SSO redirect issue with iOS native client

[moritzmann1]

Rocket.chat runs fine with SAML HTTP POST Binding for all clients except Android (known issue? RocketChat/Rocket.Chat.Cordova#59) and iOS clients.

iOS iPhone clients show a white "load error" page after the SSO Login. The SAML communication on the Rocket.chat server below shows the SAML handshake works:

POST /_saml/validate/SAMLIdp HTTP/1.1
Connection: upgrade
Host: chat.open.ch
X-Real-IP: 192.168.35.202
X-Forward-For: 192.168.35.202
X-Forward-Proto: http
X-Nginx-Proxy: true
Content-Length: 6258
Content-Type: application/x-www-form-urlencoded
Origin: https://sso.somedomain.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15
Referer: https://sso.somedomain.com/sso-login/SSOPOST/metaAlias/SAMLIdp?SAMLRequest=nVNdb5swFH3fr0B%2BDw7Rsq1WiESDqkXKVhTYJu1l8sxtsWRs6ntp038%2FQ5MoUr
<.. undisclosed ..>
ldpkde0BMURvjHtZeQgppox8D8E9fy%2FtqHe%2Fc1CPGxj6IthdtYEr13bSaxyKgp1UdIj9lHhlQqpbeLimhIswJdRAHcZFeLw4Xw9LDCoYq7y02DlP%2B8LO6TlmdDaOEBZ%2F%2F5su%2FwE%3D&RelayState=SAMLIdp
Accept-Language: en-us
Accept-Encoding: gzip, deflate

SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6%0D%0AcHJvdG9jb2wiIElEPSJzMmJiOGQ5NTZmMDMxMTVkOWVlZTgxYTIxNTU2MTNjMGMyZjZmNmRjNzEi%0D%0AIEluUmVzcG9uc2VUbz0iVERGTFBlV0Q0eURCcWhvc2kiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0%0D%0AYW50PSIyMDE2LTAxLTI1VDE3OjI5OjI2WiIgRGVzdGluYXRpb249Imh0dHBzOi8vY2hhdC5vcGVu%0D%0ALmNoL19zYW1sL3ZhbGlkYXRlL1NBTUxJZHAiPjxzYW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46%0D%0Ab2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5TQU1MSWRwPC9zYW1sOklzc3Vlcj48%0D%0Ac2FtbHA6U3RhdHVzIHhtbG5zOnNhbWxwPSJ1cm
<.. undisclosed ..>
bWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5z%0D%0AdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPjE5Mi4xNjguMzUuMjAyPC9zYW1sOkF0dHJpYnV0%0D%0AZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6%0D%0AQXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U%2B%0D%0A&RelayState=SAMLIdp

HTTP/1.1 200 OK
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
X-Rocket-Chat-Version: 0.0.1
Access-Control-Expose-Headers: X-Rocket-Chat-Version
X-Powered-By: Express
Content-Type: text/html
Date: Mon, 25 Jan 2016 17:29:26 GMT
Connection: keep-alive
Transfer-Encoding: chunked

57
<html><head><script>window.close()</script></head><body><H1>Verified</H1></body></html>

[moritzmann1]

Please let me know, should you need additional information! Does this work for anybody?

[bretwilcox]

We are seeing an issue but instead of seeing "load error" we just see a white "Verified" page after successfully authenticating.

[cperrin88]

👍 I see the same behaviour. I'd like to disable form based logins completely but this is not possible now.

[moritzmann1]

As a workaround: should LDAP form-based login in parallel to SSO?

I ask because LDAP authentication only seems to work for first-time users and not existing ones.

[bretwilcox]

Is there any more information needed to get this addressed? This is a big issue for us. To stay SOX compliant we have to turn off other forms of authentication.

[jeffreywescott]

Also seeing the "Verified" page after a SAML login (on iOS client). Any workarounds?

[jeffreywescott]

FYI, this seems to have to do with two things:

1. meteor-accounts-saml uses window.close() to complete the sign-in process.
2. Cordova InAppBrowser doesn't support window.close().

Seems likely that this issue should be filed on meteor-accounts-saml instead of here.

A possible workaround would be something like this.

[engelgabriel]

@rodrigok do we need more info to replicate the problem?

[rodrigok]

Someone can help me to setup SAML at my local server to test this behavior?

[rore]

Any idea how we go forward with this?

[dekelev]

@engelgabriel Can you use this forked repo instead?
https://github.com/gigya/meteor-accounts-saml