SAML login error v 0.66.0 #11279
Description:
After pressing the login button to login with SAML I get the following error (personal info changed):
rocketchat_1 | RESULT :{"profile":{"inResponseToId":{"name":"InResponseTo","value":"id-zxQqTspXesiZZN3ss","prefix":"","local":"InResponseTo","uri":""},"issuer":"https://sso.domain.com/simplesaml/saml2/idp/metadata.php","nameID":"_5a7f2da50d48a53fbc9887f73a92b223d022a4a652","nameIDFormat":{"name":"Format","value":"urn:oasis:names:tc:SAML:2.0:nameid-format:transient","prefix":"","local":"Format","uri":""},"sessionIndex":{"name":"SessionIndex","value":"_f136784399ecc621ace66752e2fb9909f214d50c0e","prefix":"","local":"SessionIndex","uri":""},"memberOf":"cn=company,ou=company,dc=domain,dc=com","entryDN":"cn=username,ou=people,dc=domain,dc=com","groups":"anothergroup","urn:oid:2-5-4-3":"username","urn:oid:2-5-4-4":"name","urn:oid:2-16-840-1-113730-3-1-241":"My name","urn:oid:2-5-4-42":"My","urn:oid:0-9-2342-19200300-100-1-3":"[email protected]","urn:oid:0-9-2342-19200300-100-1-1":"username"}}
rocketchat_1 | Exception while invoking method 'login' Error: SAML Profile did not contain an email address
Steps to reproduce:
- Setup rocket.chat for saml login
- Click on the blue button to login
- observe error: internal server error
Expected behavior:
Rocket.Chat not crashing on SAML
Actual behavior:
Rocket.Chat not able to login via SAML
Server Setup Information:
- Version of Rocket.Chat Server: 0.66.0
- Operating System: Linux
- Deployment Method: docker
- Number of Running Instances:
- DB Replicaset Oplog:
- NodeJS Version:
- MongoDB Version:
rocketchat_1 | ➔ +-------------------------------------------------+
rocketchat_1 | ➔ | SERVER RUNNING |
rocketchat_1 | ➔ +-------------------------------------------------+
rocketchat_1 | ➔ | |
rocketchat_1 | ➔ | Rocket.Chat Version: 0.66.0 |
rocketchat_1 | ➔ | NodeJS Version: 8.9.3 - x64 |
rocketchat_1 | ➔ | Platform: linux |
rocketchat_1 | ➔ | Process Port: 3000 |
rocketchat_1 | ➔ | Site URL: https://chat.domain.com |
rocketchat_1 | ➔ | ReplicaSet OpLog: Enabled |
rocketchat_1 | ➔ | Commit Hash: 5aa08cb |
rocketchat_1 | ➔ | Commit Branch: HEAD |
rocketchat_1 | ➔ | |
Additional context
Isn't it time to make SAML test cases? It seems like another Rocket.Chat release, another SAML bug ...
If I had to guess, this commit to fix the previous bug: #10931 made it so that the URN for email from oid:0.9.2342.19200300.100.1.3 gets changed to oid:0-9-2342-19200300-100-1-3, which causes rocket.chat not to find the email address in my SAML anymore.
More configuration
SimpleSAML - saml20-sp-remote.php
$metadata['https://{{ simplesaml_rocketchat_domain}}/_saml/metadata/rocketchat'] = array (
    'entityid' => 'https://{{ simplesaml_rocketchat_domain}}/_saml/metadata/rocketchat',
    'contacts' =>
    array (
    ),
    'metadata-set' => 'saml20-sp-remote',
    'AssertionConsumerService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://{{ simplesaml_rocketchat_domain}}/_saml/validate/rocketchat',
            'index' => 1,
            'isDefault' => true,
        ),
    ),
    'SingleLogoutService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://{{ simplesaml_rocketchat_domain}}/_saml/logout/rocketchat/',
            'ResponseLocation' => 'https://{{ simplesaml_rocketchat_domain}}/_saml/logout/rocketchat/',
        ),
    ),
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    'keys' =>
    array (
        0 =>
        array (
            'encryption' => true,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => '[removed]',
        ),
    ),
);
SimpleSAML - saml20-idp-hosted.php
<?php
$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname for this IdP. This makes it possible to run multiple
     * IdPs from the same configuration. '__DEFAULT__' means that this one
     * should be used by default.
     */
    'host' => '__DEFAULT__',
    /*
     * The private key and certificate to use when signing responses.
     * These are stored in the cert-directory.
     */
    'privatekey' => 'domain.com.pem',
    'certificate' => 'comain.com.crt',
    /*
     * The authentication source which should be used to authenticate the
     * user. This must match one of the entries in config/authsources.php.
     */
    'auth' => 'ldap',
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    'authproc' => array(
        50 => array(
            'class' => 'ldap:AttributeAddUsersGroups',
            'ldap.basedn' => 'dc=domain,dc=com',
            'ldap.product' => 'OpenLDAP',
            'authsource' => 'ldap',
            'attribute.dn' => 'entryDN',
            'attribute.username' => 'entryDN',
            'attribute.member' => 'cn',
            'attribute.memberof' => 'uniqueMember',
            'ldap.username' => '{{ simplesaml_ldap_serviceaccount }}',
            'ldap.password' => '{{ simplesaml_ldap_servicepassword }}',
        ),
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'), # <-- This line changes SAML key ``mail`` to ``oid:0.9.2342.19200300.100.1.3``. Removing this line fixes rocket.chat (but breaks other SAML configured services for my company)
    ),
);
--
I hope the above may help in setting up SAML test cases for Rocket.Chat
Relevant logs:
See above
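The reporter's guess is that the dots in `urn:oid:` attribute names were rewritten as hyphens, so the lookup for `urn:oid:0.9.2342.19200300.100.1.3` (the LDAP `mail` attribute emitted by SimpleSAMLphp's `name2oid` map) no longer finds the key `urn:oid:0-9-2342-19200300-100-1-3` seen in the logged profile. The following is an added example written for this page, not code from the issue or from Rocket.Chat, showing an e-mail lookup that canonicalises both spellings before matching. The candidate attribute names, the `findEmailInProfile` and `canonicalAttributeName` helpers and the sample profile are all assumptions constructed here; the sample mirrors the shape of the RESULT line above with made-up values.

```javascript
// Added example, not code from the issue or from Rocket.Chat: find the
// e-mail attribute in a SAML profile whose urn:oid attribute names may have
// had their dots rewritten as hyphens (the mangling the reporter suspects).

// Constructed sample profile modelled on the RESULT line in the issue;
// keys follow the hyphenated form seen there, the values are made up.
const sampleProfile = {
  issuer: 'https://sso.example.com/simplesaml/saml2/idp/metadata.php',
  nameID: '_constructed_transient_name_id',
  'urn:oid:2-5-4-3': 'jdoe',
  'urn:oid:0-9-2342-19200300-100-1-3': 'jdoe@example.com',
  'urn:oid:0-9-2342-19200300-100-1-1': 'jdoe',
};

// Attribute names that commonly carry an e-mail address (assumed list).
// 0.9.2342.19200300.100.1.3 is the OID of the LDAP "mail" attribute, which is
// what the name2oid map produces; the plain names cover IdPs that send
// attributes in the basic name format instead of the URI format.
const EMAIL_ATTRIBUTE_NAMES = [
  'email',
  'mail',
  'urn:oid:0.9.2342.19200300.100.1.3',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
];

// Canonical form of an attribute name: lower-case, and for urn:oid:* names
// treat '-' as '.', so a key mangled to urn:oid:0-9-2342-... still matches
// the dotted spelling in the candidate list.
function canonicalAttributeName(name) {
  if (typeof name !== 'string') return '';
  const lower = name.toLowerCase();
  const prefix = 'urn:oid:';
  if (lower.startsWith(prefix)) {
    return prefix + lower.slice(prefix.length).replace(/-/g, '.');
  }
  return lower;
}

// Return the first plausible e-mail value stored under any candidate name, or
// null when the profile carries none. SAML attributes may be multi-valued, so
// a value may be a string or an array of strings. The profile is assumed to
// come from an assertion whose signature was already verified upstream; this
// function only decides which attribute to read, it does not authenticate.
function findEmailInProfile(profile, candidateNames = EMAIL_ATTRIBUTE_NAMES) {
  if (!profile || typeof profile !== 'object') return null;
  const wanted = new Set(candidateNames.map(canonicalAttributeName));
  for (const [key, value] of Object.entries(profile)) {
    if (!wanted.has(canonicalAttributeName(key))) continue;
    const values = Array.isArray(value) ? value : [value];
    for (const v of values) {
      // Minimal shape check: non-empty local part, exactly one '@', non-empty domain.
      if (typeof v === 'string' && /^[^@\s]+@[^@\s]+$/.test(v)) return v;
    }
  }
  return null;
}

console.log(findEmailInProfile(sampleProfile)); // jdoe@example.com
```

Returning `null` rather than throwing leaves it to the caller to produce the "SAML Profile did not contain an email address" style of error, and logging the profile's attribute names at that point makes a mismatch like the one in this report visible without guessing.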