Closed. Hdom closed this 4 months ago.
Hi! I really need some logs to troubleshoot the issue. Please refer to https://github.com/morincer/teamcity-plugin-saml?tab=readme-ov-file#troubleshooting
I enabled the debug-auth-saml logging preset and there are no logs generated in teamcity-auth.log. I assume this means that it's being blocked somewhere before auth.
I enabled debug-all and the only logs in teamcity-server.log are:
[2024-03-06 10:02:31,605] DEBUG - ver.web.ResponseFragmentFilter - Request started: 336bfd89/25b0169b GET https://server.url/app/saml/login/
[2024-03-06 10:02:31,606] WARN - jetbrains.buildServer.SERVER - Replying with 403 status for the unauthorized request: GET '/app/saml/login/', from client 10.38.212.2 (127.0.0.1:45334), no auth
[2024-03-06 10:02:31,606] DEBUG - ver.web.ResponseFragmentFilter - Request finished: 336bfd89/25b0169b
Are there any other relevant log files?
Here is a screenshot of the SAML Settings configuration:
Here is the SP metadata:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-03-08T15:09:35Z" cacheDuration="PT604800S" entityID="/app/saml/callback/" ID="ONELOGIN_GUID">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://server.url/app/saml/callback/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
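An added example, not code from this thread or from the plugin: a small parser for the two teamcity-server.log line shapes quoted above, which pairs each "Replying with 403 ... no auth" warning for a SAML endpoint with the preceding "Request started" line for the same path, so that requests rejected before any auth module ran can be separated from ordinary post-auth denials. The sample lines are constructed from the ones in the comment plus one unrelated request; the regexes assume the real log may pad the level and logger separators with extra spaces.

```python
import re
from urllib.parse import urlparse

# Shapes of the two teamcity-server.log lines quoted in this thread. Assumption:
# the level/logger separators may be padded with extra spaces in a real log.
START_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+DEBUG\s+-\s+\S*ResponseFragmentFilter\s+-\s+"
    r"Request started: (?P<rid>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)
DENIED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+WARN\s+-\s+jetbrains\.buildServer\.SERVER\s+-\s+"
    r"Replying with (?P<status>\d{3}) status for the unauthorized request: "
    r"(?P<method>[A-Z]+) '(?P<path>[^']+)', from client (?P<client>\S+) "
    r"\((?P<proxy>[^)]+)\), (?P<reason>.+)$"
)


def pre_auth_rejections(lines, path_prefix="/app/saml/"):
    """Return requests under path_prefix that TeamCity rejected before any
    auth module ran (reason 'no auth'), each paired with the request id from
    the preceding 'Request started' line for the same path, if present."""
    last_started = {}  # path -> (request id, full url) of the newest request
    findings = []
    for line in lines:
        m = START_RE.match(line)
        if m:
            last_started[urlparse(m["url"]).path] = (m["rid"], m["url"])
            continue
        m = DENIED_RE.match(line)
        if not m or not m["path"].startswith(path_prefix):
            continue
        if m["reason"].strip() != "no auth":
            continue  # denied after auth ran: a different problem
        rid, url = last_started.get(m["path"], (None, m["path"]))
        findings.append({
            "request_id": rid, "time": m["ts"], "status": int(m["status"]),
            "url": url, "client": m["client"], "reason": "no auth",
        })
    return findings


# Constructed sample: the lines from the thread plus one unrelated request.
SAMPLE_LINES = [
    "[2024-03-06 10:02:31,605] DEBUG - ver.web.ResponseFragmentFilter - Request started: 336bfd89/25b0169b GET https://server.url/app/saml/login/",
    "[2024-03-06 10:02:31,606] WARN - jetbrains.buildServer.SERVER - Replying with 403 status for the unauthorized request: GET '/app/saml/login/', from client 10.38.212.2 (127.0.0.1:45334), no auth",
    "[2024-03-06 10:02:31,606] DEBUG - ver.web.ResponseFragmentFilter - Request finished: 336bfd89/25b0169b",
    "[2024-03-06 10:02:40,001] DEBUG - ver.web.ResponseFragmentFilter - Request started: 0a1b2c3d/4e5f6a7b GET https://server.url/login.html",
]

if __name__ == "__main__":
    for finding in pre_auth_rejections(SAMPLE_LINES):
        print(finding)
```

Feeding a real teamcity-server.log through `pre_auth_rejections(open(path).read().splitlines())` lists only the SAML requests that never reached an auth module, which is the symptom this thread describes.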
@morincer We received a response on the issue tracker, looks like it was a problem with our version of Teamcity, after applying a patch from 2022.04 to 2022.04.5 the access denied error went away. I will close this issue.
Applied "Fix CVE-2024-23917, CVE-2024-27198, CVE-2024-27199" to server on "2022.04 (build 108502)" and started receiving an "Access denied" error when attempting to authenticate with the SAML Authentication plugin.
Is there any way to configure teamcity to allow the URL /app/saml/login without auth?
CVE Plugin: Fix CVE-2024-23917, CVE-2024-27198, CVE-2024-27199 (version 1.2)
Server Version: 2022.04 (build 108502)
SAML Authentication Plugin Version: 1.4.2-SNAPSHOT
Error: [2024-03-05 17:12:36,265] WARN - jetbrains.buildServer.SERVER - Replying with 403 status for the unauthorized request: GET '/app/saml/login/', from client 10.38.212.2 (127.0.0.1:39610), no auth
I also submitted this as a support item on jetbrains' issue tracker https://youtrack.jetbrains.com/issue/TW-86717/403-Access-denied-after-applying-latest-CVE-fixes-and-using-SAML-Authentication