This repository has been archived by the owner on Mar 17, 2023. It is now read-only.

SAML #64

Closed
darkyen opened this issue Aug 2, 2016 · 12 comments

Comments

@darkyen

darkyen commented Aug 2, 2016

Currently the SAML docs are a stub, can you please add docs for SAML?

engelgabriel changed the title from "SAML Docs?" to "SAML" on Aug 18, 2016
@failattu
Contributor

failattu commented Mar 3, 2017

Hello,

Any idea when this could be done? Currently I am working on installing Rocket.Chat with SAML and documentation would help. Especially: where is the metadata.xml located on the server?

Certificate format, idp endpoint location, how to setup idp initiated vs. client initiated SAML.

From a terminology point of view it would be good to specify what you mean by custom provider and custom entry point, what to minimally configure for the system to work, and that the public and private certificates are for security while the custom certificate is the IdP certificate.

I would say basic documentation is pretty fast to write and would hope to see it soon.

If I get this working I might do some of it myself. If you have answers to the things pointed above I would really like them.

@Rohlik
Contributor

Rohlik commented Mar 3, 2017

Here you can see the pull request for the SAML docs: c244f5a

@failattu
Contributor

failattu commented Mar 3, 2017

Perfect. Managed to do with this.

@sc10n

sc10n commented Apr 7, 2017

@failattu Could you shed some light on how you did it? I followed the SAML docs and didn't seem to make much headway. What IdP are you using? We are using ADFS and I can't seem to get it to work. After entering all the data and trying the SAML login button I get `Error: Unexpected SAML service https:` and the URL doesn't seem correct: `https://rc.example.orgl/_saml/authorize/https://rc.example.orgl/_saml/metadata/rocket-chat/5TYnepg5zXbRkLCwf`

ADFS doesn't seem to validate the metadata url either. Any help would be greatly appreciated!

@Rohlik
Contributor

Rohlik commented Apr 7, 2017

@sc10n Can you show your configuration in RC? (You can mask your private data.)

@sc10n

sc10n commented Apr 7, 2017

[screenshot: saml-settings]

@Rohlik
Contributor

Rohlik commented Apr 8, 2017

@sc10n We are using ADFS too, but in the "Custom Issuer" field we have only something like `https://chat.company.cz`, which is our RC URL. Also, according to RocketChat/Rocket.Chat#2770 (comment), we have "Generate Username" set to True.

@sc10n

sc10n commented Apr 10, 2017

Thanks for the tip @Rohlik, I think I am getting closer. Now I'm getting `MSIS7102: Requested Authentication Method is not supported on the STS.`, which led me to start digging into the SAML code. We use a smart card with our ADFS so I need the assertions to reflect a smart card. I found this here:
Rocket.Chat/packages/meteor-accounts-saml/saml_utils.js:

```javascript
// Fragment of the AuthnRequest builder in saml_utils.js: the request asks the IdP
// for exactly the PasswordProtectedTransport authentication context class.
request +=
	'<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">' +
	'<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n' +
	'</samlp:AuthnRequest>';
```

So in my local copy I changed Comparison to `minimum` and the class to `unspecified`. That got me farther: I now get the smart card login page from our ADFS, but the certificates aren't listed. I am still digging. Do you guys use certificate auth with your SAML? If I ever make it work I will post back and possibly create a merge request.
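
As an added example (not Rocket.Chat's own code), the following builds the `RequestedAuthnContext` fragment quoted above with the `Comparison` attribute and the class list as parameters, so the shipped default (`exact` + `PasswordProtectedTransport`) can be placed beside the `minimum` + `unspecified` variant tried in this comment. The function names and the small parse helper are assumptions of this example; the four `Comparison` values are the ones defined by SAML 2.0 Core.

```javascript
// Added example, not Rocket.Chat's code: builds the <samlp:RequestedAuthnContext>
// part of a SAML 2.0 AuthnRequest with a configurable Comparison attribute and
// class list, and reads the result back so the request can be inspected.

const SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol';
const SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion';
const AC_PREFIX = 'urn:oasis:names:tc:SAML:2.0:ac:classes:';

// The four Comparison values SAML 2.0 Core allows on RequestedAuthnContext.
const COMPARISONS = new Set(['exact', 'minimum', 'maximum', 'better']);

function escapeXml(text) {
  const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&apos;' };
  return String(text).replace(/[<>&"']/g, (c) => map[c]);
}

// classRefs may be short names ("unspecified") or full URNs; short names get the
// standard ac:classes prefix. Returns the XML fragment as a string.
function buildRequestedAuthnContext({ comparison = 'exact', classRefs = ['PasswordProtectedTransport'] } = {}) {
  if (!COMPARISONS.has(comparison)) {
    throw new Error(`invalid Comparison value: ${comparison}`);
  }
  if (!Array.isArray(classRefs) || classRefs.length === 0) {
    throw new Error('at least one AuthnContextClassRef is required');
  }
  const refs = classRefs
    .map((ref) => (ref.startsWith('urn:') ? ref : AC_PREFIX + ref))
    .map((ref) => `<saml:AuthnContextClassRef xmlns:saml="${SAML_NS}">${escapeXml(ref)}</saml:AuthnContextClassRef>`)
    .join('');
  return `<samlp:RequestedAuthnContext xmlns:samlp="${SAMLP_NS}" Comparison="${comparison}">${refs}</samlp:RequestedAuthnContext>`;
}

// Reads Comparison and the class list back out of a fragment produced above, which
// is handy when checking what an AuthnRequest actually asks the IdP for.
function parseRequestedAuthnContext(fragment) {
  const cmp = /Comparison="([^"]*)"/.exec(fragment);
  const classRefs = [...fragment.matchAll(/<saml:AuthnContextClassRef[^>]*>([^<]*)<\/saml:AuthnContextClassRef>/g)]
    .map((m) => m[1]);
  return { comparison: cmp ? cmp[1] : null, classRefs };
}

// Default as shipped in saml_utils.js: the IdP must use exactly this class.
const PASSWORD_ONLY = buildRequestedAuthnContext();
// Variant from the comment above: any method at least as strong as "unspecified".
const ANY_METHOD = buildRequestedAuthnContext({ comparison: 'minimum', classRefs: ['unspecified'] });
```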

@Rohlik
Contributor

Rohlik commented Apr 10, 2017

We don't use a certificate.

@sc10n

sc10n commented Apr 10, 2017

No problem. I think I am really close. I got the certificates to appear and send. I'm just now getting `No signature verification certificate found for issuer 'https://example.org'.` on the ADFS side, so I'm working through making ADFS see the self-signed cert of RC as the relying party.

@sc10n

sc10n commented Apr 13, 2017

It seems having a non-self-signed cert helped ADFS use the metadata to set up the RP, which seems to help with some errors. However, I am stuck at finding the correct authentication class and proper NameIDs to match for smart cards. I've really been banging my head against the wall the past few days... I have tried changing the authentication classes and NameIDs in saml_utils.js to various combinations to figure out how to do smart card assertions. There is just some disconnect between RC and ADFS that won't allow it. It seems that the implementation of SAML on the RC side is only focused on passwords and doesn't allow for anything else; maybe I am wrong here, but it's how it looks when I review the code.

I may have to move on from this if I can't find a solution soon. Any help would be greatly appreciated.

@Rohlik
Contributor

Rohlik commented Dec 27, 2017

@engelgabriel The docs for SAML are merged, so this issue should be closed.
