fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

`server_url_prefix` breaks SSO #1063

Open ar0dd opened 3 years ago

ar0dd commented 3 years ago

Fleet version 3.13.0

Fleet Basic

🧑‍💻  Expected behavior

When server_url_prefix is configured, it is visible in the settings panel of the web UI.

image

When users configure SSO, the reply_url must match in the IdP and the SP (Fleet).

💥  Actual behavior

Fleet is appending the server_url_prefix twice, from the looks of the request.

An important thing to note is that Fleet should specify the AssertionConsumerServiceUrl in the SAML request sent to the IdP (Azure AD in my testing).

Fleet application location: https://testdomain.com/hunt/
IdP reply url value: https://testdomain.com/hunt/api/v1/fleet/sso/callback
Fleet reply url value: https://testdomain.com/hunt/hunt/api/v1/fleet/sso/callback <- THE ISSUE

Since my server_url_prefix value is set to /hunt, the reply URLs do not match the IdP configuration as seen below.

image

To replicate

  1. set server_prefix_url value to something
  2. configure SAML
  3. attempt to use SSO
ar0dd commented 3 years ago

In the last image, I meant to say "It duplicates the server_prefix_url which makes the actual reply_url incorrect"

RachelElysia commented 3 years ago

Thanks for letting us know!

zwass commented 3 years ago

I just tested locally and it looks like Fleet is making the correct request. With the URL prefix set to /fleet, I get the following request (after decoding):

```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_2f553a42f79ebbf52ec55744acc4eeb6732a1642d3" Version="2.0" IssueInstant="2021-06-21T22:55:43Z" Destination="https://localhost:8080/fleet/api/v1/fleet/sso/callback" InResponseTo="idfUIlXsj3q5zuq5FC"><saml:Issuer>http://localhost:9080/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_2f553a42f79ebbf52ec55744acc4eeb6732a1642d3"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>lWVMUgr/wCPyeSrqYPqdldmUTYuu/afVeWfSE+QCGNc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>qLioTYBJKPAJ5d35wr2jszrHyuXE+GSzbwGUqoXw7vvEIdMUuFfTmP8pehyaEyEoPk5rZ7io4L/zC5pk3p0nQPcih7VKUwc4HA3CyELpx9BZq30v/XC4KjgpTjMewMFBKeh1DBFYeIPUcPA9RQgQUaZDkhFr6fskDG5JbU1AqtmXkyeVBZIYI/n6p3TDSm5U+84MxMDPng5nU7e7q6LkWGpz6+Bus+tnk+Fv0jnNOqzboviYXLWk2PqVMDaSJr87wT4iKOGygzEFWYlWV+xzP4vw3LXJM5hyp0jHY46AZcJFXgjIsJnc8NELjUgrAlfj9wzP9ymBXGYDbfk0h2XbFQ==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_1532cdc3f943aed7fcc55ca2fdc0351da1473209be" Version="2.0" IssueInstant="2021-06-21T22:55:43Z"><saml:Issuer>http://localhost:9080/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_1532cdc3f943aed7fcc55ca2fdc0351da1473209be"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>XSGgWl7CE9q4Ae1eXuPBbbdGsHWlLuo0J4GjpIOp6uI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>yVlEYRGDRUJon2iKhGDqZdjif+YJboGgD10ZAvbUXynotvHl56ZUAsfE8Ub0QadXbAvKXO/CnC4yXpAWK4voHDpndrBKHDT4YWvAFvkJs+cSjdp4w/6LZkj8Y+JNpyjqBjBFV0RymWpPqP4x4f1IC9Aa/LbQFSPRjD4Qs5lZKPn1f41gzWUepSirc1BM+Oi57oaCW1UggZWXx05vEbfQLJpxl9RL3VYoEvaj+tntLlmJ63loiis4r6rtlthGtKihojhnMHczoc7UjjbPXS9kPzpHZqcVF+36jfQ0qKc5FxxCKpj3sQuZGO1Ff2UuMhi5yCCbMErZI2tF5AtN5ZM/SA==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="https://localhost:8080" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sso_user@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2021-06-21T23:00:43Z" Recipient="https://localhost:8080/fleet/api/v1/fleet/sso/callback" InResponseTo="idfUIlXsj3q5zuq5FC"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2021-06-21T22:55:13Z" NotOnOrAfter="2021-06-21T23:00:43Z"><saml:AudienceRestriction><saml:Audience>https://localhost:8080</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2021-06-21T22:52:21Z" SessionNotOnOrAfter="2021-06-22T06:52:21Z" SessionIndex="_7b6706f6ced4d8a4cca267466173343c626405f6d6"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">1</saml:AttributeValue></saml:Attribute><saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">group1</saml:AttributeValue></saml:Attribute><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">sso_user@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
```

@ar0dd Is it possible that you have duplicated the prefix in your IdP configuration?

zwass commented 3 years ago

Apologies, that was the response.

Here's the request:

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="idfUIlXsj3q5zuq5FC" Version="2.0" AssertionConsumerServiceURL="https://localhost:8080/fleet/api/v1/fleet/sso/callback" Destination="http://localhost:9080/simplesaml/saml2/idp/SSOService.php" IssueInstant="2021-06-21T22:55:43Z" ProviderName="Fleet"><saml:Issuer>https://localhost:8080</saml:Issuer></samlp:AuthnRequest>
```

This also looks correct to me.

ar0dd commented 3 years ago

@zwass Sure. I retested what I was experiencing.

IdP configuration

image

Fleet configuration

image

Burp Suite Request

image

ar0dd commented 3 years ago

This causes the following error with the IdP I was testing for.

```text
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'fleet-saml'.
```

image

To fix this, I need to remove the /hunt prefix from the Fleet App URL value.

zwass commented 3 years ago

Ah yes, I see now that you have the prefix in the "Fleet web address" field. That would be what's causing the duplication. Remove the prefix there and you should be good.

cc @noahtalerman thoughts on how we can make this experience better?

ar0dd commented 3 years ago

Will it break the fleet server or communication with my agents if I change it?

@zwass

image

zwass commented 3 years ago

No it should not. Fleet appends the prefix everywhere that URLs are generated.

ar0dd commented 3 years ago

@zwass Gotcha!

I thought that would break things 😅

I'm good then. It works if I don't add the /prefix to that variable in the UI.

noahtalerman commented 3 years ago

If I'm understanding correctly, the string entered in the Fleet App URL should only ever have two / characters (for https://).

@zwass if I'm correct above, I propose adding frontend validation that renders the error state for the Fleet App URL input field if more than 2 / characters are detected. The error message above the input field can render text "Include the base path only."

EDIT: This validation would also exist on the "Set Fleet URL" portion of the Set up flow.
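The following is an added example, not Fleet's code, written to show the failure mode in this thread and the validation proposed above in working form. It builds the AssertionConsumerServiceURL from a server URL plus server_url_prefix, rejects a server URL that already carries a path (the "include the base path only" rule), reads the ACS URL out of a decoded AuthnRequest the way one would after pulling it from Burp, and performs the exact-match reply URL comparison that Azure AD fails with AADSTS50011. The type and function names, the hypothetical IdP destination, and the sample AuthnRequest are all constructed for this example; only the callback path and the testdomain.com/hunt values come from the thread.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// ssoConfig holds the two settings the thread is about: the Fleet server URL
// (the "Fleet web address" / "Fleet App URL" field) and server_url_prefix.
// Names in this file are illustrative, not Fleet's own.
type ssoConfig struct {
	ServerURL string // e.g. https://testdomain.com (no path)
	URLPrefix string // e.g. /hunt
}

// callbackPath is the SSO callback path seen in the thread's requests.
const callbackPath = "/api/v1/fleet/sso/callback"

// validateServerURL is the proposed check: scheme://host[:port] only.
// A path here is the misconfiguration in the thread (/hunt typed into both fields).
func validateServerURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return fmt.Errorf("server URL %q: scheme must be http or https", raw)
	}
	if u.Host == "" {
		return fmt.Errorf("server URL %q: missing host", raw)
	}
	if p := strings.Trim(u.Path, "/"); p != "" || u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("server URL %q: include the base path only; put %q in server_url_prefix", raw, "/"+p)
	}
	return nil
}

// naiveACSURL appends the prefix to whatever the server URL holds, which is
// how the duplicated .../hunt/hunt/... reply URL in the report arises.
func naiveACSURL(c ssoConfig) string {
	return strings.TrimRight(c.ServerURL, "/") + c.URLPrefix + callbackPath
}

// acsURL validates first, then joins server URL, prefix and callback path
// with exactly one slash between parts (an empty prefix is simply skipped).
func acsURL(c ssoConfig) (string, error) {
	if err := validateServerURL(c.ServerURL); err != nil {
		return "", err
	}
	parts := []string{strings.TrimRight(c.ServerURL, "/")}
	if prefix := strings.Trim(c.URLPrefix, "/"); prefix != "" {
		parts = append(parts, prefix)
	}
	parts = append(parts, strings.TrimLeft(callbackPath, "/"))
	return strings.Join(parts, "/"), nil
}

// authnRequest maps only the attribute the IdP compares against its reply URLs.
// The namespace in the tag makes a <samlp:Response> fail to unmarshal here.
type authnRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ACS     string   `xml:"AssertionConsumerServiceURL,attr"`
}

// acsFromAuthnRequest reads AssertionConsumerServiceURL from an already
// base64-decoded and inflated AuthnRequest, such as one captured in Burp.
func acsFromAuthnRequest(doc string) (string, error) {
	var req authnRequest
	if err := xml.Unmarshal([]byte(doc), &req); err != nil {
		return "", err
	}
	if req.ACS == "" {
		return "", fmt.Errorf("AuthnRequest carries no AssertionConsumerServiceURL")
	}
	return req.ACS, nil
}

// replyURLMatches mirrors the IdP-side check behind AADSTS50011: the ACS URL
// must exactly equal one of the registered reply URLs.
func replyURLMatches(acs string, registered []string) bool {
	for _, r := range registered {
		if r == acs {
			return true
		}
	}
	return false
}

// sampleAuthnRequest is a constructed request carrying the thread's doubled
// prefix; the ID and IdP Destination are made up for this example.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed-1" Version="2.0" AssertionConsumerServiceURL="https://testdomain.com/hunt/hunt/api/v1/fleet/sso/callback" Destination="https://idp.example.test/saml2" IssueInstant="2021-06-21T22:55:43Z" ProviderName="Fleet"><saml:Issuer>https://testdomain.com/hunt</saml:Issuer></samlp:AuthnRequest>`

func main() {
	registered := []string{"https://testdomain.com/hunt/api/v1/fleet/sso/callback"}
	bad := ssoConfig{ServerURL: "https://testdomain.com/hunt", URLPrefix: "/hunt"} // prefix in both fields
	fmt.Println("naive:", naiveACSURL(bad))
	if _, err := acsURL(bad); err != nil {
		fmt.Println("rejected:", err)
	}
	good := ssoConfig{ServerURL: "https://testdomain.com", URLPrefix: "/hunt"} // the fix from the thread
	acs, _ := acsURL(good)
	fmt.Println("fixed:", acs, "matches IdP:", replyURLMatches(acs, registered))
	captured, _ := acsFromAuthnRequest(sampleAuthnRequest)
	fmt.Println("captured:", captured, "matches IdP:", replyURLMatches(captured, registered))
}
```

The comparison is deliberately an exact string match: Azure AD does not normalise trailing slashes or case in reply URLs, so the value emitted in the AuthnRequest has to be byte-for-byte what was registered, which is why a doubled path segment fails immediately rather than being tolerated.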

ar0dd commented 3 years ago

@noahtalerman

Might be worth mentioning that we added the /prefix into our setup sequence.

```sh
./fleetctl config set --address "https://$FLEET_HOST/prefix" --config $FLEET_CONFIG --url-prefix "/prefix"
```

So essentially that was not needed.

noahtalerman commented 3 years ago

@ar0dd great point. Thank you for clarifying.