morincer / teamcity-plugin-saml

The plug-in adds ability to authenticate users by SAML-based SSO providers (like Okta, Onelogin etc.)
MIT License

New CSRF token in TeamCity 2020.1 (update docs) #39

Closed supergibbs closed 4 years ago

supergibbs commented 4 years ago

Updating to latest TeamCity broke my SAML login because a CSRF token was added. Fix for Okta was pretty simple. Visit https://<teamcity host>/authenticationTest.html?csrf and add value as an attribute statement:


morincer commented 4 years ago

Got it, thanks for reporting - I will test on 2020.1 and update docs with necessary info OR probably update the plugin implementation.

supergibbs commented 4 years ago

Great, yeah, later I was having issues again so I just disabled it with teamcity.csrf.paranoid=false. Okta can't send headers and the attribute statements stopped working. Maybe a code change can fix?

morincer commented 4 years ago

Will check it and get back with results :)

morincer commented 4 years ago

The documentation is updated with a possible workaround. At the moment I don't see a quick and elegant way to fix the original issue and need to do some experiments - created #45 to track this activity.

morincer commented 4 years ago

@supergibbs, sorry for re-opening the issue but I've got some questions. Which TeamCity version do you use, which SSO provider and what exactly was broken in your installation? I did some testing with 2020.1.2 and observed that the broken part was the admin UI - fixing it now as part of #45. But I didn't see the CSRF token check applied for the login procedure itself.

In fact, observing the CsrfTokenCheck code I can see that it begins with

if (session != null && ACTION_METHODS.contains(request.getMethod())) { }

Meaning the check is not enabled in case of the non-logged in user. But even for the logged in user I didn't see the issue.

If you still see the issue, are you able to send me a dump of the POST request sent to TeamCity?

supergibbs commented 4 years ago

TeamCity Professional 2020.1.2, Okta and I just updated to the v1.2 SAML plugin. I get this:

403 Forbidden: Responding with 403 status code due to failed CSRF check: authenticated POST request is made, but neither tc-csrf-token parameter nor X-TC-CSRF-Token header are provided.. For a temporary workaround, you can set internal property teamcity.csrf.paranoid=false  and provide valid Origin=https://teamcity.alg.corp.tc header with your request

I have rest.cors.origins=https://company.okta.com set but not the teamcity.csrf.paranoid=false internal property.

morincer commented 4 years ago

Hi @supergibbs , thanks for your help. Now I think I found the solution for the problem - I added CORS filter exception for SAML login endpoint.

If the filter exception is enabled (by default), a SAML assertion response sent to the callback URL is considered CORS-safe. The update (1.2.1) has already been pushed and you may give it a try (you'll need to restart the server to make it work).

If for some reason you don't need this behavior, it can be turned off in the plugin configuration page (Misc -> SAML Callback CORS Filter Exception checkbox). A side effect of this exception is that you don't have to whitelist the IdP in CORS origins anymore (if you are only whitelisting it for SAML, of course).
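The decision logic discussed in this thread (the session-plus-action-method gate quoted from CsrfTokenCheck, the tc-csrf-token / X-TC-CSRF-Token check, the teamcity.csrf.paranoid=false Origin workaround named in the 403 message, and the 1.2.1 callback exemption) can be replayed offline with the following model. This is an added example written for this page, not code from TeamCity or from the plugin: the contents of ACTION_METHODS, the callback path, the host names and the session token are constructed assumptions, and the interaction with rest.cors.origins is not stated on the page and is not modelled.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: the page does not list TeamCity's ACTION_METHODS; these are the
# state-changing verbs a CSRF check would normally cover.
ACTION_METHODS = {"POST", "PUT", "DELETE", "PATCH"}

# Hypothetical path for the plugin's SAML assertion consumer endpoint.
SAML_CALLBACK_PATH = "/app/saml/callback"


@dataclass
class Request:
    method: str
    path: str
    has_session: bool                         # "session != null" in the quoted gate
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


@dataclass
class Config:
    server_url: str                           # used to validate the Origin header
    csrf_paranoid: bool = True                # teamcity.csrf.paranoid
    saml_callback_exception: bool = True      # plugin's "SAML Callback CORS Filter Exception"
    session_token: str = "constructed-token"  # constructed token bound to the user's session


def same_origin(origin, server_url):
    """Compare scheme and host:port of two URLs, case-insensitively."""
    a, b = urlparse(origin), urlparse(server_url)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def csrf_check(req, cfg):
    """Return (allowed, reason) for one request, following the thread's description."""
    # Gate quoted from CsrfTokenCheck: only a logged-in session using an action
    # method is checked at all, so an anonymous login POST is never blocked.
    if not req.has_session or req.method.upper() not in ACTION_METHODS:
        return True, "not checked: no session or non-action method"
    # Plugin fix from 1.2.1: the IdP's POST to the callback is treated as CORS-safe.
    if cfg.saml_callback_exception and req.path == SAML_CALLBACK_PATH:
        return True, "SAML callback exempted by the plugin"
    token = req.params.get("tc-csrf-token") or req.header("X-TC-CSRF-Token")
    if token is not None:
        if token == cfg.session_token:
            return True, "valid CSRF token"
        return False, "CSRF token does not match the session"
    # Workaround named in the 403 message: paranoid mode off plus a valid Origin.
    if not cfg.csrf_paranoid:
        origin = req.header("Origin")
        if origin and same_origin(origin, cfg.server_url):
            return True, "paranoid mode off and Origin matches the server"
    return False, "neither tc-csrf-token parameter nor X-TC-CSRF-Token header provided"


def replay_thread():
    """Replay the outcomes reported in the issue; returns scenario -> allowed."""
    server = "https://teamcity.example"  # constructed placeholder host
    # Constructed stand-in for the IdP's assertion POST reaching the callback while
    # the browser already holds a TeamCity session (the situation behind the 403).
    idp_post = Request("POST", SAML_CALLBACK_PATH, has_session=True,
                       params={"SAMLResponse": "<constructed base64 assertion>"},
                       headers={"Origin": "https://company.okta.com"})
    # Constructed admin-UI action carrying the header a browser client would add.
    def ui_post(token):
        return Request("POST", "/app/constructed/action", has_session=True,
                       headers={"X-TC-CSRF-Token": token})
    before_fix = Config(server, saml_callback_exception=False)
    workaround = Config(server, csrf_paranoid=False, saml_callback_exception=False)
    return {
        "403 before fix": csrf_check(idp_post, before_fix)[0],
        "paranoid off, server origin": csrf_check(
            Request("POST", SAML_CALLBACK_PATH, True, {}, {"Origin": server}), workaround)[0],
        "1.2.1 exemption": csrf_check(idp_post, Config(server))[0],
        "ui with token": csrf_check(ui_post("constructed-token"), Config(server))[0],
        "ui wrong token": csrf_check(ui_post("wrong-token"), Config(server))[0],
        "anonymous post": csrf_check(Request("POST", "/login.html", False), Config(server))[0],
    }


if __name__ == "__main__":
    for name, allowed in replay_thread().items():
        print(f"{name:30s} -> {'allowed' if allowed else 'blocked'}")
```

The replay makes the trade-off visible: the callback exemption lets the IdP's cross-origin POST through only for that one path, whereas teamcity.csrf.paranoid=false weakens the check for every authenticated action on the server, which is why the exemption is the preferable fix.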

supergibbs commented 3 years ago

Sorry for the delay but I can confirm latest version (v1.3-20200814122806) is working now without the need to disable CSRF or add Okta to CORS. Thanks!!