keycloak authentication successful but not authorized to use cbioportal


Yuki

Jun 28, 2020, 7:15:50 PM
to cBioPortal for Cancer Genomics Discussion Group
I encountered a strange problem: after I successfully log in via Keycloak (Keycloak shows the user as logged in), it redirects back to cBioPortal at:

https://[my cbioportal domain]/login.jsp?login_error=true


I installed cBioPortal with Keycloak authentication via Docker, then placed them both behind an Apache reverse proxy which enables SSL.

The portal.properties configuration I have is:

    ## SAML settings
    filter_groups_by_appname=false
    saml.sp.metadata.entityid=cbioportal
    saml.idp.metadata.location=classpath:/client-tailored-saml-idp-metadata.xml
    saml.idp.metadata.entityid=https://[my keycloak sub domain]/auth/realms/cbioportal
    saml.sp.metadata.entitybaseurl=https://[my cbioportal sub domain]
    saml.keystore.location=classpath:/samlKeystore.jks
    saml.keystore.password=[mypassword]
    saml.keystore.private-key.key=secure-key
    saml.keystore.private-key.password=[mypassword]
    saml.keystore.default-key=secure-key
    saml.idp.comm.binding.settings=defaultBinding
    saml.idp.comm.binding.type=
    saml.idp.metadata.attribute.email=email
    saml.idp.metadata.attribute.role=Role
    saml.custom.userservice.class=org.cbioportal.security.spring.authentication.keycloak.SAMLUserDetailsServiceImpl
    # global logout (as opposed to local logout):
    saml.logout.local=false
    saml.logout.url=/

I also tried to set

    saml.sp.metadata.entitybaseurl=https://[my cbioportal sub domain]:443

But neither of them works.

Is there something else I should change in portal.properties? Thanks very much

Yuki

Jun 28, 2020, 7:20:52 PM
to cBioPortal for Cancer Genomics Discussion Group
PS: they were working before I changed all the settings to https.

For example,
    saml.idp.metadata.entityid=http://[my keycloak sub domain]/auth/realms/cbioportal
    saml.sp.metadata.entitybaseurl=#{null}

And of course, the client-tailored-saml-idp-metadata.xml file was also exported from http://[my keycloak sub domain]/....

Pim van Nierop

Jun 29, 2020, 3:11:05 AM
to Yuki, cBioPortal for Cancer Genomics Discussion Group
Dear Yuki,

I would leave saml.sp.metadata.entitybaseurl=#{null} untouched.

I am afraid the description of your setup and the differences between the setup with and without the proxy are not enough for me to help you effectively. Could you post the contents of:
  1. client-tailored-saml-idp-metadata.xml
  2. Apache configuration
  3. Tail of the logs of the cBioPortal service after login
  4. Tail of the logs of the Keycloak service related to login
Because you say cBioPortal registers your login, I think the cBioPortal logs are most important here. They can be found in /tmp/cbioportal.log in your container.

All the best,
Pim



--
You received this message because you are subscribed to the Google Groups "cBioPortal for Cancer Genomics Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cbioportal+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/39178a54-96c9-4769-9b20-7f6ea7630490o%40googlegroups.com.

Pim van Nierop

Jun 29, 2020, 5:22:35 AM
to cBioPortal for Cancer Genomics Discussion Group
I suspect that you did not update the client-specific-idp-metadata.xml. What are the URLs listed in this file?

On Monday, June 29, 2020 at 10:42:44 AM UTC+2, Yuki wrote:
Dear Pim, 

Thanks so much for your reply. I checked my cbioportal log and found out it's an endpoint mismatch problem.

2020-06-29 08:10:04 [http-nio-8080-exec-8] INFO  org.springframework.security.saml.log.SAMLDefaultLogger - AuthNRequest;SUCCESS;172.19.0.1;cbioportal;https://[my keycloak domain]/auth/realms/cbioportal;;;

2020-06-29 08:10:13 [http-nio-8080-exec-10] INFO  org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response

2020-06-29 08:10:13 [http-nio-8080-exec-10] ERROR org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder - SAML message intended destination endpoint 'https://[my cbioportal domain]/saml/SSO' did not match the recipient endpoint 'http://[my cbioportal domain]/saml/SSO'
So I think the problem is in the recipient endpoint 'http://

Do you know where the configuration for the recipient endpoint is? I suppose it should be a configuration for cBioPortal?

Thanks very much, 

Yuki

Yuki

Jun 29, 2020, 5:34:02 AM
to cBioPortal for Cancer Genomics Discussion Group
Hi Pim, 

Here is my client-specific-idp-metadata.xml. One thing I did differently from the instructions is that I used the latest version of the Keycloak Docker image instead of 4.8.3.Final, as 4.8.3 does not generate its endpoints properly.

<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor Name="urn:keycloak" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://[my keycloak domain]/auth/realms/cbioportal">
    <IDPSSODescriptor WantAuthnRequestsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <dsig:KeyInfo>
          <dsig:KeyName>oXjC...hide...gmE</dsig:KeyName>
          <dsig:X509Data>
            <dsig:X509Certificate>MIICozCCAYsCBgFy9lV...hide....kA==</dsig:X509Certificate>
          </dsig:X509Data>
        </dsig:KeyInfo>
      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                           Location="https://[my keycloak domain]/auth/realms/cbioportal/protocol/saml" />
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                           Location="https://[my keycloak domain]/auth/realms/cbioportal/protocol/saml" />
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                           Location="https://[my keycloak domain]/auth/realms/cbioportal/protocol/saml" />
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                           Location="https://[my keycloak domain]/auth/realms/cbioportal/protocol/saml" />
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                           Location="https://[my keycloak domain]/auth/realms/cbioportal/protocol/saml" />
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>

Pim van Nierop

Jun 29, 2020, 6:16:12 AM
to cBioPortal for Cancer Genomics Discussion Group
Ok, this looks good. Is your reverse proxy correctly forwarding the X-Forwarded-Proto header?

    RequestHeader set X-Forwarded-Proto https

Yuki

Jun 29, 2020, 8:07:04 AM
to cBioPortal for Cancer Genomics Discussion Group
Thanks Pim, 

Yes, I do have the header set up in Apache:

<VirtualHost *:80>
    ServerName mysubdomain
    Redirect permanent / https://mysubdomain/
</VirtualHost>

<VirtualHost *:443>
    ServerName mysubdomain

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    SSLCertificateFile path\to\myssl.crt
    SSLCertificateKeyFile path\to\myssl.key

    #   Server Certificate Chain:
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    ProxyRequests Off
    ProxyVia Off
    ProxyPreserveHost On

    <Proxy *>
        Require all granted
    </Proxy>

    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy [my server ip] 127.0.0.0
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    #   forwarding to keycloak
    ProxyPass /auth/ http://0.0.0.0:8180/auth/
    ProxyPassReverse /auth/ http://0.0.0.0:8180/auth/

    #   forwarding to cbioportal
    ProxyPassReverse / http://0.0.0.0:8081/
</VirtualHost>

Pim van Nierop

Jun 29, 2020, 9:19:49 AM
to Yuki, cBioPortal for Cancer Genomics Discussion Group
I am afraid that I am not able to spot any obvious problems from here. I guess from here on you are on your own.

Sorry not to be of more help,
Pim


Yuki

Jun 29, 2020, 11:42:05 AM
to cBioPortal for Cancer Genomics Discussion Group
Thanks very much for your help, Pim. The cbioportal.log is very helpful.

I tried to change

    saml.sp.metadata.entitybaseurl=#{null}

Then it works on Chrome and Firefox, but still does not work on Firefox or Safari.

I found this log after trying to log in from Firefox and Safari one after another:

2020-06-29 14:53:17 [http-nio-8080-exec-1] INFO  org.springframework.security.saml.log.SAMLDefaultLogger - AuthNResponse;SUCCESS;[ip];cbioportal;https://mydomain/auth/realms/cbioportal;te...@email.com;;

2020-06-29 14:53:46 [http-nio-8080-exec-8] INFO  org.springframework.security.saml.log.SAMLDefaultLogger - AuthNRequest;SUCCESS;[ip];cbioportal;https://mydomain/auth/realms/cbioportal;;;


The differences are in AuthNResponse and AuthNRequest: the successful one (Firefox) has the user's email returned.

But both of them warn that the authentication information (including user credentials) is being sent unencrypted.

On the redirecting page from keycloak, I can see:
<form name="saml-post-binding" method="post" action="http://mycbioportaldomain:80/saml/SSO">
                <input type="hidden" name="SAMLResponse" value=".....">

With Chrome, I don't get such a message, so I didn't get a chance to check the URL in the redirecting page's form.

With Chrome login, I have an extra line of log:
2020-06-29 15:14:29 [http-nio-8080-exec-5] INFO  org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response


2020-06-29 15:14:29 [http-nio-8080-exec-5] INFO  org.springframework.security.saml.log.SAMLDefaultLogger - AuthNResponse;SUCCESS;[ip];cbioportal;https://[mydoamin]/auth/realms/cbioportal;te...@email.com;;


I'm not sure why this happens.

Yuki

Jul 2, 2020, 4:51:39 PM
to cBioPortal for Cancer Genomics Discussion Group
Found out the solution from another post. https://groups.google.com/forum/#!searchin/cbioportal/tomcat$20docker%7Csort:date/cbioportal/FAr3DhfDXS8/42eFZFp6BgAJ

All my Apache logs and SAML showed the correct https:// URL, but in /tmp/cbioportal.log I found "SAML message intended destination endpoint 'https://[mydomain]/saml/SSO' did not match recipient endpoint 'http://[mydomain]/saml/SSO'". When I changed portal.properties to:

    saml.sp.metadata.entitybaseurl=#{null}

I didn't get this error, because all the destination URLs are then automatically set to http://[my domain]:80/saml/SSO

The reason is that Tomcat for cbioportal did not interpret https properly. So the following solution solved the problem:

/bin/sh -c 'java ${JAVA_OPTS} -jar webapp-runner.jar --proxy-base-url https://URL_WHERE_YOU_ARE_RUNNING_CBIOPORTAL /cbioportal-webapp'
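The thread above turns on one check: the SP rejects a SAML Response whose Destination (and the assertion's bearer Recipient) does not equal the URL the message actually arrived at, and behind a TLS-terminating proxy that URL is whatever Tomcat reconstructs from the connector scheme and the Host header unless it is told (RemoteIpValve, or webapp-runner's --proxy-base-url as in the fix above) to honour X-Forwarded-Proto/X-Forwarded-Port from a trusted proxy. The following Python is an added example, not cBioPortal, Spring SAML or Keycloak code; the SAML Response, host names (portal.example.org, idp.example.org), the proxy address and the client address are constructed for illustration. It models the three situations in the thread: Apache sets the headers but Tomcat ignores them (the "did not match" error in Yuki's log), Tomcat honours them from the proxy (login works), and a client bypassing the proxy tries to set the header itself (must not be trusted).

```python
"""Added example: SAML endpoint (Destination/Recipient) checks behind a reverse proxy."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ACS_PATH = "/saml/SSO"

# Constructed sample with the shape of the Response an IdP posts to /saml/SSO.
# The XML signature is omitted here; a real message is signed and the signature
# is verified before the endpoint checks (as the "signature succeeded" log shows).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="ID_1" Version="2.0" IssueInstant="2020-06-29T08:10:13Z"
    Destination="https://portal.example.org/saml/SSO">
  <saml:Issuer>https://idp.example.org/auth/realms/cbioportal</saml:Issuer>
  <saml:Assertion ID="ID_2" Version="2.0" IssueInstant="2020-06-29T08:10:13Z">
    <saml:Subject>
      <saml:NameID>user@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://portal.example.org/saml/SSO"
            NotOnOrAfter="2020-06-29T08:15:13Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def effective_acs_url(headers, peer_ip, trusted_proxies, connector_scheme="http"):
    """Reconstruct the URL the SP believes the request arrived at.

    Without proxy awareness the servlet container reports its own plaintext
    connector scheme and the Host header (default port for that scheme), so the
    SP computes http://<host>/saml/SSO even though the browser used https.
    Forwarded headers are honoured only when the peer is a trusted proxy;
    otherwise any direct client could spoof its way to a different URL.
    """
    host = headers.get("Host", "localhost")  # ProxyPreserveHost On keeps the public host
    scheme = connector_scheme
    if peer_ip in trusted_proxies:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        if "X-Forwarded-Port" in headers:
            host = f"{host.split(':')[0]}:{headers['X-Forwarded-Port']}"
    default_port = {"http": 80, "https": 443}[scheme]
    hostname, _, port = host.partition(":")
    port = int(port) if port else default_port
    netloc = hostname if port == default_port else f"{hostname}:{port}"
    return f"{scheme}://{netloc}{ACS_PATH}"


def check_response(xml_text, acs_url):
    """Endpoint checks an SP applies before accepting a Response.

    Returns (ok, reason). Destination on the Response and Recipient on every
    bearer SubjectConfirmationData must equal the URL the message arrived at;
    this stops an assertion minted for one endpoint being replayed to another,
    including the same host reached over a different scheme.
    """
    root = ET.fromstring(xml_text)
    destination = root.get("Destination")
    if destination != acs_url:
        return False, (f"SAML message intended destination endpoint '{destination}' "
                       f"did not match the recipient endpoint '{acs_url}'")
    for scd in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        recipient = scd.get("Recipient")
        if recipient is not None and recipient != acs_url:
            return False, f"assertion Recipient '{recipient}' did not match '{acs_url}'"
    return True, "endpoint checks passed"


TRUSTED_PROXIES = {"172.19.0.1"}  # assumed Docker bridge address of the Apache proxy
PUBLIC_HEADERS = {"Host": "portal.example.org",
                  "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}


def tomcat_ignoring_forwarded_headers():
    """Apache sets X-Forwarded-*, but the container is not configured to use them."""
    acs = effective_acs_url(PUBLIC_HEADERS, "172.19.0.1", trusted_proxies=set())
    return acs, check_response(SAMPLE_RESPONSE, acs)


def tomcat_trusting_proxy():
    """Equivalent of RemoteIpValve / --proxy-base-url: forwarded headers honoured."""
    acs = effective_acs_url(PUBLIC_HEADERS, "172.19.0.1", TRUSTED_PROXIES)
    return acs, check_response(SAMPLE_RESPONSE, acs)


def client_spoofing_forwarded_headers():
    """A client hitting the container directly cannot upgrade itself to https."""
    return effective_acs_url(PUBLIC_HEADERS, "203.0.113.7", TRUSTED_PROXIES)


if __name__ == "__main__":
    for scenario in (tomcat_ignoring_forwarded_headers, tomcat_trusting_proxy):
        acs, (ok, reason) = scenario()
        print(f"{scenario.__name__}: {acs} -> {'OK' if ok else 'REJECTED'}: {reason}")
    print("spoofed headers from untrusted client ->", client_spoofing_forwarded_headers())
```

The first scenario reproduces the log line in the thread almost verbatim; the second is what the --proxy-base-url fix achieves. The third is the caveat that goes with that fix: whichever mechanism makes Tomcat honour X-Forwarded-Proto, it must only do so for the proxy's address, and the plaintext connector (8080/8081 here) should not be reachable except through the proxy, otherwise the SP's advertised ACS URL and the browser's SAMLResponse POST can end up on http://...:80 as the Firefox warning in the thread showed.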