[CI] SamlAuthenticatorIT. testLoginUserWithAuthorizingRealm failed

[bizybot]

SamlAuthenticatorIT. testLoginUserWithAuthorizingRealm failed on https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+master+multijob-unix-compatibility/os=ubuntu-16.04&&immutable/297/console

https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+7.x+multijob-unix-compatibility/os=ubuntu-14.04&&immutable/71/console

14:08:04 FAILURE 7.55s | SamlAuthenticationIT.testLoginUserWithAuthorizingRealm <<< FAILURES!
14:08:04    > Throwable #1: java.lang.AssertionError: 
14:08:04    > Expected: <302>
14:08:04    >      but: was <200>
14:08:04    >   at __randomizedtesting.SeedInfo.seed([5906EE65A5BC7239:B7BE11A01110081]:0)
14:08:04    >   at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
14:08:04    >   at org.elasticsearch.xpack.security.authc.saml.SamlAuthenticationIT.lambda$submitLoginForm$2(SamlAuthenticationIT.java:376)
14:08:04    >   at org.elasticsearch.xpack.security.authc.saml.SamlAuthenticationIT.execute(SamlAuthenticationIT.java:498)
14:08:04    >   at org.elasticsearch.xpack.security.authc.saml.SamlAuthenticationIT.submitLoginForm(SamlAuthenticationIT.java:375)
14:08:04    >   at org.elasticsearch.xpack.security.authc.saml.SamlAuthenticationIT.loginViaSaml(SamlAuthenticationIT.java:260)
14:08:04    >   at org.elasticsearch.xpack.security.authc.saml.SamlAuthenticationIT.testLoginUserWithAuthorizingRealm(SamlAuthenticationIT.java:249)
14:08:04    >   at java.lang.Thread.run(Thread.java:748)

Locally could not reproduce on 7.x or master with following command: For master:

./gradlew :x-pack:qa:saml-idp-tests:integTestRunner \
  -Dtests.seed=5906EE65A5BC7239 \
  -Dtests.class=org.elasticsearch.xpack.security.authc.saml.SamlAuthenticationIT \
  -Dtests.method="testLoginUserWithAuthorizingRealm" \
  -Dtests.security.manager=true \
  -Dtests.locale=et-EE \
  -Dtests.timezone=America/Miquelon \
  -Dcompiler.java=11 \
  -Druntime.java=8

For 7.x:

./gradlew :x-pack:qa:saml-idp-tests:integTestRunner \
-Dtests.seed=15C1EC2DCBCEAFF \
-Dtests.class=org.elasticsearch.xpack.security.authc.saml.SamlAuthenticationIT \
-Dtests.method="testLoginUserWithAuthorizingRealm" \
-Dtests.security.manager=true \
-Dtests.locale=ga \
-Dtests.timezone=America/Araguaina \
-Dcompiler.java=11 \
-Druntime.java=8

@jkakavas do you think https://github.com/elastic/elasticsearch/pull/39948 might have caused this intermittent failure?

[elasticmachine]

Pinging @elastic/es-security

[jkakavas]

@jkakavas do you think #39948 might have caused this intermittent failure?

Yes probably, I'll look into it

[jkakavas]

The error means that the browser got a 200 when submitting the form instead of a 302 to the consent page.

This can happen in a few cases :

• The SAML Response would contain no attributes so consent is not required
• There was a previous request with the same client and the consent is stored in the browsers local storage ( not possible with HttpClient I guess ) ( For both the above that page returned with 200 would contain Javascript to make the browser POST the SAMLResponse back to the mock - SP. )
• There was an error in the IDP and we got redirected to the error page.

Not sure what happened here and this doesn't reproduce locally so I'll push a commit to print the HttpEntity that is returned with that 200 to get more insights

[jkakavas]

I added a log entry in https://github.com/elastic/elasticsearch/commit/18d6499432b0975a5163149476ee5202625c1da3, next time this happens we can see what the issue is and resolve it

[jkakavas]

This failed in a PR : https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+pull-request-2/10043/console and it looks like the reason is

The SAML Response would contain no attributes so consent is not required

The reason is that the following two values are supposed to be set in milliseconds (not seconds :/ ) and the attribute resolving phase was timing out while the authentication was successful.

idp.attribute.resolver.LDAP.connectTimeout = 5
idp.attribute.resolver.LDAP.responseTimeout = 5