing sub-CA trusted, and one-cert-per-file is what update-ca-certificates<\/code> actually wants. 🎉<\/p>\n\n\n\n
    Confirm trust before blaming MISP:<\/p>\n\n\n\n
    MISP=$(docker ps -q --filter \"name=misp_misp\")\ndocker exec $MISP sh -c 'echo | openssl s_client -connect auth.example:443 -servername auth.example \\\n  -CAfile \/etc\/ssl\/certs\/ca-certificates.crt 2>\/dev\/null | grep -i \"Verify return code\"'\n# Verify return code: 0 (ok)   <- you want this<\/pre>\n\n\n\n
    0 (ok)<\/code> \u2192 the OIDC handshake works. If you still get “unable to get local issuer certificate” while your CAs are in the bundle, your server isn\u2019t sending the intermediate \u2014 which is exactly why you trust both the root and<\/em> the sub-CA.<\/p>\n\n\n\n
    \n\n\n\n
    This post was written with the help of Claude (Opus 4), Anthropic\u2019s AI assistant.<\/p>\n","protected":false},"excerpt":{"rendered":"
    Wiring MISP to Authentik over OIDC on the official misp-docker image (OIDC_* vs OIDCAUTH_*, JSON role mapping) and getting it to trust an internal CA \u2014 the cURL #60 fix is one cert per .crt file.<\/p>\n","protected":false},"author":1,"featured_media":2221,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,48,26],"tags":[],"class_list":["post-2211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-authentication","category-security","category-it"],"_links":{"self":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/2211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/comments?post=2211"}],"version-history":[{"count":5,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/2211\/revisions"}],"predecessor-version":[{"id":2224,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/2211\/revisions\/2224"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media\/2221"}],"wp:attachment":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media?parent=2211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/categories?post=2211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/tags?post=2211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}