Nuxeo Platform / NXP-32244

Fix SAML authentication plugin when several SAML authentication plugins are configured in authentication chain


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2023.0
    • Fix Version/s: 2023.8
    • Component/s: SAML
    • Release Notes Summary:
      SAML auth providers can now be chained.
    • Backlog priority:
      900
    • Sprint:
      nxplatform #105
    • Story Points:
      8

      Description

      Since LTS 2023, when defining more than one SAML authentication plugin in the authentication chain, it can happen that a SAML authentication plugin processes a request/response that is meant for another SAML authentication plugin, depending on the order in which they are configured in the authentication chain. This leads to login requests being rejected.

      Contribution of authentication plugins:

        <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
          <authenticationPlugin name="PLUGIN1_SAML_AUTH" enabled="true" class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
            <loginModulePlugin>Trusting_LM</loginModulePlugin>
            <needStartingURLSaving>true</needStartingURLSaving>
            <parameters>
              <parameter name="name">Plugin1 Okta SSO</parameter>
              <parameter name="metadata">${plugin1.okta.url}</parameter>
            </parameters>
          </authenticationPlugin>
        </extension>

        <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
          <authenticationPlugin name="PLUGIN2_SAML_AUTH" enabled="true" class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
            <loginModulePlugin>Trusting_LM</loginModulePlugin>
            <needStartingURLSaving>true</needStartingURLSaving>
            <parameters>
              <parameter name="name">Plugin2 Okta SSO</parameter>
              <parameter name="metadata">${plugin2.okta.url}</parameter>
            </parameters>
          </authenticationPlugin>
        </extension>
      

      Contribution of authentication chain:

        <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
          <authenticationChain>
            <plugins>
              <plugin>FORM_AUTH</plugin>
              <plugin>BASIC_AUTH</plugin>
              <plugin>PLUGIN1_SAML_AUTH</plugin>
              <plugin>PLUGIN2_SAML_AUTH</plugin>
            </plugins>
          </authenticationChain>
        </extension>
      

      When a user defined in the SAML server behind authentication plugin PLUGIN2_SAML_AUTH tries to log in, it fails. As you can see in the curated logs below, authentication plugin PLUGIN1_SAML_AUTH processes the request/response, which is wrong: it is supposed to ignore it and let the next authentication plugin, PLUGIN2_SAML_AUTH, process it.

      I guess processorFactory.retrieveInboundProcessor() at https://github.com/nuxeo/nuxeo-lts/blob/6f7a2b5ae7df1b501b7a5ce63862fb9fff6a765e/modules/platform/login/nuxeo-platform-login-saml2/src/main/java/org/nuxeo/ecm/platform/auth/saml/SAMLAuthenticationProvider.java#L186 does not properly filter the request and returns a wrong processor instead of a null object.
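      Added illustration of the ownership check the description is asking for; this is not Nuxeo code and not the reporter's, and it does not use the Nuxeo API. It is written in Python so it runs stand-alone: each chained SAML plugin is modelled as knowing the entityID of the IdP whose metadata it was configured with, and a plugin only claims a SAMLResponse whose Issuer matches that entityID, otherwise it declines (returns None) so the next plugin in the chain gets a look. The plugin names and chain order are the ones from the contribution above; the IdP entityIDs and the unsigned SAMLResponse are constructed for the demo.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed: the entityID each plugin would learn from its own IdP metadata
# (the ${plugin1.okta.url} / ${plugin2.okta.url} documents in the contribution).
PLUGIN_IDP_ENTITY_ID: Dict[str, str] = {
    "PLUGIN1_SAML_AUTH": "https://plugin1.example.okta.com/saml/idp",
    "PLUGIN2_SAML_AUTH": "https://plugin2.example.okta.com/saml/idp",
}

# Chain order from the <authenticationChain> contribution; the non-SAML plugins
# are kept so the walk mirrors the real chain.
CHAIN: List[str] = ["FORM_AUTH", "BASIC_AUTH", "PLUGIN1_SAML_AUTH", "PLUGIN2_SAML_AUTH"]


def response_issuer(saml_response_b64: str) -> Optional[str]:
    """Decode the base64 SAMLResponse form parameter and return the top-level Issuer.

    Returns None for anything that is not a samlp:Response with an Issuer, so the
    caller treats "not mine" and "not SAML at all" the same way: decline.
    In production, parse untrusted XML with defusedxml rather than ElementTree.
    """
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    except (ValueError, ET.ParseError):
        return None
    if root.tag != "{%s}Response" % SAML_NS["samlp"]:
        return None
    issuer = root.find("saml:Issuer", SAML_NS)
    if issuer is None or not issuer.text:
        return None
    return issuer.text.strip()


def plugin_handles(plugin_name: str, saml_response_b64: str) -> bool:
    """A plugin claims a response only if it was issued by the IdP it is configured for.

    This is a routing decision, not a trust decision: the plugin that claims the
    response must still validate its signature against that IdP's certificate.
    """
    expected = PLUGIN_IDP_ENTITY_ID.get(plugin_name)
    return expected is not None and response_issuer(saml_response_b64) == expected


def route_response(chain: List[str], saml_response_b64: str) -> Optional[str]:
    """Walk the chain in order and return the first plugin that owns the response.

    With the check in plugin_handles, PLUGIN1_SAML_AUTH declines a response from
    plugin 2's IdP instead of consuming (and rejecting) it, which is the bug described.
    """
    for name in chain:
        if name in PLUGIN_IDP_ENTITY_ID and plugin_handles(name, saml_response_b64):
            return name
    return None


def make_response(issuer: str) -> str:
    """Constructed, unsigned, minimal SAMLResponse for the demo (real ones are signed)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_demo" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        'Destination="https://nuxeo.example/nuxeo/saml/acs">'
        "<saml:Issuer>%s</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        "</samlp:Response>"
    ) % issuer
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # A user from plugin 2's IdP: plugin 1 declines, plugin 2 claims the response.
    resp = make_response(PLUGIN_IDP_ENTITY_ID["PLUGIN2_SAML_AUTH"])
    print(plugin_handles("PLUGIN1_SAML_AUTH", resp), route_response(CHAIN, resp))
```

      Matching on Issuer alone routes by IdP; a stricter variant would also require InResponseTo to match an AuthnRequest ID that the same plugin issued, which additionally rejects unsolicited responses.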

        Attachments

        1. mock-saml-metadata.xml (2 kB, Nour Al Kotob)
        2. saml-config.xml (3 kB, Nour Al Kotob)
