Authentication failure using SAML SSO (against Authentik IdP)

Hello,

I installed DocSpace 3 using the install script; it’s running on Debian unstable with Docker 27.3.1.

Now I am trying to configure SSO, and even though I think I did everything right, I am getting authentication failures. Maybe someone knows why?

We have Authentik as our IdP, and I created a provider as follows:

On the DocSpace side of things, I configured stuff as follows:

Now, when I try to log in using SAML, the IdP logs say everything is hunky dory, but the authentication fails:

I set up a tail -f on all log files prior to trying the SSO login, and here is the output. Everything seems fine (HTTP 200 OK) up to and including GET /api/2.0/settings?withPassword=true, which gets an HTTP 200 OK, but the next requests are for the login error page/message.

Nothing else is in the logs anywhere. How can I figure out why this is not working?

==> access.log <==
172.23.0.4 - - [03/Dec/2024:12:50:58 +0000] "GET /ssologin.ashx?config=saml HTTP/1.0" 200 4735 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" "192.168.231.97, 192.168.231.98"
192.168.231.98 - - [03/Dec/2024:12:50:58 +0000] "GET /ssologin.ashx?config=saml HTTP/1.1" 200 4754 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" "192.168.231.97"

==> access-proxy.log <==
192.168.231.98 - - [03/Dec/2024:12:50:58 +0000] "GET /ssologin.ashx?config=saml HTTP/1.1" 200 4754 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"

==> access.log <==
172.23.0.4 - - [03/Dec/2024:12:50:58 +0000] "GET /sso/login HTTP/1.0" 302 1300 "https://docs.example.net/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1, 192.168.231.98"
192.168.231.98 - - [03/Dec/2024:12:50:58 +0000] "GET /sso/login HTTP/1.1" 302 1300 "https://docs.example.net/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1"

==> access-proxy.log <==
192.168.231.98 - - [03/Dec/2024:12:50:58 +0000] "GET /sso/login HTTP/1.1" 302 1300 "https://docs.example.net/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"

==> access.log <==
172.23.0.4 - - [03/Dec/2024:12:50:59 +0000] "GET /ssologin.ashx?config=saml HTTP/1.0" 200 4735 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" "192.168.231.97, 192.168.231.98"
192.168.231.98 - - [03/Dec/2024:12:50:59 +0000] "GET /ssologin.ashx?config=saml HTTP/1.1" 200 4754 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" "192.168.231.97"

==> access-proxy.log <==
192.168.231.98 - - [03/Dec/2024:12:50:59 +0000] "GET /ssologin.ashx?config=saml HTTP/1.1" 200 4754 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"

==> access.log <==
172.23.0.4 - - [03/Dec/2024:12:50:59 +0000] "GET /sso/acs?SAMLResponse=xVhZc6PIsn7Xr…Rf%2F1Vvbt3w%3D%3D HTTP/1.0" 302 148 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1, 192.168.231.98"
192.168.231.98 - - [03/Dec/2024:12:50:59 +0000] "GET /sso/acs?SAMLResponse=xVhZc6PIsn7Xr…Rf%2F1Vvbt3w%3D%3D HTTP/1.1" 302 148 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1"

==> access-proxy.log <==
192.168.231.98 - - [03/Dec/2024:12:50:59 +0000] "GET /sso/acs?SAMLResponse=xVhZc6PIsn7Xr…Rf%2F1Vvbt3w%3D%3D HTTP/1.1" 302 148 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"

==> access.log <==
172.23.0.4 - - [03/Dec/2024:12:50:59 +0000] "GET /api/2.0/settings/colortheme HTTP/1.0" 200 901 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1, 192.168.231.98, 172.23.0.4, 192.168.231.97, 192.168.231.98"
192.168.231.98 - - [03/Dec/2024:12:50:59 +0000] "GET /api/2.0/settings/colortheme HTTP/1.1" 200 913 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1, 192.168.231.98, 172.23.0.4, 192.168.231.97"

==> access-proxy.log <==
192.168.231.98 - - [03/Dec/2024:12:50:59 +0000] "GET /api/2.0/settings/colortheme HTTP/1.1" 200 913 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"

==> access.log <==
172.23.0.4 - - [03/Dec/2024:12:50:59 +0000] "GET /api/2.0/settings?withPassword=true HTTP/1.0" 200 1160 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1, 192.168.231.98, 172.23.0.4, 192.168.231.97, 192.168.231.98"
192.168.231.98 - - [03/Dec/2024:12:50:59 +0000] "GET /api/2.0/settings?withPassword=true HTTP/1.1" 200 1172 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1, 192.168.231.98, 172.23.0.4, 192.168.231.97"

==> access-proxy.log <==
192.168.231.98 - - [03/Dec/2024:12:50:59 +0000] "GET /api/2.0/settings?withPassword=true HTTP/1.1" 200 1172 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"

==> access.log <==
172.23.0.4 - - [03/Dec/2024:12:50:59 +0000] "GET /login/error?messageKey=18 HTTP/1.0" 200 14622 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1, 192.168.231.98"
192.168.231.98 - - [03/Dec/2024:12:50:59 +0000] "GET /login/error?messageKey=18 HTTP/1.1" 200 14738 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1"

==> access-proxy.log <==
192.168.231.98 - - [03/Dec/2024:12:50:59 +0000] "GET /login/error?messageKey=18 HTTP/1.1" 200 14738 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"

==> access.log <==
172.23.0.4 - - [03/Dec/2024:12:51:00 +0000] "GET /logo.ashx?logotype=1&dark=false&default=false HTTP/1.0" 302 0 "https://docs.example.net/login/error?messageKey=18" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1, 192.168.231.98"
192.168.231.98 - - [03/Dec/2024:12:51:00 +0000] "GET /logo.ashx?logotype=1&dark=false&default=false HTTP/1.1" 302 0 "https://docs.example.net/login/error?messageKey=18" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" "192.168.235.1"

==> access-proxy.log <==
192.168.231.98 - - [03/Dec/2024:12:51:00 +0000] "GET /logo.ashx?logotype=1&dark=false&default=false HTTP/1.1" 302 0 "https://docs.example.net/login/error?messageKey=18" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"

Hello,
Please provide all DocSpace logs for reference (/var/log/onlyoffice/docspace/; for Docker, inside the container).

Sure @DmitriiV, here are three Zip files.

First, I stopped all containers, then emptied the onlyoffice-logs-data volume completely.

I then started the containers, and created the logs-after-start.zip archive.

I then loaded the main page in the browser and created the logs-after-load.zip archive.

Finally, I attempted SSO login, and when the auth failure message was shown, I created logs-after-sso-try.zip.

Can you see anything that might be wrong?

Thanks!
m

I cannot find a docspace subdirectory in /var/log/onlyoffice. Which container should I look into?

Answering my own question, following help from the support staff:

There’s a known bug in DocSpace currently preventing authentication against Authentik if assertion encryption is turned on. And indeed, as soon as I disable assertion encryption in Authentik:

and also in the SAML configuration in DocSpace:


then SAML SSO works.

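Since the fix above turned on whether the IdP encrypts the assertion, a quick way to confirm what an IdP is actually sending is to decode the SAMLResponse value from the GET /sso/acs line in the access log. The following Python script is an added example (not part of the original post or of DocSpace/Authentik code): it undoes the HTTP-Redirect binding encoding and reports Status, Destination and whether the Response carries an EncryptedAssertion or a plain Assertion; the sample response is constructed, and idp.example.net is a placeholder issuer.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_response_param(param: str) -> str:
    """Turn the SAMLResponse value from GET /sso/acs?SAMLResponse=... back into XML.
    HTTP-Redirect binding is URL-encode(base64(raw DEFLATE(xml))); some IdPs send
    plain base64, so fall back to the undeflated bytes when inflating fails."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    try:
        xml = zlib.decompress(raw, -15)          # -15: raw DEFLATE, no zlib header
    except zlib.error:
        xml = raw
    if not xml.lstrip().startswith(b"<"):       # inflate "succeeded" on garbage
        xml = raw
    return xml.decode("utf-8")

def inspect_saml_response(xml_text: str) -> dict:
    """Report the fields that matter when the ACS bounces to an error page."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "destination": root.get("Destination"),
        "status": code.get("Value").rsplit(":", 1)[-1] if code is not None else None,
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
        "plain_assertion": root.find("saml:Assertion", NS) is not None,
    }

def encode_saml_response_param(xml_text: str) -> str:
    """Inverse of the decoder; used only to build the constructed sample below."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

# Constructed sample: a Success Response carrying an EncryptedAssertion, the shape
# an IdP produces when assertion encryption is enabled (issuer URL is a placeholder).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2024-12-03T12:50:59Z" Destination="https://docs.example.net/sso/acs">'
    '<saml:Issuer>https://idp.example.net/saml/metadata</saml:Issuer><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    '</saml:EncryptedAssertion></samlp:Response>')
SAMPLE_PARAM = encode_saml_response_param(SAMPLE_XML)
```

A result with "encrypted_assertion": True on a Success status, followed by the SP redirecting to /login/error, is the signature of the encryption incompatibility described in this thread rather than an IdP-side rejection.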

Thank you for sharing.
As you submitted the ticket regarding the issue, the communication on the issue will be continued there (the follow-up will be created when the bug is resolved). Sorry for the inconvenience.