Saml path crashing with nil pointer #338

Open
tinder-tder opened this issue Feb 7, 2023 · 5 comments
Labels
🐛 bug Something isn't working 📚 documentation Request for documentation osctrl-admin osctrl-admin related changes

Comments

@tinder-tder
Contributor

I am trying to figure out how to get SAML logins working with Okta but am struggling with the lack of documentation. When configuring the saml.json and setting the admin auth to 'saml' I can get it to start up, but when trying to hit the 'saml/acs' path on the admin server it causes a crash.

Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: server.go:3197: http: panic serving 10.0.101.226:60668: runtime error: invalid memory address or nil pointer dereference
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: goroutine 3522 [running]:
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: net/http.(*conn).serve.func1()
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/usr/local/go/src/net/http/server.go:1825 +0xbf
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: panic({0xf73c20, 0x188cbe0})
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/usr/local/go/src/runtime/panic.go:844 +0x258
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: github.com/crewjam/saml.findChildren(0xc000023260?, {0x10da9b0, 0x22}, {0x10bba10, 0x9})
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/root/go/pkg/mod/github.com/crewjam/[email protected]/service_provider.go:1580 +0x49
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: github.com/crewjam/saml.findChild(0x125ece8?, {0x10da9b0, 0x22}, {0x10bba10, 0x9})
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/root/go/pkg/mod/github.com/crewjam/[email protected]/service_provider.go:1626 +0x31
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: github.com/crewjam/saml.(*ServiceProvider).validateSignature(0xc000031600, 0x0)
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/root/go/pkg/mod/github.com/crewjam/[email protected]/service_provider.go:1076 +0x56
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: github.com/crewjam/saml.(*ServiceProvider).parseResponse(0xc000031600, 0x18d7938?, {0xc0004ea390?, 0x1, 0x1}, {0x7f8978c2a060?, 0x18d7938?, 0x0?}, 0x0)
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/root/go/pkg/mod/github.com/crewjam/[email protected]/service_provider.go:832 +0x95
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: github.com/crewjam/saml.(*ServiceProvider).ParseXMLResponse(0xc0000ca000?, {0x18d7938, 0x0, 0x0}, {0xc0004ea390, 0x1, 0x1})
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/root/go/pkg/mod/github.com/crewjam/[email protected]/service_provider.go:806 +0x2fe
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: github.com/crewjam/saml.(*ServiceProvider).parseResponseHTTP(0xc00059e101?, 0xc00022e300, {0xc0004ea390, 0x1, 0x1})
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/root/go/pkg/mod/github.com/crewjam/[email protected]/service_provider.go:663 +0x197
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: github.com/crewjam/saml.(*ServiceProvider).ParseResponse(0xf138c0?, 0xc00022e300?, {0xc0004ea390?, 0x1?, 0x1?})
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/root/go/pkg/mod/github.com/crewjam/[email protected]/service_provider.go:601 +0xff
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: github.com/crewjam/saml/samlsp.(*Middleware).ServeACS(0xc000031600, {0x125e410, 0xc0003a4000}, 0xc0004f0210?)
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/root/go/pkg/mod/github.com/crewjam/[email protected]/samlsp/middleware.go:89 +0x13a
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: github.com/crewjam/saml/samlsp.(*Middleware).ServeHTTP(0xc000031600, {0x125e410, 0xc0003a4000}, 0xc00022e300)
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/root/go/pkg/mod/github.com/crewjam/[email protected]/samlsp/middleware.go:60 +0xe5
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: github.com/gorilla/mux.(*Router).ServeHTTP(0xc000444300, {0x125e410, 0xc0003a4000}, 0xc000346200)
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/root/go/pkg/mod/github.com/gorilla/[email protected]/mux.go:210 +0x1cf
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: net/http.serverHandler.ServeHTTP({0xc0004f1200?}, {0x125e410, 0xc0003a4000}, 0xc000346200)
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/usr/local/go/src/net/http/server.go:2916 +0x43b
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: net/http.(*conn).serve(0xc0002723c0, {0x125ed58, 0xc0003f9800})
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/usr/local/go/src/net/http/server.go:1966 +0x5d7
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: created by net/http.(*Server).Serve
Feb  7 18:48:44 ip-10-0-2-179 osctrl-admin[111372]: #011/usr/local/go/src/net/http/server.go:3071 +0x4db
Feb  7 18:48:50 ip-10-0-2-179 osctrl-admin[111372]: auth.go:50: GetSession saml: session not present
Feb  7 18:48:50 ip-10-0-2-179 osctrl-admin[111372]: auth.go:60: error parsing JWT: token contains an invalid number of segments
Feb  7 18:48:50 ip-10-0-2-179 osctrl-admin[111372]: auth.go:50: GetSession saml: session not present
Feb  7 18:48:50 ip-10-0-2-179 osctrl-admin[111372]: auth.go:60: error parsing JWT: token contains an invalid number of segments

the saml.json file looks like:

{
	"saml": {
		"metadataurl": "<metadata url from okta app>",
		"keypath": "/opt/osctrl/config/stub.key",
		"certpath": "/opt/osctrl/config/stub.crt",
		"loginurl": "<sso url from okta>",
		"rooturl": "https://<admin dns entry>"
	}
}

Any help would be appreciated in setting up SAML with Okta. I have looked at the crewjam repo and there are similar questions about Okta setup that have no resolution or don't offer any details.

https://github.com/crewjam/saml/issues?q=is%3Aissue+is%3Aopen+okta

@javuto javuto added 🐛 bug Something isn't working osctrl-admin osctrl-admin related changes 📚 documentation Request for documentation labels Feb 9, 2023
@javuto
Collaborator

javuto commented Feb 9, 2023

The non-standard part of osctrl definitely needs some better documentation, apologies for that!

First, you need to specify saml as the authentication method in the admin.json, which configures the osctrl-admin service. This is how the configuration may look:

{
  "admin": {
    "listener": "127.0.0.1",
    "port": "9001",
    "host": "admin.osctrl.local",
    "auth": "saml",
    "logger": "none",
    "carver": "none"
  }
}

Then you need to have the saml.json file in the configuration directory. For example, if osctrl-admin is running from /opt/osctrl, you must have the file /opt/osctrl/config/saml.json with the following values:

{
  "saml": {
    "certpath": "/opt/osctrl/config/stub.crt",
    "keypath": "/opt/osctrl/config/stub.key",
    "metadataurl": "<metadata url from okta app>",
    "rooturl": "https://<admin dns entry>",
    "loginurl": "<sso url from okta>",
    "nametoken": "session",
    "attremail": "",
    "attruser": "",
    "attrdisplay": ""
  }
}

Once the service is configured with these values, use osctrl-cli to add users using the email as username, and you should be able to use SSO with Okta using SAML, or any other SAML system.

I hope that helps!
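A preflight check for the two files described above, added here as an example; it is not osctrl's or crewjam/saml's own code. It only relies on the keys shown in this thread: the struct names, the URL and <placeholder> rules, the decision to treat nametoken as required (because the working config above sets it to "session"), and the GenerateStubKeyPair helper are all this example's own assumptions. The constructed sample inputs reproduce the reporter's saml.json with its placeholders still in place and an admin.json whose auth is not "saml".

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Hypothetical mirrors of the two files shown in this thread (not osctrl's own types).
// encoding/json matches the "admin"/"saml" keys to these fields case-insensitively.
type adminFile struct{ Admin map[string]string }
type samlFile struct{ Saml map[string]string }

// Constructed sample inputs: auth not set to "saml", and a saml.json that
// still carries the <placeholders> from the issue text.
const SampleAdminJSON = `{"admin": {"auth": "db"}}`
const SamplePlaceholderSamlJSON = `{"saml": {"metadataurl": "<metadata url from okta app>",
  "keypath": "/opt/osctrl/config/stub.key", "certpath": "/opt/osctrl/config/stub.crt",
  "loginurl": "<sso url from okta>", "rooturl": "https://<admin dns entry>"}}`

// CheckSamlConfig validates both config files plus the SP certificate/key PEM
// contents (the caller reads them from certpath/keypath) and returns every
// problem found; an empty slice means the preflight passed.
func CheckSamlConfig(adminJSON, samlJSON, certPEM, keyPEM []byte) []string {
	var problems []string
	var admin adminFile
	if err := json.Unmarshal(adminJSON, &admin); err != nil {
		return []string{"admin.json: " + err.Error()}
	}
	if auth := admin.Admin["auth"]; auth != "saml" {
		problems = append(problems, fmt.Sprintf("admin.json: auth is %q, expected \"saml\"", auth))
	}
	var cfg samlFile
	if err := json.Unmarshal(samlJSON, &cfg); err != nil {
		return append(problems, "saml.json: "+err.Error())
	}
	// nametoken is treated as required here because the working config in this thread sets it.
	for _, k := range []string{"certpath", "keypath", "metadataurl", "rooturl", "loginurl", "nametoken"} {
		if strings.TrimSpace(cfg.Saml[k]) == "" {
			problems = append(problems, "saml.json: "+k+" is empty")
		} else if strings.HasSuffix(k, "url") {
			problems = append(problems, checkURL(k, cfg.Saml[k])...)
		}
	}
	// The SP signs its requests with this pair, so the cert must match the key.
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		problems = append(problems, "SP certificate/key do not load as a pair: "+err.Error())
	}
	return problems
}

// checkURL requires an absolute http(s) URL with no unreplaced <placeholder>;
// rooturl must be https because it is the origin the IdP will post the ACS response to.
func checkURL(name, val string) []string {
	if strings.ContainsAny(val, "<>") {
		return []string{"saml.json: " + name + " still contains a <placeholder>: " + val}
	}
	u, err := url.Parse(val)
	if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http") {
		return []string{"saml.json: " + name + " is not an absolute http(s) URL: " + val}
	}
	if name == "rooturl" && u.Scheme != "https" {
		return []string{"saml.json: rooturl must use https: " + val}
	}
	return nil
}

// GenerateStubKeyPair makes a self-signed SP certificate and RSA key in PEM,
// the kind of pair the stub.crt/stub.key paths in the thread's config would hold.
func GenerateStubKeyPair(host string) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

func main() {
	cert, key, err := GenerateStubKeyPair("admin.osctrl.local")
	if err != nil {
		panic(err)
	}
	for _, p := range CheckSamlConfig([]byte(SampleAdminJSON), []byte(SamplePlaceholderSamlJSON), cert, key) {
		fmt.Println("preflight:", p)
	}
}
```

Run against the real files by reading /opt/osctrl/config/admin.json, saml.json and the two PEM paths before starting osctrl-admin; the check is purely local (it never fetches metadataurl) and reports configuration gaps rather than reproducing the nil-pointer panic in the stack trace above.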

@tinder-tder
Contributor Author

Thank you for the details, unfortunately we moved to fleetdm. Hopefully this helps the next person that needs to set up SAML.

@javuto
Collaborator

javuto commented Mar 1, 2023

No worries! And thank you for testing osctrl and the pull requests and issues. Would you be able to quickly enumerate the main aspects why you decided to go with fleetdm? Lack of documentation? Better interface? Thanks in advance!

@tinder-tder
Contributor Author

Sure!

  • Docs don't match some of the code, if it's documented at all
  • AWS cred handling: It took a good bit of my time getting things to work the way we wanted and it involved a lot of hacky patching on my part (not good enough for a PR, but good enough to get it running). For example, the normal fallback AWS credential handling doesn't work because it was programmed to only use a key and secret; it can't use the instance profile or assume a role, for example.
  • Redis TLS and connection handling (I see my PR was merged!)
  • SSO: even in comments it's mentioned the SSO package wasn't the best. Fleet has a pretty good SSO implementation and can autoprovision.
  • Interface is def more polished in Fleet, just some weird template issues that I saw in osctrl, but I'm no JS expert
  • Maintainability long term: setup/rebuilding and configuration brings in a lot of tech debt. provision.sh is fine for local, but not good at scale if we need to customize things without reinventing the wheel; it could just be a documentation shortfall. Same goes for the runtime configuration files: whether one is shared for multiple daemons or is unique isn't clear without reading through the code.

One of the original killer features that made us look at osctrl was multiple envs/orgs which fleet does not have.

@javuto
Collaborator

javuto commented Mar 3, 2023

Thank you so much for the detailed response and the awesome feedback! We are actively working on some of those points, and the rest will follow, but again, appreciated the feedback and the contributions to the project!
