Seamless login is not working via CAS as I would expect.
In the scenario where the user has a valid CAS session (and TGT cookie), but no RocketChat session (and is logged out), the following URL takes me to the RocketChat login screen:
https://auth.example.com:8443/cas/login?service=https://chat.example.com/home
However, if the user has a valid RocketChat session, then this call works.
I would expect it to work in both cases; however, it looks like Rocket.Chat generates and verifies some sort of unique token in the service URL. This unique token only seems to get generated when a user clicks the CAS Login button (e.g. https://auth.example.com:8443/cas/login?service=https://chat.example.com/_cas/qDtdvkL5e8ZkXRtFQ)
Expected behavior: User is logged in automatically due to the existence of the CAS session
Actual behavior: User is taken to the login screen
@engelgabriel @MartinSchoeler @pierre-lehnen-rc
Hi guys,
It really looks odd having to press a button to authenticate in the SSO context when you're actually already authenticated in the SSO context. This is against the nature of SSO where login should be seamless.
Is this a technical problem that cannot be solved (due to the unique token mechanism that @j2ro described above) or is it something else?
Ok, we found the solution. Here's what needs to be done:
In "Custom Script for Logged Out Users" we set:
```javascript
// Runs on the login page for users who have no Rocket.Chat session.
// One-time token that ties the CAS callback to this login attempt; Rocket.Chat's
// /_cas/<token> route validates the ticket and stores the result under it.
const credentialToken = Random.id();
const login_url = "https://cas.domain.com/login";
// Absolute app URL without the trailing slash, plus any ROOT_URL_PATH_PREFIX.
const appUrl = Meteor.absoluteUrl().replace(/\/$/, '') + __meteor_runtime_config__.ROOT_URL_PATH_PREFIX;
const delim = (login_url.split('?').length > 1) ? '&' : '?';
// Hidden iframe: CAS sees the TGT cookie, issues a service ticket and redirects
// the frame back to /_cas/<token> without the user pressing anything.
var i = document.createElement('iframe');
i.style.display = 'none';
i.onload = function() {
  // The redirect chain has settled; exchange the token for a Rocket.Chat session.
  Accounts.callLoginMethod({
    methodArguments: [{ cas: { credentialToken } }],
  });
};
i.src = `${ login_url }${ delim }service=${ appUrl }/_cas/${ credentialToken }`;
document.body.appendChild(i);
```
In "Custom Script for Logout Flow" we set:
```javascript
// Runs when the user logs out of Rocket.Chat: load the CAS logout endpoint in a
// hidden iframe so the CAS session (TGT cookie) is ended as well, not only the RC one.
const logout_url = "https://cas.domain.com/logout";
var i = document.createElement('iframe');
i.style.display = 'none';
i.src = `${ logout_url }`;
document.body.appendChild(i);
```
And it works great now. :-)
Note: To make sure that the RC session is closed when the user logs out, you should also enable "Forget User Session on Window Close" in the Accounts section. Otherwise, reopening the RC URL will show the user still logged in to RC without any valid CAS session.
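As an added example that is not part of this thread or of Rocket.Chat's own code: a guarded variant of the "Logged Out Users" script above. It assumes the same /_cas/<token> callback route the posted script uses, and it takes document and Accounts as parameters so the logic can also be exercised outside a browser; the CAS URLs and the timeout are placeholders. Beyond the posted script it only calls the login method when the hidden frame has actually come back to the app origin at /_cas/<token>, which is what a successful CAS redirect looks like. If the frame is still on the CAS host (no SSO session, so CAS rendered its login form instead of redirecting), reading its location throws a cross-origin SecurityError and the script leaves the normal login form alone instead of firing a login call that can only fail; it also removes the frame on completion or timeout. The whole approach depends on the browser sending the CAS TGT cookie into a cross-site iframe, so with current SameSite defaults that cookie must be issued with SameSite=None; Secure, otherwise CAS never sees the session and the silent path degrades to the plain login form.

```javascript
// Added example; not Rocket.Chat code and not the thread author's script.
// Hypothetical helper names; the /_cas/<token> route matches the posted script.

// Build the CAS login URL whose service parameter points at the app's
// /_cas/<token> callback. The service value is URL-encoded as a query parameter.
function buildCasLoginUrl(loginUrl, appUrl, credentialToken) {
  const delim = loginUrl.includes('?') ? '&' : '?';
  const service = `${appUrl.replace(/\/$/, '')}/_cas/${credentialToken}`;
  return `${loginUrl}${delim}service=${encodeURIComponent(service)}`;
}

// True only when the frame has been redirected back to our origin at the
// expected callback path. While it still shows the CAS login form on the CAS
// host, the location read throws a cross-origin SecurityError -> false.
function landedOnCallback(frame, appOrigin, credentialToken) {
  try {
    const loc = frame.contentWindow.location;
    return loc.origin === appOrigin && loc.pathname.endsWith(`/_cas/${credentialToken}`);
  } catch (e) {
    return false;
  }
}

// Start the silent CAS login in a hidden iframe. Returns a controller with the
// frame and a status() getter: 'pending', 'login-called', 'no-cas-session', 'timeout'.
// timeoutMs <= 0 disables the timer (used when driving the frame manually).
function startSilentCasLogin({ loginUrl, appUrl, credentialToken, doc, accounts, timeoutMs = 10000 }) {
  const appOrigin = new URL(appUrl).origin;
  const frame = doc.createElement('iframe');
  frame.style.display = 'none';
  let status = 'pending';
  let timer = null;

  // Settle exactly once and drop the frame so repeated hooks do not pile up.
  const finish = (result) => {
    if (status !== 'pending') return;
    status = result;
    if (timer) clearTimeout(timer);
    if (frame.parentNode) frame.parentNode.removeChild(frame);
  };

  frame.onload = function () {
    if (landedOnCallback(frame, appOrigin, credentialToken)) {
      // CAS had a session and issued a ticket for this token: exchange it for an RC session.
      accounts.callLoginMethod({ methodArguments: [{ cas: { credentialToken } }] });
      finish('login-called');
    } else {
      // No CAS session (or a cross-site cookie block): leave the normal login form to the user.
      finish('no-cas-session');
    }
  };

  if (timeoutMs > 0) timer = setTimeout(() => finish('timeout'), timeoutMs);
  frame.src = buildCasLoginUrl(loginUrl, appUrl, credentialToken);
  doc.body.appendChild(frame);
  return { frame, status: () => status };
}

// In the Rocket.Chat "Custom Script for Logged Out Users" setting the globals exist;
// outside a browser (e.g. when testing) this block is skipped.
if (typeof document !== 'undefined' && typeof Meteor !== 'undefined' && typeof Accounts !== 'undefined') {
  startSilentCasLogin({
    loginUrl: 'https://cas.domain.com/login',          // placeholder
    appUrl: Meteor.absoluteUrl(),
    credentialToken: Random.id(),
    doc: document,
    accounts: Accounts,
  });
}
```

The same-origin check is what makes the "no CAS session" branch safe to detect: a frame that never left the CAS host cannot be inspected, and that failure is treated as "not logged in", never as success.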