Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

SAML: User loses group permissions on login #6147

Open detritus opened 1 month ago

detritus commented 1 month ago

Describe the bug

This bug seems to be limited to a single user but has occurred on two separate installations of MeshCentral. We previously had this issue on our test system, and it is now occurring on our new production system. When a specific user logs in via SSO/SAML, the user account appears to lose all assigned devices, as if the user account has been recreated. We do not have this issue with any other users, but we have no evidence that would help us narrow down the issue any further.

To Reproduce

Steps to reproduce the behavior:

  1. Assign user to a group
  2. User logs in
  3. User loses all group permissions

Expected behavior

User should be able to log in and device details should be preserved.

Server Software (please complete the following information):

Client Device (please complete the following information):

Remote Device (please complete the following information): N/A

Additional context

utc time type action user device message
2024-06-03T08:56:52.568Z 03/06/2024, 09:56:52 relay relaylog USER DEVICE Ended desktop session "tz4sgfg70vc" from x.x.x.x to x.x.x.x - 7 second(s)
2024-06-03T08:56:45.426Z 03/06/2024, 09:56:45 node agentlog USER DEVICE Started remote desktop without notification (x.x.x.x)
2024-06-03T08:56:45.379Z 03/06/2024, 09:56:45 relay relaylog USER DEVICE Started desktop session "tz4sgfg70vc" from x.x.x.x to x.x.x.x # User accesses device
2024-06-03T08:56:26.106Z 03/06/2024, 09:56:26 user accountchange ADMIN   Changed user device rights for USER
2024-06-03T08:56:26.106Z 03/06/2024, 09:56:26 node changenode ADMIN DEVICE Changed user device rights for DEVICE
2024-06-03T08:56:13.912Z 03/06/2024, 09:56:13 mesh meshchange USER   Added user USER to device group GROUP # User re-assigned to group
2024-06-03T08:56:13.911Z 03/06/2024, 09:56:13 user accountchange ADMIN   Device group membership changed: USER
2024-06-03T07:19:36.863Z 03/06/2024, 08:19:36 user login USER   Account login
2024-06-03T07:19:36.861Z 03/06/2024, 08:19:36 user accountchange USER   Account changed # Account changed? User can no longer access device
2024-05-22T10:56:15.551Z 22/05/2024, 11:56:15 relay relaylog USER DEVICE Ended desktop session "i73dwc7kl7" from x.x.x.x to x.x.x.x - 1964 second(s)
2024-05-22T10:23:30.775Z 22/05/2024, 11:23:30 node agentlog USER DEVICE Started remote desktop without notification (x.x.x.x)
2024-05-22T10:23:30.731Z 22/05/2024, 11:23:30 relay relaylog USER DEVICE Started desktop session "i73dwc7kl7" from x.x.x.x to x.x.x.x # User accesses device
2024-05-22T10:23:24.758Z 22/05/2024, 11:23:24 user login USER   Account login
2024-05-22T08:56:12.318Z 22/05/2024, 09:56:12 mesh meshchange USER   Added user USER to device group GROUP # User assigned to group
2024-05-22T08:56:12.317Z 22/05/2024, 09:56:12 user accountchange ADMIN   Device group membership changed: USER
2024-05-22T08:48:36.519Z 22/05/2024, 09:48:36 user login USER   Account login
2024-05-22T08:48:36.517Z 22/05/2024, 09:48:36 user accountcreate USER   Account created - username is USER

Your config.json file

{
  "settings": {
    "cert": "mymesh.co.uk"
  },
  "domains": {
    "": {
      "authStrategies": {
        "saml": {
          "callbackUrl": "https://mymesh.co.uk/auth-saml-callback",
          "entityid": "mymesh.co.uk",
          "idpurl": "https://mysaml.co.uk/adfs/ls",
          "cert": "mycert.pem"
        }
      },
      "newAccounts": true,
      "showPasswordLogin": false,
      "title": "ORG",
      "title2": "ORG",
      "welcomePicture": "welcome.png",
      "footer": "Contact <a href=\"mailto:xxx\">xxx</a> for technical support."
    }
  }
}
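
As an added triage helper (not MeshCentral's own code), the script below reads an event export in the column layout of the table above and flags the sequence the annotations point at: an accountchange landing on the same user milliseconds before an SSO login, after which an admin has to re-add the user to a device group. The tab-separated sample lines and the two-second correlation window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in the issue's export layout, tab-separated columns:
# utc, local time, type, action, user, device, message (newest first).
SAMPLE_LOG = """\
2024-06-03T08:56:26.106Z\t03/06/2024, 09:56:26\tuser\taccountchange\tADMIN\t\tChanged user device rights for USER
2024-06-03T08:56:13.912Z\t03/06/2024, 09:56:13\tmesh\tmeshchange\tUSER\t\tAdded user USER to device group GROUP
2024-06-03T07:19:36.863Z\t03/06/2024, 08:19:36\tuser\tlogin\tUSER\t\tAccount login
2024-06-03T07:19:36.861Z\t03/06/2024, 08:19:36\tuser\taccountchange\tUSER\t\tAccount changed
2024-05-22T10:23:24.758Z\t22/05/2024, 11:23:24\tuser\tlogin\tUSER\t\tAccount login
2024-05-22T08:56:12.318Z\t22/05/2024, 09:56:12\tmesh\tmeshchange\tUSER\t\tAdded user USER to device group GROUP
2024-05-22T08:48:36.519Z\t22/05/2024, 09:48:36\tuser\tlogin\tUSER\t\tAccount login
2024-05-22T08:48:36.517Z\t22/05/2024, 09:48:36\tuser\taccountcreate\tUSER\t\tAccount created - username is USER
"""

def parse_events(text):
    """Parse the export into dicts sorted oldest-first (the export is newest-first)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = (line.split("\t") + [""] * 7)[:7]  # tolerate a missing device column
        events.append({"ts": datetime.strptime(cols[0], "%Y-%m-%dT%H:%M:%S.%fZ"),
                       "action": cols[3], "user": cols[4], "message": cols[6]})
    return sorted(events, key=lambda e: e["ts"])

def find_suspect_logins(events, window=timedelta(seconds=2)):
    """Logins preceded within `window` by an 'accountchange' on the same user.
    An 'accountcreate' right before a first SSO login is normal and not flagged."""
    hits = []
    for login in (e for e in events if e["action"] == "login"):
        for c in events:
            if (c["action"] == "accountchange" and c["user"] == login["user"]
                    and timedelta(0) <= login["ts"] - c["ts"] <= window):
                hits.append((login["user"], login["ts"].isoformat()))
                break
    return hits

def regroup_after(events, user, ts_iso):
    """ISO time of the first re-add of `user` to a device group after `ts_iso`, or None."""
    ts = datetime.fromisoformat(ts_iso)
    for e in events:
        if (e["action"] == "meshchange" and e["user"] == user
                and e["ts"] > ts and e["message"].startswith("Added user")):
            return e["ts"].isoformat()
    return None
```

Run `find_suspect_logins(parse_events(SAMPLE_LOG))` against a real export to list the users and login times worth checking in the authlog.
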

si458 commented 1 month ago

Can you run it with the authlog debug at all for me and replicate your issue in various ways?

node node_modules/meshcentral --debug authlog

The logs from the console will show login attempts, group permissions from SAML, userid, etc.

detritus commented 1 month ago

Can this be set in the config anywhere to generate a log file? As the issue occurs intermittently, it won't be easy to monitor directly via the console.

si458 commented 1 month ago

In theory:

  1. If you set authLog: "/mypath/mylog.log" under settings in your config.json, it should generate an authlog which you can check for auth issues.
  2. If you set log: "authlog,web" under settings in your config.json, it should create a log.txt file with all the authlog and web events.