jeffwils / grails-spring-security-saml

Grails Spring Security SAML2.0 Plugin for Grails 3

Endless authentication loop after log in, no errors being thrown. #75

Open RogelioCodes opened 1 year ago

RogelioCodes commented 1 year ago

Hello, I am having an issue with an endless authentication loop after logging in. We get redirected to the SAML login page provided by our provider, we even get a two-factor authentication push, and after the login it keeps looping us through that same login page. Does anyone have experience with this?

We do not get any errors. I am kind of stumped. Here is my application.yml

Grails Version: 4.0.3 | JVM Version: 1.8.0_292

```yaml
grails:
    plugin:
        springsecurity:
            userLookup:
                userDomainClassName: 'test.TestSamlUser'
                usernamePropertyName: 'username'
                enabledPropertyName: 'enabled'
                passwordPropertyName: 'password'
                authorityJoinClassName: 'test.TestUserRole'
            authority:
                className: 'test.testRole'
            #requestMap:
            #    className: 'test/TestRequestmap'
            #    urlField: 'urlPattern'
            #    configAttributeField: 'rolePattern'
            #securityConfigType: 'Requestmap'
            controllerAnnotations:
                staticRules: [
                    [pattern: '/',               access: ['permitAll']],
                    [pattern: '/error',          access: ['permitAll']],
                    [pattern: '/index',          access: ['permitAll']],
                    [pattern: '/index.gsp',      access: ['permitAll']],
                    [pattern: '/shutdown',       access: ['permitAll']],
                    [pattern: '/assets/**',      access: ['permitAll']],
                    [pattern: '/**/js/**',       access: ['permitAll']],
                    [pattern: '/**/css/**',      access: ['permitAll']],
                    [pattern: '/**/images/**',   access: ['permitAll']],
                    [pattern: '/**/favicon.ico', access: ['permitAll']]
                ]
            filterChain:
                chainMap: [
                    [pattern: '/assets/**',      filters: 'none'],
                    [pattern: '/**/js/**',       filters: 'none'],
                    [pattern: '/**/css/**',      filters: 'none'],
                    [pattern: '/**/images/**',   filters: 'none'],
                    [pattern: '/**/favicon.ico', filters: 'none'],
                    [pattern: '/**',             filters: 'JOINED_FILTERS']
                ]
            providerNames: ['samlAuthenticationProvider', 'daoAuthenticationProvider', 'anonymousAuthenticationProvider']
            saml:
                active: true
                afterLoginUrl: 'https://itdmportal01.itdm.az.mycompany.com:8443/saml_test_final/'
                afterLogoutUrl: '/'
                responseSkew: 300
                signatureAlgorithm: 'rsa-sha256'
                digestAlgorithm: 'sha256'
                userGroupAttribute: 'memberOf'
                autoCreate:
                    active: false # If you want the plugin to generate users in the DB as they are authenticated via SAML
                    key: 'id'
                    assignAuthorities: false # If you want the plugin to assign the authorities that come from the SAML message.
                metadata:
                    defaultIdp: 'http://signin.mycompany.com/hiddenurl'
                    url: '/saml/metadata'
                    providers:
                        itdmportal01: 'security/ITDMS-test-PROD_metadata.xml'
                    sp:
                        file: "security/sp_metadata.xml"
                        defaults:
                            local: true
                            entityId: 'https://itdmportal01.itdm.az.mycompany.com:8443/saml_test_final'
                            alias: 'itdmportal01'
                            securityProfile: 'pkix'
                            signingKey: 'itdmportal01'
                            encryptionKey: 'itdmportal01'
                            tlsKey: 'itdmportal01'
                            requireArtifactResolveSigned: true
                            requireLogoutRequestSigned: true
                            requireLogoutResponseSigned: true
                keyManager:
                    storeFile: "classpath:security/itdmportal01.jks"
                    storePass: 'password'
                    passwords:
                        itdmportal01: 'password'
                    defaultKey: 'itdmportal01'
```

valentingoebel commented 1 year ago

That looping usually means that the application is generating an exception during login, but the error page it redirects to is itself being blocked by your interceptUrlMap, so it tries to log in again, which results in the looping behavior.

Try enabling debug logging and you will see the error (and a lot of unrelated noise).

```xml
<!-- logback.xml: the Spring Security SAML extension, Spring Security's web
     authentication filters, and the Grails plugin itself -->
<logger name="org.springframework.security.saml" level="debug" additivity="false">
    <appender-ref ref="STDOUT"/>
</logger>

<logger name="org.springframework.security.web.authentication" level="debug" additivity="false">
    <appender-ref ref="STDOUT"/>
</logger>

<logger name="org.grails.plugin.springsecurity.saml" level="debug" additivity="false">
    <appender-ref ref="STDOUT"/>
</logger>
```

The same loggers in logback.groovy form, left commented out:

```groovy
//logger("org.opensaml", DEBUG, ['STDOUT'])
//logger("org.springframework.security.saml", DEBUG, ['STDOUT'])
//logger("org.grails.plugin.springsecurity.saml", DEBUG, ['STDOUT'])
//logger("grails.plugin.springsecurity", TRACE, ['STDOUT'])
```

You may need to enable the opensaml package too but I usually leave it out because opensaml errors are rare for me.
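For a Grails 4 project (the version reported in this issue), logging is configured in `grails-app/conf/logback.groovy`, which Grails reads at startup instead of a logback.xml. The following is an added example of that file wired up for diagnosing the loop described above; it is not part of this thread and not the plugin's own configuration. The appender name `STDOUT` follows the standard Grails project template and is assumed here.

```groovy
// grails-app/conf/logback.groovy: Grails 3/4 read this file, not logback.xml.
// Added example for this thread, not the plugin's shipped config.
// ConsoleAppender and PatternLayoutEncoder are auto-imported by the logback DSL.
import grails.util.Environment
import java.nio.charset.StandardCharsets

appender('STDOUT', ConsoleAppender) {
    encoder(PatternLayoutEncoder) {
        charset = StandardCharsets.UTF_8
        // Logger name is included so the noise can be filtered by package.
        pattern = '%d{yyyy-MM-dd HH:mm:ss,SSS} %5p %logger{40} - %m%n'
    }
}

// Quiet by default; the loggers below add detail only for specific packages.
root(ERROR, ['STDOUT'])

// Debug output of the SAML exchange can include the decoded assertion
// (NameID, attributes such as memberOf), so enable it only while diagnosing
// and only outside production.
if (Environment.isDevelopmentMode()) {
    // The last argument (false) is additivity: write only to STDOUT so a
    // line is not repeated by the root logger.

    // Spring Security SAML extension that the plugin wraps. The login-time
    // exception referred to above typically surfaces in this package.
    logger('org.springframework.security.saml', DEBUG, ['STDOUT'], false)

    // Spring Security's login success/failure handlers and redirect decisions.
    logger('org.springframework.security.web.authentication', DEBUG, ['STDOUT'], false)

    // The Grails plugin itself (user lookup, authority mapping, autoCreate).
    logger('org.grails.plugin.springsecurity.saml', DEBUG, ['STDOUT'], false)

    // Uncomment for XML signature or metadata problems; very chatty.
    // logger('org.opensaml', DEBUG, ['STDOUT'], false)

    // Uncomment to trace the plugin's URL-to-rule matching (staticRules, chainMap).
    // logger('grails.plugin.springsecurity', TRACE, ['STDOUT'], false)
}
```

With these loggers on, reproduce the login once and read the output between the `AuthNRequest;SUCCESS` line and the next redirect back to the identity provider: a stack trace in that window is the error the loop is hiding, and the `org.springframework.security.web.authentication` lines show which URL the failure handler tried to send the browser to, which can then be checked against `staticRules` and `chainMap`.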

RogelioCodes commented 1 year ago

Sorry if this is a stupid question but for the code you linked, where exactly would that go? It looks like markup language. @valentingoebel

RogelioCodes commented 1 year ago

@valentingoebel we do have some logging indicating that we are having success. Any ideas on what else could be causing an authentication loop?

```
2022-11-01 17:51:02,310 INFO org.springframework.security.saml.log.SAMLDefaultLogger - AuthNRequest;SUCCESS;HIDDEN_IP;HIDDEN_LINK;HIDDEN_SIGNIN_LINK;;;
```