RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Invalid SAML logout response #17877

Closed linscombe closed 4 years ago

linscombe commented 4 years ago

Description:

SAML logout response is invalid when logout action is started from the IDP. The <saml2p:StatusCode> element should always be placed inside of a <saml2p:Status> element but this is not happening for the response following the SLO request from an IDP.

The LogoutResponse from Rocket.Chat is not according to the SAML2 specifications which makes it impossible for the IDP to find the StatusCode element in the response. According to the spec, the StatusCode element needs to be within the status element. SAML core spec 3.7.2: LogoutResponse of type StatusResponseType. 3.2.2 StatusResponseType <Status> [Required] 3.2.2.1, Status <StatusCode> [Required]

This would be correct:

<samlp:Status>
                <samlp:StatusCode……….
</samlp:Status>

NOTE: The logout response IS valid when clicking Logout directly within Rocket.Chat... it is not valid when the logout request comes from the IDP. The two logout responses are different based on the origin of the logout.

Steps to reproduce:

  1. Login to Rocket.Chat using SAML
  2. This will prompt for credentials from the IDP
  3. The logout behavior in Rocket.Chat SAML Admin settings should be set to "Terminate SAML-session"
  4. Stay logged into Rocket.Chat and go to another service provider or portal associated with the IDP where your session remains valid
  5. Logout of the IDP which automatically cancels all active sessions with service providers where SLO redirects are defined
  6. During the logout, the IDP will send a SAML Logout Request to Rocket.Chat
  7. Rocket.Chat responds with an invalid SAML Logout Response

Expected behavior:

Format of Logout Response on step 7 should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutResponse Destination="https://idp.example.com/idp/saml2/slo" ID="_id-3a4fbaf50d73bd06f3c5" IssueInstant="2020-06-08T18:36:09.466Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    https://chat.example.com/_saml/metadata/rocket
  </saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>

Actual behavior:

IDP receives invalid SAML Logout Response and cannot logout user completely.

<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutResponse Destination="https://idp.example.com/idp/saml2/slo" ID="_id-3a4fbaf50d73bd06f3c5" IssueInstant="2020-06-08T18:36:09.466Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    https://chat.example.com/_saml/metadata/rocket
  </saml:Issuer>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:LogoutResponse>

Server Setup Information:

Client Setup Information

Same issues on other operating systems / browsers

Additional context

I first saw this problem after the fix for #17439 which I reported in April. While they are both related to SAML logout, I am not certain they are related and can't confirm if the response was different before.

I wish I knew the codebase better to submit a PR instead but thank you in advance if anyone is able to find a fix for this!

Relevant logs:

No relevant logs in addition to the 2 LogoutResponses noted above
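A small structural check for the defect described in this report, written as an added example (not Rocket.Chat's own code): it parses a LogoutResponse and reports whether the StatusCode sits inside a Status element directly under the root, comparing namespace URIs so the samlp/saml2p prefix choice does not matter. The sample responses are constructed to mirror the valid and invalid documents above, with placeholder IDs.

```python
# Added example (not Rocket.Chat code): structural check of a SAML 2.0 LogoutResponse.
# The issue's point: <StatusCode> must sit inside <Status> under <LogoutResponse>.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def check_logout_response(xml_text: str) -> dict:
    """Return {'ok', 'status', 'problems'} describing the Status/StatusCode structure."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. a saml2p: prefix used without an xmlns declaration
        return {"ok": False, "status": None, "problems": [f"not well-formed XML: {exc}"]}
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        problems.append(f"root is {root.tag}, expected LogoutResponse")
    status_value = None
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        problems.append("no <Status> child under <LogoutResponse>")
        stray = root.find(f"{{{SAMLP}}}StatusCode")  # the bug from the issue
        if stray is not None:
            problems.append("<StatusCode> placed directly under <LogoutResponse>")
            status_value = stray.get("Value")
    else:
        code = status.find(f"{{{SAMLP}}}StatusCode")
        if code is None:
            problems.append("<Status> has no <StatusCode> child")
        else:
            status_value = code.get("Value")
    return {"ok": not problems, "status": status_value, "problems": problems}

def sample_response(status_inside: bool, p: str = "samlp") -> str:
    """Constructed sample modelled on the issue's responses (ID is a placeholder)."""
    code = f'<{p}:StatusCode Value="{SUCCESS}"/>'
    body = f"<{p}:Status>{code}</{p}:Status>" if status_inside else code
    return (
        f'<{p}:LogoutResponse xmlns:{p}="{SAMLP}" ID="_id-placeholder" Version="2.0" '
        'IssueInstant="2020-06-08T18:36:09.466Z" Destination="https://idp.example.com/idp/saml2/slo">'
        '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"https://chat.example.com/_saml/metadata/rocket</saml:Issuer>{body}</{p}:LogoutResponse>"
    )

if __name__ == "__main__":
    print(check_logout_response(sample_response(True)))            # ok: True
    print(check_logout_response(sample_response(False)))           # ok: False, stray StatusCode
    print(check_logout_response(sample_response(True, "saml2p")))  # ok: True, prefix is irrelevant
```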

cb3inco commented 4 years ago

@pierre-lehnen-rc is this the same issue as in https://github.com/RocketChat/Rocket.Chat/issues/17919 ?

pierre-lehnen-rc commented 4 years ago

Not the same. This one was fixed on the 3.4 version, so I'll be closing this issue.

linscombe commented 4 years ago

Following up... confirmed v3.4 fixes this issue. It’s extra helpful to be able to see and change the xml of the response in admin settings... although in my case I was able to use the defaults again. Thanks @pierre-lehnen-rc for the fix!

Guile17 commented 4 years ago

@linscombe Do you use ADFS?

linscombe commented 4 years ago

> @linscombe Do you use ADFS?

@Guile17 no haven’t used ADFS sorry