RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Can't login through SAML since updating to 4.1.0 when two factor auth is activated #23606

Open maeries opened 3 years ago

maeries commented 3 years ago

Description:

When two-factor authentication is enabled, I can't log in through SAML. When I try to, I get back to the login page of Rocket.Chat.

Steps to reproduce:

  1. Enable two-factor authentication (Administration -> Accounts -> Two Factor Authentication)
  2. Log out and go to the login page
  3. Click on "SAML" (or whatever you labeled the button) and put in your credentials

Expected behavior:

I'm redirected back to Rocket.Chat and asked for the authentication code that I got via mail.

Actual behavior:

I'm redirected back to Rocket.Chat's login page without being logged in. I get the mail with the authentication code, though.

Server Setup Information:

Client Setup Information:

I reproduced the issue on the Android app, Firefox Android, Firefox on Windows and Linux and Vivaldi on Windows and Linux

Additional context

It worked on 4.0.4. Not sure about 4.0.5.

Btw, for me the solution is to just disable two-factor, as it doesn't make sense in the first place: I log in via my Google account and get the authentication mail to the very same Google account. But I guess for people with different setups it could be a problem.

To set up SAML I used this tutorial: https://blog.jarrousse.org/setting-up-saml-for-rocker-chat-with-g-suite/

Relevant logs:

No applicable server logs.

Client:

Unchecked lastError value: Error: Could not establish connection. Receiving end does not exist. 2 background.js:2455
Unchecked lastError value: Error: Could not establish connection. Receiving end does not exist. 2 background.js:2455
Unchecked lastError value: Error: Could not establish connection. Receiving end does not exist. 2 background.js:2455
Unchecked lastError value: Error: Could not establish connection. Receiving end does not exist. 2 background.js:2455
Unchecked lastError value: Error: Could not establish connection. Receiving end does not exist. 2 background.js:2455
Unchecked lastError value: Error: Could not establish connection. Receiving end does not exist. 2 background.js:2455
NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow] browsing-context.js:391
Unchecked lastError value: Error: Could not establish connection. Receiving end does not exist. 2 background.js:2455
NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDocShell.domWindow] browsing-context.js:391

spdreg commented 2 years ago

I have similar behavior.

Version: 4.1.2
Node Version: v12.22.1
MongoDB: 4.2.15 / wiredTiger (oplog Enabled)
Deployment Method: docker
Operating System: Ubuntu Server 20.04

SAML with ADFS, Two-factor via Email

On the server I see these logs:

2021-12-02T17:10:13.783697729Z {"level":50,"time":"2021-12-02T17:10:13.783Z","pid":1,"hostname":"rocketchat","name":"System","msg":"Exception while invoking method login 'TOTP Required [totp-required]'"}
2021-12-02T17:10:13.927087806Z {"level":50,"time":"2021-12-02T17:10:13.926Z","pid":1,"hostname":"rocketchat","name":"System","msg":"Exception while invoking method login 'TOTP Required [totp-required]'"}

Authentication code is received via email, but you get returned to the initial login screen.

On the client (Chrome) I see these logs:

4570baead5d2268f7b1b9130e7a3050a0f9cb32a.js?meteor_js_resource=true:999 Error: No callback invoker for method 2
    at 4570baead5d2268f7b1b9130e7a3050a0f9cb32a.js?meteor_js_resource=true:772
    at Array.forEach (<anonymous>)
    at M._process_updated (4570baead5d2268f7b1b9130e7a3050a0f9cb32a.js?meteor_js_resource=true:772)
    at M._processOneDataMessage (4570baead5d2268f7b1b9130e7a3050a0f9cb32a.js?meteor_js_resource=true:772)
    at M._livedata_data (4570baead5d2268f7b1b9130e7a3050a0f9cb32a.js?meteor_js_resource=true:772)
    at u (4570baead5d2268f7b1b9130e7a3050a0f9cb32a.js?meteor_js_resource=true:999)
    at 4570baead5d2268f7b1b9130e7a3050a0f9cb32a.js?meteor_js_resource=true:999
    at 4570baead5d2268f7b1b9130e7a3050a0f9cb32a.js?meteor_js_resource=true:1

The only option to log in via SAML is to disable two-factor completely at the server level.
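As an added example that is not part of this thread and not Rocket.Chat's own code: a small Node.js snippet that parses the pino-style JSON server log lines quoted above (after stripping the Docker timestamp prefix) and tallies method-invocation exceptions by their bracketed error code, so an operator can confirm from the server log alone whether a failed SAML sign-in is being rejected with `totp-required` rather than failing somewhere in the SAML exchange itself. The message format assumed, `Exception while invoking method <name> '<reason> [<code>]'`, is taken from the two lines spdreg posted; the sample input below is constructed from those two lines plus two made-up entries (one non-exception log record and one non-JSON line) to exercise the filtering.

```javascript
// Added example (not from the thread or from Rocket.Chat): parse JSON server log
// lines and summarize "Exception while invoking method ..." records by error code.

// Constructed sample: the first two lines are the ones quoted in the thread; the
// third and fourth are made up to show that unrelated records and non-JSON noise
// (e.g. a stray Docker line) are ignored.
const SAMPLE_LOG = `
2021-12-02T17:10:13.783697729Z {"level":50,"time":"2021-12-02T17:10:13.783Z","pid":1,"hostname":"rocketchat","name":"System","msg":"Exception while invoking method login 'TOTP Required [totp-required]'"}
2021-12-02T17:10:13.927087806Z {"level":50,"time":"2021-12-02T17:10:13.926Z","pid":1,"hostname":"rocketchat","name":"System","msg":"Exception while invoking method login 'TOTP Required [totp-required]'"}
2021-12-02T17:10:14.000000000Z {"level":30,"time":"2021-12-02T17:10:14.000Z","pid":1,"hostname":"rocketchat","name":"System","msg":"constructed informational record, not an exception"}
this line is not JSON and must be skipped
`;

// Message shape observed in the quoted log lines; the "[code]" suffix is optional
// because Meteor errors without a bracketed reason code also exist.
const METHOD_EXCEPTION_RE = /^Exception while invoking method (\S+) '(.*?)(?: \[([\w-]+)\])?'$/;

// Return the parsed JSON record for one log line, or null if the line is not a
// JSON record with a "msg" field. Docker's timestamp prefix (everything before
// the first "{") is dropped.
function parseLogLine(line) {
  const start = line.indexOf('{');
  if (start < 0) return null;
  try {
    const rec = JSON.parse(line.slice(start));
    return rec !== null && typeof rec === 'object' && typeof rec.msg === 'string' ? rec : null;
  } catch (e) {
    return null; // not valid JSON
  }
}

// Collect every method-invocation exception as {time, level, method, reason, code}.
function extractMethodExceptions(logText) {
  const results = [];
  for (const raw of logText.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const rec = parseLogLine(line);
    if (!rec) continue;
    const m = METHOD_EXCEPTION_RE.exec(rec.msg);
    if (!m) continue;
    results.push({
      time: rec.time,
      level: rec.level,
      method: m[1],
      reason: m[2],
      code: m[3] || null,
    });
  }
  return results;
}

// Count exceptions per "<method>:<code>" key, e.g. "login:totp-required".
function summarize(exceptions) {
  const counts = {};
  for (const e of exceptions) {
    const key = `${e.method}:${e.code || 'no-code'}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Stand-alone usage: node thisfile.js (or pipe a real log into extractMethodExceptions).
console.log(summarize(extractMethodExceptions(SAMPLE_LOG)));
```

On a live deployment the same functions can be fed `docker logs --timestamps <container>` output; a steady stream of `login:totp-required` entries lining up with SAML sign-in attempts is the signature described in this thread, as opposed to errors in the SAML assertion handling, which would surface under a different method or reason.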