9p4 / jellyfin-plugin-sso

This plugin allows users to sign in through an SSO provider (such as Google, Microsoft, or your own provider). This enables one-click signin.
GNU General Public License v3.0

UniFi ID SAML Error #141

Open huslage opened 1 year ago

huslage commented 1 year ago

Describe the bug

I have set up a new SAML application in UniFi Identity (UID) that points to my Jellyfin instance. At first it was complaining about the ACS URL being wrong. It appears that the current documentation contains the wrong URL to be set up. After analyzing the error response, I put the correct ACS URL into the UID config. Now I'm getting a valid SAML Response, but the Linking page still shows an error: jellyfin log file extract

To Reproduce

Steps to reproduce the behavior:

Expected behavior

I would expect the successful response from the IdP would be parsed and the linking would succeed.

Screenshots

See this Gist

Configuration

See this Gist

Versions (please complete the following information):

Additional context

Jellyfin Mac App from the website. Installed plugin from repo listed in README.md.

9p4 commented 1 year ago

Does the certificate in the configuration have linebreaks?

huslage commented 1 year ago

In the SSO-Auth.xml:

<SamlCertificate>MIIEUTCC...qiMiS5dznV1G7lNokEl0gKY</SamlCertificate>

No line breaks.

9p4 commented 1 year ago

Is the Jellyfin server running on Windows, Linux, or something else?

huslage commented 1 year ago

It’s on MacOS 13.5.1 (as mentioned in the ticket) using the Jellyfin.app that I self-signed. It works great other than this issue.

9p4 commented 1 year ago

Is the SAML assertion you are using encrypted or just signed?

huslage commented 1 year ago

It’s just signed.

9p4 commented 1 year ago

Does SAML login function correctly?

huslage commented 1 year ago

The binding never completes, so no.

9p4 commented 1 year ago

Not the linking, but if you just go to jellyfin/sso/SAML/p/UID, does the login succeed?

huslage commented 1 year ago

No, I get the same error in the logs:

[2023-09-01 10:14:54.227 -04:00] [ERR] [53] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request. URL "POST" "/sso/SAML/p/UID".
System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
   at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
   at System.Convert.FromBase64String(String s)
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.SamlPost(String provider, String relayState)
   at lambda_method1221(Closure , Object , Object[] )
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.SyncActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Jellyfin.Server.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Server.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Server.Middleware.IpBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Server.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Server.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Server.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Server.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Server.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Server.Middleware.ExceptionMiddleware.Invoke(HttpContext context)

9p4 commented 1 year ago

Just to check the characters used in your SAML certificate, can you put the certificate into a file, then run cat certificatefile.txt | grep -o . | sort | uniq? This will give me a list of the characters. You might have a non-standard Base64 certificate that uses slightly different characters.

9p4 commented 1 year ago

Furthermore, are the assertions signed or documents signed?

huslage commented 1 year ago

Here's the character list:

+ 0 1 2 3 4 5 6 8 9 = A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z

Nothing strange there. The assertions and documents are both signed.
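The two things 9p4 asks the reporter to check (whether the certificate is strictly standard Base64, and whether the signature sits on the Response, on the Assertion, or on both) can be scripted against a captured SAMLResponse. The following is an added diagnostic written for this page, not code from the plugin or from either participant; the XML and certificate samples are constructed placeholders, and the `.NET Convert.FromBase64String` behaviour it mirrors (whitespace skipped, any other non-alphabet character rejected) is the one the stack trace above reports.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
DS = "{http://www.w3.org/2000/09/xmldsig#}Signature"
ASSERTION = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"
ENCRYPTED = "{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion"

def check_base64(text: str) -> dict:
    """Explain why a strict decoder such as .NET Convert.FromBase64String (which skips
    whitespace but rejects everything else) would throw on a certificate or SAMLResponse."""
    compact = "".join(text.split())            # whitespace is tolerated, so ignore it
    bad = sorted(set(compact) - B64_ALPHABET)  # e.g. '-' from PEM armour or the URL-safe alphabet
    try:
        base64.b64decode(compact, validate=True)
        decodes = True
    except (binascii.Error, ValueError):
        decodes = False
    return {"pem_armour": "-----BEGIN" in text, "bad_chars": bad,
            "padding_ok": len(compact) % 4 == 0 and "=" not in compact.rstrip("="),
            "decodes": decodes}

def signature_locations(xml_bytes: bytes) -> dict:
    """Report where the IdP placed its XML-DSig: on the Response, on each Assertion, or both."""
    root = ET.fromstring(xml_bytes)
    return {"response_signed": root.find(DS) is not None,
            "assertion_signed": [a.find(DS) is not None for a in root.findall(ASSERTION)],
            "encrypted_assertion": root.find(ENCRYPTED) is not None}

def inspect_saml_response(saml_response_b64: str) -> dict:
    """Run both checks on the SAMLResponse form field of an HTTP-POST binding."""
    report = {"base64": check_base64(saml_response_b64)}
    if report["base64"]["decodes"]:
        report["signatures"] = signature_locations(base64.b64decode("".join(saml_response_b64.split())))
    return report

# Constructed sample: a Response signed at both levels, as the reporter described.
SAMPLE_XML = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
              b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature/>'
              b'<saml:Assertion><ds:Signature/></saml:Assertion></samlp:Response>')
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_XML).decode()
# Constructed placeholder, not a real X.509 certificate: the same Base64 with and without PEM armour.
RAW_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
PEM_CERT = "-----BEGIN CERTIFICATE-----\n" + RAW_CERT_B64 + "\n-----END CERTIFICATE-----\n"
```

Feeding a real SAMLResponse (copied from the browser's POST to /sso/SAML/p/UID) to `inspect_saml_response` tells you whether the failure is at the Base64 layer or in how the IdP signs.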

9p4 commented 1 year ago

In my testing environment (and in the docs), only the document should be signed. Try turning off signed assertions?

huslage commented 1 year ago

I don’t have the option to customize any of the assertions. Is there a reason you don’t just accept the xml metadata and act accordingly?

9p4 commented 1 year ago

Enabling signed assertions in Keycloak still works for me. Unfortunately, I can't seem to get access to Unifi Identity, and it may make it harder for me to reproduce your issue. If you are willing, can you email me the unredacted public certificate that you are using? My contact information is at https://ersei.net/en/contact-me

9p4 commented 11 months ago

Is there any update?