
Idp initiated SAML Logout - Cannot read property 'childNodes' of undefined #17439

@linscombe

Description:

I have Rocket.Chat configured with an IdP successfully logging users in. However, when initiating a logout sequence from the IdP, Rocket.Chat throws an error that isn't clear and ultimately does not sign out the user. This error only appears during a SAML SLO initiated from the IdP and not when logging out from Rocket.Chat directly.

I have read several other SAML SLO issues that do not match the problem I am seeing here (TypeError: Cannot read property 'childNodes' of undefined).

Steps to reproduce:

  1. Login to Rocket.Chat via SAML
  2. Initiate logout from the IdP instead of Rocket.Chat

Expected behavior:

User is logged out of Rocket.Chat when the IdP initiates SLO

Actual behavior:

User is not logged out. Error thrown in Rocket.Chat. Nginx reverse proxy hits timeout and eventually sends gateway timeout error to browser.


Server Setup Information:

  • Version of Rocket.Chat Server: 3.1.0
  • Operating System: Docker
  • Deployment Method: Docker Compose
  • Number of Running Instances: 1
  • DB Replicaset Oplog: Engine
  • NodeJS Version: v12.16.1
  • MongoDB Version: 4.0.17

Client Setup Information

  • Desktop App or Browser Version: Google Chrome Version 81.0.4044.122 (Official Build) (64-bit)
  • Operating System: macOS Mojave 10.14.6 (18G4032)

Additional context

Rocket.Chat is running behind nginx reverse proxy and times out with no response

Relevant logs:

server logs

{ actionName: 'logout', serviceName: 'rocket', credentialToken: '' }
[
  {
    provider: 'rocket',
    entryPoint: 'https://idp.example.com/idhub/saml2/sso',
    idpSLORedirectURL: 'https://idp.example.com/idhub/saml2/slo',
    issuer: 'https://chat.example.com/_saml/metadata/rocket',
    cert: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
      'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
    privateCert: false,
    privateKey: false,
    customAuthnContext: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
    authnContextComparison: 'exact',
    defaultUserRole: 'user',
    roleAttributeName: '',
    roleAttributeSync: false,
    allowedClockDrift: 0,
    callbackUrl: 'https://chat.example.com/_saml/validate/rocket',
    id: 'id-tWQMmZfHxuG6v6rs9',
    protocol: 'https://',
    path: '/saml/consume',
    identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    authnContext: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
  }
]
rocket
TypeError: Cannot read property 'childNodes' of undefined
    at InflateRaw.cb (app/meteor-accounts-saml/server/saml_utils.js:384:35)
    at InflateRaw.zlibBufferOnEnd (zlib.js:149:10)
    at InflateRaw.emit (events.js:323:22)
    at InflateRaw.EventEmitter.emit (domain.js:482:12)
    at endReadableNT (_stream_readable.js:1204:12)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)
Exception in callback of async function: errorClass [Error]: [Unable to Validate Logout Request]
    at app/meteor-accounts-saml/server/saml_server.js:572:14
    at InflateRaw.cb (app/meteor-accounts-saml/server/saml_utils.js:394:11)
    at InflateRaw.zlibBufferOnEnd (zlib.js:149:10)
    at InflateRaw.emit (events.js:323:22)
    at InflateRaw.EventEmitter.emit (domain.js:482:12)
    at endReadableNT (_stream_readable.js:1204:12)
    at processTicksAndRejections (internal/process/task_queues.js:84:21) {
  isClientSafe: true,
  error: 'Unable to Validate Logout Request',
  reason: undefined,
  details: undefined,
  message: '[Unable to Validate Logout Request]',
  errorType: 'Meteor.Error'
}

During logout initiated from the IdP, the browser sends the following SLO to the Rocket.Chat server at /_saml/logout/rocket/?SAMLRequest=[encoded SAML response] when the IdP initiates a sign out. (Whitespace added to the XML for readability; normally there is no whitespace.)

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest Destination="https://chat.example.com/_saml/logout/rocket/" ID="IDHUB_1c328e3d-d0c8-47f3-8714-cae5239866de" IssueInstant="2020-04-27T09:23:50.784Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        https://idp.example.com/idhub/saml2
    </saml2:Issuer>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        [email protected]
    </saml2:NameID>
    <saml2p:SessionIndex>
        5414f253-6e0a-4db3-8075-3a2f2b1d6e8f
    </saml2p:SessionIndex>
</saml2p:LogoutRequest>
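The stack trace above runs through the three decoding steps of the SAML HTTP-Redirect binding (URL-decode, base64-decode, raw inflate) before the XML is read, and the failure surfaces as a bare TypeError rather than a reason. The following is an added example, not code from the issue or from Rocket.Chat, showing the same pipeline written so that each step reports what went wrong, with namespace-aware element lookup (prefix-independent) and whitespace trimming for a request laid out like the one above. The function names, the `LogoutRequestError` class and the placeholder NameID `user@example.com` are assumptions of this example; the sample request is constructed to mirror the one in the issue. Signature verification of the redirect-binding parameters is deliberately not implemented here, only reported as present or absent.

```python
"""Decode and parse a SAML 2.0 LogoutRequest delivered by the HTTP-Redirect binding.
Added example; not Rocket.Chat's saml_utils.js."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample mirroring the request in the issue; NameID is a placeholder.
SAMPLE_LOGOUT_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest Destination="https://chat.example.com/_saml/logout/rocket/" ID="IDHUB_1c328e3d-d0c8-47f3-8714-cae5239866de" IssueInstant="2020-04-27T09:23:50.784Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        https://idp.example.com/idhub/saml2
    </saml2:Issuer>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        user@example.com
    </saml2:NameID>
    <saml2p:SessionIndex>
        5414f253-6e0a-4db3-8075-3a2f2b1d6e8f
    </saml2p:SessionIndex>
</saml2p:LogoutRequest>"""


class LogoutRequestError(ValueError):
    """Carries a specific reason instead of a bare TypeError (hypothetical name)."""


def encode_redirect_binding(xml_text: str) -> str:
    """Raw DEFLATE -> base64 -> URL-encode, as an IdP does for the SAMLRequest value.
    Used here only to build a realistic query value for the demo."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(saml_request: str) -> bytes:
    """Reverse the binding encoding. `saml_request` is the URL-decoded query value."""
    try:
        raw = base64.b64decode(saml_request, validate=True)
    except ValueError as e:  # binascii.Error subclasses ValueError
        raise LogoutRequestError(f"SAMLRequest is not valid base64: {e}") from None
    try:
        # wbits=-15 is raw DEFLATE, the same format Node's zlib.inflateRaw expects.
        return zlib.decompress(raw, -15)
    except zlib.error as e:
        raise LogoutRequestError(f"SAMLRequest did not inflate as raw DEFLATE: {e}") from None


def _require(parent, path: str, what: str):
    """Namespace-aware lookup that fails with a reason instead of returning None."""
    el = parent.find(path, NS)
    if el is None:
        raise LogoutRequestError(f"LogoutRequest is missing {what}")
    return el


def parse_logout_request(xml_bytes: bytes) -> dict:
    """Extract the fields an SP needs to terminate a session.
    For untrusted XML in production, parse with defusedxml or an equivalently
    hardened parser; plain ElementTree is used here to keep the demo stdlib-only."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as e:
        raise LogoutRequestError(f"SAMLRequest is not well-formed XML: {e}") from None
    if root.tag != f"{{{NS['saml2p']}}}LogoutRequest":
        raise LogoutRequestError(f"expected saml2p:LogoutRequest, got {root.tag}")
    issuer = _require(root, "saml2:Issuer", "Issuer")
    name_id = _require(root, "saml2:NameID", "NameID")
    # SessionIndex is optional and may repeat; strip the surrounding whitespace
    # that a pretty-printed request carries inside element text.
    sessions = [(s.text or "").strip() for s in root.findall("saml2p:SessionIndex", NS)]
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issue_instant": root.get("IssueInstant"),
        "issuer": (issuer.text or "").strip(),
        "name_id": (name_id.text or "").strip(),
        "name_id_format": name_id.get("Format"),
        "session_indexes": sessions,
    }


def handle_slo_query(query_string: str, expected_destination: str) -> dict:
    """Process the query string of GET /_saml/logout/<provider>/?SAMLRequest=...
    Returns parsed fields or raises LogoutRequestError with a reason."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    if "SAMLRequest" not in params:
        raise LogoutRequestError("query string has no SAMLRequest parameter")
    req = parse_logout_request(decode_redirect_binding(params["SAMLRequest"][0]))
    # Destination, when present, must be the URL this endpoint is actually served at.
    if req["destination"] is not None and req["destination"] != expected_destination:
        raise LogoutRequestError(f"Destination {req['destination']!r} is not this endpoint")
    # Redirect-binding signatures travel in separate SigAlg/Signature parameters.
    # Only their presence is reported; verifying them over the signed octets is
    # required before acting on the request and is not shown in this example.
    req["signed"] = "Signature" in params and "SigAlg" in params
    return req


if __name__ == "__main__":
    query = "SAMLRequest=" + encode_redirect_binding(SAMPLE_LOGOUT_REQUEST)
    print(handle_slo_query(query, "https://chat.example.com/_saml/logout/rocket/"))
```

Running the module round-trips the constructed request through the binding encoding and prints the parsed fields. The practitioner point is the last block of `handle_slo_query`: a LogoutRequest that arrives unsigned, as the one pasted above does, identifies the session to kill by NameID and SessionIndex alone, so an SP that acts on it without checking the signature parameters lets anyone who can guess those values log a user out.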
