RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

SAML Assertion Signature WRONG with Azure IdP #19682

Open spshar opened 3 years ago

spshar commented 3 years ago

Description:

After setting up SAML SSO with Azure IdP, I cannot log in to Rocket.Chat: after authorizing with Azure, the login window appears again and again, and there is a line with an error in the Rocket.Chat logs: steffo:meteor-accounts-saml ➔ info Assertion Signature WRONG

Steps to reproduce:

  1. Install Rocket.Chat server 3.8.1
  2. Configure SAML SSO with Azure IdP
  3. Try to login.

Expected behavior:

Successful login

Actual behavior:

Login form request loop.

Server Setup Information:

Client Setup Information

Additional context

Relevant logs:

Rocket.Chat server log while validating the Assertion Signature:

I20201126-16:55:27.810(6) steffo:meteor-accounts-saml ➔ info Got response 
I20201126-16:55:27.811(6) steffo:meteor-accounts-saml ➔ info Verify status 
I20201126-16:55:27.812(6) steffo:meteor-accounts-saml ➔ info Status ok 
I20201126-16:55:27.813(6) steffo:meteor-accounts-saml ➔ info Verify Assertion Signature 
I20201126-16:55:27.852(6) steffo:meteor-accounts-saml ➔ info [   'invalid signature: the signature value cIKqXlxoZ4yFkaosuViWIGXP5D9UFfouWllO9AHiQOJuWkkP5Bo9Mmi6CoQ6WNdoX1N9Htd98zSxmI7t4xd+8OSo9a6U2hOslU2DlNMGnJkvteLPDWIvd4rkQtCuZTqQdsCjalz2GBqlgnRN31WhSwsEOIB/wE+NGZhsnNQu5vZbOGI9KyVd8o0teQLcJh+zNMSE0+7g4sKUb/oKPH7fcAp5UeifFVeCLR9E/8TUktHJ4CT4VwBiHX8OZBU0cGbF80h9gOHIhK/6fw6ZIo/4QTrqsX/uLaChxsHf1t/sulmCaEeW6xZiqgW6lNMqUy338VhUvM/jUVynMCKWxv75OQ== is incorrect' ] 
I20201126-16:55:27.854(6) steffo:meteor-accounts-saml ➔ info Assertion Signature WRONG 
I20201126-16:55:27.855(6) server.js:204 steffo:meteor-accounts-saml ➔ error Error: Invalid Assertion signature
    at ResponseParser.verifySignatures (app/meteor-accounts-saml/server/lib/parsers/Response.ts:238:12)
    at ResponseParser.validate (app/meteor-accounts-saml/server/lib/parsers/Response.ts:64:9)
    at SAMLServiceProvider.validateResponse (app/meteor-accounts-saml/server/lib/ServiceProvider.ts:188:17)
    at Function.processValidateAction (app/meteor-accounts-saml/server/lib/SAML.ts:379:19)
    at Function.processRequest (app/meteor-accounts-saml/server/lib/SAML.ts:51:17)
    at middleware (app/meteor-accounts-saml/server/listener.ts:61:8)
    at app/meteor-accounts-saml/server/listener.ts:79:3
I20201126-16:55:27.855(6) server.js:204 steffo:meteor-accounts-saml ➔ error Error: Unable to validate response url
    at app/meteor-accounts-saml/server/lib/SAML.ts:383:12
    at ResponseParser.validate (app/meteor-accounts-saml/server/lib/parsers/Response.ts:66:11)
    at SAMLServiceProvider.validateResponse (app/meteor-accounts-saml/server/lib/ServiceProvider.ts:188:17)
    at Function.processValidateAction (app/meteor-accounts-saml/server/lib/SAML.ts:379:19)
    at Function.processRequest (app/meteor-accounts-saml/server/lib/SAML.ts:51:17)
    at middleware (app/meteor-accounts-saml/server/listener.ts:61:8)
    at app/meteor-accounts-saml/server/listener.ts:79:3
jangaraj commented 3 years ago

Don't include the -----BEGIN/END CERTIFICATE----- headers/footers into Custom Certificate

spshar commented 3 years ago

@jangaraj thanks for the hint, but I can't check anymore, because due to changes in Rocket.Chat licensing, we had to switch to another messenger. The ticket may be closed.

geekgonecrazy commented 3 years ago

@spshar can you clarify what you mean? Our source code has not changed license. It’s been MIT licensed since it was open sourced. This has not changed

spshar commented 3 years ago

This is off-topic. Yes, the license has not changed, but the terms of service have changed. Everyone is interested in push notifications, but they are provided as part of other additional services and licenses that are not interesting to us. I think in this case the cost of a license for an on-premise server is very high, so this was an incentive to change the messenger.