Trouble with SSO authentication: response from OneLogin isn't valid

[EmptyLaughter]

Please make sure that you have checked the boxes:

• Review the Quickstart guide
• Search for both open and closed issues regarding the problem you are experiencing
• For permissions issues (Access Denied and credential related errors), please refer to the requisite docs before submitting an issue:
  AWS, GCP, OpenStack, GitHub

Description of issue:

I've set up the env-config/config.py file with the IdP values, and provided the SP values to the OneLogin test connector. I can see my app via my OneLogin portal, but when I try to access it, I get the following errors:

Error from log file:
ERROR: Error processing invalid_response
Error message from webpage:
{"message": "OneLogin authentication failed."}

After looking at the code in which these error messages have come from, I looked at the OneLogin python libraries to find that the cause is because of the response that I get back from OneLogin. The SP side is rejecting the IdP's response. I sniffed the SAML traffic to see the values sent back from the IdP, but I can't determine what's wrong with it (Destination, SignatureValue, x509Certificate, etc. are provided)

If anyone has integrated Security Monkey with OneLogin and has insight on what could be preventing the SSO verification, it would be appreciated.

[mikegrima]

We don't have OneLogin, so hard for us to test this.

We would love a PR to fix if appropriate.

[fstuck37]

@mikegrima
I have OneLogin and have the same problem. I had this working last August in a dev environment and was delayed with deploying to production. Using the same config as then, I run into the same error as @EmptyLaughter. I'm happy to help debug but unfortunately don't know where to begin myself. If either of you can provide some direction I'll try to find some time to look into it.

@EmptyLaughter
Did you log the IdP's response? If so how and where?

Thanks,
Fred

[mikegrima]

Labeling as a bug. I don't have any real effective way of testing. However, I'm more than happy to merge in PRs.

[EmptyLaughter]

@fstuck37
I use the SAML Message Decoder plugin for Google Chrome. It also has the SAMLResponse field at the bottom that you can use with https://www.samltool.com/validate_response.php to validate the response. Every time you use OneLogin to access a service, there'll be SAML traffic, so it'll get picked up. You can use it to compare the response you get when you go to Security to responses you get from other apps. Even though OneLogin's documentation doesn't require all the IdP fields (Audience, Recipient, RelayState), you should fill those out if you have strict mode turned on.

I dug into the source code and realized that my issues are related to OneLogin and not Security Monkey. For me the above errors are because the idp's x509 certificate value in env-conf/config.py isn't being read correctly as a PEM file. The call where the validation fails happens in python-saml's utils.py:
dsig_ctx.signKey = xmlsec.Key.load(file_cert.name, xmlsec.KeyDataFormatCertPem, None)

I could've butchered the cert when I turned it into a single string, but I didn't like that I had to do that in the first place, so I modified the utils.py file to

# file_cert = OneLogin_Saml2_Utils.write_temp_file(cert)

if validatecert:
    mngr = xmlsec.KeysMngr()
    mngr.loadCert(cert, xmlsec.KeyDataFormatCertPem, xmlsec.KeyDataTypeTrusted)
    dsig_ctx = xmlsec.DSigCtx(mngr)
else:
    dsig_ctx = xmlsec.DSigCtx()
    dsig_ctx.signKey = xmlsec.Key.load(cert, xmlsec.KeyDataFormatCertPem, None)

 # file_cert.close()

commented out the formatting calls in setting.py's init function

def __init__(self, settings=None, custom_base_path=None, sp_validation_only=False):
...
# self.format_idp_cert()
# self.format_sp_cert()

which allowed me to use file names in env-config.py

# SSO SETTINGS:
ACTIVE_PROVIDERS = ["onelogin"]  # "ping", "google" or "onelogin"

# Paths to IdP cert and SP private key and cert
IDP_CERT = '<PATH_TO_idp.crt>'
SP_CERT = '<PATH_TO_sp.crt>'
SP_PRIVATE_KEY = '<PATH_TO_sp.key>'

...

sp: {
    ...
    "x509cert": SP_CERT,
    "privateKey": SP_PRIVATE_KEY
},
idp: {
    ...
    "x509cert": IDP_CERT
}

This hack is specific to onelogin and its python-saml library, and might be discouraged by their creators who want you to input cert and key values as single strings.

[fstuck37]

@mikegrima & @EmptyLaughter
Ok I finally got it working.
Didn't turn out to be a certificate issue for me.
Had some issues in OneLogin that needed to be fixed but I also added some additional logging to views.py that helped identify the issue.

At one point I thought it was the version of the OneLogin SAML code and download python-saml-master.zip from here https://developers.onelogin.com/saml/python and replaced it.

Hoping this can be added to your code. I'm new to Python so there is likely a better way of doing this but the information it logs helps identify why there is an issue.

/usr/local/src/security_monkey/security_monkey/sso/views.py

     def _consumer(self, auth):
        auth.process_response()
        errors = auth.get_errors()

        # Gather information about Authentication Response and Errors if any occur.
        ErrorReason = auth.get_last_error_reason()
        AuthResponse = auth.get_last_response_xml()

        if not errors:
            if auth.is_authenticated:
                return True
            else:
                return False
        else:
            current_app.logger.error('Error processing %s' % (''.join(errors)))

            # Log information about Authentication Response and Errors if any occur.
            current_app.logger.error('Error processing %s' % (''.join(ErrorReason)))
            current_app.logger.error('Error processing %s' % (''.join(AuthResponse)))

            return False

Hope this helps,
Fred

[mikegrima]

Does current_app.logger.error('Error processing %s' % (''.join(AuthResponse))) output anything sensitive?

[EmptyLaughter]

I realized my certificate issue was because of user input error, as opposed to formatting on the python-saml side. I went back to inputting the certificate as single string to make maintaining the project feasible when the python-saml library gets patched.

@mikegrima & @fstuck37
current_app.logger.error('Error processing %s' % (''.join(AuthResponse))) outputs all the fields from the SAML response , which includes all user details. I think it might be a problem if the response was replayed by a different actor before it expired. But it's useful for debugging purposes, especially since there isn't a lot of context to go off of when all the log tells you is Error processing invalid_response. I had to add debugging messages in the python-saml library code to figure out why the response was invalid. I would set the message as debug because it's a lot of text to sift through.

[fstuck37]

@mikegrima ( & @EmptyLaughter)
Is it possible to only print out AuthResponse only if logging is set to debug?
The ErrorReason should be find to print whenever there is an error.

Thanks
Fred

[mikegrima]

I think the best way to do this is to have a configuration variable that is False by default. If it's True, then it can output all the things for you.

[fstuck37]

@mikegrima
I think that's a great idea.
Maybe join errors and ErrorReason into one line.
Would something like this work?
current_app.logger.error('Error processing %s %s' % (''.join(errors),''.join(ErrorReason)))
Then wrap the AuthResponse output with the conditional you specified.
Wish I knew more Python to help further with the code.
Hope what I've provided helps a little.

I have to add, the change to the new model with multiple servers and Elastic Cache greatly improved performance. I have 40 accounts with 77,000 items and so far its working great.

Thanks again for all your help.
Fred

[mikegrima]

Would suggest a PR to check for a config variable.