
SSO via ADFS 2016 #1250

Closed
sschroll opened this issue Jul 13, 2017 · 9 comments

Comments

@sschroll

sschroll commented Jul 13, 2017

Infos:

  • Docker version: 17.05.0-ce, build 89658be
  • Docker-compose version: 1.14.0, build c7bdf9e
  • Operating system (Docker host): Ubuntu Server 16.04

Hi there :)

I know there are some open/closed issues regarding ADFS and Zammad, but these are regarding the "old" ADFS 2012r2 and SAML. The new ADFS now supports OAuth2:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/enabling-oauth-confidential-clients-with-ad-fs-2016

So I followed the instructions and created an Application Group:
[screenshots of the Application Group configuration]

With this information I filled in the Zammad "Authentication via Generic OAuth2" settings:
[screenshot of the Zammad OAuth2 settings]

Now when I try to log on I get the following error message, with the following error in "/home/zammad/log/production.log":
[screenshot of the error message]

I, [2017-07-13T06:04:47.273312 #17]  INFO -- : Started GET "/" for 172.18.0.4 at 2017-07-13 06:04:47 +0000
I, [2017-07-13T06:04:47.276834 #17]  INFO -- : Processing by InitController#index as HTML
I, [2017-07-13T06:04:47.278520 #17]  INFO -- :   Rendered init/index.html.erb within layouts/application (0.0ms)
I, [2017-07-13T06:04:47.280073 #17]  INFO -- : Completed 200 OK in 3ms (Views: 0.9ms | ActiveRecord: 0.5ms)
I, [2017-07-13T06:04:47.711967 #17]  INFO -- : Started POST "/api/v1/signshow" for 172.18.0.4 at 2017-07-13 06:04:47 +0000
I, [2017-07-13T06:04:47.714578 #17]  INFO -- : Processing by SessionsController#show as JSON
I, [2017-07-13T06:04:47.714649 #17]  INFO -- :   Parameters: {"fingerprint"=>"-63209599", "session"=>{"fingerprint"=>"-63209599"}}
I, [2017-07-13T06:04:47.778362 #17]  INFO -- : Completed 200 OK in 64ms (Views: 12.4ms | ActiveRecord: 2.4ms)
I, [2017-07-13T06:04:47.790943 #17]  INFO -- : Started GET "/api/v1/translations/lang/de-de?_=1499925887601" for 172.18.0.4 at 2017-07-13 06:04:47 +0000
I, [2017-07-13T06:04:47.794135 #17]  INFO -- : Processing by TranslationsController#lang as JSON
I, [2017-07-13T06:04:47.794192 #17]  INFO -- :   Parameters: {"_"=>"1499925887601", "locale"=>"de-de", "translation"=>{}}
I, [2017-07-13T06:04:47.822879 #17]  INFO -- : Completed 200 OK in 29ms (Views: 23.5ms | ActiveRecord: 0.5ms)
I, [2017-07-13T06:04:55.329824 #17]  INFO -- : Started GET "/auth/oauth2" for 172.18.0.4 at 2017-07-13 06:04:55 +0000
I, [2017-07-13T06:04:55.425828 #17]  INFO -- : Started GET "/auth/oauth2/callback?code=[FILTERED]&state=f3ea875cde1d576daadabfb8159b220551bdd645bd395d90" for 172.18.0.4 at 2017-07-13 06:04:55 +0000
F, [2017-07-13T06:04:55.440701 #17] FATAL -- :
Faraday::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed):
  /usr/local/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock'
  /usr/local/lib/ruby/2.3.0/net/http.rb:933:in `connect'
  /usr/local/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
  /usr/local/lib/ruby/2.3.0/net/http.rb:852:in `start'
  /usr/local/lib/ruby/2.3.0/net/http.rb:1398:in `request'
  faraday (0.9.2) lib/faraday/adapter/net_http.rb:82:in `perform_request'
  faraday (0.9.2) lib/faraday/adapter/net_http.rb:40:in `block in call'
  faraday (0.9.2) lib/faraday/adapter/net_http.rb:87:in `with_net_http_connection'
  faraday (0.9.2) lib/faraday/adapter/net_http.rb:32:in `call'
  faraday (0.9.2) lib/faraday/request/url_encoded.rb:15:in `call'
  faraday (0.9.2) lib/faraday/rack_builder.rb:139:in `build_response'
  faraday (0.9.2) lib/faraday/connection.rb:377:in `run_request'
  oauth2 (1.2.0) lib/oauth2/client.rb:93:in `request'
  oauth2 (1.2.0) lib/oauth2/client.rb:138:in `get_token'
  oauth2 (1.2.0) lib/oauth2/strategy/auth_code.rb:29:in `get_token'
  omniauth-oauth2 (1.4.0) lib/omniauth/strategies/oauth2.rb:89:in `build_access_token'
  omniauth-oauth2 (1.4.0) lib/omniauth/strategies/oauth2.rb:73:in `callback_phase'
  omniauth (1.3.1) lib/omniauth/strategy.rb:227:in `callback_call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:184:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.3.1) lib/omniauth/builder.rb:63:in `call'
  rack (1.6.4) lib/rack/etag.rb:24:in `call'
  rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'
  rack (1.6.4) lib/rack/head.rb:13:in `call'
  actionpack (4.2.7.1) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.2.7.1) lib/action_dispatch/middleware/flash.rb:260:in `call'
  rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.2.7.1) lib/action_dispatch/middleware/cookies.rb:560:in `call'
  activerecord (4.2.7.1) lib/active_record/query_cache.rb:36:in `call'
  activerecord (4.2.7.1) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
  actionpack (4.2.7.1) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.2.7.1) lib/active_support/callbacks.rb:88:in `__run_callbacks__'
  activesupport (4.2.7.1) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
  activesupport (4.2.7.1) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (4.2.7.1) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.2.7.1) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
  actionpack (4.2.7.1) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  actionpack (4.2.7.1) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.2.7.1) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.2.7.1) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.2.7.1) lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport (4.2.7.1) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (4.2.7.1) lib/active_support/tagged_logging.rb:68:in `tagged'
  railties (4.2.7.1) lib/rails/rack/logger.rb:20:in `call'
  actionpack (4.2.7.1) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'
  rack (1.6.4) lib/rack/runtime.rb:18:in `call'
  activesupport (4.2.7.1) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  rack (1.6.4) lib/rack/sendfile.rb:113:in `call'
  railties (4.2.7.1) lib/rails/engine.rb:518:in `call'
  railties (4.2.7.1) lib/rails/application.rb:165:in `call'
  railties (4.2.7.1) lib/rails/railtie.rb:194:in `public_send'
  railties (4.2.7.1) lib/rails/railtie.rb:194:in `method_missing'
  puma (3.6.0) lib/puma/configuration.rb:225:in `call'
  puma (3.6.0) lib/puma/server.rb:578:in `handle_request'
  puma (3.6.0) lib/puma/server.rb:415:in `process_client'
  puma (3.6.0) lib/puma/server.rb:275:in `block in run'
  puma (3.6.0) lib/puma/thread_pool.rb:116:in `block in spawn_thread'


So the problem seems to be "certificate verify failed". The question is which cert?

Thanks for any help :)

Best regards from Nürnberg,
Sebastian

@hanneshal (Contributor)

The certificate which is used for your adfs domain you specified in the generic oauth settings could not be verified. Maybe it's self signed?

@sschroll (Author)

All certificates within the company are issued by our internal Root CA. How can I add this trust?

@hanneshal (Contributor)

@martini we had this before but I can't find it. Can you help?

@sschroll (Author)

We added our Root CA to the trusted CAs on the Rails server using OpenSSL. After adding the cert we had to HUP the Rails container.

Now we get a new error, this time on the ADFS side:
[screenshot: zammad_adfs_05]

And this is the Zammad log:
[screenshot: zammad_adfs_06]

I double-checked the ClientID, but I'm not sure about the redirect URI. The "code" part seems to be mistaken?
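
Added here as a worked illustration, not code from the issue or from Zammad: the "certificate verify failed" from the log above and the Root-CA fix described in this comment, reproduced offline with Ruby's OpenSSL (the same library Net::HTTP and Faraday use) using a constructed internal Root CA and an ADFS leaf certificate. All names and certificates are constructed assumptions.

```ruby
require 'openssl'

# Build a constructed certificate. With issuer_cert nil the cert is self-signed
# (our pretend internal Root CA); otherwise it is signed by the given issuer.
def make_cert(subject, serial, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
    ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  cert
end

# Constructed PKI: an internal Root CA (assumed name) and the ADFS server cert
# it issued (assumed host name), mirroring the setup described in the issue.
CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert('/CN=Example Internal Root CA', 1, CA_KEY, ca: true)
ADFS_KEY  = OpenSSL::PKey::RSA.new(2048)
ADFS_CERT = make_cert('/CN=adfs.example.internal', 2, ADFS_KEY,
                      issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Verify the ADFS leaf against an X509 store the way the TLS client does.
# With only the system default paths the internal chain cannot be built and
# verification fails (this is what surfaces as "certificate verify failed");
# once the Root CA is added to the store the same leaf verifies.
# Net::HTTP exposes this store as http.cert_store; Faraday as ssl: { ca_file: }.
def verify_chain(leaf, trusted_ca: nil)
  store = OpenSSL::X509::Store.new
  store.set_default_paths               # the system bundle Ruby trusts by default
  store.add_cert(trusted_ca) if trusted_ca
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ok = ctx.verify
  [ok, ok ? 'ok' : ctx.error_string]    # error_string names the real cause
end

if __FILE__ == $PROGRAM_NAME
  puts "default store : #{verify_chain(ADFS_CERT).inspect}"
  puts "with Root CA  : #{verify_chain(ADFS_CERT, trusted_ca: CA_CERT).inspect}"
end
```

The error string from the default store (typically "unable to get local issuer certificate") is the detail hidden behind Faraday's generic message; adding the CA to the trust store, rather than turning verification off, is the fix that keeps the token exchange protected.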

@sschroll (Author)

Any idea on how to get this working? What part of zammad do we have to edit?

@thorsteneckel (Contributor)

Hi @sschroll - you might want to take a look at these two issues:

#825
#775

There are different ways to handle OAuth2 results and it seems yours is currently not supported. We managed to get a workaround as described in these issues but it's currently not implemented as a general solution. There is an open issue to address this but we are currently working on other features. Hope it helps. 🤞

@luketosi

Hi guys, I have the same problem using wso2is. I solved the certificate problem, but the code in
#825
#775
did not solve my problem either. It always gives me "auth/failure?message=invalid_credentials&origin=http%3A%2F%2F192.168.3.45%2F&strategy=oauth2"

@thorsteneckel (Contributor)

Any chance we can reproduce this somewhere/somehow?

@thorsteneckel (Contributor)

No feedback in more than two weeks -> closing. Feel free to provide further information.
