SAML authentication broken after server upgrade

We upgraded our server to 2023.11.3 (build 147512) and SAML authentication no longer works with our gsuite domain accounts. It was working fine before, but now we get this error:


0
11 comments
Hi,

Please provide the following information:
1. Please let me know from which version you have updated. I will check if there were any changes to the authentication between the version you have previously used and the current one.
2. Screenshot of SAML plugin settings.
3. Please increase the response length logged by TeamCity. To do that please set an internal property (https://www.jetbrains.com/help/teamcity/configuring-teamcity-server-startup-properties.html) `teamcity.logging.maxRequestUrlLength=16392`. Reproduce the issue and share the teamcity-auth.log file from /logs.

To keep the attachments private, you can upload them to the https://uploads.jetbrains.com/ and share the upload ID.

Best regards,
Anton
0

I was able to get it working by disabling strict SAML mode - is this a security concern leaving it disabled?

0
Hi,

The SAML Strict Mode checks that the request URL conforms to the expected callback URL (configured as the TeamCity root URL). It is highly recommended to enable this option for production environments, as an extra security check.

The SAML Authentication plugin itself is maintained by a third party (https://github.com/morincer/teamcity-plugin-saml).

In the plugin's documentation, you can find the troubleshooting section with the steps required to troubleshoot the invalid_response error: https://github.com/morincer/teamcity-plugin-saml#troubleshooting. Please follow the troubleshooting guide and let me know the results.

To help you with the investigation from my side, I would need the materials I asked for in the previous message to investigate why authentication fails when the strict mode is enabled. Additionally, please confirm the URL set up for the TeamCity server (Administration > Global Settings > Server URL), and the points mentioned in the troubleshooting guide.

Best regards,
Anton
0

Here's the error, but I checked the global server URLs and the ones in the SAML configs and they all use "https". I don't see "http" anywhere; where could that be coming from?

[2024-03-05 18:57:21,346]  ERROR [no auth; http-nio-8111-exec-29] - The response was received at http://<redacted>:443/app/saml/callback/ instead of https://<redacted>/app/saml/callback/
[2024-03-05 18:57:21,346]  ERROR [no auth; http-nio-8111-exec-29] - processResponse error. invalid_response

0

our SAML settings: Upload id: 2024_03_05_CcB28wdndr2twmKamtv1bi (file: Screenshot 2024-03-05 at 1.13.08 PM.png)

0
Hi,

How did you configure HTTPS for your TeamCity server?

If you use the built-in HTTPS configuration and not the reverse proxy, please check the Administration > HTTPS Settings > HTTPS Redirect. If the value is other than "Enable for all requests", try setting it to this option, and let me know the results.
If this option is already selected, or it didn't help, please share the following:
1. Please let me know from which version you have updated. I will check if there were any related changes between the version you have previously used and the current one.
2. Screenshots of the settings on the IdP side.

Best regards,
Anton
0

We are using an NGINX HTTPS configuration. Also, I tested upgrading the external SAML auth plugin to the latest version, but it still failed with the same error in strict mode.

1. The problem is I'm not sure exactly when the problem occurred, because for all the already logged-in users we didn't see the error; everything worked normally. I didn't notice the error until I attempted to sign in from a new device, so it could have been broken for a few upgrades. We're trying to stay on the most up-to-date server version, and currently that is 2023.11.4.

2. Like, you want to see our Google IdP metadata?

0
Hi,

With a reverse proxy in place, my main assumption for the cause is a misconfiguration of the proxy or of Tomcat, i.e., everything uses HTTPS, Nginx receives the response over HTTPS but transmits it to Tomcat via HTTP. Please check that your reverse proxy setup follows the documentation, especially the Tomcat configuration part: https://www.jetbrains.com/help/teamcity/2023.11/configuring-proxy-server.html#TeamCity+Tomcat+Configuration.

Best regards,
Anton
0
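To make the two points above concrete (the Strict Mode comparison Anton describes earlier in the thread, and the proxy-to-Tomcat scheme mismatch he suspects here), the following is an added Python model written for this page. It is not TeamCity, SAML plugin or Tomcat code: it imitates how a servlet container rebuilds the URL a SAML response arrived at, how a RemoteIpValve-style trusted-proxy rule corrects scheme and port from X-Forwarded-* headers, and how the strict check then compares that URL with the expected callback. The hostname teamcity.example.com, the addresses 127.0.0.1 and 203.0.113.5, and the header values are constructed sample input.

```python
"""Constructed model (not TeamCity, SAML plugin or Tomcat code) of how a
servlet container rebuilds the URL a SAML response was received at, and how
SAML Strict Mode compares it with the expected callback URL.

Hostnames, addresses and header values below are made-up sample input."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    """Minimal stand-in for the HttpServletRequest Tomcat hands to the plugin."""
    connector_scheme: str            # scheme configured on the Tomcat connector
    peer_ip: str                     # address of the immediate client (the proxy)
    headers: dict = field(default_factory=dict)
    connector_port: int = 8111       # TeamCity's default Tomcat port
    path: str = "/app/saml/callback/"


def server_name_and_port(req: Request):
    """Tomcat takes host and port from the Host header; the port falls back to
    the connector port when the header carries none."""
    host_header = req.headers.get("Host", "")
    host, sep, port = host_header.rpartition(":")
    if sep:
        return host, int(port)
    return host_header, req.connector_port


def self_url(req: Request, trusted_proxies=()):
    """Rebuild scheme://host[:port]/path the way the SAML library does.

    trusted_proxies models RemoteIpValve's internalProxies: forwarded headers
    are honoured only when the immediate peer is inside one of these networks."""
    scheme = req.connector_scheme
    host, port = server_name_and_port(req)
    if any(ip_address(req.peer_ip) in ip_network(net) for net in trusted_proxies):
        scheme = req.headers.get("X-Forwarded-Proto", scheme).lower()
        # Without a port header, the protocol's default port is substituted.
        port = int(req.headers.get("X-Forwarded-Port",
                                   DEFAULT_PORTS.get(scheme, req.connector_port)))
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}{req.path}"


def strict_mode_check(received_url: str, expected_callback: str):
    """Strict Mode: the URL the response arrived at must equal the callback URL
    derived from the TeamCity server URL. Returns (ok, message)."""
    if received_url == expected_callback:
        return True, "destination ok"
    return False, (f"The response was received at {received_url} "
                   f"instead of {expected_callback}")


EXPECTED_CALLBACK = "https://teamcity.example.com/app/saml/callback/"
TRUSTED_PROXIES = ("127.0.0.1/32",)

# nginx terminates TLS and forwards to Tomcat over plain HTTP; the Host header
# carries :443 and nginx also sends X-Forwarded-Proto (constructed sample).
FROM_NGINX = Request(connector_scheme="http", peer_ip="127.0.0.1",
                     headers={"Host": "teamcity.example.com:443",
                              "X-Forwarded-Proto": "https"})

# An outside client reaching Tomcat directly and forging the same header.
FROM_OUTSIDE = Request(connector_scheme="http", peer_ip="203.0.113.5",
                       headers={"Host": "teamcity.example.com:443",
                                "X-Forwarded-Proto": "https"})


def demo():
    """Return the three interesting outcomes so they can be inspected or tested."""
    return {
        # Tomcat not told about the proxy: scheme stays http and port 443 is
        # printed because it is not http's default, the same shape as the log.
        "unconfigured": self_url(FROM_NGINX),
        # With the valve trusting the proxy, scheme and port are corrected.
        "with_valve": self_url(FROM_NGINX, TRUSTED_PROXIES),
        # The forged header from an untrusted peer is ignored.
        "spoofed": self_url(FROM_OUTSIDE, TRUSTED_PROXIES),
    }


if __name__ == "__main__":
    for label, url in demo().items():
        ok, msg = strict_mode_check(url, EXPECTED_CALLBACK)
        print(f"{label:13s} {url}  ->  {msg}")
```

The "unconfigured" case reproduces the `http://<host>:443/...` vs `https://<host>/...` pair seen in the log above: the proxy terminated TLS correctly, but Tomcat was never told to trust the forwarded headers, so it rebuilt the URL from its own plain-HTTP connector. In real Tomcat the trusted-proxy rule is the RemoteIpValve (with `protocolHeader="x-forwarded-proto"` and `internalProxies`) that the linked TeamCity proxy documentation describes, and nginx has to send the matching `X-Forwarded-Proto $scheme` header. The "spoofed" case is why the valve limits trust to the proxy's address: a client that can reach Tomcat directly must not be able to pick the scheme the callback URL is validated against. Turning Strict Mode off simply skips `strict_mode_check`, which is the security check the earlier reply recommends keeping on.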

OK, I think our server.xml didn't get updated when we updated to the newest container version. What is the best way to override the server.xml properties without requiring us to modify the official container image?

0
Hi,

Is my understanding correct that you are running TeamCity inside Docker? If that's the case, then to change the server configuration, please refer to the "Alternative Tomcat configuration" section of the TeamCity Server Docker container documentation: https://hub.docker.com/r/jetbrains/teamcity-server/.

Best regards,
Anton
0

Thanks, that works!

0
