mattermost / mattermost-docker

Deprecated
Apache License 2.0

Xmlsec #234

Open TechnicLab opened 6 years ago

TechnicLab commented 6 years ago

Looks like there is something wrong with xmlsec on Alpine, as there is no xmlsec command in the container and Mattermost fails to verify the signature after update.

pichouk commented 6 years ago

Do you have any logs? I just tried and it seems that there is an xmlsec1 command, like in the previous non-Alpine based image.

TechnicLab commented 6 years ago

An error occurred while validating the response from the Identity Provider. Please contact your System Administrator. [details: err=error verifing signature: exit status 1]

pichouk commented 6 years ago

Is that log message from the Docker container? This log won't help, I guess there are some more interesting messages in the Docker container log.

TechnicLab commented 6 years ago

Using existing config file /mattermost/config/config.json
Configure database connection...OK
Wait until database postgres:5432 is ready...
Starting platform

That's it. I forked this repo and reverted the Alpine commit; after that SAML is working again.

pichouk commented 6 years ago

Oh ok, not cool... @jasonblais I don't know who to ping, but I'll need help from a Mattermost developer, especially someone who knows how SAML works. Because the xmlsec package is present in the Docker image, log messages are not helpful, and I cannot find where it is in the Mattermost code (to understand what's wrong).

TechnicLab commented 6 years ago

Unfortunately, the SAML code is not open sourced. I think we are stuck with log messages till Mattermost developers can take a look at this.

jasonblais commented 6 years ago

@pichouk If you reach out to elias on pre-release.mattermost.com, he should be able to help. He's our SAML expert.

pichouk commented 6 years ago

I have no Enterprise edition so it's difficult for me to test. But maybe you can try using the xmlsec package instead of xmlsec-dev (just replace this line)?

TechnicLab commented 6 years ago

Already tried, no luck.

pichouk commented 6 years ago

On pre-release.mattermost.com @enahum seems to say that xmlsec is working but the verification is not working for another reason. He suggests trying to run xmlsec manually from inside the container to see what's going on.

LordVeovis commented 6 years ago

I've just tested the :latest alpine version this morning. Current version is 4.6.0 (4.6.1/Tue Jan 30 22:08:22 UTC 2018/cc82749d4f8c47bce201123aedcd8c564ceffcb8/721817a2503c55d24da15aebb0181ec794012058)

Unfortunately, I have no problem logging in through SAML with the following conf:

Looking in ~/mattermost/logs/mattermost.log inside the container was helpful when I configured SAML. With the following settings on the system console:

TechnicLab commented 6 years ago

Well, I will try to switch my container to the Alpine version again.

TechnicLab commented 6 years ago

Still no luck. Getting a verification error with the same settings as LordVeovis's.

LordVeovis commented 6 years ago

@TechnicLab Were the logs more verbose?

TechnicLab commented 6 years ago

I manually disabled signature verification and now there is a help page of xmlsec1 in error. Just to make sure: do you have "-----BEGIN CERTIFICATE-----" in your idp.pem?
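The manual check suggested in the thread (confirm that idp.pem is a PEM certificate, then run xmlsec1 by hand inside the container), as an added example that is not part of the thread or of Mattermost's code. The file paths are placeholders, and the `--id-attr` lines assume the IdP signs the SAML Response or Assertion element; the arguments Mattermost itself passes to xmlsec1 are not shown on this page.

```shell
#!/bin/sh
# Added diagnostic sketch. Usage (paths are placeholders):
#   sh samlcheck.sh /path/to/idp.pem /path/to/saved-response.xml

# Structural check only: PEM certificate markers around a base64 body.
# Returns 0 if well-formed, 1 if malformed, 2 if unreadable.
check_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "cannot read: $pem" >&2; return 2; }
    # Ignore CRs and blank lines so line endings do not affect the comparison.
    body=$(tr -d '\r' < "$pem" | sed '/^[[:space:]]*$/d')
    first=$(printf '%s\n' "$body" | sed -n '1p')
    last=$(printf '%s\n' "$body" | sed -n '$p')
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] || { echo "bad header: $first" >&2; return 1; }
    [ "$last" = "-----END CERTIFICATE-----" ] || { echo "bad footer: $last" >&2; return 1; }
    inner=$(printf '%s\n' "$body" | sed '1d;$d')
    [ -n "$inner" ] || { echo "empty certificate body" >&2; return 1; }
    if printf '%s\n' "$inner" | grep -qv '^[A-Za-z0-9+/=]*$'; then
        echo "non-base64 data between the markers" >&2
        return 1
    fi
    return 0
}

# Run xmlsec1 directly so its own stderr and exit status are visible,
# instead of the wrapped "exit status 1" seen in the application error.
# Returns 127 if xmlsec1 is missing, 3 if the certificate file is malformed,
# otherwise the exit status of xmlsec1 itself (0 means the signature verified).
verify_response() {
    cert="$1"; xml="$2"
    command -v xmlsec1 >/dev/null 2>&1 || { echo "xmlsec1 not on PATH" >&2; return 127; }
    xmlsec1 --version >&2          # record which build the image ships
    check_pem "$cert" || return 3
    # --id-attr marks the ID attribute so Reference URI="#..." can be resolved.
    xmlsec1 --verify --pubkey-cert-pem "$cert" \
        --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response \
        --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion \
        "$xml"
    rc=$?
    echo "xmlsec1 exit status: $rc" >&2
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    verify_response "$1" "$2"
fi
```

The response XML has to be a decoded copy of what the IdP posted, saved with encryption disabled on the IdP side so the signed element is readable.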

LordVeovis commented 6 years ago

Hi @TechnicLab

I confirm that both my certificates (the identity provider public cert and the service provider public cert for encryption) begin with the "-----BEGIN CERTIFICATE-----" header.

Out of curiosity, what is your identity provider? Mine is ADFS. I've also enabled encryption but had to disable it to analyze the XML returned by my identity provider when I configured Mattermost.

pichouk commented 6 years ago

Did you find the problem @TechnicLab? :)

TechnicLab commented 6 years ago

Still using a custom fork.