
Comments (41)

erezo9 avatar erezo9 commented on June 19, 2024 1

@mlbiam never mind, my bad, I accidentally didn't pull the right image. Closing it.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Can you post your metadata? Feel free to change URLs/certs.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

@mlbiam
Sure, I'll post it.
Keep in mind that anything sensitive was changed to "redacted".

<?xml version="1.0" encoding="UTF-8"?>

<EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="P0Y0M30DT0H0M0.000S" entityID="https://redacted/SAAS/API/1.0/GET/metadata/idp.xml" validUntil="2030-01-20T07:45:32.000Z">
	<IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<KeyDescriptor use="signing">
			<KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<X509Data>
					<X509Certificate>
						Redacted
					</X509Certificate>
				</X509Data>
			</KeyInfo>
		</KeyDescriptor>
		<KeyDescriptor use="encryption">
			<KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<X509Data>
					<X509Certificate>
						Redacted
					</X509Certificate>
				</X509Data>
			</KeyInfo>
		</KeyDescriptor>
		<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://redacted/SAAS/auth/saml/artifact/resolve" index="0" isDefault="true" />
		<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://redacted/SAAS/auth/logout" ResponseLocation="https://redacted/SAAS/auth/logout" />
		<NameIDFormat>
			urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
		</NameIDFormat>
		<NameIDFormat>
			urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
		</NameIDFormat>
		<NameIDFormat>
			urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
		</NameIDFormat>
		<NameIDFormat>
			urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
		</NameIDFormat>
		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://redacted/SAAS/auth/federation/sso" />
		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://redacted/SAAS/auth/federation/sso" />
	</IDPSSODescriptor>
	<AdditionalMetadataLocation namespace="urn:oasis:names:tc:SAML:2.0:metadata">
		https://redacted/SAAS/API/1.0/GET/metadata/sp.xml
	</AdditionalMetadataLocation>
</EntityDescriptor>

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

The metadata seems fine. When I base64-encoded it and set saml.idp_url: "" and saml.metadata_xml_base64: ... in my values, it parsed OK.

The error itself is saying it can't find the EntityDescriptor tag, which is the first one, so either the metadata URL isn't correct or the metadata isn't getting downloaded properly. Is the metadata URL's TLS connection using a commercially signed cert? If not, have you added that cert to the trusted_certs section of your values.yaml file?

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Yes, I have added the trusted certs to the values YAML. Does it have to contain the whole chain,
like cert-->inter-->CA?
Again, this error - null has no such function "getAttribute" - doesn't seem to be certificate based, from the code I saw. Can you give me a metadata I can check? Just a random one or an example, if you have one.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Either the server's cert or the intermediate+CA would work. I would expect another error. Here's one that will work: https://portal.apps.tremolo.io/idp-test/metadata/dfbe4040-cd32-470e-a9b6-809c8f857c40. You can go to https://portal.apps.tremolo.io/ and register to use our SAML2 testing IdP as well.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

It's an air-gapped environment, I'll have to try tomorrow and will update if it succeeds.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Ahh, if I produce a container that logs the XML downloaded, will you be able to pull it in?

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Yes, that would be great, if I had more debug output on that section to view what it's getting.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Here's an image that will output the downloaded metadata - docker.io/tremolosecurity/betas:operator-debug. Use this image in the openunison-operator Deployment in the openunison namespace.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

I will test this out tomorrow and will let you know what I received.
Does it also paste the XML from when I put idp_uri?

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Yes. It will look something like:

Remote Identity Providers : [object Object]
Downloading metadata from : https://portal.apps.tremolo.io/idp-test/metadata/dfbe4040-cd32-470e-a9b6-809c8f857c40'
XML Metadata :
--------------
<?xml version="1.0" encoding="UTF-8"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="f7ae3428b1f2328d310d0979e0b13db767aa52a02" entityID="https://portal.apps.tremolo.io/idp-test"><IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>[certificate omitted]</X509Certificate></X509Data></KeyInfo></KeyDescriptor><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.apps.tremolo.io/idp-test/index.jsp"/><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.apps.tremolo.io/idp-test/index.jsp"/></IDPSSODescriptor></EntityDescriptor>
--------------
Downloaded
Saving fingerprints
{idpCertificateFingerprints=[object Object]}
DIGEST : nS+yDqdNXsgcwMxqSR2jbP66/pxHvOI0hAgFKmcpemM=

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Okay, so I tested the IdP you gave me, it works.
When I try to download it says error due to certificate.
When I try putting the base64 XML:

Fatal Error] :1:4825: The markup in the document following the root element must be well-formed.
Error on watch - /apis/openunison.tremolo.io/v1/namespaces/openunison/openunisons?watch=true&resourceVersion=2929342
java.lang.RuntimeException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 4825; The markup in the document following the root element must be well-formed.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Okay, I added the trusted certs, now it downloads - it prints the XML, but still the same error:
Downloaded
Error on watch - /apis/openunison.tremolo.io/v1/namespaces/openunison/openunisons?watch=true&resourceVersion=2929342
javax.script.ScriptException: TypeError: null has no such function "getAttribute" in at line number 430

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Can you post the XML it shows? Redacted, of course.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Okay @mlbiam, I think I found the problem: the EntityDescriptor has an md: before every item,
so it should search for md:EntityDescriptor and then it will find it, along with all of the other items.
The one I sent before was after VS Code formatted it; now I see the difference.

I will paste the new one here:

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="P0Y0M30DT0H0M0.000S" entityID="https://Redacted/SAAS/API/1.0/GET/metadata/idp.xml" validUntil="2030-01-20T07:45:32.000Z"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>Redacted</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>Redacted</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://Redacted/SAAS/auth/saml/artifact/resolve" index="0" isDefault="true"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://Redacted/SAAS/auth/logout" ResponseLocation="https://Redacted/SAAS/auth/logout"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://Redacted/SAAS/auth/federation/sso"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://Redacted/SAAS/auth/federation/sso"/></md:IDPSSODescriptor><md:AdditionalMetadataLocation namespace="urn:oasis:names:tc:SAML:2.0:metadata">https://Redacted/SAAS/API/1.0/GET/metadata/sp.xml</md:AdditionalMetadataLocation></md:EntityDescriptor>

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

That does explain it. That's a bug for the operator. We should be able to handle that (we test against Active Directory Federation Services, which doesn't include the namespace tags). I'll open up an issue; should have something you can try later tonight/tomorrow.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

So basically the KeyInfo also has ds: before it, and each one has a different data type; it's not just an md:.
Just mentioning it.
I will wait for a fix though. Thanks!

from openunison-k8s-login-saml2.
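The mismatch erezo9 describes (a lookup for a bare `EntityDescriptor` tag name finding nothing once the element is serialized as `md:EntityDescriptor`, so the script then calls `getAttribute` on null) comes down to matching on the qualified name instead of on namespace URI plus local name. The Python script below is added here as an illustration and is not code from OpenUnison or from this thread. It builds three constructed variants of one minimal IdP metadata document (prefixed as vIDM emits it, default-namespaced as ADFS emits it, and the prefix-stripped form the VS Code paste produced), shows that a DOM `getElementsByTagName` lookup finds only the two without a prefix while `getElementsByTagNameNS` finds the two that are actually in the SAML metadata namespace, and then extracts the signing certificate with a namespace-aware parser. The certificate value `QUJD` and the idp.example.test URLs are placeholders, and the base64 SHA-256 fingerprint is my choice of digest, not necessarily what the operator's `DIGEST` line computes.

```python
"""Namespace-aware handling of SAML 2.0 IdP metadata (added example, not OpenUnison code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Constructed sample in the prefixed form the thread shows for vIDM.
# The certificate "QUJD" is a placeholder (base64 of "ABC"), not a real X.509 blob.
PREFIXED = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://idp.example.test/idp.xml">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing">'
    '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>'
    '<ds:X509Certificate>\n  QUJD\n</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://idp.example.test/sso"/>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>'
)
# Prefixes stripped but the xmlns:md / xmlns:ds declarations kept: this is what the
# "formatted" paste in the thread looks like, and every element now lives in NO namespace.
NO_NAMESPACE = PREFIXED.replace("md:", "").replace("ds:", "")
# Default namespace declarations instead of prefixes (the ADFS-style layout).
DEFAULT_NS = NO_NAMESPACE.replace("xmlns:md=", "xmlns=").replace("xmlns:ds=", "xmlns=")


def dom_lookup_by_qualified_name(xml_text: str) -> int:
    """Prefix-naive DOM lookup: getElementsByTagName compares the *qualified* name,
    so "EntityDescriptor" never matches an element serialized as "md:EntityDescriptor"."""
    doc = minidom.parseString(xml_text)
    return len(doc.getElementsByTagName("EntityDescriptor"))


def dom_lookup_by_namespace(xml_text: str) -> int:
    """Namespace-aware DOM lookup: matches on (namespace URI, local name); the prefix is irrelevant."""
    doc = minidom.parseString(xml_text)
    return len(doc.getElementsByTagNameNS(MD_NS, "EntityDescriptor"))


def cert_fingerprint(cert_text: str) -> str:
    """Base64 SHA-256 over the DER bytes; whitespace inside the certificate body is ignored."""
    der = base64.b64decode("".join(cert_text.split()))
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints and signing-cert fingerprints, matching by namespace."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not SAML 2.0 metadata: root is {root.tag}")
    sso = {
        s.get("Binding"): s.get("Location")
        for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    }
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # KeyDescriptor/@use is optional; an absent value means the key serves both uses.
        if kd.get("use", "signing") != "signing":
            continue
        certs.extend(kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_fingerprints": [cert_fingerprint(c.text or "") for c in certs],
    }


def is_saml_metadata(xml_text: str) -> bool:
    """True only when the document is namespace-correct SAML metadata with a signing key."""
    try:
        parse_idp_metadata(xml_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, doc in (("prefixed", PREFIXED), ("default-ns", DEFAULT_NS), ("no-ns", NO_NAMESPACE)):
        print(f"{label:11} getElementsByTagName={dom_lookup_by_qualified_name(doc)} "
              f"getElementsByTagNameNS={dom_lookup_by_namespace(doc)} "
              f"parses={is_saml_metadata(doc)}")
    print(parse_idp_metadata(PREFIXED))
```

The third variant explains why the VS Code-formatted paste "parsed OK" earlier in the thread while the real download did not: stripping the prefixes moved every element out of the SAML namespace, which a qualified-name lookup accepts and a namespace-aware one rightly rejects. Matching on namespace URI handles both the vIDM and ADFS layouts without any cleanup of the downloaded metadata.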

erezo9 avatar erezo9 commented on June 19, 2024

@mlbiam oh, and just an FYI:

Love the application (LDAP was really easy to deploy), it really covered the whole k8s API and dashboard security, a much easier experience than other products I tried.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Much appreciated!

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

@mlbiam
Is there a way to connect with you on a private channel? We are having difficulties using the SAML and we think it could be much easier than a GitHub issue.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

We reserve private communications for commercial customers. Working through GitHub for open-source customers helps create awareness and helps other open-source customers find solutions to issues they might be having. If you're interested in becoming a commercial customer, reach out to us at https://www.tremolosecurity.com/contact/contact-us and someone will get back to you quickly.

PS: I have the operator working. Hoping to get the metadata update working shortly.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Okay, I will consult my team.
I have removed all the namespaces from each item in the XML;
it works,
but now I'm receiving:

[2020-07-21 16:13:56,940][XNIO-1 task-7] ERROR SAML2Auth - Error Parsing Assertion
java.lang.Exception: No assertion signature
at com.tremolosecurity.proxy.auth.SAML2Auth.doPost(SAML2Auth.java:731) [unison-server-core-1.0.18.jar:?]

and then this:
javax.servlet.ServletException: error parsing assertion
at com.tremolosecurity.proxy.auth.SAML2Auth.doPost(SAML2Auth.java:800) ~[unison-server-core-1.0.18.jar:?]
aused by: java.lang.Exception: No assertion signature

Also, does the app work with non-English characters, such as Hebrew?

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

[2020-07-21 16:13:56,940][XNIO-1 task-7] ERROR SAML2Auth - Error Parsing Assertion
java.lang.Exception: No assertion signature
at com.tremolosecurity.proxy.auth.SAML2Auth.doPost(SAML2Auth.java:731) [unison-server-core-1.0.18.jar:?]

This means the inbound assertion had no signature attached to the assertion. Are you signing the assertion or the response?

also, does the app work with non english characters? such as hebrew?

I haven't tested specifically with Hebrew, but we encode/decode everything as UTF-8 and have users in Israel and Hong Kong and haven't received any reports of invalid character issues, so it should work.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Yes we do, but I think it's the same problem as the operator issue:
that it has a ds: before,
so it searches for Signature, but not for ds:Signature.
It affects it the same way.
Again, it is a vIDM provider, if not tested before.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

yes we do, but i think its the same problem as the operator issue.

Which one, are you signing the assertion or the response (it's usually configurable in the identity provider)? If you can use Firefox, there's a great plugin called SAML-tracer I use (https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/) to see if the signature is in the assertion tag or the response tag.

Also, I don't believe it has to do with the XML namespace; different tools parse the SAML (OpenSAML parses the assertions, the operator uses raw XML DOM).

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

He is signing the response and not the assertion; I've talked with him to add it, and I'll post an update once I have it.
If it's in the response, it will not work?

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

OpenUnison supports it. To make it easier, the saml2 config is defaulted to assertion signing, but it shouldn't be; it should be configurable via the CR. I'll update it so you can configure it. I've got the metadata import and check working, so I can add this to the test build too.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Okay, I asked him to sign the assertion;
now it works.
Now just customizing the API server and the CA key, and we're good to go.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Awesome! Here are the instructions for customizing the keys - https://github.com/TremoloSecurity/OpenUnison/wiki/troubleshooting#how-do-i-change-openunisons-certificates

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Yeah, done that part with my test on LDAP,
working awesome.
BTW, don't know if it matters, but the groups I receive are groupname@domain,
so when I create the cluster role binding I need to put that name, and not the DN.
The readme references a DN; might need to fix or add a part for that kind.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

That's a good point. It was written for ADFS, which returns it as a DN. We should mention in the readme that it will depend on the identity provider.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Updated containers. For the operator - docker.io/tremolosecurity/betas:operator-debug. That will let the metadata updates work from the URL. Update your openunison image to use docker.io/tremolosecurity/betas:k8s-login-saml2-1020 in the orchestra OpenUnison object. This will keep checking the metadata for when the certificate rolls over.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Great. docker.io/tremolosecurity/betas:operator-debug - is that with the namespace fix from before?
docker.io/tremolosecurity/betas:k8s-login-saml2-1020 - what's the difference? Are we talking about the response certification instead of assertion?

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Great docker.io/tremolosecurity/betas:operator-debug - is that with the namespace before fix?
Yes, it will parse the original metadata from the url so you don't have to clean it.

docker.io/tremolosecurity/betas:k8s-login-saml2-1020 - whats the difference? are we talking about the response certificiation instead of assertion?

Two items:

  1. There's a scheduled Job that downloads the metadata and checks to see if its certificates have changed (most IdPs will change their certs automatically each year). That code had the same issue as the operator. With the new image it will be able to parse the metadata directly from the URL, just like the operator.
  2. Yes on validating the response. If you add
  - name: SAML2_ASSERTION_SIGNED
    value: "false"
  - name: SAML2_RESPONSE_SIGNED
    value: "true"

to the non_secret_data section of your orchestra OpenUnison object then you'll be validating a signature in the response instead of the assertion.

from openunison-k8s-login-saml2.
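The two `SAML2_*` switches above select which element the SP expects to carry an enveloped `ds:Signature`: a direct child of `samlp:Response` or a direct child of `saml:Assertion`. The Python script below is an added illustration, not OpenUnison's SAML2Auth code, of the check that produces a message like the thread's `No assertion signature`. It parses constructed responses (one signed at the response level, one at the assertion level, one unsigned), reports where the signature sits, and evaluates that against the two switches. The `ds:Signature` bodies are placeholders with no real cryptographic content, and the refusal when both switches are false is my own guard; how OpenUnison treats that combination is not stated on the page.

```python
"""Locate the XML-DSig element in a SAML 2.0 Response (added example, not OpenUnison code)."""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP_NS, "saml": SAML_NS, "ds": DS_NS}

_HEAD = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
)
# Placeholder signature: structure only, no real digest or signature bytes.
_SIG = ('<ds:Signature><ds:SignedInfo/>'
        '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>')
_ASSERTION_OPEN = '<saml:Assertion ID="_a1" Version="2.0">'
_ASSERTION_BODY = (
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>'
)
_TAIL = '</saml:Assertion></samlp:Response>'

# Constructed: the IdP signs only the Response element (what the thread's vIDM did at first).
RESPONSE_SIGNED = _HEAD + _SIG + _ASSERTION_OPEN + _ASSERTION_BODY + _TAIL
# Constructed: the IdP signs only the Assertion element (the default expectation in the thread).
ASSERTION_SIGNED = _HEAD + _ASSERTION_OPEN + _SIG + _ASSERTION_BODY + _TAIL
# Constructed: nothing is signed at all.
UNSIGNED = _HEAD + _ASSERTION_OPEN + _ASSERTION_BODY + _TAIL


def signature_locations(xml_text: str) -> dict:
    """Report whether an enveloped ds:Signature is a direct child of the Response and/or of
    every Assertion. Matching is by namespace URI, so the "ds:" prefix (or none) is irrelevant."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError(f"expected samlp:Response, got {root.tag}")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response": root.find("ds:Signature", NS) is not None,
        # Every assertion must carry its own signature; one signed plus one unsigned must not pass.
        "assertion": bool(assertions)
        and all(a.find("ds:Signature", NS) is not None for a in assertions),
    }


def check_signing_policy(xml_text: str, assertion_signed: bool = True,
                         response_signed: bool = False) -> list:
    """Evaluate the response against the two switches from the thread
    (SAML2_ASSERTION_SIGNED / SAML2_RESPONSE_SIGNED). Returns the problems found, empty if OK."""
    problems = []
    if not assertion_signed and not response_signed:
        # Assumed guard (my choice): a policy that requires no signature anywhere accepts forgeries.
        problems.append("policy requires no signature; refusing to accept unsigned SAML")
        return problems
    loc = signature_locations(xml_text)
    if assertion_signed and not loc["assertion"]:
        problems.append("No assertion signature")
    if response_signed and not loc["response"]:
        problems.append("No response signature")
    return problems


if __name__ == "__main__":
    for label, doc in (("response-signed", RESPONSE_SIGNED),
                       ("assertion-signed", ASSERTION_SIGNED),
                       ("unsigned", UNSIGNED)):
        print(label, signature_locations(doc))
        print("  assertion switch (default):", check_signing_policy(doc) or "OK")
        print("  response switch           :", check_signing_policy(doc, False, True) or "OK")
```

Running it with the defaults reproduces the thread's situation: a response-signed document fails with `No assertion signature`, and flipping the two switches makes the same document pass. Locating the element is only the first step; the SP still has to verify the signature against the signing certificate from the IdP metadata, which in OpenUnison is OpenSAML's job according to mlbiam's earlier comment. The same placement question is what SAML-tracer shows visually in the browser.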

erezo9 avatar erezo9 commented on June 19, 2024

Got it, so it's just a beta until the next version is out.
On what frequency do you guys release a new version?

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

For the operator, once we do some more QA it will be out shortly (probably less than a week). For openunison/orchestra it's every 2-3 months. The next release is slated for early August, which will include these updates.

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Cool, so you can close this issue, or leave it open if you are waiting for the next release.

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

Great, let's close it out, and thanks for your patience!

from openunison-k8s-login-saml2.

erezo9 avatar erezo9 commented on June 19, 2024

Hi, so I tried installing today again and received the same issue. Was this solved in a previous version?
@mlbiam

from openunison-k8s-login-saml2.

mlbiam avatar mlbiam commented on June 19, 2024

The code that's in there should work around the issue. Can you provide the metadata that's causing an issue?

from openunison-k8s-login-saml2.
