OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

Generic error with SAML #52

Closed BrentRose closed 2 years ago

BrentRose commented 2 years ago

I deployed OU on a test cluster and successfully plumbed it up to the Tremolo SAML2 test lab, and I'm ready to reconfigure it to point to my company's SAML provider. I exchanged metadata with my SAML provider and reconfigured my values.yaml with an empty idp_url and populated the metadata_xml_b64. I reran ouctl and it looks like it applies the changes, but I get the following error when accessing the site:

[screenshot]

Using curl I see the following:

[screenshot]

Here is the decoded SAML response.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://k8sou-vmt.qa.local/auth/saml2" ID="_e3cf999bbd14d2e4" InResponseTo="f6364a6fe7d08f818dc79df6f6f926511c48181ff" IssueInstant="2022-07-13T14:09:14.916Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sfmc-qa.auth.securid.com/saml-fe/sso</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>Server error</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>

If you watch closely when you make the connection, you can see the redirect, but it happens very fast and goes straight to the generic message above.

mlbiam commented 2 years ago

Can you please provide the logs from the openunison-orchestra? This screen comes with an error in the logs.

mlbiam commented 2 years ago

Also, the Response tells you there was an issue on the remote identity provider:

<saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
  </saml2p:StatusCode>
  <saml2p:StatusMessage>Server error</saml2p:StatusMessage>
</saml2p:Status>
BrentRose commented 2 years ago

Let me know if you need to see more. This is likely what you are looking for since the rest of the log entries look normal.

[2022-07-13 14:58:02,516][XNIO-1 task-1] ERROR UnisonServletFilter - Could not process request
java.net.MalformedURLException: no protocol: 43b1bf4bb5b3a70e49e4849ef02e352f20ac0ee9
        at java.net.URL.<init>(URL.java:645) ~[?:?]
        at java.net.URL.<init>(URL.java:541) ~[?:?]
        at java.net.URL.<init>(URL.java:488) ~[?:?]
        at com.tremolosecurity.config.util.UnisonConfigManagerImpl.findURL(UnisonConfigManagerImpl.java:781) ~[unison-server-core-1.0.31.jar:?]
        at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:239) ~[unison-server-core-1.0.31.jar:?]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:387) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
        at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) ~[xnio-api-3.8.7.Final.jar:3.8.7.Final]
        at java.lang.Thread.run(Thread.java:829) ~[?:?]
mlbiam commented 2 years ago

[2022-07-13 14:58:02,516][XNIO-1 task-1] ERROR UnisonServletFilter - Could not process request

No, that's a cookie issue. In the openunison logs you'll probably see something like "No assertions found". Right now, your identity provider is sending a response with no assertions.

BrentRose commented 2 years ago

Do the assertions come after the login or before? I never get a chance to authenticate to the SAML service since it immediately redirects back to OU with the error. Attaching orchestra logs: orchestra-logs.txt

mlbiam commented 2 years ago

Do the assertions come after the login or before?

After. The assertion is what the SAML2 identity provider sends to OpenUnison in the POST; it says who logged in, how, and when.

Here's the error you're looking for in the openunison logs that corresponds with the SAML response included in this issue:

[2022-07-13 13:49:31,172][XNIO-1 task-1] ERROR ConfigSys - Could not process request
javax.servlet.ServletException: error parsing assertion
    at com.tremolosecurity.proxy.auth.SAML2Auth.doPost(SAML2Auth.java:886) ~[unison-server-core-1.0.31.jar:?]
    at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:198) ~[unison-server-core-1.0.31.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.31.jar:?]
    at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:89) ~[unison-sdk-1.0.31.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:111) ~[unison-server-core-1.0.31.jar:?]
    at com.tremolosecurity.proxy.auth.AuthSys.doAuth(AuthSys.java:88) ~[unison-server-core-1.0.31.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:105) ~[unison-server-core-1.0.31.jar:?]
    at com.tremolosecurity.proxy.ConfigSys.doConfig(ConfigSys.java:296) ~[unison-server-core-1.0.31.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:93) ~[unison-server-core-1.0.31.jar:?]
    at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:299) ~[unison-server-core-1.0.31.jar:?]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100) ~[undertow-servlet-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:387) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852) ~[undertow-core-2.2.18.Final.jar:2.2.18.Final]
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) ~[xnio-api-3.8.7.Final.jar:3.8.7.Final]
    at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: java.lang.Exception: No assertions found
    at com.tremolosecurity.proxy.auth.SAML2Auth.doPost(SAML2Auth.java:759) ~[unison-server-core-1.0.31.jar:?]
    ... 44 more

This means there was an error on your identity provider that caused the assertion not to be generated. You need to reach out to them to understand what the issue is, since there are no details in the SAML response.
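As an added example (not code from this issue or from the OpenUnison project), the following Python decodes a posted SAMLResponse and reports the StatusCode chain, StatusMessage and assertion count, so an SP operator can tell an IdP-side failure like the one above from a local misconfiguration. The first sample is constructed from the response quoted in this issue; the second is a placeholder Success response with a hypothetical issuer, included only for contrast.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the Responder/AuthnFailed response quoted in this issue,
# base64-encoded the way the IdP POSTs it in the SAMLResponse form field.
FAILED_RESPONSE_B64 = base64.b64encode((
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml2p:Response Destination="https://k8sou-vmt.qa.local/auth/saml2" '
    'ID="_e3cf999bbd14d2e4" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sfmc-qa.auth.securid.com/saml-fe/sso</saml2:Issuer>'
    '<saml2p:Status>'
    '<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    '<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>'
    '</saml2p:StatusCode><saml2p:StatusMessage>Server error</saml2p:StatusMessage>'
    '</saml2p:Status></saml2p:Response>').encode()).decode()

# Constructed sample of the shape a healthy login produces: top-level Success
# plus one Assertion (hypothetical issuer, no signature, for contrast only).
SUCCESS_RESPONSE_B64 = base64.b64encode((
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">'
    '<saml2:Issuer>https://idp.example.test/sso</saml2:Issuer><saml2p:Status>'
    '<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</saml2p:Status><saml2:Assertion ID="_a1" Version="2.0"/></saml2p:Response>'
).encode()).decode()


def triage_saml_response(saml_response_b64: str) -> dict:
    """Summarise a SAMLResponse: status chain (outer first), message, assertions."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:  # nested codes, e.g. Responder -> AuthnFailed
        codes.append(node.get("Value", "").rsplit(":", 1)[-1])
        node = node.find("samlp:StatusCode", NS)
    assertions = (len(root.findall("saml:Assertion", NS))
                  + len(root.findall("saml:EncryptedAssertion", NS)))
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "status_codes": codes,
        "status_message": root.findtext("samlp:Status/samlp:StatusMessage",
                                        default="", namespaces=NS),
        "assertion_count": assertions,
        # Anything but top-level Success with an assertion is an IdP-side failure.
        "idp_side_failure": codes[:1] != ["Success"] or assertions == 0,
    }
```

Signature and audience checks still have to run on a Success response; this only tells you whether there is anything to validate at all.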

BrentRose commented 2 years ago

We finally got some additional logging on our SAML server. We just had to configure signing on the SAML IdP.