
Internal Server Error on SAML Login #4034

Closed
Terminatorthre opened this issue May 23, 2022 · 7 comments

Comments

@Terminatorthre

Terminatorthre commented May 23, 2022

Hi all,

since updating to 1.0.26 today (running in Docker) I am facing an Internal Server Error as soon as the IdP returns to auth-saml-callback.
The following error is given in the server log:

Installing passport...
Installing passport-saml...
Installing otplib@10.2.3...
MeshCentral HTTP redirection server running on port 80.
MeshCentral v1.0.26, WAN mode, Production mode.
MeshCentral Intel(R) AMT server running on<domain>:4433.
MeshCentral HTTPS server running on <domain>:443, alias port 443.
MeshCentral HTTPS agent-only server running on <domain>:444.
ERR: Error: SAML assertion expired: clocks skewed too much
    at SAML.checkTimestampsValidityError (/opt/meshcentral/node_modules/passport-saml/lib/node-saml/saml.js:936:24)
    at SAML.processValidlySignedAssertionAsync (/opt/meshcentral/node_modules/passport-saml/lib/node-saml/saml.js:820:46)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async SAML.validatePostResponseAsync (/opt/meshcentral/node_modules/passport-saml/lib/node-saml/saml.js:586:24)
ERR: TypeError: req.session.regenerate is not a function
    at SessionManager.logIn (/opt/meshcentral/node_modules/passport/lib/sessionmanager.js:28:15)
    at IncomingMessage.req.login.req.logIn (/opt/meshcentral/node_modules/passport/lib/http/request.js:39:26)
    at Strategy.strategy.success (/opt/meshcentral/node_modules/passport/lib/middleware/authenticate.js:256:13)
    at verified (/opt/meshcentral/node_modules/passport-saml/lib/passport-saml/strategy.js:54:22)
    at Strategy._verify (/opt/meshcentral/node_modules/meshcentral/webserver.js:6326:44)
    at validateCallback (/opt/meshcentral/node_modules/passport-saml/lib/passport-saml/strategy.js:60:22)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)

Unfortunately I don't know the previous version that was working; it may be that I skipped 1 or 2 releases.

How can I help debugging this issue? What further information can I provide?

Edit: I can of course see there might be some issue with time but can not understand how this happens during the update with the IdP running on the same host (so same time-source). Any hints?

Thanks!

@Terminatorthre
Author

Update: After some further digging it seems the time error is unrelated and can only happen if I restart the container too fast, with my browser supplying an old assertion. On most tests, only the
ERR: TypeError: req.session.regenerate is not a function
error remains.

@Ylianst
Owner

Ylianst commented May 23, 2022

In the settings section of the config.json, add this:

"sessionSameSite": "none",
"cookieIpCheck": "none"

Let me know if it makes any difference.

@Terminatorthre
Author

Added both in the settings section of config.json but could not find any difference. Same message about req.session.regenerate is not a function.
I could however confirm that login is working with a local account at https://meshcentral/login . So it seems to be somehow SAML related. Any other debugging information that might help you?

config.json

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "cert": "<mycert>",
    "WANonly": true,
    "_sessionKey": "<>",
    "port": 443,
    "aliasPort": 443,
    "redirPort": 80,
    "redirAliasPort": 80,
    "AgentPort": 444,
    "agentPing": 20,
    "sessionSameSite": "none",
    "cookieIpCheck": "none"
  },
  "domains": {
    "": {
      "title": "<Title>",
      "title2": "Remote Control",
      "minify": false,
      "newAccounts": false,
      "_userNameIsEmail": true,
      "unknownUserRootRedirect": "https://<domain>/auth-saml",
      "authStrategies": {
        "saml": {
          "callbackurl": "https://<domain>/auth-saml-callback",
          "entityid": "https://<domain>",
          "idpurl": "https://login.<domain>/auth/realms/<realm>/protocol/saml",
          "cert": "saml.pem",
          "NewAccounts": true
        }
      }
    }
  }
}

@Ylianst
Owner

Ylianst commented May 23, 2022

Ok, this is not an issue with MeshCentral, but one with Passport. The latest version of Passport, which I use for SAML, is broken when used with cookie-session. Looking into a workaround now.

@Ylianst
Owner

Ylianst commented May 23, 2022

Solution for now is to not use Passport v0.6.0 and use Passport v0.5.3 instead. I am going to fix MeshCentral to install that version.

To fix this, delete the node_modules/passport folder, go into the folder above node_modules and run npm install passport@0.5.3

@Terminatorthre
Author

Thanks so much for your efforts on this! Got the system up again with passport 0.5.3 for now.

@Ylianst
Owner

Ylianst commented May 23, 2022

I filed a bug with Passport. Thanks for reporting this.
