UniFi ID SAML Error #141
Comments
Does the certificate in the configuration have linebreaks? |
In the SSO-Auth.xml:
`<SamlCertificate>MIIEUTCC...qiMiS5dznV1G7lNokEl0gKY</SamlCertificate>`
No line breaks.
|
Is the Jellyfin server running on Windows, Linux, or something else? |
It’s on MacOS 13.5.1 (as mentioned in the ticket) using the Jellyfin.app that I self-signed. It works great other than this issue.
… On Aug 31, 2023, at 14:16, 9p4 ***@***.***> wrote:
Is the Jellyfin server running on Windows, Linux, or something else?
|
Is the SAML assertion you are using encrypted or just signed? |
It’s just signed.
… On Sep 1, 2023, at 09:27, 9p4 ***@***.***> wrote:
Is the SAML assertion you are using encrypted or just signed?
|
Does SAML login function correctly? |
The binding never completes, so no.
… On Sep 1, 2023, at 09:43, 9p4 ***@***.***> wrote:
Does SAML login function correctly?
|
Not the linking, but if you just go to |
No, I get the same error in the logs:
```
[2023-09-01 10:14:54.227 -04:00] [ERR] [53] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request. URL "POST" "/sso/SAML/p/UID".
System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
at System.Convert.FromBase64String(String s)
at Jellyfin.Plugin.SSO_Auth.Api.SSOController.SamlPost(String provider, String relayState)
at lambda_method1221(Closure , Object , Object[] )
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.SyncActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
at Jellyfin.Server.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
at Jellyfin.Server.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
at Jellyfin.Server.Middleware.IpBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
at Jellyfin.Server.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Jellyfin.Server.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Jellyfin.Server.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
at Jellyfin.Server.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
at Jellyfin.Server.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
at Jellyfin.Server.Middleware.ExceptionMiddleware.Invoke(HttpContext context)
```
|
Just to check the characters used in your SAML certificate, can you put the certificate into a file, then run |
Furthermore, are the assertions signed or documents signed? |
Here's the character list:
Nothing strange there. The assertions and documents are both signed. |
In my testing environment (and in the docs), only the document should be signed. Try turning off signed assertions? |
I don’t have the option to customize any of the assertions. Is there a reason you don’t just accept the xml metadata and act accordingly?
… On Sep 2, 2023, at 09:00, 9p4 ***@***.***> wrote:
In my testing environment (and in the docs), only the document should be signed. Try turning off signed assertions?
|
Enabling signed assertions in Keycloak still works for me. Unfortunately, I can't seem to get access to Unifi Identity, and it may make it harder for me to reproduce your issue. If you are willing, can you email me the unredacted public certificate that you are using? My contact information is at https://ersei.net/en/contact-me |
Is there any update? |
Describe the bug
I have set up a new SAML application in UniFi Identity (UID) that points to my Jellyfin instance. At first it was complaining about the ACS URL being wrong. It appears that the current documentation contains the wrong URL to be set up. After analyzing the error response, I put the correct ACS URL into the UID config. Now I'm getting a valid SAML Response, but the Linking page still shows an error: jellyfin log file extract
To Reproduce
Steps to reproduce the behavior:
1. `/jellyfin/sso/SAML/Add/UID?api_key=[API_KEY]` JSON Payload
2. `jellyfin/SSOViews/linking` in the browser and click the + button.
3. `Error processing request.` when redirected to `jellyfin/sso/SAML/p/UID`
4. `base64 -d -i file.b64` to verify that the response is indeed parseable (I can email you this base64 encoded response, but I don't want to share it publicly.)

Expected behavior
I would expect the successful response from the IdP would be parsed and the linking would succeed.
Screenshots
See this Gist
Configuration
See this Gist
Versions (please complete the following information):
Additional context
Jellyfin Mac App from the website. Installed plugin from repo listed in README.md.
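
An added diagnostic, not code from this issue or from the plugin: it classifies every character of a Base64 value (the `<SamlCertificate>` text or the posted SAML response) against the three conditions named in the `System.FormatException` in the thread, namely a non-Base64 character, more than two padding characters, or a misplaced padding character. The function name `diagnose_base64`, the hint wording and the sample strings are constructed for illustration.

```python
import string

# Standard Base64 alphabet (RFC 4648, section 4); '=' is handled separately as padding.
ALPHABET = set(string.ascii_letters + string.digits + "+/")
WHITESPACE = set(" \t\r\n")

def diagnose_base64(value: str) -> dict:
    """Classify every character of `value` and report what a strict decoder would reject."""
    illegal, pads = [], []          # (offset, char) pairs / offsets of '='
    whitespace = significant = 0
    data_after_pad = False
    for offset, ch in enumerate(value):
        if ch in WHITESPACE:
            whitespace += 1         # decoders differ on skipping these, so only count them
        elif ch == "=":
            pads.append(offset)
            significant += 1
        elif ch in ALPHABET:
            data_after_pad = data_after_pad or bool(pads)
            significant += 1
        else:
            illegal.append((offset, ch))
    bad = {ch for _, ch in illegal}
    hints = []
    if "-----" in value:
        hints.append("PEM header/footer lines included; keep only the Base64 body")
    elif bad & {"-", "_"}:
        hints.append("URL-safe alphabet (- and _) where standard (+ and /) is expected")
    if "%" in bad:
        hints.append("value is still percent-encoded")
    if " " in value.strip():
        hints.append("interior space; a '+' may have been form-decoded to a space")
    return {
        "illegal": illegal,
        "whitespace": whitespace,
        "padding_count": len(pads),
        "padding_misplaced": data_after_pad,
        "length_ok": significant % 4 == 0,
        "clean": not illegal and len(pads) <= 2 and not data_after_pad
                 and significant % 4 == 0,
        "hints": hints,
    }

if __name__ == "__main__":
    # Constructed samples, not values from the issue.
    for sample in ["+//+", "-__-", "QUJD\nREVG", "QUJD===", "+/ +"]:
        print(repr(sample), diagnose_base64(sample))
```

Running it over the exact string the server receives, rather than a copy passed through an editor or mail client, keeps the reported offsets meaningful.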