
[Bug] - login in from App button in "My Apps" in Authentik give response of "internal error"

Open bruman opened this issue 1 year ago • 4 comments

Existing Resources

  • [x] Please search the existing issues for related problems
  • [x] Consult the product documentation: Docs
  • [x] Consult the FAQ: FAQ
  • [x] Consult the Troubleshooting Guide: Guide
  • [x] Reviewed existing training videos: Youtube

Describe the bug

I have set up Authentik as a SAML provider for Kasm. If I log into Kasm from the Kasm webpage, I am able to authenticate using my Authentik username and password, so I believe I have everything correctly set up for SAML auth to Authentik to work. However, when I log into Authentik I see a page that has "my applications" listed. When I click on the one for Kasm, I get sent to the Kasm website, where I get an "Internal Error" message.

To Reproduce

Steps to reproduce the behavior: Following the instructions at https://mafyuh.com/posts/how-to-authenticate-kasm-via-authentik/ log into Authentik, then click on the Kasm app in "my applications".

Expected behavior

Should log you into Kasm

Screenshots

If applicable, add screenshots to help explain your problem.

Workspaces Version

1.15.0.577587

Workspaces Installation Method (e.g. Single Server, Multi-Server, TrueNAS, linuxserver.io, terraform, ansible)

Docker community edition

Client Browser (please complete the following information):

MacOS, Chrome and Firefox

Workspace Server Information (please provide the output of the following commands):

  • uname -a

    Linux xxx 5.14.0-427.28.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jul 31 15:28:35 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  • cat /etc/os-release

    NAME="Rocky Linux"
    VERSION="9.4 (Blue Onyx)"
    ID="rocky"
    ID_LIKE="rhel centos fedora"
    VERSION_ID="9.4"
    PLATFORM_ID="platform:el9"
    PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
    ANSI_COLOR="0;32"
    LOGO="fedora-logo-icon"
    CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
    HOME_URL="https://rockylinux.org/"
    BUG_REPORT_URL="https://bugs.rockylinux.org/"
    SUPPORT_END="2032-05-31"
    ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
    ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
    REDHAT_SUPPORT_PRODUCT="Rocky Linux"
    REDHAT_SUPPORT_PRODUCT_VERSION="9.4"

  • sudo docker info

    Client: Docker Engine - Community
     Version: 27.1.1
     Context: default
     Debug Mode: false
     Plugins:
      buildx: Docker Buildx (Docker Inc.)
        Version: v0.16.1
        Path: /usr/libexec/docker/cli-plugins/docker-buildx
      compose: Docker Compose (Docker Inc.)
        Version: v2.29.1
        Path: /usr/libexec/docker/cli-plugins/docker-compose

    Server:
     Containers: 36
      Running: 23
      Paused: 1
      Stopped: 12
     Images: 109
     Server Version: 27.1.1
     Storage Driver: overlay2
      Backing Filesystem: xfs
      Supports d_type: true
      Using metacopy: false
      Native Overlay Diff: true
      userxattr: false
     Logging Driver: json-file
     Cgroup Driver: systemd
     Cgroup Version: 2
     Plugins:
      Volume: local
      Network: bridge host ipvlan macvlan null overlay
      Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
     Swarm: inactive
     Runtimes: io.containerd.runc.v2 runc
     Default Runtime: runc
     Init Binary: docker-init
     containerd version: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
     runc version: v1.1.13-0-g58aa920
     init version: de40ad0
     Security Options:
      seccomp
       Profile: builtin
      cgroupns
     Kernel Version: 5.14.0-427.28.1.el9_4.x86_64
     Operating System: Rocky Linux 9.4 (Blue Onyx)
     OSType: linux
     Architecture: x86_64
     CPUs: 24
     Total Memory: 30.87GiB
     Name: xxx
     ID: e9748166-8f74-4bff-90d0-fbb07002e75f
     Docker Root Dir: /mnt/docker
     Debug Mode: false
     Experimental: false
     Insecure Registries:
      127.0.0.0/8
     Live Restore Enabled: false

  • sudo docker ps | grep kasm

    0169f669756d kasmweb/ubuntu-jammy-desktop:1.15.0 "/dockerstartup/kasm…" 31 hours ago Up 31 hours 4901/tcp, 5901/tcp, 6901/tcp ismimacdonal_3c90dc9c
    46d81abc0c6e lscr.io/linuxserver/webtop:ubuntu-kde "/kasminit" 2 days ago Up 2 days (Paused) 3000-3001/tcp ismimacdonal_2fa2eb79
    a3ee77cfadc0 kasmweb/nginx:1.25.3 "/docker-entrypoint.…" 6 weeks ago Up 8 days 80/tcp, 0.0.0.0:4443->4443/tcp, :::4443->4443/tcp kasm_proxy
    cb6700cd1645 kasmweb/agent:1.15.0 "/bin/sh -c '/usr/bi…" 6 weeks ago Up 8 days (healthy) 4444/tcp kasm_agent
    c0e2f45940e1 kasmweb/share:1.15.0 "/bin/sh -c '/usr/bi…" 6 weeks ago Up 8 days (healthy) 8182/tcp kasm_share
    43ecbb2282ae kasmweb/manager:1.15.0 "/bin/sh -c '/usr/bi…" 6 weeks ago Up 8 days (healthy) 8181/tcp kasm_manager
    58630e7102c0 kasmweb/api:1.15.0 "/bin/sh -c '/usr/bi…" 6 weeks ago Up 8 days (healthy) 8080/tcp kasm_api
    0f30594e8c67 postgres:12-alpine "docker-entrypoint.s…" 6 weeks ago Up 8 days (healthy) 5432/tcp kasm_db
    89a8c76b4de4 redis:5-alpine "docker-entrypoint.s…" 6 weeks ago Up 8 days 6379/tcp kasm_redis
    ada6b9836076 kasmweb/kasm-guac:1.15.0 "/dockerentrypoint.sh" 6 weeks ago Up 8 days (healthy) kasm_guac

Additional context

bruman avatar Aug 22 '24 20:08 bruman

Do you see any errors in the Kasm application logs and/or your browser console?

You should be able to get at the errors in Kasm from the UI, or you can run the following command from your kasm server...

sudo docker logs -f --tail 10 kasm_api

Then try logging in again and capturing the logs

j-travis avatar Aug 22 '24 21:08 j-travis

2024-08-23 16:16:46,459 [DEBUG] client_api_server: Unauthenticated user made authorized API call to (acs) from IP address (10.10.10.176, 10.10.10.176, 172.18.0.2).
2024-08-23 16:16:46,462 [ERROR] cherrypy.error.139679191504640: [23/Aug/2024:16:16:46] HTTP
Traceback (most recent call last):
  File "cherrypy/_cprequest.py", line 628, in respond
  File "cherrypy/_cprequest.py", line 687, in _do_respond
  File "cherrypy/lib/encoding.py", line 219, in __call__
  File "cherrypy/_cpdispatch.py", line 54, in __call__
  File "utils.py", line 99, in wrapper
  File "client_api.py", line 146, in acs
  File "authentication/saml/saml_auth.py", line 22, in acs
  File "onelogin/saml2/auth.py", line 124, in process_response
onelogin.saml2.errors.OneLogin_Saml2_Error: SAML Response not found, Only supported HTTP_POST Binding
2024-08-23 16:16:46,462 [ERROR] root: Unhandled exception occurred
Traceback (most recent call last):
  File "cherrypy/_cprequest.py", line 628, in respond
  File "cherrypy/_cprequest.py", line 687, in _do_respond
  File "cherrypy/lib/encoding.py", line 219, in __call__
  File "cherrypy/_cpdispatch.py", line 54, in __call__
  File "utils.py", line 99, in wrapper
  File "client_api.py", line 146, in acs
  File "authentication/saml/saml_auth.py", line 22, in acs
  File "onelogin/saml2/auth.py", line 124, in process_response
onelogin.saml2.errors.OneLogin_Saml2_Error: SAML Response not found, Only supported HTTP_POST Binding
2024-08-23 16:16:46,463 [INFO] cherrypy.access.139679191504640: 172.22.0.4 - - [23/Aug/2024:16:16:46] "GET /api/acs/?id=bcb3a36d66bb43c18226e86c286872d8 HTTP/1.1" 500 78 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-23 16:16:46,937 [DEBUG] client_api_server: Unauthenticated user made authorized API call to (healthcheck) from IP address (127.0.0.1).
2024-08-23 16:16:46,938 [INFO] cherrypy.access.139679191504640: 127.0.0.1 - - [23/Aug/2024:16:16:46] "GET /api/__healthcheck HTTP/1.1" 200 12 "" "curl/7.68.0"

bruman avatar Aug 23 '24 16:08 bruman

And just for reference, this is what I get when I click the Authentik button from the Kasm login:

2024-08-23 16:21:00,571 [DEBUG] client_api_server: Unauthenticated user made authorized API call to (sso) from IP address (10.10.10.176, 10.10.10.176, 172.18.0.2).
2024-08-23 16:21:00,574 [INFO] cherrypy.access.139679191504640: 172.22.0.4 - - [23/Aug/2024:16:21:00] "POST /api/sso HTTP/1.1" 200 833 "https://kasm.yyy.yyy/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-23 16:21:00,843 [DEBUG] client_api_server: Unauthenticated user made authorized API call to (acs) from IP address (10.10.10.176, 10.10.10.176, 172.18.0.2).
2024-08-23 16:21:01,099 [INFO] cherrypy.access.139679191504640: 172.22.0.4 - - [23/Aug/2024:16:21:01] "POST /api/acs/?id=bcb3a36d66bb43c18226e86c286872d8 HTTP/1.1" 302 1217 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-23 16:21:01,187 [DEBUG] client_api_server: Unauthenticated user made authorized API call to (login_saml) from IP address (10.10.10.176, 10.10.10.176, 172.18.0.2).
2024-08-23 16:21:01,193 [INFO] client_api_server: Successful authentication attempt for user: ([email protected])
2024-08-23 16:21:01,194 [INFO] cherrypy.access.139679191504640: 172.22.0.4 - - [23/Aug/2024:16:21:01] "POST /api/login_saml HTTP/1.1" 200 1492 "https://kasm.yyy.yyy/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-23 16:21:01,249 [DEBUG] admin_api_server: Successfully authenticated request (get_report) for user ([email protected]) at (10.10.10.176, 10.10.10.176, 172.18.0.2)
2024-08-23 16:21:01,250 [DEBUG] admin_api_server: Successfully authenticated request (get_agent_report) for user ([email protected]) at (10.10.10.176, 10.10.10.176, 172.18.0.2)
2024-08-23 16:21:01,254 [DEBUG] client_api_server: Successfully authenticated request (get_client_settings) for user ([email protected]) at (10.10.10.176, 10.10.10.176, 172.18.0.2)
2024-08-23 16:21:01,254 [DEBUG] admin_api_server: Successfully authenticated request (get_report) for user ([email protected]) at (10.10.10.176, 10.10.10.176, 172.18.0.2)
2024-08-23 16:21:01,257 [INFO] cherrypy.access.139679191598560: 172.22.0.4 - - [23/Aug/2024:16:21:01] "POST /api/admin/get_report HTTP/1.1" 200 169 "https://kasm.yyy.yyy/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-23 16:21:01,255 [DEBUG] admin_api_server: Successfully authenticated request (get_report) for user ([email protected]) at (10.10.10.176, 10.10.10.176, 172.18.0.2)
2024-08-23 16:21:01,255 [DEBUG] admin_api_server: Successfully authenticated request (get_report) for user ([email protected]) at (10.10.10.176, 10.10.10.176, 172.18.0.2)
2024-08-23 16:21:01,255 [DEBUG] client_api_server: Successfully authenticated request (license_status) for user ([email protected]) at (10.10.10.176, 10.10.10.176, 172.18.0.2)
2024-08-23 16:21:01,256 [DEBUG] admin_api_server: Successfully authenticated request (get_report) for user ([email protected]) at (10.10.10.176, 10.10.10.176, 172.18.0.2)
2024-08-23 16:21:01,257 [DEBUG] admin_api_server: Successfully authenticated request (get_report) for user ([email protected]) at (10.10.10.176, 10.10.10.176, 172.18.0.2)
2024-08-23 16:21:01,263 [DEBUG] admin_api_server: Successfully authenticated request (get_report) for user ([email protected]) at (10.10.10.176, 10.10.10.176, 172.18.0.2)

bruman avatar Aug 23 '24 16:08 bruman

I'm facing the same problem. Is there any solution yet?

TheDuffman85 avatar Dec 06 '24 16:12 TheDuffman85

I finally tracked my issue down. Somehow I had RelayState set to hours=1. After changing that to https://kasm.mydomain.com/#/sso, it solved my issues. I ended up looking at what Office 365 was sending to Kasm for SAML logins and found the difference. I am not sure why it ever got set to hours=1. Hopefully this is helpful to others.

bruman avatar Aug 13 '25 22:08 bruman
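
A triage sketch for the failure in this thread, added here as an example and not code from Kasm, Authentik or any participant: it pulls ACS requests out of kasm_api access-log lines, flags any that did not arrive by POST (the only binding the traceback says is supported), and checks that a RelayState value is an absolute https URL, as in the fix reported above. The log sample is constructed, and the function names and the `/api/acs` path match are assumptions drawn from the quoted logs.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the cherrypy access lines quoted in this thread.
SAMPLE_LOG = '''\
2024-08-23 16:16:46,463 [INFO] cherrypy.access.1: 172.22.0.4 - - [23/Aug/2024:16:16:46] "GET /api/acs/?id=EXAMPLEID HTTP/1.1" 500 78 "" "Mozilla/5.0"
2024-08-23 16:16:46,938 [INFO] cherrypy.access.1: 127.0.0.1 - - [23/Aug/2024:16:16:46] "GET /api/__healthcheck HTTP/1.1" 200 12 "" "curl/7.68.0"
2024-08-23 16:21:01,099 [INFO] cherrypy.access.1: 172.22.0.4 - - [23/Aug/2024:16:21:01] "POST /api/acs/?id=EXAMPLEID HTTP/1.1" 302 1217 "" "Mozilla/5.0"
'''

# Matches the "[INFO] cherrypy.access.<id>:" lines and captures method, path, status.
ACCESS_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \[INFO\] cherrypy\.access\.\d+: '
    r'\S+ - - \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def acs_requests(log_text):
    """Yield (timestamp, method, status) for every request to the ACS endpoint."""
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        # Assumption: the ACS endpoint is /api/acs, as seen in the quoted logs.
        if m and urlsplit(m["path"]).path.rstrip("/") == "/api/acs":
            yield m["ts"], m["method"], int(m["status"])


def binding_mismatches(log_text):
    """ACS hits that cannot carry a SAMLResponse form field (anything but POST)."""
    return [r for r in acs_requests(log_text) if r[1] != "POST"]


def relay_state_is_url(value, expected_host=None):
    """True if RelayState is an absolute https URL (optionally on expected_host)."""
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return expected_host is None or parts.hostname == expected_host


if __name__ == "__main__":
    for ts, method, status in binding_mismatches(SAMPLE_LOG):
        print(f"{ts} ACS received {method} (status {status}); HTTP-POST binding expected")
    for rs in ("hours=1", "https://kasm.mydomain.com/#/sso"):
        print(f"RelayState {rs!r}: url={relay_state_is_url(rs)}")
```

To run it against a live server, pass the text captured from `sudo docker logs kasm_api` to `binding_mismatches` instead of the sample.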