Rocket.chat: saml configuration

Created on 5 Apr 2016 · 29 Comments · Source: RocketChat/Rocket.Chat

Your Rocket.Chat version: 0.24.0

how can i configure rocket chat with ADFS...
what are the cleam rule that i need to create in the adfs server ?

thanks

assaf


All 29 comments

I found the way to do that.

Hey @assafm81 it would be nice if you can provide some information about how you configured rocket chat with adfs. I'm a bit lost in the windows world :D

Were you successful in creating an SSO with rocketchat and adfs?

We use ADFS to authenticate users from AD to Rocket.Chat.
What you need to do is:

  1. Put the endpoints ("your A record to the rocket") with POST binding.
  2. Same in the identifiers.
    Now the tricky part is the Claim Rules.
    Try this for a start and work forward for what you need:

(three screenshots of the ADFS claim rule settings were attached here; images not included)

Assaf

Thx @assafm81, we will give it a try. We spent the whole Wednesday trying to bring the ADFS to work. But in 90% we got an error after login in the popup. But your field mapping looks promising :D

@assafm81 Hey can you provide the settings you used for Rocket Chat as well?

I'm having issues getting my ADFS to respond.

Not sure what the settings mean.

Thanks,

Has anyone else been able to figure this out? I have asked many times in their support chat to update their SAML documentation and only get silence. My organization is really interested in using this if we can get it to work with ADFS.

I was updating all the settings that needed to support SAML.


Quick guide for Rocketchat running on SUSE Enterprise 12 SP1 with Microsoft ADFS 2.0 running on Windows Server 2008 R2

1) Rocketchat general settings:

Site URL: https://rocketchat.mydomain.com
MUST USE HTTPS NOT TCP 3000. Must have Nginx or other proxy in front

2) Rocketchat SAML settings:

Enable: True
Custom Provider: adfs
Custom Entry Point: https://adfs.mydomain.com/adfs/ls/
Custom Issuer: https://rocketchat.mydomain.com
Custom Certificate: your certificate string here
Generate Username: True

3) ADFS Set up wizard

New Relying Party Trust
Select Data Source; Enter data about the relying party manually
Select Display Name; Display name: Rocket.Chat
Choose profile; AD FS 2.0 profile
Configure Certificate; None
Configure URL: none
Configure Identifiers: https://rocketchat.mydomain.com
Choose Issuance Authorization Rules: Permit all users to access this relying party
Ready to add trust: Untick Open the Edit Claims Rules…

Go to properties of Rocket.Chat
Go to Endpoints tab
Add
Endpoint type: SAML Assertion Consumer
Binding: POST
URL: https://rocketchat.mydomain.com/_saml/validate/adfs

Go to Edit Claims Rules of Rocket.Chat, use assafm81 settings
https://github.com/RocketChat/Rocket.Chat/issues/2770#issuecomment-221605998

Thank you very much for the response! I will try these settings today and report back. One question: I am assuming that the Custom cert is the SSL cert I generated for the reverse SSL nginx proxy?

We configured our ADFS per the instructions but we are getting an Error: Unable to validate response url: Error: Invalid signature. Other applications we have worked with use a metadata.xml method but I am not seeing it in RC. I feel we are close, we are just missing a key detail. Thank you again for the help!

Are you using cert signature in the realm? If so try to remove it.


Not sure what you mean by that, we have other apps that use that adfs server so we can't remove anything or it may break other apps.

On the specific realm for the rocket in the ADFS server..

Open your ADFS manager and check the realms; you will see other realms that connect different services. Look for the rocket realm and get its settings.


Can think of 3 possible things to look for:

- Is the Custom Certificate string right in the SAML page on Rocketchat
- That there is no certificate defined on the ADFS properties of Rocket.Chat (we could not get this to work yet)

And finally, try opening Rocketchat using a Firefox private window or Chrome incognito window.

Where does the Custom Certificate string come from? Is it generated from adfs? is it the ssl cert local to the machine?

We used our public trusted domain certificate we obtained. We used openssl to print the contents of our certificate and then pasted the string of characters between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into the Custom Certificate box
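The thread goes back and forth on which certificate belongs in the Custom Certificate box. The value the service provider needs is the certificate that ADFS signs its SAML responses with (the token-signing certificate); ADFS publishes it in its federation metadata under KeyDescriptor use="signing". The example below is added here and is not Rocket.Chat's or any commenter's code: it extracts that certificate from a constructed metadata document, converts an openssl-style PEM into the bare base64 string the box expects, and checks whether a pasted value matches what the IdP advertises. Hostnames and certificate bodies are constructed placeholders; function names are assumptions.

```javascript
// Added example, not Rocket.Chat's or the thread's own code. Given an ADFS federation
// metadata document (ADFS publishes it at /FederationMetadata/2007-06/FederationMetadata.xml),
// pull out the certificate ADFS signs tokens with and normalise it into the bare base64
// string Rocket.Chat's "Custom Certificate" box takes. Hostnames and certificate bodies
// below are constructed placeholders, not real values.

// Constructed metadata fragment in the shape ADFS emits: one KeyDescriptor for
// encryption, one for signing, each wrapping a line-wrapped base64 X509Certificate.
const SAMPLE_METADATA = `<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIC0ENCRYPTIONCERTPLACEHOLDER
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIC0TOKENSIGNINGCERTPLACEHOLDER
          SECONDLINEOFBASE64
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>`;

// Constructed PEM as openssl would print it for the same (placeholder) certificate.
const SAMPLE_PEM = `-----BEGIN CERTIFICATE-----
MIIC0TOKENSIGNINGCERTPLACEHOLDER
SECONDLINEOFBASE64
-----END CERTIFICATE-----
`;

// Collapse all whitespace so line-wrapped base64 from any source compares equal.
function normaliseBase64(text) {
  return text.replace(/\s+/g, '');
}

// Return every signing certificate advertised by the IdP role, in document order.
// A regex walk is enough for this fixed, machine-generated document shape; a real
// integration would use an XML parser. Only KeyDescriptor use="signing" inside
// IDPSSODescriptor counts: the encryption certificate never validates a signature.
function extractSigningCertificates(metadataXml) {
  const idpRole = metadataXml.match(/<IDPSSODescriptor[\s\S]*?<\/IDPSSODescriptor>/);
  if (!idpRole) return [];
  const certs = [];
  const keyDescriptor = /<KeyDescriptor\s+use="signing"[^>]*>([\s\S]*?)<\/KeyDescriptor>/g;
  let kd;
  while ((kd = keyDescriptor.exec(idpRole[0])) !== null) {
    const x509 = kd[1].match(/<X509Certificate>([\s\S]*?)<\/X509Certificate>/);
    if (x509) certs.push(normaliseBase64(x509[1]));
  }
  return certs;
}

// Turn a PEM block into the header-less base64 body. Refuses anything that is not a
// certificate, so a private key pasted by mistake is not silently accepted.
function pemToCustomCertificate(pem) {
  const m = pem.match(/-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/);
  if (!m) throw new Error('input is not a PEM CERTIFICATE block');
  return normaliseBase64(m[1]);
}

// True when the value pasted into Rocket.Chat matches one of the IdP's signing certs.
// A mismatch here is the configuration that yields "Invalid signature" on every login.
function matchesIdpSigningCertificate(pastedValue, metadataXml) {
  return extractSigningCertificates(metadataXml).includes(normaliseBase64(pastedValue));
}
```

ADFS can advertise more than one signing certificate while it rolls the token-signing key over, which is why the extractor returns a list; when the key does roll, the value pasted into Rocket.Chat has to be updated or logins fail with the same "Invalid signature" error.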

I am assuming this is the token signing cert from adfs? My apologies but I am still confused as to the origin of the certificate.

Adfs is generating these errors when we try to login.

- UserData 
  - Event 
  - EventData 
   Data Saml 
   Data https://rocket 
   Data Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS. at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken) at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken) at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried) at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext) at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
- UserData 

  - Event 

  - EventData 

   Data 

   Data 

   Data System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid. ---> System.ArgumentException: ID4128: The value is not a valid SAML ID. Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '8' character, hexadecimal value 0x38. at System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) --- End of inner exception stack trace --- at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message) --- End of inner exception stack trace --- at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message) at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader) at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage) at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection) at Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form) at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request) at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler) at 
Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context) System.ArgumentException: ID4128: The value is not a valid SAML ID. Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '8' character, hexadecimal value 0x38. at System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) --- End of inner exception stack trace --- at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message) System.Xml.XmlException: Name cannot begin with the '8' character, hexadecimal value 0x38. at System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) 

To add on: With the adfs token signing cert, I converted it to a pem format using openssl and grabbed the string. With that string I get Error:

Unable to validate response url: Error: Missing SAML assertion

We get that error sometimes if we have used adfs to authenticate to something else.

have you now tried the private browser window?

I have tried in a private browser (both in fact) they get the same response.

Unable to validate response url: Error: Missing SAML assertion

I tried the SSL cert for the ADFS server and went back to

Error: Unable to validate response url: Error: Invalid signature

So rocket.chat needs a dedicated adfs server? BTW we are using ADFS 3.0, if it matters.

The certificate we are using is a trusted wildcard cert from a 3rd party certificate authority... It just so happens we use that same cert on our ADFS and Rocketchat.

I think you are much closer with the "Unable to validate response url: Error: Missing SAML assertion" error

Not sure how different ADFS 3.0 is compared to 2.0. Can only advise to review the settings from my original post

Rocketchat doesn't need its own adfs

Yeah I am using a self-signed cert on RC and the ADFS has a cert from an Internal CA I believe. I will review the settings and see if I can decipher anything.

I think this is an important message... MSIS7102: Requested Authentication Method is not supported on the STS.

Doing some digging, and looking at the SAML that is sent by RC, I think more types of auth need to be sent by RC, as we use certificate based auth in our systems which I don't think works with Forms Auth in ADFS. I am trying to get that auth type turned on, but my AD guys are fearful it could muck up other apps that are using that system.

<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>

A solution from the RC side would be handling a gamut of options like the ones below. This would allow many different auth types to be used.

    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:authentication:windows</saml:AuthnContextClassRef>

Thoughts?

We were finally able to make SAML work (intermittently), however it's only asking for a user/pass. Is there an option somewhere on the RC side to ask for another assertion type? Such as a certificate?

I was finally able to make ADFS SSO work without prompting the user for a username and password. The missing piece for me (after following the info from @assafm81 and @megamaced) was to add a new assertion for Windows Integrated Authentication.

I installed Rocket.Chat manually rather than using the Snap installer. In my Rocket.Chat directory, I browsed to 'programs/server/packages' and then edited 'steffo_meteor-accounts-saml.js'.

On line 535 (as of today, that may very well change) the line says: request += '<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">' + '<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n' + '</samlp:AuthnRequest>';

I changed that to say:

    request += '<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">' + '<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:authentication:windows</saml:AuthnContextClassRef>\n';
    request += '<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n' + '</samlp:AuthnRequest>';

Note: that should be two separate lines. I added the assertion that says "urn:federation:authentication:windows" before the one that was originally there, and I adjusted both assertions to be properly XML-formatted. After doing this I was able to successfully login via ADFS SSO without a password prompt (or form). Note: everything was working OK prior to this, you just had to type your password, so make sure you get everything working with the instructions earlier in this thread before adding my piece to the puzzle.

Hi everyone,
I'm desperately trying to configure my ADFS 3.0 (Windows Server 2012 R2) with RocketChat 0.62.2.
I followed megamaced and assafm81 settings with no luck. I always have an error after ADFS login:

TypeError: Cannot read property 'toString' of undefined

Maybe since then, things have changed.

In the SAML documentation, at the very end:

Idp Returned Attribute Name    Usage
cn                             User's Full Name
email                          User's Email Address
username                       User's username

I don't see cn and email configuration in assafm81 settings.

Any help is welcome :)


@sc10n how did you manage to fix the "invalid signature" issue in the end?
