calcom / cal.com

Scheduling infrastructure for absolutely everyone.
https://cal.com

(bug) Updating the SAML Certificate doesn't work properly #16154

Closed flcno closed 1 month ago

flcno commented 2 months ago

Issue Summary

We are currently self-hosting cal.com on version 4.2.3. We are utilizing the cal.com web and api apps and hosting using Kubernetes containers and AWS. We have set up SAML login functionality on all our environments successfully and have been using it for users to authenticate with Azure as the IdP. We used the saml admin user to add our new certificate when setting up SAML initially. Code reference: SAMLConnection.tsx

This all worked fine once we configured the Azure SAML connection properly to provide cal.com with the right information to authenticate and complete the callback to cal.com web in the right environment.

However, we recently needed to update the SAML certificate and we encountered some issues. When adding the SAML certificate using the saml admin user and navigating the SAML configuration component in cal.com web, it doesn't seem to update properly.

Attempting to log in after we update the SAML certificate loops back to the login page with this url https://.org/auth/login?callbackUrl=https%3A%2F%2F[self-hosted-domain] .org%2Fauth%2Flogin&error=Callback

We noticed that our SAML connection no longer worked and it states our signature is invalid.

@calcom/web:start: prisma:query SELECT COUNT(*) FROM (SELECT "public"."users"."id" FROM "public"."users" WHERE 1=1 OFFSET $1) AS "sub"
@calcom/web:start: prisma:query SELECT COUNT(*) FROM (SELECT "public"."users"."id" FROM "public"."users" WHERE 1=1 OFFSET $1) AS "sub"
@calcom/web:start: prisma:query SELECT COUNT(*) FROM (SELECT "public"."users"."id" FROM "public"."users" WHERE 1=1 OFFSET $1) AS "sub"
@calcom/web:start: prisma:query SELECT COUNT(*) FROM (SELECT "public"."users"."id" FROM "public"."users" WHERE 1=1 OFFSET $1) AS "sub"
@calcom/web:start: [next-auth][error][OAUTH_CALLBACK_HANDLER_ERROR] 
@calcom/web:start: https://next-auth.js.org/errors#oauth_callback_handler_error access_denied {
@calcom/web:start: error: {
@calcom/web:start: message: 'access_denied',
@calcom/web:start: stack: 'Error: access_denied\n' +
@calcom/web:start: ' at oAuthCallback (/calcom/node_modules/next-auth/core/lib/oauth/callback.js:39:19)\n' +
@calcom/web:start: ' at Object.callback (/calcom/node_modules/next-auth/core/routes/callback.js:52:39)\n' +
@calcom/web:start: ' at AuthHandler (/calcom/node_modules/next-auth/core/index.js:208:41)\n' +
@calcom/web:start: ' at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
@calcom/web:start: ' at async NextAuthApiHandler (/calcom/node_modules/next-auth/next/index.js:22:19)\n' +
@calcom/web:start: ' at async NextAuth._args$ (/calcom/node_modules/next-auth/next/index.js:106:14)',
@calcom/web:start: name: 'Error'
@calcom/web:start: },
@calcom/web:start: error_description: 'tiny_sun_artist: Invalid assertion. invalid signature: the signature value <signature redacted> is incorrect',
@calcom/web:start: providerId: 'saml',
@calcom/web:start: message: 'access_denied'
@calcom/web:start: }

A potentially relevant error:

@calcom/web:start: 15:33:23:388 DEBUGgetServerSession Getting server session {"token":null}
@calcom/web:start: 15:33:23:388 DEBUGgetServerSession Couldnt get token
@calcom/web:start: 15:33:23:390 DEBUGgetServerSession Getting server session {"token":null}
@calcom/web:start: 15:33:23:390 DEBUGgetServerSession Couldnt get token
@calcom/web:start: 15:33:23:390 DEBUGgetServerSession Getting server session {"token":null}
@calcom/web:start: 15:33:23:390 DEBUGgetServerSession Couldnt get token
@calcom/web:start: 15:33:23:391 DEBUGgetServerSession Getting server session {"token":null}
@calcom/web:start: 15:33:23:391 DEBUGgetServerSession Couldnt get token
@calcom/web:start: 15:33:23:391 DEBUGPerf:t.isAuthed 1.2097779512405396
@calcom/web:start: 15:33:23:391 DEBUGPerf:t.sessionMiddleware 1.3656489849090576
@calcom/web:start: 15:33:23:391 DEBUGPerf:t.isAuthed 1.4524660110473633
@calcom/web:start: 15:33:23:395 DEBUGgetServerSession Getting server session {"token":null}
@calcom/web:start: 15:33:23:395 DEBUGgetServerSession Couldnt get token

Steps to Reproduce

  1. Navigate to cal.com web
  2. login as the SAML_ADMIN user
  3. Navigate to the SAML configuration page
  4. Click the button to update/add the new SAML certificate
  5. Log out
  6. Attempt to login with SAML

Expected behavior

Once the new certificate is activated in the IdP (Azure), I'd expect the cal.com self-hosted application to update the SAML certificate correctly and work with the new certificate.

Other information

No response

Screenshots

No response

Environment

Desktop (please complete the following information)

- OS:   MacOS Sonoma 14.6.1
- Node: 18.19.1
- npm:  10.2.4

flcno commented 1 month ago

We determined the issue with updating the SAML certificate. Our IdP (Azure) was maintaining the old cert in the federation XML metadata that we were uploading to the cal.com SAMLConnection.tsx component on the front end.

We had to delete the inactive cert before downloading the XML, or remove the X.509 cert manually from the XML to keep the inactive certs available in the Azure portal.
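As an added example (not cal.com or jackson code), a stand-alone Python check for the root cause described in this thread: it lists every signing certificate an IdP federation-metadata file advertises, so a leftover inactive certificate is caught before the file is uploaded to the SP, and filters the XML down to the active certificate. The metadata document and both base64 values are constructed placeholders, not real certificates.

```python
# Added example, not cal.com or jackson code: inspect an IdP federation-metadata
# file for leftover signing certificates before uploading it to the SP.
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)
KD, X509 = f"{{{MD}}}KeyDescriptor", f"{{{DS}}}X509Certificate"

# Constructed placeholders: base64 of arbitrary bytes, not real certificates.
OLD_CERT_B64 = base64.b64encode(b"OLD-INACTIVE-CERT-PLACEHOLDER").decode()
NEW_CERT_B64 = base64.b64encode(b"NEW-ACTIVE-CERT-PLACEHOLDER").decode()

# Constructed metadata in the shape the issue describes: the IdP still
# advertises the inactive certificate alongside the newly activated one.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(b64_cert: str) -> str:
    """SHA-256 hex of the DER bytes, to compare with the thumbprint the IdP console shows."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


def signing_certs(xml_text: str) -> list[str]:
    """Fingerprints of every signing cert advertised; more than one means the
    SP may end up validating assertions against a key the IdP no longer uses."""
    root = ET.fromstring(xml_text)
    # A KeyDescriptor without a `use` attribute may be used for signing as well.
    return [fingerprint(c.text or "") for kd in root.iter(KD)
            if kd.get("use", "signing") == "signing" for c in kd.iter(X509)]


def keep_only(xml_text: str, active_fp: str) -> str:
    """Drop every signing KeyDescriptor except the one carrying the active
    certificate: the manual XML edit described in the issue, done mechanically."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for kd in list(parent):
            if kd.tag == KD and kd.get("use", "signing") == "signing" and active_fp not in (
                    fingerprint(c.text or "") for c in kd.iter(X509)):
                parent.remove(kd)
    return ET.tostring(root, encoding="unicode")
```

Run `signing_certs` on the metadata exported from the IdP; if it reports more than one fingerprint, remove the inactive certificate at the IdP or pass the active thumbprint to `keep_only` before uploading the file.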