
Unable to change the domain when a user is authenticated by SAML #10003

Closed
kiranchavala opened this issue Nov 28, 2024 · 11 comments · Fixed by #10047

Comments

@kiranchavala (Contributor)

ISSUE TYPE

BUG

COMPONENT NAME

Component: Bug

CLOUDSTACK VERSION

Cloudstack version 4.18.2.5, 4.19.1.3

SUMMARY

Unable to change the domain when a user is authenticated by SAML

Steps to reproduce the issue

On 4.19.1.3 environment

  1. Enable SAML authentication
  2. Create 2 domains (domain 1 and domain 2)
  3. Create an account in each domain and authorize SAML

[screenshot: account-creation]

[screenshot: account-creation2]

  4. Login as single sign-on

[screenshot: single]

  5. Change the domain

[screenshot: changedomain]

  6. Exception message

[screenshot: exception]

Video recording

https://www.loom.com/share/7dd809008a7649e7907bdf10c56af185?sid=86038cae-f441-4d8f-b76a-0db59486bf0b


Followed the same steps on 4.18.1.1 and found no issue on 4.18.1.1

Video recording

https://www.loom.com/share/6cc8b0625c324976b338965ae679ae26?sid=01b0d96e-5b6d-4d77-bacd-e81c62e66610

Expected Behaviour

CloudStack SAML-configured users should be able to change the domain

Actual Behaviour

CloudStack SAML-configured users are not able to change the domain

@weizhouapache (Member)

this seems to be a regression of the security bug fixes in
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2

there are two related fixes
CVE-2024-45462: Incomplete session invalidation on web interface logout
CVE-2024-45693: Request origin validation bypass makes account takeover possible

@kiranchavala (Contributor, Author)

Thanks @weizhouapache. SAML-authenticated users can change the domain till the 4.18.2.3 release.

The issue is occurring from the 4.18.2.4 release

@weizhouapache (Member)

@kiranchavala
thanks

can you change global setting api.sessionkey.check.locations to CookieOrParameter, and retry ?
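
The workaround proposed above is a change to the global setting api.sessionkey.check.locations. As an added example (not CloudStack's own code and not part of this thread), the Python below builds the signed listConfigurations and updateConfiguration requests an operator would use to read and then apply that setting from a script rather than the UI. The management-server URL, API key and secret key are placeholders, and the sample listConfigurations JSON is constructed for the example, not captured from a real server.

```python
"""Read and apply the api.sessionkey.check.locations workaround through the
CloudStack API.

Added example, not CloudStack project code. Endpoint and credentials below
are placeholders (assumptions); the sample response is constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import quote

# Assumed values for illustration only; replace with real ones.
API_URL = "https://cloudstack.example.com/client/api"
API_KEY = "PLACEHOLDER_API_KEY"
SECRET_KEY = "PLACEHOLDER_SECRET_KEY"

SETTING = "api.sessionkey.check.locations"
WORKAROUND_VALUE = "CookieOrParameter"  # value proposed in the thread


def signature_base(params: dict) -> str:
    """String CloudStack signs: values URL-encoded (space as %20), pairs
    sorted by key, and the whole string lowercased."""
    encoded = {k: quote(str(v), safe="*") for k, v in params.items()}
    pairs = sorted(encoded.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={v}" for k, v in pairs).lower()


def sign(params: dict, secret: str) -> str:
    """CloudStack API signature: base64(HMAC-SHA1(secret, signature_base))."""
    mac = hmac.new(secret.encode(), signature_base(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_url(command: str, api_key: str, secret: str, **args) -> str:
    """Complete GET URL with apikey, response=json and the signature appended.
    The signature itself is URL-encoded so '+' and '/' survive transport."""
    params = {"command": command, "apikey": api_key, "response": "json", **args}
    query = "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in params.items())
    return f"{API_URL}?{query}&signature={quote(sign(params, secret), safe='')}"


def workaround_urls(api_key: str = API_KEY, secret: str = SECRET_KEY) -> dict:
    """The two calls an operator needs: read the current value, then set it."""
    return {
        "read": signed_url("listConfigurations", api_key, secret, name=SETTING),
        "apply": signed_url("updateConfiguration", api_key, secret,
                            name=SETTING, value=WORKAROUND_VALUE),
    }


def current_value(list_configurations_json: str, name: str = SETTING) -> Optional[str]:
    """Pull the value of `name` out of a listConfigurations JSON response."""
    body = json.loads(list_configurations_json)
    for cfg in body.get("listconfigurationsresponse", {}).get("configuration", []):
        if cfg.get("name") == name:
            return cfg.get("value")
    return None


# Constructed sample response, not captured from a management server.
SAMPLE_RESPONSE = json.dumps({
    "listconfigurationsresponse": {
        "count": 1,
        "configuration": [
            {"category": "Advanced", "name": SETTING, "value": "CookieAndParameter"}
        ],
    }
})

if __name__ == "__main__":
    print("sample current value:", current_value(SAMPLE_RESPONSE))
    for step, url in workaround_urls().items():
        print(step, "->", url)
```

Send the "read" URL first and confirm the returned value before sending "apply"; the setting is global, so the change affects every API client, not only the SAML users affected here.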

@DaanHoogland DaanHoogland added this to the 4.20.1 milestone Nov 28, 2024
@kiranchavala (Contributor, Author)

@weizhouapache Getting the same error even after changing the api.sessionkey.check.locations to CookieOrParameter

@DaanHoogland (Contributor)

@weizhouapache @kiranchavala , I set this to 4.20.1 but am having second thoughts. should (and can!) we move this forward or is it too complicated to solve?

@weizhouapache (Member)

> @weizhouapache @kiranchavala , I set this to 4.20.1 but am having second thoughts. should (and can!) we move this forward or is it too complicated to solve?

@DaanHoogland
I have not looked into this issue yet, so no idea what's the root cause and how to fix it
IMHO, the fix could be very simple.

@kiranchavala
can a SAML user log in with a specific domain? (not switch/change domain)

@kiranchavala (Contributor, Author)

@weizhouapache

Currently, there is no option to select a specific domain during login for SAML

[screenshot: Screenshot 2024-12-04 at 5.33.55 PM]

Once logged in, users get the option to switch to a specific domain

[screenshot: Screenshot 2024-12-04 at 5.35.31 PM]

@weizhouapache (Member)

> @weizhouapache
>
> Currently, there is no option to select a specific domain during login for SAML
>
> [screenshot: Screenshot 2024-12-04 at 5.33.55 PM]
>
> Once logged in, users get the option to switch to a specific domain
>
> [screenshot: Screenshot 2024-12-04 at 5.35.31 PM]

thanks @kiranchavala
then this becomes a critical issue for SAML users who have accounts in multiple domains.

@DaanHoogland DaanHoogland added Severity:Critical Critical bug and removed Severity:Major labels Dec 4, 2024
@DaanHoogland DaanHoogland modified the milestones: 4.20.1, 4.19.2 Dec 4, 2024
@DaanHoogland (Contributor)

clear, thanks @weizhouapache @kiranchavala

@weizhouapache (Member)

> clear, thanks @weizhouapache @kiranchavala

I will have a look @DaanHoogland @kiranchavala

@DaanHoogland (Contributor)

fixed by #10047
