morincer / teamcity-plugin-saml

The plug-in adds ability to authenticate users by SAML-based SSO providers (like Okta, Onelogin etc.)
MIT License

Log out and immediate log in fails when using Okta #60

Closed joe-hutchinson-cko closed 3 years ago

joe-hutchinson-cko commented 3 years ago

Receiving the following error when trying to log in after logging out.

[image: screenshot of the error]

I'm using TeamCity 2020.1.5 with Okta.

Steps to reproduce:

  1. Log in using SSO, either via Okta or by the SSO button on the TeamCity login page
  2. Log out
  3. Log in using SSO, either via Okta or by the SSO button on the TeamCity login page
  4. Login fails and you should see the error above
  5. Wait for a few minutes
  6. Log in using SSO, either via Okta or by the SSO button on the TeamCity login page
  7. Login succeeds

It's strange that the issue appears to resolve itself after a period of time. Have you run into this issue before? So far I've tried setting teamcity.csrf.paranoid=false, but it didn't seem to make any difference.

morincer commented 3 years ago

Hi Joe,

Are you able to collect logs as specified at https://github.com/morincer/teamcity-plugin-saml#additional-logging and attach them here?

joe-hutchinson-cko commented 3 years ago

Hey, sure thing. This log shows the failed SSO request: teamcity-auth.log

joe-hutchinson-cko commented 3 years ago

@morincer any ideas what could be causing this behavior?

morincer commented 3 years ago

Checking. Very strange behavior; probably something is going wrong with session invalidation.


morincer commented 3 years ago

Hi Joe, I was testing with different versions of TeamCity (and the Okta provider) and I didn't spot any issues. Do you have something in the middle, like a proxy or load balancer, which might cache requests? If not, would you please collect a log of the full sequence (log in, log out, log in again)?

joe-hutchinson-cko commented 3 years ago

Hey, yes, I have an AWS ALB in front of this service. Could that be caching requests?

joe-hutchinson-cko commented 3 years ago

Found the issue: step 5 says to use the value returned in the 403 message, which for me is the address of the TeamCity server; however, it should be the address of Okta. Once set, I can repeatedly log in and out without issue. Thank you for your help diagnosing this problem.

Here's my config:

```
teamcity.csrf.paranoid=false
rest.cors.origins=https://joe.okta.com
```
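The misconfiguration found above (listing the TeamCity address instead of the Okta address in rest.cors.origins) can be illustrated with a simplified model of a POST origin allow-list check. This is an added example, not the plugin's or TeamCity's code; the TeamCity URL is a placeholder, and the Okta origin is the one from the config above.

```python
"""Simplified model of a CSRF origin allow-list check for POST requests.

Added illustration only, not TeamCity's or the plugin's implementation.
The point it shows: the SAML response is POSTed to TeamCity by the browser
*from the IdP page*, so the Origin header carries the Okta origin, and
that is the origin rest.cors.origins must list. Listing the server's own
address adds nothing, because same-origin POSTs are already accepted.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Placeholder server URL (constructed); Okta origin taken from the thread.
TEAMCITY_URL = "https://teamcity.example.internal"
OKTA_ORIGIN = "https://joe.okta.com"


def normalize_origin(url: str) -> str:
    """Reduce a URL or origin to scheme://host:port, filling default ports."""
    parts = urlsplit(url.strip())
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"not an absolute http(s) origin: {url!r}")
    return f"{scheme}://{host}:{port}"


def parse_cors_origins(value: str) -> set[str]:
    """Parse a comma-separated rest.cors.origins value into normalized origins."""
    return {normalize_origin(o) for o in value.split(",") if o.strip()}


def post_allowed(headers: dict[str, str], server_url: str, cors_origins: str) -> bool:
    """True when the POST's source origin is the server itself or allow-listed.

    Origin is preferred, Referer is the fallback, and a request with neither
    (or with an unparsable value such as "null") is rejected.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    try:
        src = normalize_origin(source)
    except ValueError:
        return False
    return src in parse_cors_origins(cors_origins) | {normalize_origin(server_url)}


if __name__ == "__main__":
    saml_post = {"Origin": OKTA_ORIGIN}  # constructed: browser POST from Okta
    print("misconfigured:", post_allowed(saml_post, TEAMCITY_URL, TEAMCITY_URL))
    print("corrected:    ", post_allowed(saml_post, TEAMCITY_URL, OKTA_ORIGIN))
```

With the TeamCity address in the allow-list the SAML POST from Okta is refused (the 403 from the thread); with the Okta origin it passes, while POSTs from any other site are still refused.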

morincer commented 3 years ago

It might be an issue with load balancer - but anyway, glad you have it sorted :)