SAML Problem

[Waryszak Marcin]

Hey again,

I've successfully deployed the application without using docker (so raw code), imported the data etc. but having issues with SAML authentication in our University Provider.

I've added all necessary values to application.properties but it seems that the Saml2SecurityConfig.java cannot see that stored configuration as it's giving the error below.

15:02:07.027 [main] WARN o.s.b.w.s.c.AnnotationConfigServletWebServerApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChains' parameter 0: Error creating bean with name 'samlFilterChain' defined in class path resource [org/cbioportal/security/config/Saml2SecurityConfig.class]: Unsatisfied dependency expressed through method 'samlFilterChain' parameter 1: No qualifying bean of type 'org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}

The workaround that partially worked included adding a Bean (line 76) but that carries only the value specified, and again, not looking at the entire application.properties.

@Bean

    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(

        @Value("${saml.idp.metadata.location}") String metadataLocation) {

        RelyingPartyRegistration registration = RelyingPartyRegistrations

                .fromMetadataLocation(metadataLocation)

                .registrationId("cbioportal")

                .build();

        return new InMemoryRelyingPartyRegistrationRepository(registration);

    }

Thank you

[Charles Haynes]

Can you share your application.properties (atleast the properties for SAML)

Here is an example.

spring.security.saml2.relyingparty.registration.cbio-saml-idp.assertingparty.metadata-uri=http://localhost:8081/realms/cbioportal/protocol/saml/descriptor
spring.security.saml2.relyingparty.registration.cbio-saml-idp.entity-id=cbioportal-saml
spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].certificate-location=classpath:/localdb.crt
spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].private-key-location=classpath:/localdb.key

[Waryszak Marcin]

Thanks Charles,

Here's the snippet below following the manual: https://docs.cbioportal.org/deployment/authorization-and-authentication/authenticating-users-via-saml/

The domain sits behind double proxy which is serving https for the VM.

## SAML settings

saml.sp.metadata.entityid=cbioportal

saml.sp.metadata.wantassertionsigned=true

saml.sp.metadata.location=classpath:/cbioportal.xml

saml.idp.metadata.location=classpath:/shibboleth.xml

saml.idp.metadata.entityid=https://shib.raven.cam.ac.uk/shibboleth

saml.idp.metadata.registrationid=cbioportal

saml.keystore.location=classpath:/samlKeystore.jks

saml.keystore.password=mypass

saml.keystore.private-key.key=keyname

saml.keystore.private-key.password=mypass

saml.keystore.default-key=keyname

# How to send SAML request messages to the IDP.

# Set to "specificBinding" to configure specific binding:

saml.idp.comm.binding.settings=defaultBinding

# Configure the specific binding if above is specificBinding. Leave empty if defaultBinding.

# Options: bindings:HTTP-POST, bindings:HTTP-Redirect, bindings:PAOS, profiles:holder-of-key:SSO:browser

saml.idp.comm.binding.type=

# If true it means that the user will be forced to re-authenticate, even if they have a valid session with the IDP

# it's useful when you don't have control over IDP and the IDP caches user data for to long

# causing cbioportal to CredentialsExpiredException Authentication statement is too old to be used with value <DATE>

saml.idp.metadata.attribute.email=User.email

saml.idp.metadata.attribute.userName=User.name

saml.idp.metadata.attribute.role=Role

# Change this to configure your custom UserDetails parser (default: org.cbioportal.security.spring.authentication.saml.SAMLUserDetailsServiceImpl)

saml.custom.userservice.class=org.cbioportal.security.spring.authentication.saml.SAMLUserDetailsServiceImpl

# global logout (as opposed to local logout):

#saml.logout.local=false

#saml.logout.url=/

# Change this to configure to configure a custom logout URL: (default: /login.jsp?logout_success=true)

saml.logout.url=/login.jsp?logout_success=true

# change this url if behind reverse proxy that handles SSL, see docs/Authenticating-Users-via-SAML.md

saml.sp.metadata.entitybaseurl=https://mydomainname:443

logging.level.org.springframework.security.saml2=DEBUG

[Charles Haynes]

Unfortunately those docs are out of date since V6 upgrade.

Here is the link to new security properties with v6. https://docs.cbioportal.org/deployment/customization/security.properties-reference/

These are the properties you would use to configure SAML now

authenticate=saml
spring.security.saml2.relyingparty.registration.cbio-saml-idp.assertingparty.metadata-uri=http://localhost:8081/realms/cbioportal/protocol/saml/descriptor

spring.security.saml2.relyingparty.registration.cbio-saml-idp.entity-id=cbioportal-saml
spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].certificate-location=classpath:/localdb.crt
spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].private-key-location=classpath:/localdb.key

Apologies for the inconvenience. We should have updated docs soon.

[Waryszak Marcin]

Thank you Charles,

I actually had a massive breakthrough since your message yesterday and was testing this rigorously.

My security properties are below, but there's still an issue with the data being post over http rather than https

spring.security.saml2.relyingparty.registration.cbio-saml-idp.assertingparty.metadata-uri=https://shib.raven.cam.ac.uk/shibboleth

spring.security.saml2.relyingparty.registration.cbio-saml-idp.entity-id=mynameoftheapp

spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].certificate-location=classpath:/local.crt

spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].private-key-location=classpath:/local.key

spring.security.saml2.relyingparty.registration.cbio-saml-idp.singlelogout.binding=POST

spring.security.saml2.relyingparty.registration.cbio-saml-idp.singlelogout.response-url=https://mywebsiteurl/logout/saml2/slo

# TODO add to docs (in minutes; default 1)

spring.security.oauth2.allowed-clock-skew=

logging.level.org.springframework.security.saml2=DEBUG

spring.security.saml2.relyingparty.registration.cbio-saml-idp.base-url=https://mywebsiteurlwithoutportafterthecolon

The request made to IdP is made over http so decoded base64 message has

<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://mywebsiteurl/login/saml2/sso/cbio-saml-idp" Destination="https://shib.raven.cam.ac.uk/idp/profile/SAML2/POST/SSO" ForceAuthn="false" ID="ARQa10c25d-996b-4323-b095-1b8fc7ff8bd8" IsPassive="false" IssueInstant="2024-03-12T17:20:46.018Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">mynameoftheapp</saml2:Issuer></saml2p:AuthnRequest>

I've tried various things, but not sure why this is behaving like that - since it's over HTTP, I've updated my SP XML metadata to have http location but then, since the website sits on university servers behind double proxy, there are automatic redirection for https resulting in "login?error", screenshot attached.

Thank you :)

[Waryszak Marcin]

I've also tried adding "--proxy-base-url https://domainname" to the command but with no avail

[Benjamin Gross]

I haven’t completely digested this thread, but there may be multiple aspects to this issue.  For starters, are you trying to run the cBioPortal behind a proxy using webapp-runner and passing —proxy-base-url to the command?  If so, I would try adding the port: —proxy-base-url https://domainname:443.  Having said that, if you are using the new Spring Boot codebase, I think Spring Boot provides its own web container.

Regarding the SAML issue.  Am I correct in that your university IDP requires an https connection but your instance of the cBioPortal is running over http?  The AssertionConsumerServiceURL you highlighted below.  That should be coming from your service provider (cBioPortal) metadata.  How are you generating it?

Regards,

-Benjamin

-- 
You received this message because you are subscribed to the Google Groups "cBioPortal for Cancer Genomics Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cbioportal+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/80f86f02-aa73-4cdf-9648-4f99f1b9815bn%40googlegroups.com.

[Waryszak Marcin]

Thanks Benjamin,

I'm running v6 of the portal and tried different configurations of --proxy-base-url (with 443 this morning) and none of them works. What did work was when I installed the p12 cert on the VM and served tomcat via https then all of the cbioportal redirection started to work just fine - the only global configuration change was I had to request reverse proxy listening on port 443 rather than 8080.

We generated the metadata via https://www.samltool.com/sp_metadata.php which is being accepted and working fine.

So the only problem that I understand was cbio redirection behind reverse proxy - it just doesn't work.

Many thanks for all your help!

[Benjamin Gross]

Glad to hear it is working.

Best,

-Benjamin

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/3d9bb17d-dc78-40f4-b3c9-f8dfea5843edn%40googlegroups.com.

[Waryszak Marcin]

Yes, thank you once again Benjamin.

I know it's a long shot but the idp attributes doesn't seem to work/map for the below:

saml.idp.metadata.attribute.email=urn:oid:0.9.2342.19200300.100.1.3

saml.idp.metadata.attribute.userName= urn:oid:1.3.6.1.4.1.5923.1.1.1.6

The metadata is returned base64encoded which carries the right information but frontend shows "Logged In as assertionnameidhash" which I'm unsure how to remap - any advise? :)

[Benjamin Gross]

Do you know if you are you getting the data back from IDP encoded or is the cBioPortal (spring - security) sending the data encoded to the frontend?  I would turn some logging on to see if it offers any additional info:

https://docs.cbioportal.org/deployment/authorization-and-authentication/authenticating-users-via-saml/#troubleshooting-tips

This SAML Chrome plugin can show you what is being sent back to the browser

https://chromewebstore.google.com/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace

Let me know how it goes.

-B

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/5bac2001-6f81-40d2-b4ba-07065acb8a0en%40googlegroups.com.

[Waryszak Marcin]

Hey Benjamin,

I'm doing some debugging and can confirm that the data is being correctly returned and logged in the console and SAML plugins as mapped in application.properties (so I can see my decoded email address and username), however front-end refuses to display that correctly and instead is fetching subject from SAML.

I'm checking right now the front end (and even tried to restore to the latest stable version via pom assertion) and found main.app.js to have that line:

"Logged in as"," ",this.props.appStore.userName

so need to understand why appStore.userName is not getting the right information from the application.properties - any idea?

[Benjamin Gross]

I think we have to pull in a front-end engineer to help answer this.  Aaron, any idea how the SAML attributes are mapped to frontend fields using the v6 codebase?  Has anything changed?

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/71ed8cba-dc47-415e-ae58-d665cacb4e35n%40googlegroups.com.

[Waryszak Marcin]

Thank you Benjamin - I've observed that once SAML authenticated, all api calls to session service are returning in 500 response and logged as 404 on the server, i.e.

https://myurl/api/session/settings/fetch - returning 404

https://myurl /api/session/custom_data/fetch - returning 500

I've originally left this line as instructed (I've been told v6 doesn't need session service):

session.service.url=https://cbioportal-session-service.herokuapp.com/session_service/api/sessions/heroku_portal/

and then tried changing to localhost:8090 with session service up and running (as instructed https://github.com/cBioPortal/session-service#run-without-docker) which was working before and now it stopped with v6. Potentially this is not caching the necessary data?

[Waryszak Marcin]

I had to rebuild and start all session service dependencies (mongod + session-service) and all api/session/ calls are going through - still no luck with the username/email authentication though and cross checking against users table and permissions to see specific studies

[Waryszak Marcin]

Hey Aaron - just from the hindsight, I noticed, AppStore is looking for any key with the name of either "email" or "name" or those derivatives, so even with mapping custom URNs via application.properties, this won't help - is there any quick win I can do or potentially transform the response in any java class so principal is correctly read via front-end?

[Aaron L]

Hey Marcin, 

Not sure I totally follow.  You are logged in but the email/username fields are not populated and thus the frontend doesn't consider you logged in?

--Aaron

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/507ce253-c6e3-4821-872c-c3d33e38bf81n%40googlegroups.com.

[Waryszak Marcin]

Hey Aaron

Yes, that's correct - I'm authenticated but there are 2 issues:

"Logged in as..." Shows saml2.0 assertion subject's hash instead of email or username that I mapped in application propertirs

The email is not checked against the table and I cannot see the studies that should be visible with my email address.

The return response is following urn:kid: naming convention as outlined here: https://docs.raven.cam.ac.uk/saml2-attributes/

Best wishes

I’m sorry for any typos in my email - it’s been sent from an app

On 21 Mar 2024, at 20:42, Aaron L <lisman...@gmail.com> wrote:



[Aaron L]

Marcin, 

Unfortunately I'm going to have to enlist a more knowledgeable person who isn't available until Tuesday.  Let's communicate then.

[Charles Haynes]

Ah, yes I know when using Keycloak for SAML you need to make sure the Name id format in Keycloak is set to email and toggle `force name ID format`

[Waryszak Marcin]

thanks Charles but I'm not using keycloak - it's Raven and urn standard.

I’m sorry for any typos in my email - it’s been sent from an app

On 2 Apr 2024, at 20:01, Charles Haynes <cha...@d3b.center> wrote:

Ah, yes I know when using Keycloak for SAML you need to make sure the Name id format in Keycloak is set to email and toggle `force name ID format`

You received this message because you are subscribed to a topic in the Google Groups "cBioPortal for Cancer Genomics Discussion Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/cbioportal/lPk-_NxaggU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cbioportal+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/27fdfb30-4226-4995-8803-72833991466bn%40googlegroups.com.

<Screenshot 2024-04-02 at 2.56.39 PM.png>

[Waryszak Marcin]

Hi again,

I'm trying the keycloak approach which I've installed on the server (port 8080) and cBio is now served on 8081.

I've followed all steps from the instruction: https://docs.cbioportal.org/deployment/authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak/#create-a-signing-key-for-cbioportal but getting Invalid Request error with:
2024-04-08 16:05:01,979 WARN  [org.keycloak.events] (executor-thread-137) type="LOGIN_ERROR", realmId="a88d9bec-fabc-408d-98b8-efbacd36d6f0", clientId="null", userId="null", ipAddress="127.0.0.1", error="invalid_signature"

Have the endpoints changed from "/saml" since the manual has been updated last time?

[Charles Haynes]

This documentation is outdated since the upgrade of V6 and the latest version of keycloak. We need to update this documentation
https://docs.cbioportal.org/deployment/authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak/#create-a-signing-key-for-cbioportal

But if you have a local keycloak instance up and running I can assist with that.

CbioPortal Properties
--authenticate=saml
--security.cors.allowed-origins=*
--spring.security.saml2.relyingparty.registration.cbio-saml-idp.assertingparty.metadata-uri=http://localhost:8081/realms/cbioportal/protocol/saml/descriptor
--spring.security.saml2.relyingparty.registration.cbio-saml-idp.entity-id=cbioportal-saml
--spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].certificate-location=classpath:/localdb.crt
--spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].private-key-location=classpath:/localdb.key
--filter_groups_by_appname=false

I have attached an export of my SAML client in keycloak (It is under realm cbioportal)

For SAML logout to work this property needs to be set (In keycloak its under advanced tabs)
saml_single_logout_service_url_post="http://localhost:8080/login?logout_success"

Also, to create the cert you can use this ex. https://docs.cbioportal.org/deployment/customization/security.properties-reference/#example-to-generate-cert-and-key
You must upload the cert to the SAML client in keycloak.

Here is an example of passing the cert and key via the file path if you do not have the ability to put it on the class path
--spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].certificate-location=file:/cbioportal/local.crt
--spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].private-key-location=file:/cbioportal/local.key

Let me know if I can assist with anything else.

[Waryszak Marcin]

Thank you Charles - it looked like all the time the issue was with the imported certificate!

I was uploading the samlKeystore.jks with alias and password, whereas I should've uploaded the local.crt as Certificate PEM.

Thank you!

Follow up question re advice on the configuration - we have a reverse proxy set up at the university to listen on port 443 - would the cbioportal be configured for 443 and it'd make a call for keycloak on port 8080 or it's a different setup that must be implemented (I need keycloak to talk to university's IDP).

Thank you

[Charles Haynes]

Just to make sure I am understanding the question. Is this referring to one of your previous issues with the cbioportal app sending http -> raven instead of https?

Your question below.

Thank you Charles,

I actually had a massive breakthrough since your message yesterday and was testing this rigorously.

My security properties are below, but there's still an issue with the data being post over http rather than https

spring.security.saml2.relyingparty.registration.cbio-saml-idp.assertingparty.metadata-uri=https://shib.raven.cam.ac.uk/shibboleth

spring.security.saml2.relyingparty.registration.cbio-saml-idp.entity-id=mynameoftheapp

spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].certificate-location=classpath:/local.crt

spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].private-key-location=classpath:/local.key

spring.security.saml2.relyingparty.registration.cbio-saml-idp.singlelogout.binding=POST

spring.security.saml2.relyingparty.registration.cbio-saml-idp.singlelogout.response-url=https://mywebsiteurl/logout/saml2/slo

# TODO add to docs (in minutes; default 1)

spring.security.oauth2.allowed-clock-skew=

logging.level.org.springframework.security.saml2=DEBUG

spring.security.saml2.relyingparty.registration.cbio-saml-idp.base-url=https://mywebsiteurlwithoutportafterthecolon

The request made to IdP is made over http so decoded base64 message has

<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://mywebsiteurl/login/saml2/sso/cbio-saml-idp" Destination="https://shib.raven.cam.ac.uk/idp/profile/SAML2/POST/SSO" ForceAuthn="false" ID="ARQa10c25d-996b-4323-b095-1b8fc7ff8bd8" IsPassive="false" IssueInstant="2024-03-12T17:20:46.018Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">mynameoftheapp</saml2:Issuer></saml2p:AuthnRequest>

I've tried various things, but not sure why this is behaving like that - since it's over HTTP, I've updated my SP XML metadata to have http location but then, since the website sits on university servers behind double proxy, there are automatic redirection for https resulting in "login?error", screenshot attached.

If this is your case. We had a similar issue at CHOP.
server.forward-headers-strategy=NATIVE // This copies common HTTPS Headers over (Link below)
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.use-behind-a-proxy-server
This fixed it.

[Kiran]

Hello Marcin,

It Looks like you have fixed the certificate issue while decrypting the SAML response for attributes. I am also getting the following error. I used crt and key files in the configuration. However, I can decrypt using the tool when I provide the private key from the key file. Could you please provide me with your fix? Thanks in advance

Found 2 validation errors in SAML response [_0918fa8028572e9b21935c6b2868c9c7e608]: [[invalid_signature] Did not decrypt response [_0918fa8028572e9b21935c6b2868c9c7e608] since it is not signed, [malformed_response_data] No assertions found in response.]

Thanks,

Kiran

[Waryszak Marcin]

Hey Kiran,

Apologies but i just seen your reply and question!

I had to go through this again since my previous certificate expired.

In case this is still failing for you as it was for me (with keycloak "invalid signature" error in the logs), you need to:

1. generate p12 certificate
2. convert it to key and crt files:
   1. openssl pkcs12 -in keystore.p12 -nocerts -nodes -out local.key
   2. openssl pkcs12 -in keystore.p12 -nokeys -out local.crt
3. Put the above 2 files in the src/main/resources folder
4. Build via maven again: sudo mvn -DskipTests clean install
5. Upload the p12 file to the keycloak dashboard: clients>cbioportal>keys>import key for Client signature require
6. enjoy happy life :)

Hope that helps!

[Kiran]

Thank you Marcin for the reply. I am not using KeyCloak instead I am using our own SSO.

I am using crt and key files and those are working fine now.

The problem I am now experiencing problem loading with the existing authorities from the cbioportla database. It looks like it is not supporting.

Thanks,

Kiran