horizon3ai / vcenter_saml_login

A tool to extract the IdP cert from vCenter backups and log in as Administrator
MIT License
487 stars, 90 forks

Error 400: No matching request found for WebSSO response #10

Open BodekMashu opened 2 years ago

BodekMashu commented 2 years ago

Hi guys. First things first: this is a very cool method! I'm facing a problem in the login part where, instead of getting a redirect, I'm getting an error: "[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: No matching request found for WebSSO response". Any idea what could have gone wrong? Edit: it's vCenter version 7.0.3.

scopedsecurity commented 2 years ago

Hello!

We've received similar reports that there seems to be a different authentication flow for this vCenter version (7.0.3). I don't anticipate that I will have time to dig into this myself anytime soon, but if you are able to trace the flow of authentication by logging in with valid credentials via the /ui endpoint and inspecting the redirects and parameters to compare with what our script is doing, that is where I'd start. If you do find a solution, feel free to report back!

Thanks!

TechnoNotice commented 2 years ago

Was searching for the cause of this error as well and found a VMware article relating to this error.

https://kb.vmware.com/s/article/88714

To quote VMware for a fuller reply:

"This occurs if a user keeps the UI login screen (the same happens with the timeout banner) and stays there without performing an actual login. This is a security protection feature to make sure that login request originates from this browser."
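The protection the KB describes is, in standard SAML terms, the service provider refusing a Response whose InResponseTo does not name an AuthnRequest it issued and still has pending. The following is an added illustrative example written for this page; it is not code from the vcenter_saml_login tool and not VMware's implementation, and it does not claim vCenter's internals match it line for line. It shows both sides of that correlation: how a client recovers the request ID from a redirect-binding SAMLRequest parameter (the kind of tracing suggested above), and how the SP side accepts a matching Response once and rejects unsolicited, unknown, replayed or stale ones. The endpoint and issuer URLs, the request lifetime and the sample messages are assumptions; signatures and assertions are omitted because only the request/response matching is demonstrated.

```python
# Illustrative example added by the editor: SAML SP-side request/response
# correlation. Not the vcenter_saml_login project's code and not VMware's;
# hostnames, TTL and sample messages below are assumed/constructed.
import base64
import secrets
import time
import xml.etree.ElementTree as ET
import zlib
from typing import Dict, Optional, Tuple

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SSO_URL = "https://sp.example/websso/SAML2/SSO"  # hypothetical SP endpoint
REQUEST_TTL = 300                                 # assumed pending-request lifetime, seconds


def deflate_b64(data: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(data) + comp.flush()).decode()


def inflate_b64(text: str) -> bytes:
    """Inverse of deflate_b64."""
    return zlib.decompress(base64.b64decode(text), -15)


def request_id_from_saml_request(encoded: str) -> str:
    """Extract the ID from a SAMLRequest query parameter. A client that wants to
    hand the SP a Response it will accept has to echo this ID in InResponseTo."""
    root = ET.fromstring(inflate_b64(encoded))
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.attrib["ID"]


def build_response(in_response_to: Optional[str]) -> str:
    """Constructed sample Response (no Signature, no Assertion) for the demo."""
    attrs = (f'xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
             f'ID="_{secrets.token_hex(8)}" Version="2.0" Destination="{SSO_URL}"')
    if in_response_to is not None:
        attrs += f' InResponseTo="{in_response_to}"'
    return (f'<samlp:Response {attrs}>'
            f'<saml:Issuer>https://idp.example/sts</saml:Issuer>'
            f'</samlp:Response>')


class ServiceProvider:
    """Minimal SP state: IDs of AuthnRequests issued and not yet consumed."""

    def __init__(self, ttl: float = REQUEST_TTL):
        self.ttl = ttl
        self.pending: Dict[str, float] = {}  # request ID -> issue time

    def new_authn_request(self, now: Optional[float] = None) -> Tuple[str, str]:
        """Issue an AuthnRequest, remember its ID, return (ID, SAMLRequest value)."""
        now = time.time() if now is None else now
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = now
        issue_instant = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" ID="{req_id}" '
               f'Version="2.0" IssueInstant="{issue_instant}" '
               f'AssertionConsumerServiceURL="{SSO_URL}"/>')
        return req_id, deflate_b64(xml.encode())

    def consume_response(self, response_xml: str,
                         now: Optional[float] = None) -> Tuple[bool, str]:
        """Accept a Response only if it answers a request this SP issued and
        still has pending; every other case is rejected with a reason."""
        now = time.time() if now is None else now
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{NS_SAMLP}}}Response":
            return False, "not a samlp:Response"
        in_response_to = root.attrib.get("InResponseTo")
        if in_response_to is None:
            return False, "unsolicited response: no InResponseTo"
        # One-shot: the ID is removed whether it is accepted or rejected below,
        # so a second Response for the same request (a replay) fails.
        issued = self.pending.pop(in_response_to, None)
        if issued is None:
            return False, "No matching request found for WebSSO response"
        if now - issued > self.ttl:
            return False, "matching request expired"
        return True, in_response_to


if __name__ == "__main__":
    sp = ServiceProvider()
    req_id, encoded = sp.new_authn_request()
    print("request ID recovered from SAMLRequest:",
          request_id_from_saml_request(encoded) == req_id)
    print("forged InResponseTo:", sp.consume_response(build_response("_bogus")))
    print("matching response:", sp.consume_response(build_response(req_id)))
    print("replayed response:", sp.consume_response(build_response(req_id)))
```

A login page left open past the SP's pending-request lifetime ends up in the "expired" branch, which is the situation the KB text describes; a script that skips the request step, or reuses an ID from an earlier session, lands in the "No matching request found" branch.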

storkinsj commented 1 year ago

The KB reminds me of many sort-of-foolish answers I've seen from the VMware security team. I know - I was on that team for a while.

No other administrative interface I use suffers from having to click through this extra red warning (and immediately being able to log in). It's sort of, "this is not secure"... then a single click gets you in?

Someone needs to learn about Cache-Control. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

The tech support article alludes to CSRF protection. However, the problem of the content from that page being old is easily handled in several ways.

1) All content can be expired immediately. This could unfortunately slow down the overall performance.
2) When the page auto-logs out, simply redirect back to a login page that expires cache and then refreshes.

The main thing is that this problem is solvable, but someone chose to have other problems solved. The priority on this one should be high. It is a constant reminder, every morning, that VMware is not taking its quality seriously.