SSO integration configuration fails

Do you want to: Report a bug / Ask a how-to question
Community Server/Control Panel version: Latest
Type of installation of Workspace (docker, deb/rpm, exe) : docker-compose
OS: Amazon Linux 2

I have installed ONLYOFFICE on a development server using docker-compose. The server is behind a NAT. When I tried to integrate SSO using OneLogin I faced a few issues.

  1. The IdP metadata file does not upload (neither URL nor file works). It gives a 504 error.

  2. IdP certificates and SP certificates do not upload. It gets stuck at "please wait" and then closes.

  3. Can't download the ONLYOFFICE SP metadata file. It gives a timeout error.

The following logs can be found in the logs folder.

Control panel log
2023-10-19 05:13:22 - error: http://onlyoffice-community-server/sso/loadmetadata Unexpected token < in JSON at position 0

Community server logs

web.sso log
{"message":"getPortalSsoConfigUrl: https://hsuite.cyou/ssologin.ashx?config=saml","level":"debug"}
{"error":{"message":"request to https://hsuite.cyou/ssologin.ashx?config=saml failed, reason: connect EHOSTUNREACH 124.43.131.134:443","type":"system","errno":"EHOSTUNREACH","code":"EHOSTUNREACH"},"level":"error","message":"uncaughtException: request to https://hsuite.cyou/ssologin.ashx?config=saml failed, reason: connect EHOSTUNREACH 124.43.131.134:443\nFetchError: request to https://hsuite.cyou/ssologin.ashx?config=saml failed, reason: connect EHOSTUNREACH 124.43.131.134:443\n at ClientRequest. (/var/www/onlyoffice/Services/ASC.SsoAuth/node_modules/node-fetch/lib/index.js:1461:11)\n at ClientRequest.emit (node:events:513:28)\n at TLSSocket.socketErrorListener (node:_http_client:502:9)\n at TLSSocket.emit (node:events:513:28)\n at emitErrorNT (node:internal/streams/destroy:151:8)\n at emitErrorCloseNT (node:internal/streams/destroy:116:3)\n at process.processTicksAndRejections (node:internal/process/task_queues:82:21)"

web.socketio log
2023-10-19 10:42:05 - error: https://hsuite.cyou/api/2.0/batch.jsonconnect EHOSTUNREACH 124.43.131.134:443
2023-10-19 10:42:52 - info: POST /controller/counters/sendUnreadUsers 200 4.855 ms - -

nginx logs
2023/10/19 10:43:22 [error] 2323#2323: *44699 upstream timed out (110: Unknown error) while reading response header from upstream, client: 112.134.243.176, server: , request: "POST /controlpanel/sso/loadmetadata HTTP/2.0", upstream: "http://172.24.0.6:80/controlpanel/sso/loadmetadata", host: "hsuite.cyou", referrer: "https://hsuite.cyou/controlpanel/sso
2023/10/19 10:43:22 [error] 2323#2323: *46070 upstream timed out (110: Unknown error) while reading response header from upstream, client: 172.24.0.6, server: _, request: "POST /sso/loadmetadata HTTP/1.1", upstream: "https://127.0.0.1:443/sso/loadmetadata", host: "onlyoffice-community-server"

How can I overcome these issues?

hi @hasithaw54 :handshake:

What happens when you try to curl your metadata link from the Control Panel container?

hi @Nikolas
When trying to curl the metadata link I can see all the metadata. So controlpanel is able to get the data.

Also want to give a new update on this.

SSO integration works if I remove the HTTPS certificate. But it only works if I log in using the server IP, not from the domain URL.

Thanks

:eyes:

what if we edit the /etc/hosts file?

Try to add the Community Server/Control Panel containers' IPs together with the domain to the /etc/hosts file inside each of the corresponding Docker containers.
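
The workaround above, as an added example that is not from the thread or from ONLYOFFICE: a POSIX shell helper that writes the domain-to-container-IP mapping into a hosts-format file idempotently, so the SSO service inside the Community Server container resolves the portal domain to the compose-network address instead of trying to hairpin through the NAT to the public IP (the connect EHOSTUNREACH in the web.sso log). The domain, IPs and container names used in the comments are placeholders or assumptions; check `docker ps` and `docker inspect` for the real ones.

```shell
#!/bin/sh
# Added example, not part of the thread or of ONLYOFFICE: pin the portal
# domain to a container-reachable IP inside a hosts-format file, so the SSO
# service in the Community Server container stops trying to hairpin through
# the NAT to the public address (the EHOSTUNREACH in the web.sso log).
# IPs, the domain and container names below are constructed placeholders.

# ensure_hosts_entry FILE IP HOSTNAME
# Leaves exactly one mapping for HOSTNAME in FILE: lines that map HOSTNAME
# are dropped, then "IP<TAB>HOSTNAME" is appended. Comment lines are kept.
# The file is rewritten in place (truncate-and-write) rather than renamed
# over: inside a container /etc/hosts is a bind mount, and mv onto it fails.
ensure_hosts_entry() {
  file=$1; ip=$2; name=$3
  tmp=$(mktemp) || return 1
  awk -v n="$name" '
    /^#/ { print; next }
    { for (i = 2; i <= NF; i++) if ($i == n) next
      print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# resolve_in_hosts FILE HOSTNAME
# Prints the IP the file maps HOSTNAME to (first match), or nothing.
resolve_in_hosts() {
  awk -v n="$2" '
    $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# pin_portal_in_containers DOMAIN TARGET_IP CONTAINER...
# Applies the same rewrite to /etc/hosts inside each running container via
# docker exec. Needs the docker CLI, so it is not exercised offline.
# Typical call, with the Community Server's compose-network IP as TARGET_IP:
#   pin_portal_in_containers hsuite.cyou 172.24.0.6 \
#       onlyoffice-community-server onlyoffice-control-panel
# (the container names are assumptions; check `docker ps`).
pin_portal_in_containers() {
  domain=$1; target=$2; shift 2
  for c in "$@"; do
    docker exec -i "$c" sh -c '
      grep -vwF -- "$1" /etc/hosts > /tmp/hosts.new
      printf "%s\t%s\n" "$2" "$1" >> /tmp/hosts.new
      cat /tmp/hosts.new > /etc/hosts && rm -f /tmp/hosts.new' sh "$domain" "$target" || return 1
  done
}
```

Two caveats a practitioner would want here. First, Docker regenerates a container's /etc/hosts when the container is recreated, so an edit made with `docker exec` does not survive `docker-compose up -d` after an image update; the durable form of the same mapping is `extra_hosts:` in the compose service definition (or `--add-host` for `docker run`). Second, this only changes name resolution inside the containers: the TLS handshake still validates the portal certificate against the domain name, which is why the workaround keeps working with HTTPS enabled as long as the certificate and its chain are correct.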

It worked!!! Thanks for the support @Nikolas :blush:


Hi @Nikolas

The same problem I mentioned above has arisen again. Due to some PTR record issues we had to remove the NAT connection. After that network change, SSO integration is not working again. The logs indicate a different issue this time.

web.sso log
{"message":"getPortalSsoConfigUrl: https://hsuite.lk/ssologin.ashx?config=saml","level":"debug"}
{"error":{"message":"request to https://hsuite.lk/ssologin.ashx?config=saml failed, reason: unable to verify the first certificate","type":"system","errno":"UNABLE_TO_VERIFY_LEAF_SIGNATURE","code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"},"level":"error","message":"uncaughtException: request to https://hsuite.lk/ssologin.ashx?config=saml failed, reason: unable to verify the first certificate\nFetchError: request to https://hsuite.lk/ssologin.ashx?config=saml failed, reason: unable to verify the first certificate\n at ClientRequest. (/var/www/onlyoffice/Services/ASC.SsoAuth/node_modules/node-fetch/lib/index.js:1461:11)\n at ClientRequest.emit (node:events:513:28)\n at TLSSocket.socketErrorListener (node:_http_client:502:9)\n at TLSSocket.emit (node:events:513:28)\n at emitErrorNT (node:internal/streams/destroy:151:8)\n at emitErrorCloseNT (node:internal/streams/destroy:116:3)\n at process.processTicksAndRejections (node:internal/process/task_queues:82:21)","stack":"FetchError: request to https://hsuite.lk/ssologin.ashx?config=saml failed, reason: unable to verify the first certificate\n at ClientRequest. (/var/www/onlyoffice/Services/ASC.SsoAuth/node_modules/node-fetch/lib/index.js:1461:11)\n at ClientRequest.emit (node:events:513:28)\n at TLSSocket.socketErrorListener (node:_http_client:502:9)\n at TLSSocket.emit (node:events:513:28)\n at emitErrorNT (node:internal/streams/destroy:151:8)\n at emitErrorCloseNT (node:internal/streams/destroy:116:3)\n at process.processTicksAndRejections (node:internal/process/task_queues:82:21)","exception":true,"date":"Tue Nov 14 2023 04:09:14 GMT+0000 (Coordinated Universal Time)","process":{"pid":2314,"uid":104,"gid":107,"cwd":"/var/www/onlyoffice/Services/ASC.SsoAuth","execPath":"/usr/bin/node","version":"v18.16.0","argv":["/usr/bin/node","/var/www/onlyoffice/Services/ASC.SsoAuth/app.js","UNIX.SERVER"],"memoryUsage":{"rss":113455104,"heapTotal":30191616,"heapUsed":27588400,"external":1043971,"arrayBuffers":134523}},"os":{"loadavg":[0.37,0.35,0.36],"uptime":3355179.31},"trace":[{"column":11,"file":"/var/www/onlyoffice/Services/ASC.SsoAuth/node_modules/node-fetch/lib/index.js","function":null,"line":1461,"method":null,"native":false},{"column":28,"file":"node:events","function":"ClientRequest.emit","line":513,"method":"emit","native":false},{"column":9,"file":"node:_http_client","function":"TLSSocket.socketErrorListener","line":502,"method":"socketErrorListener","native":false},{"column":28,"file":"node:events","function":"TLSSocket.emit","line":513,"method":"emit","native":false},{"column":8,"file":"node:internal/streams/destroy","function":"emitErrorNT","line":151,"method":null,"native":false},{"column":3,"file":"node:internal/streams/destroy","function":"emitErrorCloseNT","line":116,"method":null,"native":false},{"column":21,"file":"node:internal/process/task_queues","function":"process.processTicksAndRejections","line":82,"method":"processTicksAndRejections","native":false}]}
{"message":"::ffff:127.0.0.1 - - [14/Nov/2023:04:10:14 +0000] \"POST /loadmetadata HTTP/1.1\" - - \"-\" \"-\"","level":"info"}

Do you know any solution for this?

@hasithaw54 :handshake: :hugs:
I’ll take a look at the issue a bit later, alright?

@hasithaw54

  1. Do you have a reverse proxy in front of the portal?
  2. Which instruction did you use to switch to HTTPS?
  3. Check the solution for HTTPS issues: HTTPS Issues

Let’s see how the request from the CS container goes:

curl -vv https://hsuite.lk/ssologin.ashx?config=saml
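
An added example, not from the thread or from ONLYOFFICE, to go with the curl check above. Node's UNABLE_TO_VERIFY_LEAF_SIGNATURE is OpenSSL's verify error 21, "unable to verify the first certificate": the server presented the leaf certificate but not the intermediate that signed it, so the client cannot build a path to a trusted root. The ASC.SsoAuth service in the Community Server container is fetching https://hsuite.lk/ssologin.ashx from the portal's own nginx, so it is validating the portal's own certificate; the classic cause is installing the bare leaf (cert.pem) instead of the full chain (fullchain.pem). The script below checks a PEM bundle before uploading it (each certificate must be issued by the one that follows it) and probes what a live server actually sends. Both functions need the openssl CLI; the hostnames in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread or of ONLYOFFICE: diagnose the
# "unable to verify the first certificate" (UNABLE_TO_VERIFY_LEAF_SIGNATURE)
# failure. Requires the openssl CLI. Hostnames in comments are placeholders.

# check_chain_order BUNDLE.pem
# Splits a PEM bundle into its certificates and verifies that certificate i
# is issued by certificate i+1 (leaf, intermediate(s), optional root).
# Returns 0 for a well-ordered chain with at least one issuer after the leaf,
# 1 when the bundle is leaf-only or the order is wrong (reason on stderr).
check_chain_order() {
  bundle=$1
  dir=$(mktemp -d) || return 1
  count=$(awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n { print > (d "/" sprintf("%03d", n) ".pem") }
    END { print n + 0 }' "$bundle")
  if [ "$count" -lt 2 ]; then
    echo "only $count certificate(s) in $bundle: intermediates are missing" >&2
    rm -rf "$dir"; return 1
  fi
  i=1
  while [ "$i" -lt "$count" ]; do
    cur=$(printf '%s/%03d.pem' "$dir" "$i")
    nxt=$(printf '%s/%03d.pem' "$dir" $((i + 1)))
    # strip the "issuer=" / "subject=" prefix so the two DNs compare directly
    issuer=$(openssl x509 -in "$cur" -noout -issuer | sed 's/^[^=]*=//')
    subject=$(openssl x509 -in "$nxt" -noout -subject | sed 's/^[^=]*=//')
    if [ "$issuer" != "$subject" ]; then
      echo "cert $i issuer [$issuer] is not cert $((i + 1)) subject [$subject]" >&2
      rm -rf "$dir"; return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  return 0
}

# probe_served_chain HOST [PORT]
# Connects with SNI, counts the certificates the server sent and reports
# OpenSSL's verify result. A leaf-only server shows "certs sent: 1" and
# "Verify return code: 21 (unable to verify the first certificate)", the same
# OpenSSL error Node surfaces as UNABLE_TO_VERIFY_LEAF_SIGNATURE.
# Run it from inside the Community Server container, e.g.
#   probe_served_chain hsuite.lk
# Returns 0 only when at least two certificates were sent and verify was 0.
probe_served_chain() {
  host=$1; port=${2:-443}
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
        -showcerts </dev/null 2>/dev/null) || true
  sent=$(printf '%s\n' "$out" | grep -c -- '-----BEGIN CERTIFICATE-----') || true
  verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p' | head -n 1)
  echo "certs sent: $sent"
  echo "verify: ${verify:-no TLS handshake}"
  [ "$sent" -ge 2 ] && [ "${verify%% *}" = "0" ]
}
```

Run `check_chain_order` against the file you are about to paste into the Control Panel, and `probe_served_chain` against the portal domain from inside the Community Server container after uploading it; if the probe still reports one certificate, the portal is serving the leaf without its intermediate and the SSO service's fetch of ssologin.ashx will keep failing even though a browser with the intermediate cached shows no error.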

Hi @Nikolas
Sorry for being late. The issue is solved. I uploaded the certificate chain again and that solved the issue.
