Upgrading from 3.0.12 to 3.1.2 causes "Login forbidden" on SAML logins #17539
Description:
We use SAML authentication to authenticate our employees against our Shibboleth IdP for providing access to our self-hosted Rocket Chat instance. This is working on our 3.0.12. This morning, I proceeded to upgrade our server to 3.1.2. The upgrade appears to be successful. However, after the upgrade, login attempts are successfully directed to our Shibboleth IdP and redirected back to Rocket Chat. The IdP is successfully releasing attributes to Rocket Chat. However, the user is then presented with a red box in the upper right corner that reads: "Login forbidden". I tried removing our SAML configuration from Rocket Chat, saving the changes, and then adding the SAML configuration back in. That didn't work. Thankfully, I had backups of our mongo databases and a backup of the previous /opt/Rocket.Chat folder. I was able to restore everything and get logins working again.
Steps to reproduce:
I'm afraid that I don't really know how to reproduce this issue. Today, I've built another Rocket Chat server with a fresh install of 3.1.2, and SAML logins worked fine. Then, I built another Rocket Chat server with 3.0.12, with SAML logins working, and then upgraded to 3.1.12, and logins continued to work. The place where it breaks is in our production instance.
Expected behavior:
I expect that, after the Rocket Chat server successfully receives the released attributes from the IdP, the user will be logged in.
Actual behavior:
Login attempts are successfully directed to our Shibboleth IdP and redirected back to Rocket Chat. The IdP is successfully releasing attributes to Rocket Chat. However, the user is then presented with a red box in the upper right corner that reads: "Login forbidden".
Server Setup Information:
- Version of Rocket.Chat Server: 3.0.12 (pre-upgrade), 3.1.2 (post-upgrade).
- Operating System: Centos 7.8
- Deployment Method: tar
- Number of Running Instances: 2
- DB Replicaset Oplog: enabled
- NodeJS Version: 12.16.1
- MongoDB Version: 3.6.18
Client Setup Information
- Desktop App or Browser Version: Happens in all clients, regardless of the OS.
Relevant logs:
Here is the Rocket Chat log showing the attributes being released to it from the IdP. I've removed the cert, private cert, and private key from these logs.
May 5 06:18:23 chat rocketchat1: {
May 5 06:18:23 chat rocketchat1: actionName: 'authorize',
May 5 06:18:23 chat rocketchat1: serviceName: 'rocketchat',
May 5 06:18:23 chat rocketchat1: credentialToken: 'id-f3Qx2urGDWWCjbEea'
May 5 06:18:23 chat rocketchat1: }
May 5 06:18:23 chat rocketchat1: [
May 5 06:18:23 chat rocketchat1: {
May 5 06:18:23 chat rocketchat1: provider: 'rocketchat',
May 5 06:18:23 chat rocketchat1: entryPoint: 'https://idp.xxx.com/idp/profile/SAML2/Redirect/SSO',
May 5 06:18:23 chat rocketchat1: idpSLORedirectURL: 'https://idp.xxx.com/idp/profile/SAML2/Redirect/SLO',
May 5 06:18:23 chat rocketchat1: issuer: 'https://chat.xxx.com/_saml/metadata/rocketchat',
May 5 06:18:23 chat rocketchat1: cert: 'CERT REMOVED FOR BUG REPORT**',
May 5 06:18:23 chat rocketchat1: privateCert: '-----BEGIN CERTIFICATE-----\n' +
May 5 06:18:23 chat rocketchat1: 'PRIVATE CERT REMOVED FOR BUG REPORT' +
May 5 06:18:23 chat rocketchat1: '-----END CERTIFICATE-----',
May 5 06:18:23 chat rocketchat1: privateKey: '-----BEGIN PRIVATE KEY-----\n' +
May 5 06:18:23 chat rocketchat1: 'PRIVATE KEY REMOVED FOR BUG REPORT' +
May 5 06:18:23 chat rocketchat1: '-----END PRIVATE KEY-----',
May 5 06:18:23 chat rocketchat1: customAuthnContext: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
May 5 06:18:23 chat rocketchat1: authnContextComparison: 'exact',
May 5 06:18:23 chat rocketchat1: defaultUserRole: 'user',
May 5 06:18:23 chat rocketchat1: roleAttributeName: '',
May 5 06:18:23 chat rocketchat1: roleAttributeSync: false,
May 5 06:18:23 chat rocketchat1: allowedClockDrift: 0,
May 5 06:18:23 chat rocketchat1: signatureValidationType: 'Either',
May 5 06:18:23 chat rocketchat1: protocol: 'https://',
May 5 06:18:23 chat rocketchat1: path: '/saml/consume',
May 5 06:18:23 chat rocketchat1: identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
May 5 06:18:23 chat rocketchat1: authnContext: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
May 5 06:18:23 chat rocketchat1: }
May 5 06:18:23 chat rocketchat1: ]
May 5 06:18:23 chat rocketchat1: rocketchat
May 5 06:18:23 chat rocketchat1: {
May 5 06:18:23 chat rocketchat1: actionName: 'validate',
May 5 06:18:23 chat rocketchat1: serviceName: 'rocketchat',
May 5 06:18:23 chat rocketchat1: credentialToken: undefined
May 5 06:18:23 chat rocketchat1: }
May 5 06:18:23 chat rocketchat1: [
May 5 06:18:23 chat rocketchat1: {
May 5 06:18:23 chat rocketchat1: provider: 'rocketchat',
May 5 06:18:23 chat rocketchat1: entryPoint: 'https://idp.xxx.com/idp/profile/SAML2/Redirect/SSO',
May 5 06:18:23 chat rocketchat1: idpSLORedirectURL: 'https://idp.xxx.com/idp/profile/SAML2/Redirect/SLO',
May 5 06:18:23 chat rocketchat1: issuer: 'https://chat.xxx.com/_saml/metadata/rocketchat',
May 5 06:18:23 chat rocketchat1: cert: 'CERT REMOVED FOR BUG REPORT*',
May 5 06:18:23 chat rocketchat1: privateCert: '-----BEGIN CERTIFICATE-----\n' +
May 5 06:18:23 chat rocketchat1: '**PRIVATE CERT REMOVED FOR BUG REPORT' +
May 5 06:18:23 chat rocketchat1: '-----END CERTIFICATE-----',
May 5 06:18:23 chat rocketchat1: privateKey: '-----BEGIN PRIVATE KEY-----\n' +
May 5 06:18:23 chat rocketchat1: '*PRIVATE KEY REMOVED FOR BUG REPORT' +
May 5 06:18:23 chat rocketchat1: '-----END PRIVATE KEY-----',
May 5 06:18:23 chat rocketchat1: customAuthnContext: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
May 5 06:18:23 chat rocketchat1: authnContextComparison: 'exact',
May 5 06:18:23 chat rocketchat1: defaultUserRole: 'user',
May 5 06:18:23 chat rocketchat1: roleAttributeName: '',
May 5 06:18:23 chat rocketchat1: roleAttributeSync: false,
May 5 06:18:23 chat rocketchat1: allowedClockDrift: 0,
May 5 06:18:23 chat rocketchat1: signatureValidationType: 'Either',
May 5 06:18:23 chat rocketchat1: protocol: 'https://',
May 5 06:18:23 chat rocketchat1: path: '/saml/consume',
May 5 06:18:23 chat rocketchat1: identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
May 5 06:18:23 chat rocketchat1: authnContext: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
May 5 06:18:23 chat rocketchat1: callbackUrl: 'https://chat.xxx.com/_saml/validate/rocketchat',
May 5 06:18:23 chat rocketchat1: id: 'id-f3Qx2urGDWWCjbEea'
May 5 06:18:23 chat rocketchat1: }
May 5 06:18:23 chat rocketchat1: ]
May 5 06:18:23 chat rocketchat1: rocketchat
May 5 06:18:26 chat rocketchat2: RESULT :{"profile":{"inResponseToId":"id-f3Qx2urGDWWCjbEea","issuer":"https://xxx/idp/xxx","nameID":"[email protected]","nameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress","sessionIndex":"xxx","mail":"[email protected]","email":"[email protected]","cn":"xxx xxx","urn:oid:0-9-2342-19200300-100-1-1":"xxx","urn:oid:2-16-840-1-113730-3-1-4":"employee","urn:oid:0-9-2342-19200300-100-1-3":"[email protected]","urn:oid:2-5-4-3":"xxx xxx"}}
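The log above shows the two halves of the exchange a service provider has to tie together before it may accept the login: the 'authorize' step hands out credentialToken 'id-f3Qx2urGDWWCjbEea', and the RESULT profile comes back with inResponseToId set to that same value, with a nameIDFormat that matches the configured identifierFormat. The following is an added example, not Rocket.Chat's own code, of the checks an SP-side validator runs over that data; the log line, configuration subset and attribute values are constructed to mirror the report, and the function names (parseResultLine, checkSamlProfile, acceptLogin) are hypothetical.

```javascript
// Added example (not Rocket.Chat code): service-provider-side checks over a
// SAML login log shaped like the one in the report. It correlates the
// 'authorize' step's credentialToken with the profile's inResponseToId,
// compares the returned NameID format with the configured identifierFormat,
// and consumes the request id on success so a response cannot be replayed.
// Every log line and object below is constructed for this example.

// Constructed 'RESULT' log line in the shape of the one in the report.
const RESULT_LINE =
  'May 5 06:18:26 chat rocketchat2: RESULT :' +
  JSON.stringify({
    profile: {
      inResponseToId: 'id-f3Qx2urGDWWCjbEea',
      issuer: 'https://xxx/idp/xxx',
      nameID: 'user@example.com',
      nameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
      sessionIndex: 'xxx',
      mail: 'user@example.com',
      email: 'user@example.com',
      cn: 'xxx xxx',
    },
  });

// Subset of the service configuration echoed in the 'validate' log entry.
const SERVICE_CONFIG = {
  provider: 'rocketchat',
  issuer: 'https://chat.xxx.com/_saml/metadata/rocketchat',
  identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  callbackUrl: 'https://chat.xxx.com/_saml/validate/rocketchat',
};

// Extract the JSON object that follows 'RESULT :' in a syslog-style line.
function parseResultLine(line) {
  const marker = 'RESULT :';
  const at = line.indexOf(marker);
  if (at === -1) throw new Error('no RESULT payload in line');
  return JSON.parse(line.slice(at + marker.length));
}

// issuedRequestIds: Set of credentialToken values handed out by the
// 'authorize' step and not yet consumed. Returns { ok, reasons } instead of
// throwing so a caller can log every failed check, not just the first.
function checkSamlProfile(issuedRequestIds, config, result) {
  const reasons = [];
  const p = (result && result.profile) || {};

  if (!p.inResponseToId) {
    reasons.push('profile has no inResponseToId (unsolicited response)');
  } else if (!issuedRequestIds.has(p.inResponseToId)) {
    reasons.push(`inResponseToId ${p.inResponseToId} matches no outstanding request`);
  }

  if (!p.nameID) reasons.push('profile has no nameID');
  if (p.nameIDFormat !== config.identifierFormat) {
    reasons.push(`nameIDFormat ${p.nameIDFormat} differs from configured identifierFormat`);
  }
  if (!p.email && !p.mail) reasons.push('no email/mail attribute released');

  return { ok: reasons.length === 0, reasons };
}

// Accept the login only when every check passes, and retire the request id
// so the same response presented a second time is rejected.
function acceptLogin(issuedRequestIds, config, result) {
  const verdict = checkSamlProfile(issuedRequestIds, config, result);
  if (verdict.ok) issuedRequestIds.delete(result.profile.inResponseToId);
  return verdict;
}

// Walk-through on the constructed data: first presentation passes, a replay
// of the same response is refused because its request id was consumed.
const outstanding = new Set(['id-f3Qx2urGDWWCjbEea']);
const parsed = parseResultLine(RESULT_LINE);
const firstAttempt = acceptLogin(outstanding, SERVICE_CONFIG, parsed);
const replayAttempt = acceptLogin(outstanding, SERVICE_CONFIG, parsed);
console.log(firstAttempt.ok, replayAttempt.ok, replayAttempt.reasons);
```

When triaging a "Login forbidden" after an upgrade, the reasons array is the useful output: it tells you whether the request id correlation, the NameID format, or the released attributes is the mismatch, which is not visible from the red box in the client.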