igniterealtime/pade

Trouble getting SSO to work

bmccorkle opened this issue · 15 comments

I'm having some issues getting SSO to work.

Logging in manually with username/password works just fine.

  • I have the Chat API plugin installed (Openfire 4.5.1) and OFCHAT is selected as a SASL Mechanism.

  • I'm able to go to https://myserver:7443/sso/password. It gives me a prompt. If I enter my credentials, I get what appears to be my token (username:token).

  • In Pade, I have:
    Server: myserver.domain.com:7443
    Domain: domain.com
    "Use Windows Single Sign On" is checked.
    Websocket: wss://myserver.domain.com:7443/ws/

  • Chrome has the FQDN of the server whitelisted for auth

However, when I try to log in, Pade appears to connect (icon looks okay) but Converse comes up and only shows a white display window and never loads on the machine I'm testing.

I have not used SSO in a while. Let me check just in case I broke it in a recent release.

Looks like I have indeed broken it.

image
If you hit F12 for the dev console in chrome, do you see this screen?

It was not me. It was Converse API changes going from 4.x to 5.x.
Thanks for reporting. I would need to spend a few hours on this.

Yes, I see the same thing. Good to know it's not me, lol. We had been using Spark but I started looking for a new client this weekend, due to everyone trying to work from home, that would be easy to set up and pre-configure. That's when I stumbled across Pade. Just want to say awesome app!

Fixed it. You will have to wait for version 1.6.2 to become available in the Chrome Web Store or the Microsoft Edge add-ons store.

If you are in a hurry, you can build your own branded extension from source.

Just want to say awesome app!

Thank you. I take a bow :-)

Thank you!

I tried the plugin in developer mode. SSO works if I uncheck "This is a trusted device" but says authentication failure if I leave it checked. I assume it's something to do with OMEMO encryption? Is there something that needs setup on Openfire?

I have a wildcard certificate in the identity store and have mutual authentication set to "Disabled - Peer certificates are not verified."

I think I got that fixed by enabling pubsub? Now however, when I start it the Pade icon is there, but when I click on it to bring up Converse it pops up and asks for my login credentials.

Trying the plugin in developer mode and I see this...

Uncaught (in promise) Error: autoLogin: If you use auto_login and authentication='login' then you also need to provide a password.

I just tested the fix I made for version 1.6.2 and it works for me like this.

  1. did a factory reset and did not retain any settings
  2. changed the default server/domain to my dev pc openfire server
  3. clicked on Use Windows Single Sign On

image

Settings window closed and the app reloads and does auto-login using my Windows desktop credentials.

image

I am now logged in as Windows domain administrator. I can now edit my display name and log in manually using the login button in the settings page.

image

Sorry, all this COVID-19 stuff has slowed me down. So if I do a fresh install of your plugin I still have issues.

The background Pade seems to connect, the icon doesn't say 'off' and the Converse window opens, but it doesn't log in and says "Authentication Failure". If I try to enter my credentials in the Converse window, it still fails with an "Authentication failure". If I uncheck SSO and restart it, I can log in manually.

Initial Login Error

(Removed my domain):
Connection Settings

Authentication Settings

Pade Error

I don't know if this helps, but this is what I get in the debug log on Openfire when I try to enter my credentials in Converse after it initially fails on SSO...

2020.04.07 13:39:20 org.jivesoftware.openfire.spi.RoutingTableImpl - Removing client route DOMAIN.COM/atfflc4i3g
2020.04.07 13:39:20 org.jivesoftware.openfire.spi.RoutingTableImpl - Removing client route DOMAIN.COM/45w2d0uzhr
2020.04.07 13:39:21 org.quartz.core.QuartzSchedulerThread - batch acquisition of 0 triggers
2020.04.07 13:39:24 org.apache.mina.filter.ssl.SslFilter - Session Server123: Message received : HeapBuffer[pos=0 lim=98 cap=128: 17 03 03 00 5D 00 00 00 00 00 00 00 69 02 3B 8D...]
2020.04.07 13:39:24 org.apache.mina.filter.ssl.SslHandler - Session Server123 Processing the received message
2020.04.07 13:39:24 org.apache.mina.filter.ssl.SslFilter - Session Server123: Processing the SSL Data
2020.04.07 13:39:24 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_RECEIVED to session 123
Queue : [MESSAGE_RECEIVED, ]

2020.04.07 13:39:24 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 123
2020.04.07 13:39:24 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 123
2020.04.07 13:39:24 org.apache.mina.filter.ssl.SslFilter - Session Server123: Writing Message : WriteRequest: HeapBuffer[pos=0 lim=84 cap=4096: 3C 69 71 20 74 79 70 65 3D 22 72 65 73 75 6C 74...]
2020.04.07 13:39:24 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_RECEIVED has been fired for session 123
2020.04.07 13:39:24 org.apache.mina.filter.executor.OrderedThreadPoolExecutor - Adding event MESSAGE_SENT to session 123
Queue : [MESSAGE_SENT, ]

2020.04.07 13:39:24 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_SENT event for session 123
2020.04.07 13:39:24 org.apache.mina.core.filterchain.IoFilterEvent - Event MESSAGE_SENT has been fired for session 123
2020.04.07 13:39:25 org.jivesoftware.openfire.spi.RoutingTableImpl - Removing client route DOMAIN.COM/5klfkgudtt
2020.04.07 13:39:29 org.jitsi.videobridge.xmpp.ComponentImpl - (serving component 'JitsiVideobridge') Processing IQ (packetId a47sZ-356436):
2020.04.07 13:39:33 org.quartz.core.QuartzSchedulerThread - batch acquisition of 0 triggers
2020.04.07 13:39:34 org.jivesoftware.openfire.spi.RoutingTableImpl - Removing client route DOMAIN.COM/6v4cfemqzq
2020.04.07 13:39:36 org.jivesoftware.openfire.plugin.rest.sasl.OfChatSaslServer - Parsing data from client response...
2020.04.07 13:39:36 org.jivesoftware.openfire.plugin.rest.sasl.OfChatSaslServer - OFCHAT authentication

<title>Error 500 Server Error</title>

HTTP ERROR 500

Problem accessing /sso/password. Reason:

 Server Error

Caused by

2020.04.07 13:39:36 org.jivesoftware.openfire.ldap.LdapManager - Trying to find a user's RDN based on their username: ' <title>error 500 server error</title> http error 500 problem accessing /sso/password. reason'. Field: 'sAMAccountName', Base DN: 'OU="ORGANIZATION",DC="DOMAIN",DC="COM"' ...
2020.04.07 13:39:36 org.jivesoftware.openfire.ldap.LdapManager - Creating a DirContext in LdapManager.getContext() for baseDN 'OU="ORGANIZATION",DC="DOMAIN",DC="COM"'...
2020.04.07 13:39:36 org.jivesoftware.openfire.ldap.LdapManager - Created hashtable with context values, attempting to create context...
2020.04.07 13:39:36 org.jivesoftware.openfire.ldap.LdapManager - ... context created successfully, returning.
2020.04.07 13:39:36 org.jivesoftware.openfire.ldap.LdapManager - Starting LDAP search for username ' <title>error 500 server error</title> http error 500 problem accessing /sso/password. reason'...
2020.04.07 13:39:36 org.jivesoftware.openfire.ldap.LdapManager - ... search finished for username ' <title>error 500 server error</title> http error 500 problem accessing /sso/password. reason'.
2020.04.07 13:39:36 org.jivesoftware.openfire.ldap.LdapManager - User DN based on username ' <title>error 500 server error</title> http error 500 problem accessing /sso/password. reason' not found.
2020.04.07 13:39:36 org.jivesoftware.openfire.net.SASLAuthentication - SASL negotiation failed for session: HttpSession{address=DOMAIN.COM/aku6v7qasx, streamID=aku6v7qasx, status=1 (connected), isSecure=true, isDetached=false, serverName='DOMAIN.COM', isInitialized=false, hasAuthToken=false, peer address='10.10.9.15', presence=' ', hold='1', wait='59', maxRequests='2', maxPause='300', lastActivity='1586281176242', lastAcknowledged='1848407540', inactivityTimeout='30', openConnectionCount='1'}
javax.security.sasl.SaslException: OFCHAT authentication failure - org.jivesoftware.openfire.user.UserNotFoundException
    at org.jivesoftware.openfire.plugin.rest.sasl.OfChatSaslServer.evaluateResponse(OfChatSaslServer.java:115) ~[?:?]
    at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:357) [xmppserver-4.5.1.jar:4.5.1]
    at org.jivesoftware.openfire.SessionPacketRouter.route(SessionPacketRouter.java:60) [xmppserver-4.5.1.jar:4.5.1]
    at org.jivesoftware.openfire.http.HttpSession.sendPendingPackets(HttpSession.java:634) [xmppserver-4.5.1.jar:4.5.1]
    at org.jivesoftware.openfire.http.HttpSession$HttpPacketSender.run(HttpSession.java:1351) [xmppserver-4.5.1.jar:4.5.1]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:1.8.0_241]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_241]
    at java.lang.Thread.run(Unknown Source) [?:1.8.0_241]
2020.04.07 13:39:36 org.jivesoftware.openfire.http.HttpSession - complete event org.eclipse.jetty.server.AsyncContextEvent@1716dec8 for 1848407540 in session aku6v7qasx
2020.04.07 13:39:39 org.jitsi.videobridge.xmpp.ComponentImpl - (serving component 'JitsiVideobridge') Processing IQ (packetId a47sZ-356438):
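The log above shows the failure mode: the /sso/password call returned a Jetty error page, and that HTML, split at its first colon ("Reason:"), was sent as the OFCHAT username:token and looked up in LDAP as a user. The following is an added client-side check, not Pade's own code, that rejects such a response before it reaches SASL; the function name, the accepted character sets and the sample bodies are assumptions constructed for this example.

```javascript
// Added example (not Pade's code): validate the /sso/password response before
// handing it to SASL OFCHAT. An HTTP error page must never be treated as a
// credential, and a body that is not strictly "username:token" must be refused.

// Assumed character sets for the two halves of "username:token".
const USERNAME_RE = /^[A-Za-z0-9._@-]+$/;
const TOKEN_RE = /^[A-Za-z0-9._~+/=-]+$/;

// Returns {username, token} on success, or {error} describing the rejection.
// Never throws, so the caller can fall back to a manual login prompt.
function parseSsoPassword(status, contentType, body) {
  if (status !== 200) {
    return { error: `sso endpoint returned HTTP ${status}` };
  }
  const text = (body || "").trim();
  // A Jetty error page is HTML; a token response is plain text.
  if (/^</.test(text) || /^text\/html/i.test(contentType || "")) {
    return { error: "sso endpoint returned an HTML page, not a token" };
  }
  const sep = text.indexOf(":");
  if (sep <= 0 || sep === text.length - 1) {
    return { error: "response is not in username:token form" };
  }
  const username = text.slice(0, sep);
  const token = text.slice(sep + 1);
  if (!USERNAME_RE.test(username) || !TOKEN_RE.test(token)) {
    return { error: "username or token contains unexpected characters" };
  }
  return { username, token };
}

// Constructed sample bodies: a Jetty-style 500 page like the one in the log,
// and a well-formed token response.
const ERROR_PAGE = "<html><head><title>Error 500 Server Error</title></head>" +
  "<body><h2>HTTP ERROR 500</h2><p>Problem accessing /sso/password. Reason:" +
  "<pre>    Server Error</pre></p><h3>Caused by</h3></body></html>";
const GOOD_BODY = "alice:9f8e7d6c5b4a";
```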

I never tested this with LDAP. I suspect you are encountering server-side issues as the userProvider and groupProvider are read-only. I will take a look.

I think you are right. I seem to have got it working. Not sure exactly what it was but I switched it to LDAPS (636) and uploaded a new server certificate into the trust store then it started working. Thanks for all your help Dele.