search

ubuntu / aad-auth

Azure AD authentication module for Ubuntu
GNU Lesser General Public License v3.0
141 stars 22 forks source link

Issue: SAML Version mismatch on Entra ID Federated Users #443

Open sgregorioTC opened 9 months ago

sgregorioTC commented 9 months ago

Is there an existing issue for this?

Describe the issue

Users that are sourced from a third-party IDP (in this case Okta) are not able to use AAD-Auth to login to the Ubunutu desktop environment. On the login page it says "Sorry. Password Authentication didn't work", in the Entra ID app there is no record of a login attempt, but in Okta it shows a successful login.

A cloud-only user is able to authenticate successfully using the same exact config file.

Steps to reproduce it

Ubuntu users: System information and logs

libpam_report.txt libnss_report.txt

Non Ubuntu users: System information and logs

Log files ### Here is a failed auth for a federated user and a successful auth for a cloud-only account

Jan 24 13:12:23 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): aad auth debug enabled Jan 24 13:12:23 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): PAM AAD DEBUG enabled Jan 24 13:12:23 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): Loading configuration from /etc/aad.conf Jan 24 13:12:23 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): Connecting to "https://login.microsoftonline.com/TENANT_ID", with clientID "CLIENT_ID" for user "USER@DOMAIN.com" Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): acquiring token failed: problem getting SAML token info: couldn't parse SAML assertion, version unknown: "" Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): Cache initialization Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): Opening cache in /var/lib/aad/cache Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): check file permissions on /var/lib/aad/cache/shadow.db Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): check file permissions on /var/lib/aad/cache/passwd.db Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): Shadow db mode: 2 Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): Cleaning up db. Removing entries that last authenticated online more than 180 days ago Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): try to authenticate "USER@DOMAIN.com" from cache Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): getting user information from cache for "USER@DOMAIN.com" Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): authenticating user "USER@DOMAIN.com" from cache failed: error when getting user "USER@DOMAIN.com" from cache: no entries. Denying access. Jan 24 13:12:25 LinuxTestMachine gdm-password][2664]: pam_aad(gdm-password:auth): Close database request

Application settings

Please redact/remove sensitive information: Config file is default, only the tenant id and app id were placed in. homedir set to /home/%u

Relevant information

No response

Double check your logs

zacharyfleck commented 7 months ago

Same issue here - Also federated with Okta. I'm trying to see if I can capture the SAML response to make sense of it, but no luck so far.

EDIT: I enabled public client flows for a second and got a mildly different error: acquiring token failed: problem getting SAML token info: unknown WS-Trust version. Doesn't really help solve anything but worth noting I suppose.