kohrar opened a new issue #5548:
URL: https://github.com/apache/cloudstack/issues/5548


   
   ##### ISSUE TYPE
    * Bug Report
   
   ##### COMPONENT NAME
   ~~~
   SAML/SSO
   ~~~
   
   ##### CLOUDSTACK VERSION
   
   ~~~
   4.15.2
   ~~~
   
   ##### CONFIGURATION
   Enabled SAML plugin and configured it to authenticate against Azure AD.
   
   ##### STEPS TO REPRODUCE
   SAML authentication fails intermittently depending on the SAML request ID that is generated. Depending on your luck, you might get a random request ID that begins with something between A-F. In such cases, the authentication request goes through as expected. On the chance that the generated number begins with 0-9, the authentication request fails with an error similar to:
   > AADSTS7500529: The value '692rv91k6dgmdas33vr3b2keahr4lqjv' is not a valid SAML ID. The ID must not begin with a number.
   
   As per Azure AD's documentation, an acceptable request ID must not start with a number.
   > ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID.
   > https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/single-sign-on-saml-protocol.md
   
   The CloudStack implementation generates the random ID string with the following method in SAMLUtils and has no ability to prefix the SAML ID string as recommended by Azure AD's documentation.
   ```java
   import java.math.BigInteger;
   import java.security.SecureRandom;

   import org.apache.log4j.Logger;

   public class SAMLUtils {
       public static final Logger s_logger = Logger.getLogger(SAMLUtils.class);

       // 160 random bits rendered in base 32 (digits 0-9 and a-v); the first
       // character can therefore be a digit, which Azure AD rejects as an xs:ID.
       public static String generateSecureRandomId() {
           return new BigInteger(160, new SecureRandom()).toString(32);
       }
   }
   ```
   
   ##### EXPECTED RESULTS
   Successful authentication with SAML and Azure AD.
   
   ##### ACTUAL RESULTS
   Intermittent authentication failure with SAML and Azure AD.
   
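As an added example that is not part of this issue or of CloudStack's own code: the generator from SAMLUtils next to a prefixed variant, plus a check for the xs:ID (NCName) rule behind Azure AD's error; the class, method and PREFIX names are assumptions.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

public class SamlIdExample {
    private static final SecureRandom RNG = new SecureRandom();
    // Assumed prefix; Azure AD's documentation suggests prepending "id".
    private static final String PREFIX = "id";

    /** Current behaviour: 160 random bits in base 32, which may begin with a digit. */
    public static String generateUnprefixedId() {
        return new BigInteger(160, RNG).toString(32);
    }

    /** Fixed variant: a letter prefix guarantees the ID is a valid xs:ID (NCName). */
    public static String generatePrefixedId() {
        return PREFIX + generateUnprefixedId();
    }

    /**
     * Minimal NCName check that covers the IDs above: the first character must be
     * a letter or '_', the rest letters, digits, '.', '-' or '_'; no colons.
     */
    public static boolean isValidSamlId(String id) {
        if (id == null || id.isEmpty()) return false;
        char first = id.charAt(0);
        if (!(Character.isLetter(first) || first == '_')) return false;
        for (int i = 1; i < id.length(); i++) {
            char c = id.charAt(i);
            if (!(Character.isLetterOrDigit(c) || c == '.' || c == '-' || c == '_')) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Sample IDs to show how often the unprefixed form violates the rule.
        int samples = 10_000, badUnprefixed = 0, badPrefixed = 0;
        for (int i = 0; i < samples; i++) {
            if (!isValidSamlId(generateUnprefixedId())) badUnprefixed++;
            if (!isValidSamlId(generatePrefixedId())) badPrefixed++;
        }
        System.out.printf("unprefixed invalid: %d/%d, prefixed invalid: %d/%d%n",
                badUnprefixed, samples, badPrefixed, samples);
        // The ID quoted in the issue fails the check; Azure AD's documented example passes.
        System.out.println(isValidSamlId("692rv91k6dgmdas33vr3b2keahr4lqjv"));
        System.out.println(isValidSamlId("id6c1c178c166d486687be4aaf5e482730"));
    }
}
```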

