DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Wrong redirect on SAML auth #10735

Open Infernogeek1 opened 3 months ago

Infernogeek1 commented 3 months ago

Problem description

Hello. I am getting redirected to a wrong place when trying to do SAML auth.

Steps to reproduce

Steps to reproduce the behavior:

  1. Go to login page
  2. Click on 'Login with SAML'
  3. Get thrown back to login page

Expected behavior

Get logged in

Logs and configs

NGINX logs:

192.168.1.11 - - [01/Aug/2024:11:16:01 +0000] "POST /saml2/login/ HTTP/1.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" "192.168.1.11"
192.168.1.11 - - [01/Aug/2024:11:16:01 +0000] "GET /login?next=/saml2/login/ HTTP/1.0" 200 15709 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" "192.168.1.11"
192.168.1.11 - - [01/Aug/2024:11:16:28 +0000] "GET /saml2/login/ HTTP/1.0" 302 0 "https://defect.something.com/login?next=/saml2/login/" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" "192.168.1.11"
192.168.1.11 - - [01/Aug/2024:11:16:28 +0000] "GET /login?next=/saml2/login/ HTTP/1.0" 200 15709 "https://defect.something.com/login?next=/saml2/login/" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" "192.168.1.11"

local_settings.py

SITE_URL="https://defect.something.com/"
SAML2_ENABLED=True
SAML2_LOGIN_BUTTON_TEXT="Login with Authentik"
SAML2_METADATA_AUTO_CONF_URL="https://auth.something.com/api/v3/providers/saml/18/metadata/"
SAML2_ENTITY_ID='authentik'
SAML2_CREATE_USER=True
SAML2_ATTRIBUTES_MAP={ 
    'dojo_email': 'email',
    'UserName': 'username',
    'dojo_first_name': 'first_name',
    'dojo_last_name': 'last_name'
}
SAML2_ALLOW_UNKNOWN_ATTRIBUTE=True
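
The NGINX lines above show the pattern that characterizes this report: a request to `/saml2/login/` answered with a 302, immediately followed by the same client fetching `/login?next=/saml2/login/`, i.e. the SSO initiation endpoint itself being bounced to the local login form. The following script is an added example, not code from the DefectDojo project or from anyone in this thread; it parses nginx combined-format lines (the sample lines are constructed, modelled on the ones posted above, with the user-agent shortened) and flags every "302 then GET /login?next=<same path>" pair per client, so an operator can spot this loop in an access log without reading it by hand. The `/login` path and the `next` parameter name are assumptions taken from the log lines in the post.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample, modelled on the nginx access-log lines in the issue above.
# Client .11 shows the bounce twice; client .12 gets a 302 and then lands on
# a normal page, so it must not be reported.
SAMPLE_LOG = """\
192.168.1.11 - - [01/Aug/2024:11:16:01 +0000] "POST /saml2/login/ HTTP/1.0" 302 0 "-" "Mozilla/5.0" "192.168.1.11"
192.168.1.11 - - [01/Aug/2024:11:16:01 +0000] "GET /login?next=/saml2/login/ HTTP/1.0" 200 15709 "-" "Mozilla/5.0" "192.168.1.11"
192.168.1.11 - - [01/Aug/2024:11:16:28 +0000] "GET /saml2/login/ HTTP/1.0" 302 0 "https://defect.something.com/login?next=/saml2/login/" "Mozilla/5.0" "192.168.1.11"
192.168.1.11 - - [01/Aug/2024:11:16:28 +0000] "GET /login?next=/saml2/login/ HTTP/1.0" 200 15709 "https://defect.something.com/login?next=/saml2/login/" "Mozilla/5.0" "192.168.1.11"
192.168.1.12 - - [01/Aug/2024:11:17:00 +0000] "GET /saml2/login/ HTTP/1.0" 302 0 "-" "Mozilla/5.0" "192.168.1.12"
192.168.1.12 - - [01/Aug/2024:11:17:01 +0000] "GET /dashboard HTTP/1.0" 200 4321 "-" "Mozilla/5.0" "192.168.1.12"
"""

# Minimal nginx "combined" format matcher: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_login_bounces(log_text, login_path="/login"):
    """Return (client_ip, bounced_path) pairs where a request got a 302 and the
    same client's next request was GET <login_path>?next=<bounced_path>.
    That sequence is the login-redirect loop seen in the issue."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    last_by_ip = {}   # most recent request per client, to pair 302 -> next GET
    bounces = []
    for e in entries:
        prev = last_by_ip.get(e["ip"])
        if prev and prev["status"] == 302 and e["method"] == "GET":
            path, _, query = e["path"].partition("?")
            params = dict(urllib.parse.parse_qsl(query))  # decodes %2F etc.
            if path == login_path and params.get("next") == prev["path"]:
                bounces.append((e["ip"], prev["path"]))
        last_by_ip[e["ip"]] = e
    return bounces


def summarize(bounces, threshold=2):
    """Count bounces per (client, path) and keep those at or above threshold,
    so a single stray redirect is not reported as a loop."""
    counts = Counter(bounces)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, path), n in summarize(find_login_bounces(SAMPLE_LOG)).items():
        print(f"{ip}: {path} bounced to login {n} times")
```

Run against a real access log the same way (`find_login_bounces(open(path).read())`); a persistent hit on the SSO initiation path is the signal that the endpoint is being treated as login-protected rather than as the start of the SAML flow, which is what the rest of this thread investigates.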

manuel-sommer commented 3 months ago

@Infernogeek1: did you try the owasp slack channel?

Infernogeek1 commented 3 months ago

I tried the #defectdojo channel in OWASP Slack on August 1st.

mtesauro commented 3 months ago

@Infernogeek1 I'm not great or really even good with SAML but the people I do know who are good with SAML use this to debug issues like a bad redirect. Maybe giving it a try would help: https://chromewebstore.google.com/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch or https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

Infernogeek1 commented 3 months ago

According to SAML tracer, the attempt does not even get anywhere near actually issuing the SAML request.

GET https://defect.something.com/saml2/login HTTP/1.1
Host: defect.something.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Referer: https://defect.something.com/login?next=/saml2/login
Connection: keep-alive
Cookie: csrftoken=on3kreBy42vd28u5vpEy8UnY6bogUcit; dojo-sidebar=max
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 09 Aug 2024 23:08:20 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Location: /login?next=/saml2/login
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Vary: Cookie

Infernogeek1 commented 3 months ago

Here is the snippet from UWSGI logs.

[pid: 31|app: -|req: -/-] 192.168.1.11 (-) {62 vars in 1096 bytes} [Fri Aug 23 11:25:37 2024] GET /saml2/login => generated 0 bytes in 37 msecs (HTTP/1.0 302) 8 headers in 258 bytes (1 switches on core 1)
[pid: 31|app: -|req: -/-] 192.168.1.11 (-) {62 vars in 1119 bytes} [Fri Aug 23 11:25:37 2024] GET /login?next=/saml2/login => generated 15709 bytes in 43 msecs (HTTP/1.0 200) 10 headers in 481 bytes (1 switches on core 0)
[pid: 31|app: -|req: -/-] 192.168.1.11 (-) {62 vars in 1098 bytes} [Fri Aug 23 11:33:50 2024] GET /saml2/login => generated 0 bytes in 42 msecs (HTTP/1.0 302) 8 headers in 258 bytes (1 switches on core 1)
[pid: 31|app: -|req: -/-] 192.168.1.11 (-) {62 vars in 1121 bytes} [Fri Aug 23 11:33:50 2024] GET /login?next=/saml2/login => generated 15709 bytes in 49 msecs (HTTP/1.0 200) 10 headers in 481 bytes (1 switches on core 0)

dsever commented 3 weeks ago

Have you solved it?