
[v5] Integration between OKTA and RP doesn't work #1474

Closed
Kanaduchi opened this issue Jul 20, 2021 · 20 comments
Labels
Check: Test Issue that should be reproduced on our envs resolution:fixed
Milestone

Comments

@Kanaduchi

Describe the bug
Integration between OKTA and RP doesn't work. I'm trying to configure the integration between Okta and RP. Unfortunately, it doesn't work.
When I try to log in I get a 403 access denied error.

Okta side: (screenshot)

RP side: (screenshot)

Log:

uat_1             | 2021-07-20 15:00:32.400 DEBUG 6 --- [nio-9999-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/saml/sp/SSO/alias/report-portal-sp'; against '/saml/sp/SSO/**'
uat_1             | 2021-07-20 15:00:32.400 DEBUG 6 --- [nio-9999-exec-3] s.p.s.a.SamlAuthenticationResponseFilter : Request is to process authentication
uat_1             | 2021-07-20 15:00:32.564 DEBUG 6 --- [nio-9999-exec-3] s.p.s.a.SamlAuthenticationResponseFilter : Authentication request failed: org.springframework.security.authentication.InsufficientAuthenticationException: Validation Errors: 
uat_1             | 1. Destination mismatch: https://qa-reportportal.domain.com/uat/saml/sp/SSO/alias/report-portal-sp
uat_1             | 
uat_1             | org.springframework.security.authentication.InsufficientAuthenticationException: Validation Errors: 
uat_1             | 1. Destination mismatch: https://qa-reportportal.domain.com/uat/saml/sp/SSO/alias/report-portal-sp
uat_1             | 	at org.springframework.security.saml.provider.service.authentication.SamlAuthenticationResponseFilter.attemptAuthentication(SamlAuthenticationResponseFilter.java:89) ~[spring-security-saml2-core-2.0.0.M31.jar!/:2.0.0.M31]
uat_1             | 	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:113) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.saml.provider.service.SamlAuthenticationRequestFilter.doFilterInternal(SamlAuthenticationRequestFilter.java:89) ~[spring-security-saml2-core-2.0.0.M31.jar!/:2.0.0.M31]
uat_1             | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:113) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.saml.provider.SamlMetadataFilter.doFilterInternal(SamlMetadataFilter.java:75) ~[spring-security-saml2-core-2.0.0.M31.jar!/:2.0.0.M31]
uat_1             | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:113) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.saml.provider.config.ThreadLocalSamlConfigurationFilter.doFilterInternal(ThreadLocalSamlConfigurationFilter.java:42) ~[spring-security-saml2-core-2.0.0.M31.jar!/:2.0.0.M31]
uat_1             | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
uat_1             | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
uat_1             | 	at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:64) ~[spring-security-oauth2-2.4.0.RELEASE.jar!/:na]
uat_1             | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
uat_1             | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
uat_1             | 2021-07-20 15:00:32.565 DEBUG 6 --- [nio-9999-exec-3] s.p.s.a.SamlAuthenticationResponseFilter : Updated SecurityContextHolder to contain null Authentication
uat_1             | 2021-07-20 15:00:32.565 DEBUG 6 --- [nio-9999-exec-3] s.p.s.a.SamlAuthenticationResponseFilter : Delegating to authentication failure handler com.epam.reportportal.auth.AuthFailureHandler@23c388c2
uat_1             | 2021-07-20 15:00:32.566 DEBUG 6 --- [nio-9999-exec-3] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3adb227f
uat_1             | 2021-07-20 15:00:32.566 DEBUG 6 --- [nio-9999-exec-3] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
uat_1             | 2021-07-20 15:00:32.567 DEBUG 6 --- [nio-9999-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
uat_1             | 2021-07-20 15:00:32.569 ERROR 6 --- [nio-9999-exec-3] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
uat_1             | 
uat_1             | java.lang.IllegalArgumentException: Invalid characters (CR/LF) in header Location
uat_1             | 	at org.springframework.security.web.firewall.FirewalledResponse.validateCrlf(FirewalledResponse.java:72) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.firewall.FirewalledResponse.sendRedirect(FirewalledResponse.java:42) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138) ~[tomcat-embed-core-9.0.37.jar!/:4.0.FR]
uat_1             | 	at org.springframework.security.web.util.OnCommittedResponseWrapper.sendRedirect(OnCommittedResponseWrapper.java:135) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138) ~[tomcat-embed-core-9.0.37.jar!/:4.0.FR]
uat_1             | 	at org.springframework.security.web.util.OnCommittedResponseWrapper.sendRedirect(OnCommittedResponseWrapper.java:135) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at com.epam.reportportal.auth.AuthFailureHandler.onAuthenticationFailure(AuthFailureHandler.java:36) ~[classes!/:na]
uat_1             | 	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication(AbstractAuthenticationProcessingFilter.java:352) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
uat_1             | 	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:230) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]

Meta file:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="http://www.okta.com/exk8sdfsdfsdfsfPWUf2p7" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>cXtw==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://domain.okta.com/app/domain_qareportportal_1/exk8sdfsdfsdfsfPWUf2p7/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://domain.okta.com/app/domain_qareportportal_1/exk8sdfsdfsdfsfPWUf2p7/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

What did I do wrong?

@evjlobanova
Contributor

@VolhaKarenko could you please check

@evjlobanova evjlobanova added the Check: Test Issue that should be reproduced on our envs label Aug 19, 2021
@VolhaKarenko

Hi @Kanaduchi, try providing the value of "Audience Restriction" from Okta in the "Identity provider name ID" field.

@Kanaduchi
Author

Hi @VolhaKarenko. This doesn't help me. After saving, this value is automatically changed back to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

@VolhaKarenko

@Kanaduchi I've noticed "Destination mismatch" errors in the logs you provided; it seems like you're using incorrect URLs in the SAML settings. Please provide your URL before the "/uat/saml/sp/SSO/alias/report-portal-sp" part.

@Kanaduchi
Author

Kanaduchi commented Aug 30, 2021

@VolhaKarenko
I decorated it with the word "domain" because it shouldn't be public. The domain is the same as in Okta.

Here is the full config: (screenshot)

@VolhaKarenko

@Kanaduchi try providing a valid port after the domain, like: https://qa-reportportal.domain.com:8080/uat/saml/sp/SSO/alias/report-portal-sp

@Kanaduchi
Author

@VolhaKarenko When I try to open the link with port 8080 I get an error: This site can’t be reached

Configuration of docker container for UI:

  ui:
    image: reportportal/service-ui:5.5.0
    environment:
      - RP_SERVER_PORT=8080
    labels:
      - "traefik.http.middlewares.ui-strip-prefix.stripprefix.prefixes=/ui"
      - "traefik.http.routers.ui.middlewares=ui-strip-prefix@docker"
      - "traefik.http.routers.ui.rule=PathPrefix(`/ui`)"
      - "traefik.http.routers.ui.service=ui"
      - "traefik.http.services.ui.loadbalancer.server.port=8080"
      - "traefik.http.services.ui.loadbalancer.server.scheme=http"
      - "traefik.expose=true"
    restart: always

The netstat command shows that port 8080 is used by docker-proxy: (screenshot)

@Yumfriez

@Kanaduchi Try providing an env variable for the UAT (authorization) container:
RP_AUTH_SAML_BASE_PATH=/uat

where host is the host of the deployed RP.

@Kanaduchi
Author

Kanaduchi commented Aug 31, 2021

@Yumfriez

I tried 2 variants:
RP_AUTH_SAML_BASE_PATH=/uat
and
RP_AUTH_SAML_BASE_PATH=https://qa-reportportal.domain.com/uat

I still see the error:
Aug 31 12:01:58 362c47d92d69 uat 1. Destination mismatch: https://qa-reportportal.domain.com/uat/saml/sp/SSO/alias/report-portal-sp
Aug 31 12:01:58 362c47d92d69 uat org.springframework.security.authentication.InsufficientAuthenticationException: Validation Errors:
Aug 31 12:01:58 362c47d92d69 uat 1. Destination mismatch: https://qa-reportportal.domain.com/uat/saml/sp/SSO/alias/report-portal-sp
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.saml.provider.service.authentication.SamlAuthenticationResponseFilter.attemptAuthentication(SamlAuthenticationResponseFilter.java:89) ~[spring-security-saml2-core-2.0.0.M31.jar!/:2.0.0.M31]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:113) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.saml.provider.service.SamlAuthenticationRequestFilter.doFilterInternal(SamlAuthenticationRequestFilter.java:89) ~[spring-security-saml2-core-2.0.0.M31.jar!/:2.0.0.M31]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:113) ~[spring-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]

I also noticed another error:
Aug 31 12:01:58 362c47d92d69 uat java.lang.IllegalArgumentException: Invalid characters (CR/LF) in header Location
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.web.firewall.FirewalledResponse.validateCrlf(FirewalledResponse.java:72) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.web.firewall.FirewalledResponse.sendRedirect(FirewalledResponse.java:42) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
Aug 31 12:01:58 362c47d92d69 uat at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138) ~[tomcat-embed-core-9.0.37.jar!/:4.0.FR]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.web.util.OnCommittedResponseWrapper.sendRedirect(OnCommittedResponseWrapper.java:135) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
Aug 31 12:01:58 362c47d92d69 uat at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138) ~[tomcat-embed-core-9.0.37.jar!/:4.0.FR]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.web.util.OnCommittedResponseWrapper.sendRedirect(OnCommittedResponseWrapper.java:135) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
Aug 31 12:01:58 362c47d92d69 uat at com.epam.reportportal.auth.AuthFailureHandler.onAuthenticationFailure(AuthFailureHandler.java:36) ~[classes!/:na]
Aug 31 12:01:58 362c47d92d69 uat at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication(AbstractAuthenticationProcessingFilter.java:352) ~[spring-security-web-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]

@Yumfriez

Yumfriez commented Aug 31, 2021

@Kanaduchi I see, we should make an improvement regarding this env variable.
Could you please post your docker config here? (traefik + ssl config + uat will be enough)
Also, it would be great to connect to uat using remote debug to see the values that are compared and fail because of the mismatch.

@Kanaduchi
Author

@Yumfriez Here is my config:
docker-compose-qa.txt

Unfortunately, it is impossible to connect to uat remotely; it works inside a VPN.

@PSchnurbus24

Hi

I have exactly the same issue. ReportPortal is installed in a GKE cluster with Contour HTTPProxy. Everything is working fine except SSO with Okta. Same error message.

@PSchnurbus24

Any news on this?

@Yumfriez

Yumfriez commented Oct 5, 2021

@Kanaduchi @PSchnurbus24 We’ve made a PR with the possibility to provide a redirect base path from the UI.
The problem was that in some cases the RP auth service was unable to resolve the request protocol correctly, so it was decided to allow users to provide the RP host directly in the SAML integration settings or via the env variable mentioned earlier (env priority was also fixed and is now higher than request protocol resolving).

So there will be 2 ways, ordered as follows:

  1. value passed in the integration params from the UI (optional)
  2. value provided in the env variable (if provided)
  3. logic of resolving using the request

These fixes are planned for the 5.6 release.
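The precedence described above, and why the Destination check fails when the base URL is derived from a request that arrives over plain HTTP behind a TLS-terminating proxy, as an added Python model (this is not ReportPortal's code; the request dict, the sample Response and the function names are constructed for this example):

```python
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_PATH = "/saml/sp/SSO/alias/report-portal-sp"  # SP endpoint path seen in the issue logs

# Constructed sample: the Destination Okta writes into its Response is the ACS
# URL registered on the Okta side (the https URL from the thread, domain masked).
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAML2P}" ID="_constructed" Version="2.0" '
    'IssueInstant="2021-07-20T15:00:32Z" '
    'Destination="https://qa-reportportal.domain.com/uat/saml/sp/SSO/alias/report-portal-sp"/>'
)

# Constructed request as the auth container sees it: the proxy terminated TLS
# for the browser but forwards plain http and no X-Forwarded-Proto header.
REQUEST_BEHIND_PROXY = {
    "scheme": "http",
    "host": "qa-reportportal.domain.com",
    "context_path": "/uat",
    "headers": {},
}


def resolve_base_path(ui_callback_url=None, env_base_path=None, request=None):
    """Precedence from the thread: UI value, then env variable, then the
    incoming request. A configured value is used verbatim as the base
    (an assumption of this model), so a path-only value such as "/uat"
    can never equal an absolute Destination."""
    if ui_callback_url:
        return ui_callback_url.rstrip("/")
    if env_base_path:
        return env_base_path.rstrip("/")
    # Request-based resolution: honour X-Forwarded-Proto when the proxy sends it,
    # otherwise fall back to the scheme the servlet container actually saw.
    scheme = request["headers"].get("X-Forwarded-Proto", request["scheme"])
    return f"{scheme}://{request['host']}{request.get('context_path', '')}"


def validate_destination(response_xml, base_path):
    """Compare the Response's Destination with the ACS URL the SP believes it
    serves; returns an error list in the style of the log lines in the thread."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAML2P}}}Response":
        return ["Not a SAML 2.0 Response"]
    destination = root.get("Destination")
    if destination is None:
        return ["Destination missing"]
    if destination != base_path + ACS_PATH:
        return [f"Destination mismatch: {destination}"]
    return []


if __name__ == "__main__":
    cases = {
        "request only (proxied http)": resolve_base_path(request=REQUEST_BEHIND_PROXY),
        "env RP_AUTH_SAML_BASE_PATH=/uat": resolve_base_path(env_base_path="/uat"),
        "UI callback https://host/uat": resolve_base_path("https://qa-reportportal.domain.com/uat"),
    }
    for label, base in cases.items():
        print(label, "->", base, validate_destination(SAMPLE_RESPONSE, base) or "OK")
```

Only the absolute https base (or a request carrying X-Forwarded-Proto: https) reproduces the Destination Okta signed; the proxied-http and path-only cases yield the same "Destination mismatch" line the thread reports.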

@evjlobanova evjlobanova added this to the 5.6 milestone Oct 5, 2021
@Kanaduchi
Author

Issue was resolved in 5.6. Thank you!

@mjnohai

mjnohai commented Dec 16, 2021

For some reason, even though I have RP_AUTH_SAML_BASE_PATH=/uat set, I'm getting routed to localhost in prod. If I paste in the actual URL instead of localhost, I get logged in correctly via Okta. I am also configured to use nginx instead of traefik. Is there anything else I may be missing?

https://localhost/ui/#authSuccess?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2Mzk3MzE5ODYsInVzZXJfbmFtZSI6Im1ub2hhaSIsImF1dGhvcml0aWVzIjpbIlJPTEVfVVNFUiJdLCJqdGkiOiJmZjg0NzYxNi02MzAwLTRkZDUtODllNS1iZjUxZmZjYjQ5YjUiLCJjbGllbnRfaWQiOiJ1aSIsInNjb3BlIjpbInVpIl19.M403qrOxjN36N_F7bBRgO5hPc6sszwLGrpYjFwaJuMg&token_type=bearer

I am currently on RP 5.6.0

@skorobogatydmitry

I still see the same issue on 5.6.2. I tried to put a wrong value to the callbackUrl: {"details": {"callbackUrl": "https://REDACTED/ui/#administrate/plugins/installed"}}. But it (1) still redirects to the UAT and (2) UAT throws the following error:
2022-07-05 18:03:55.238 DEBUG 1 --- [nio-9999-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/saml/sp/SSO/alias/report-portal-sp'; against '/saml/sp/SSO/**'
2022-07-05 18:03:55.238 DEBUG 1 --- [nio-9999-exec-6] s.p.s.a.SamlAuthenticationResponseFilter : Request is to process authentication
2022-07-05 18:03:55.266 DEBUG 1 --- [nio-9999-exec-6] s.p.s.a.SamlAuthenticationResponseFilter : Authentication request failed: org.springframework.security.authentication.InsufficientAuthenticationException: Validation Errors:
1. Destination mismatch: https://REDACTED/uat/saml/sp/SSO/alias/report-portal-sp

org.springframework.security.authentication.InsufficientAuthenticationException: Validation Errors:
1. Destination mismatch: https://REDACTED/uat/saml/sp/SSO/alias/report-portal-sp
	at org.springframework.security.saml.provider.service.authentication.SamlAuthenticationResponseFilter.attemptAuthentication(SamlAuthenticationResponseFilter.java:89) ~[spring-security-saml2-core-2.0.0.M31.jar!/:2.0.0.M31]

@skorobogatydmitry

Same on the latest version.

@Yumfriez

Yumfriez commented Jul 6, 2022

@skorobogatydmitry do you have the same error if you fill the RP callback URL field in the following format?
https://your_host/uat

@skorobogatydmitry

No, I am able to login if I specify just https://your_host/uat as callback URL. Thank you!
