
SAML Auth broken: "Error: key http://schemas.xmlsoap.org/.../name must not contain '.' " #10931

Closed
toughIQ opened this issue May 29, 2018 · 17 comments


toughIQ commented May 29, 2018

Description:

Login via SAML results in error:

Sorry, an annoying error occured
Error: key http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name must not contain '.'

Some Details:
We have a single RocketChat instance running via Ubuntu Snap. We connected it to our WinADFS Server using SAML. Everything worked fine until a few days back. We didn't change anything on the ADFS side. But I think there was an automatic update via snap to v 0.64.2. Since around then SAML Auth does not work anymore.

Server Setup Information:

  • Version of Rocket.Chat Server: 0.64.2
  • Operating System: Ubuntu
  • Deployment Method(snap/docker/tar/etc): snap
  • Number of Running Instances: 1

Steps to Reproduce:

  1. Configured SAML according to manual and hints like:
    saml configuration #2770 (comment)

Alternative Way:

  1. Install V 0.64.1
  2. Configure SAML
  3. Login via SAML -> should work
  4. Update V 0.64.2
  5. Login via SAML -> should fail

Expected behavior:

SAML Login window pops up at login and closes with success after username/password.

Actual behavior:

Browser displays error in Login window:

Sorry, an annoying error occured
Error: key http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name must not contain '.'

Relevant logs:

ADFS Server:

MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: null. 

RocketChat Server:

2018-05-29T13:49:23Z : { actionName: 'authorize',
2018-05-29T13:49:23Z :   serviceName: 'adfs',
2018-05-29T13:49:23Z :   credentialToken: 'id-4tgTLLjS9zgQ7oAdz' }
2018-05-29T13:49:23Z : [ { provider: 'adfs',
2018-05-29T13:49:23Z :     entryPoint: 'https://login.mydomain.com/adfs/ls',
2018-05-29T13:49:23Z :     idpSLORedirectURL: 'https://chat.mydomain.com/simplesaml/saml2/idp/SingleLogoutService.php',
2018-05-29T13:49:23Z :     issuer: 'https://chat.mydomain.com/',
2018-05-29T13:49:23Z :     cert: 'MIIC2...MoreCertData...H4=',
2018-05-29T13:49:23Z :     privateCert: false,
2018-05-29T13:49:23Z :     privateKey: false,
2018-05-29T13:49:23Z :     callbackUrl: 'https://chat.mydomain.com/_saml/validate/adfs',
2018-05-29T13:49:23Z :     id: 'id-75TL4oTvi4e8boZqG',
2018-05-29T13:49:23Z :     protocol: 'https://',
2018-05-29T13:49:23Z :     path: '/saml/consume',
2018-05-29T13:49:23Z :     identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
2018-05-29T13:49:23Z :     authnContext: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' } ]
2018-05-29T13:49:23Z : adfs
2018-05-29T13:49:23Z : { actionName: 'validate',
2018-05-29T13:49:23Z :   serviceName: 'adfs',
2018-05-29T13:49:23Z :   credentialToken: undefined }
2018-05-29T13:49:23Z : [ { provider: 'adfs',
2018-05-29T13:49:23Z :     entryPoint: 'https://login.mydomain.com/adfs/ls',
2018-05-29T13:49:23Z :     idpSLORedirectURL: 'https://chat.mydomain.com/simplesaml/saml2/idp/SingleLogoutService.php',
2018-05-29T13:49:23Z :     issuer: 'https://chat.mydomain.com/',
2018-05-29T13:49:23Z :     cert: 'MIIC2...MoreCertData...H4=',
2018-05-29T13:49:23Z :     privateCert: false,
2018-05-29T13:49:23Z :     privateKey: false,
2018-05-29T13:49:23Z :     callbackUrl: 'https://chat.mydomain.com/_saml/validate/adfs',
2018-05-29T13:49:23Z :     id: 'id-4tgTLLjS9zgQ7oAdz',
2018-05-29T13:49:23Z :     protocol: 'https://',
2018-05-29T13:49:23Z :     path: '/saml/consume',
2018-05-29T13:49:23Z :     identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
2018-05-29T13:49:23Z :     authnContext: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' } ]
2018-05-29T13:49:23Z : adfs
2018-05-29T13:49:26Z : RESULT :undefined

I am not sure if this might be a hint, but at first we have "2018-05-29T13:49:23Z :   credentialToken: 'id-4tgTLLjS9zgQ7oAdz' }" and some lines later we see "2018-05-29T13:49:23Z :   credentialToken: undefined }".
UPDATE: this credentialToken thing seems to be normal. Also found in working 0.64.1.

Author

toughIQ commented May 30, 2018

I did some quick testing using Docker images:

  1. Setup V0.64.1 with SAML
  2. Tried SAML Login -> works
  3. Upgraded to V0.64.2
  4. Tried SAML Login again -> fails

Anything changed with SAML except for this multi-site issue?

Author

toughIQ commented May 30, 2018

The error message really drives me crazy, since I cannot figure out what is wrong here.
Message:
Error: key http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name must not contain '.'

I looked into the logs of a working (0.64.1) instance and found the following result:
RESULT :{"profile":{"inResponseToId":{"name":"InResponseTo","value":"id-dQRMwkLx7RGroK6iY","prefix":"","local":"InResponseTo","uri":""},"issuer":"https://login.mycompany.com/adfs/services/trust","nameID":"[email protected]","nameIDFormat":{"name":"Format","value":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress","prefix":"","local":"Format","uri":""},"sessionIndex":{"name":"SessionIndex","value":"_81149700-9e21-4be9-b245-c7287c1747a8","prefix":"","local":"SessionIndex","uri":""},"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"Surname Firstname","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":"[email protected]","http://schemas.xmlsoap.org/claims/Group":"Domain Users","username":"Surname Firstname","email":"[email protected]"}}

From my understanding the following part triggers the error message:
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"Surname Firstname"

But I can't see any reason why this result would trigger the "must not contain '.'" message, since there is no '.' anywhere.

Contributor

misi commented May 31, 2018

The problem is that MongoDB doesn't support a dot in a key name: https://stackoverflow.com/questions/12397118/mongodb-dot-in-key-name

misi added a commit to misi/Rocket.Chat that referenced this issue May 31, 2018
Mongo DB doesn't support "." as a key
Fix RocketChat#10931
Author

toughIQ commented May 31, 2018

@misi so this happens since auth keys were moved from memory to mongo in v0.64.2.

Contributor

misi commented May 31, 2018

I have added a PR, #10961, that works for me.

@ChessSpider

still no SAML unit tests eh 😞 👎 ..broken again

engelgabriel added this to the 0.66.0 milestone Jun 2, 2018
@engelgabriel
Member

@ChessSpider @toughIQ @misi can you help us create unit tests for SAML? We don't have anyone in the core team with enough experience to do it.

@ChessSpider

@engelgabriel Hi, what kind of help is required?
I have set up SimpleSAML with OpenLDAP and Rocket.Chat, all running in Docker. I can share (parts of) the Docker images and configurations, if that helps?

Contributor

misi commented Jun 6, 2018

@engelgabriel Sure. Let me know what kind of help you are expecting.

@ChessSpider

ChessSpider commented Jun 11, 2018

@engelgabriel non-intrusive reminder

Additionally, is there a temporary fix for this? Or when will the next version be launched? No one can log in now, still. I am running 0.65.1.

Contributor

misi commented Jun 12, 2018

@ChessSpider
Could you please describe your issue in more detail here?
Or, if you opened a separate issue, add a link to it here?

@ChessSpider

ChessSpider commented Jun 12, 2018 via email

@ChessSpider

ChessSpider commented Jun 12, 2018

Sorry, an annoying error occured
Error: key urn:oid:2.5.4.3 must not contain '.'
Close Window

which corresponds to 'commonName'.

I also saw the same error for this field: http://www.alvestrand.no/objectid/0.9.2342.19200300.100.1.1.html

Any ideas? I am running version 0.65.1.

Author

toughIQ commented Jun 12, 2018

@ChessSpider this fix is scheduled for 0.66.0 in late June. Since this was a blocker for my installation too, I went from snap to docker installation and used a custom 0.64.2 image to which I applied the SAML fix manually.

@ChessSpider

ChessSpider commented Jun 12, 2018

Cool. Thx. Guess I'll do that too then 👍

Would you want to share your Dockerfile to save me some work?

Author

toughIQ commented Jun 12, 2018

@ChessSpider I am sorry, but I did this quick and dirty and didn't save my Dockerfile.
But I pushed my image to DockerHub: https://hub.docker.com/r/toughiq/rocketchat/

docker pull toughiq/rocketchat:0.64.2samlfix

@ChessSpider

ChessSpider commented Jun 20, 2018

@toughIQ
Thanks, but I only want to run the official Docker releases of Gitlab. Can you maybe help me with my Dockerfile?


# the base image (FROM) is not shown here; it must provide curl, npm and the rocketchat user used below
RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*

RUN curl https://install.meteor.com/ | sh

RUN git clone https://github.com/RocketChat/Rocket.Chat
WORKDIR Rocket.Chat
# switch the working tree to the commit carrying the SAML fix
# ("git branch <sha>" only creates a branch name and leaves HEAD unchanged)
RUN git checkout 681b456083835a6c87e0ba9d2cea63144fa2e025
RUN npm update
RUN mkdir -p /home/rocketchat && chown -R rocketchat:rocketchat /home/rocketchat/
#USER rocketchat
# meteor refuses to run as root unless this is set
ENV METEOR_ALLOW_SUPERUSER=yes
RUN ./example-build-run.sh
MAINTAINER [email protected]

#RUN set -x \
# && cd /app/bundle/programs/server \
# && npm install \
# && npm cache clear --force \
RUN chown -R rocketchat:rocketchat /app

USER rocketchat

VOLUME /app/uploads

WORKDIR /app/bundle

# needs a mongo instance - defaults to container linking with alias 'mongo'
ENV DEPLOY_METHOD=docker \
    NODE_ENV=production \
    MONGO_URL=mongodb://mongo:27017/rocketchat \
    HOME=/tmp \
    PORT=3000 \
    ROOT_URL=http://localhost:3000 \
    Accounts_AvatarStorePath=/app/uploads

EXPOSE 3000

CMD ["node", "main.js"]

errors with:

on the very first build, meteor build command should fail due to a bug on emojione package (related to phantomjs installation)
the command below forces the error to happen before build command (not needed on subsequent builds)
set +e
+ set +e
meteor add rocketchat:lib
+ meteor add rocketchat:lib
/root/.meteor/packages/meteor-tool/.1.7.0_3.u9lhms.hf7k++os.linux.x86_64+web.browser+web.browser.legacy+web.cordova/mt-os.linux.x86_64/tools/cli/main.js:1522
}).run();
^

SyntaxError: Unexpected token y in JSON at position 0
    at JSON.parse ()
    at /tools/cli/main.js:837:12
set -e
+ set -e
meteor build --server-only --directory $DEPLOY_DIR
+ meteor build --server-only --directory /var/www/rocket.chat
/root/.meteor/packages/meteor-tool/.1.7.0_3.u9lhms.hf7k++os.linux.x86_64+web.browser+web.browser.legacy+web.cordova/mt-os.linux.x86_64/tools/cli/main.js:1522
}).run();
^

SyntaxError: Unexpected token y in JSON at position 0
    at JSON.parse ()
    at /tools/cli/main.js:837:12
