[Bug] - Azure SSO Redirect to Invalid URL
Describe the bug
I've deployed a new Kasm instance (1.13.1) to replace an old server (Kasm 1.11.0) and configured Azure SSO exactly the same as I did for the old server.
When I browse directly to Kasm in the browser via https://1.2.3.4 and click the login with Azure SSO button it works fine.
However, when I try to trigger the auth flow via the myapps.microsoft.com page (click on the Kasm app) it lands me at the URL https://1.2.3.4/api/acs/?id=<id_here> on a blank white page with the message "An unhandled exception occurred check logs for details".
See server logs/error message in additional details at the bottom.
To Reproduce
Steps to reproduce the behavior:
- Follow the documentation on how to configure SSO for Azure AD
- Go to myapps.microsoft.com
- Click on Kasm
- See error
Expected behavior
The user should be logged in, just as if they manually browsed to the IP address of the server and clicked the login with Azure SSO button.
Workspaces Version 1.13.1
Workspaces Installation Method Single Server
Client Browser (please complete the following information):
- OS: Windows 11
- Browser: MS Edge
- Version 115
Workspace Server Information (please provide the output of the following commands):
uname -a
Linux <redacted> 5.14.0-284.11.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Tue May 9 17:09:15 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
sudo docker info
Client: Docker Engine - Community
Version: 24.0.5
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.11.2
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.20.2
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 8
Running: 8
Paused: 0
Stopped: 0
Images: 10
Server Version: 24.0.5
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
runc version: v1.1.8-0-g82f18fe
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 5.14.0-284.11.1.el9_2.x86_64
Operating System: Rocky Linux 9.2 (Blue Onyx)
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 31.14GiB
Name: <redacted>
ID: d3851907-a588-4c64-bdd2-87660c73d1d5
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
sudo docker ps | grep kasm
93a3bbd798fb kasmweb/nginx:latest "/docker-entrypoint.…" 22 hours ago Up 22 hours 80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp kasm_proxy
bc789377fb4a kasmweb/agent:1.13.1 "/bin/sh -c '/usr/bi…" 22 hours ago Up 22 hours (healthy) 4444/tcp kasm_agent
cb89b3378e54 kasmweb/share:1.13.1 "/bin/sh -c '/usr/bi…" 22 hours ago Up 22 hours (healthy) 8182/tcp kasm_share
790e4c72509a kasmweb/manager:1.13.1 "/bin/sh -c '/usr/bi…" 22 hours ago Up 22 hours (healthy) 8181/tcp kasm_manager
7bf1eee2b04e redis:5-alpine "docker-entrypoint.s…" 22 hours ago Up 22 hours 6379/tcp kasm_redis
b6215743defd kasmweb/api:1.13.1 "/bin/sh -c '/usr/bi…" 22 hours ago Up 22 hours (healthy) 8080/tcp kasm_api
1e0dff5b3352 kasmweb/kasm-guac:1.13.1 "/dockerentrypoint.sh" 22 hours ago Up 22 hours (healthy) kasm_guac
0cf4c57553ce postgres:12-alpine "docker-entrypoint.s…" 22 hours ago Up 22 hours (healthy) 5432/tcp kasm_db
Additional context
Error message from the server:
==> client_api_server.log <==
2023-08-11 03:29:39,103 [DEBUG] client_api_server: Successfully authenticated request (new_session_token) for user ([email protected]) at (<my_ip>)
==> api_server_json.log <==
{"asctime": "2023-08-11 03:29:44,088", "name": "cherrypy.error.139762830499600", "processName": "MainProcess", "filename": "_cplogging.py", "funcName": "error", "levelname": "ERROR", "lineno": 213, "module": "_cplogging", "threadName": "CP Server Thread-7", "message": "[11/Aug/2023:03:29:44] HTTP ", "exc_info": "Traceback (most recent call last):\n File \"cherrypy/_cprequest.py\", line 628, in respond\n File \"cherrypy/_cprequest.py\", line 687, in _do_respond\n File \"cherrypy/lib/encoding.py\", line 219, in __call__\n File \"cherrypy/_cpdispatch.py\", line 54, in __call__\n File \"client_api.py\", line 124, in acs\n File \"authentication/saml/saml_auth.py\", line 37, in acs\n File \"onelogin/saml2/auth.py\", line 210, in redirect_to\n File \"onelogin/saml2/utils.py\", line 210, in redirect\nonelogin.saml2.errors.OneLogin_Saml2_Error: Redirect to invalid URL: https://1.2.3.4/#/sso", "path_info": "/acs/", "query_string": "id=<id_here>", "request_ip": "<my_ip>", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.200", "timestamp": "2023-08-11T03:29:44.088736+00:00"}
{"asctime": "2023-08-11 03:29:44,092", "name": "root", "processName": "MainProcess", "filename": "server.py", "funcName": "generic_error_response", "levelname": "ERROR", "lineno": 136, "module": "server", "threadName": "CP Server Thread-7", "message": "Unhandled exception occurred", "exc_info": "Traceback (most recent call last):\n File \"cherrypy/_cprequest.py\", line 628, in respond\n File \"cherrypy/_cprequest.py\", line 687, in _do_respond\n File \"cherrypy/lib/encoding.py\", line 219, in __call__\n File \"cherrypy/_cpdispatch.py\", line 54, in __call__\n File \"client_api.py\", line 124, in acs\n File \"authentication/saml/saml_auth.py\", line 37, in acs\n File \"onelogin/saml2/auth.py\", line 210, in redirect_to\n File \"onelogin/saml2/utils.py\", line 210, in redirect\nonelogin.saml2.errors.OneLogin_Saml2_Error: Redirect to invalid URL: https://1.2.3.4/#/sso", "path_info": "/acs/", "query_string": "id=<id_here>", "request_ip": "<my_ip>", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.200", "timestamp": "2023-08-11T03:29:44.092534+00:00"}
{"asctime": "2023-08-11 03:29:44,094", "name": "cherrypy.access.139762830499600", "processName": "MainProcess", "filename": "_cplogging.py", "funcName": "access", "levelname": "INFO", "lineno": 283, "module": "_cplogging", "threadName": "CP Server Thread-7", "message": "172.18.0.9 - - [11/Aug/2023:03:29:44] \"POST /api/acs/?id=<id_here> HTTP/1.1\" 500 78 \"https://login.microsoftonline.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.200\"", "path_info": "/acs/", "query_string": "id=<id_here>", "request_ip": "<my_ip>", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.200", "timestamp": "2023-08-11T03:29:44.094915+00:00"}
==> api_server.log <==
2023-08-11 03:29:44,088 [ERROR] cherrypy.error.139762830499600: [11/Aug/2023:03:29:44] HTTP
Traceback (most recent call last):
File "cherrypy/_cprequest.py", line 628, in respond
File "cherrypy/_cprequest.py", line 687, in _do_respond
File "cherrypy/lib/encoding.py", line 219, in __call__
File "cherrypy/_cpdispatch.py", line 54, in __call__
File "client_api.py", line 124, in acs
File "authentication/saml/saml_auth.py", line 37, in acs
File "onelogin/saml2/auth.py", line 210, in redirect_to
File "onelogin/saml2/utils.py", line 210, in redirect
onelogin.saml2.errors.OneLogin_Saml2_Error: Redirect to invalid URL: https://1.2.3.4/#/sso
2023-08-11 03:29:44,092 [ERROR] root: Unhandled exception occurred
Traceback (most recent call last):
File "cherrypy/_cprequest.py", line 628, in respond
File "cherrypy/_cprequest.py", line 687, in _do_respond
File "cherrypy/lib/encoding.py", line 219, in __call__
File "cherrypy/_cpdispatch.py", line 54, in __call__
File "client_api.py", line 124, in acs
File "authentication/saml/saml_auth.py", line 37, in acs
File "onelogin/saml2/auth.py", line 210, in redirect_to
File "onelogin/saml2/utils.py", line 210, in redirect
onelogin.saml2.errors.OneLogin_Saml2_Error: Redirect to invalid URL: https://1.2.3.4/#/sso
2023-08-11 03:29:44,094 [INFO] cherrypy.access.139762830499600: 172.18.0.9 - - [11/Aug/2023:03:29:44] "POST /api/acs/?id=<id_here> HTTP/1.1" 500 78 "https://login.microsoftonline.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.200"
Not sure if this is the library being used in the frontend currently but I found the exact error message in the python3-saml repo: https://github.com/SAML-Toolkits/python3-saml/blob/d1bfaeb17a786735827b8252b91deafde29dabd8/src/onelogin/saml2/utils.py#L212
As far as I can see, at least in the regex check for that repo the redirect URL should pass the check fine.
Thank you.
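Added example, not code from the reporter, from Kasm, or from python3-saml: a small Python script that pulls the RelayState out of the form body an IdP posts to the ACS in an IdP-initiated flow (the `/api/acs/` POST seen in the access log above) and runs two checks on it. The first reproduces the shape of the regex check the reporter points at in the linked utils.py line; that it is a plain `^https?://` scheme test is an assumption and should be confirmed against the python3-saml version pinned in the kasmweb/api image. The second is the stricter host allowlist a service provider should apply on top of it, because in an IdP-initiated flow RelayState is chosen by whoever starts the flow and an unvalidated redirect target turns the ACS into an open redirect. The form body is constructed and the SAMLResponse value is a placeholder.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the form body an IdP posts to /api/acs/ in an IdP-initiated flow.
# The SAMLResponse value is a placeholder, not a real assertion; only RelayState matters here.
SAMPLE_ACS_BODY = (
    "SAMLResponse=UExBQ0VIT0xERVI%3D"
    "&RelayState=https%3A%2F%2F1.2.3.4%2F%23%2Fsso"
)

# Assumption: the check behind "Redirect to invalid URL" is a scheme regex of this shape.
# Confirm against the python3-saml version bundled in the kasmweb/api image before relying on it.
SCHEME_RE = re.compile(r"^https?://", re.IGNORECASE)


def relay_state(body: str) -> Optional[str]:
    """Return the decoded RelayState from an application/x-www-form-urlencoded ACS POST body."""
    values = parse_qs(body, keep_blank_values=True).get("RelayState")
    return values[0] if values else None


def passes_scheme_check(url: Optional[str]) -> bool:
    """Loose check: accept anything that starts with http:// or https://."""
    return bool(url) and SCHEME_RE.search(url) is not None


def passes_allowlist(url: Optional[str], allowed_hosts: set) -> bool:
    """Strict check an SP should apply: https only, and the host must be one of ours.

    RelayState is attacker-influenced in IdP-initiated SSO, so a scheme test alone
    leaves the ACS usable as an open redirect. The fragment (/#/sso) is fine to keep:
    it never leaves the browser, so it cannot redirect the user anywhere else.
    """
    if not url:
        return False
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


if __name__ == "__main__":
    target = relay_state(SAMPLE_ACS_BODY)
    print("RelayState:", target)
    print("scheme check:", passes_scheme_check(target))
    print("allowlist check:", passes_allowlist(target, {"1.2.3.4"}))
```

Run against the sample body, the RelayState decodes to https://1.2.3.4/#/sso and passes both checks, which is consistent with the reporter's reading that a bare scheme regex would not reject it; if the bundled library raises on that value anyway, the check in that version is doing more than a scheme test and the library source for that exact version is the thing to read.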
I suspect you have put the wrong value in the Identifier (Entity ID) field. The URL should include something like /api/metadata, instead of /api/acs.
Please double check that you have entered the correct value (Entity ID) as defined in the Kasm config
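Added example, not code from the maintainer, from Kasm, or from Azure: a Python script that reads the entityID and AssertionConsumerService Location out of SP metadata and compares them with the Identifier (Entity ID) and Reply URL entered on the Azure side, which is the check the reply above asks for. The metadata document below is constructed; its entityID and ACS paths follow the "/api/metadata" versus "/api/acs" distinction in the reply, but the real values must come from your own Kasm instance's metadata endpoint. The comparison is an exact string match; trailing slashes and query strings count.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# For metadata fetched from an untrusted source, parse with defusedxml instead of ElementTree.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata. The id value is a placeholder; take the real document
# from your own Kasm instance rather than trusting these paths.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://1.2.3.4/api/metadata/?id=example-config-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://1.2.3.4/api/acs/?id=example-config-id" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_endpoints(metadata_xml: str) -> Dict[str, object]:
    """Extract the SP entityID and every HTTP-POST ACS Location from SAML SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs_urls: List[str] = [
        acs.get("Location", "")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
        if acs.get("Binding") == "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ]
    return {"entity_id": root.get("entityID", ""), "acs_urls": acs_urls}


def mismatches(sp: Dict[str, object], azure_identifier: str, azure_reply_url: str) -> List[str]:
    """Compare the Azure-side Identifier and Reply URL with what the SP metadata declares.

    The Identifier must equal the SP entityID exactly; the Reply URL must be one of the
    ACS locations, since that is the allowlist the IdP uses to decide where it will post
    signed assertions. Returns a list of human-readable problems, empty when both match.
    """
    problems: List[str] = []
    if azure_identifier.strip() != sp["entity_id"]:
        problems.append(
            f"Identifier (Entity ID) is {azure_identifier!r} but SP metadata entityID is {sp['entity_id']!r}"
        )
    if azure_reply_url.strip() not in sp["acs_urls"]:
        problems.append(
            f"Reply URL {azure_reply_url!r} is not an ACS Location in SP metadata: {sp['acs_urls']!r}"
        )
    return problems


if __name__ == "__main__":
    sp = sp_endpoints(SAMPLE_SP_METADATA)
    # Demonstrates the mistake the reply suspects: the ACS URL pasted into the Identifier field.
    for line in mismatches(sp, "https://1.2.3.4/api/acs/?id=example-config-id",
                           "https://1.2.3.4/api/acs/?id=example-config-id"):
        print(line)
```

Replace SAMPLE_SP_METADATA with the document served by your Kasm instance and the two strings with the values copied from the Azure enterprise application; an empty list means both fields match the SP metadata exactly.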
Hey @j-travis,
Just checked config and it looks correct to me looking at the documentation as well.
See Azure and Kasm config images:
Kasm Config - https://ibb.co/0936Jjd
Azure Config - https://ibb.co/7vtrqcs
Cheers
Here's a screenshot of the error as well just for reference - This is the page I'm getting after clicking on the app from myapps.microsoft.com