diff --git a/changes/12559-sso-metadata-url b/changes/12559-sso-metadata-url
new file mode 100644
index 0000000000..a2debaf1d5
--- /dev/null
+++ b/changes/12559-sso-metadata-url
@@ -0,0 +1 @@
+/fleet/sso endpoint now returns 400 status code (as opposed to 500) when SSO Metadata URL returns invalid data or when SSO Metadata provided by user is invalid.
\ No newline at end of file
diff --git a/server/service/integration_sso_test.go b/server/service/integration_sso_test.go
index ade53abc18..ced7ad685b 100644
--- a/server/service/integration_sso_test.go
+++ b/server/service/integration_sso_test.go
@@ -83,6 +83,61 @@ func (s *integrationSSOTestSuite) TestGetSSOSettings() {
 assert.True(t, strings.HasPrefix(authReq.ID, "id"), authReq.ID)
 }
 
+func (s *integrationSSOTestSuite) TestSSOInvalidMetadataURL() {
+ t := s.T()
+
+ badMetadataUrl := "https://www.fleetdm.com"
+ acResp := appConfigResponse{}
+ s.DoJSON(
+ "PATCH", "/api/latest/fleet/config", json.RawMessage(
+ `{
+ "sso_settings": {
+ "enable_sso": true,
+ "entity_id": "https://localhost:8080",
+ "issuer_uri": "http://localhost:8080/simplesaml/saml2/idp/SSOService.php",
+ "idp_name": "SimpleSAML",
+ "metadata_url": "`+badMetadataUrl+`",
+ "enable_jit_provisioning": false
+ }
+ }`,
+ ), http.StatusOK, &acResp,
+ )
+ require.NotNil(t, acResp)
+
+ var resIni initiateSSOResponse
+ expectedStatus := http.StatusBadRequest
+ t.Logf("Expecting 400 %v status when bad SSO metadata_url is set: %v", expectedStatus, badMetadataUrl)
+ s.DoJSON("POST", "/api/v1/fleet/sso", map[string]string{}, expectedStatus, &resIni)
+}
+
+func (s *integrationSSOTestSuite) TestSSOInvalidMetadata() {
+ t := s.T()
+
+ badMetadata := "foo"
+ acResp := appConfigResponse{}
+ s.DoJSON(
+ "PATCH", "/api/latest/fleet/config", json.RawMessage(
+ `{
+ "sso_settings": {
+ "enable_sso": true,
+ "entity_id": "https://localhost:8080",
+ "issuer_uri": "http://localhost:8080/simplesaml/saml2/idp/SSOService.php",
+ "idp_name": "SimpleSAML",
+ "metadata": "`+badMetadata+`",
+ "metadata_url": "",
+ "enable_jit_provisioning": false
+ }
+ }`,
+ ), http.StatusOK, &acResp,
+ )
+ require.NotNil(t, acResp)
+
+ var resIni initiateSSOResponse
+ expectedStatus := http.StatusBadRequest
+ t.Logf("Expecting %v status when bad SSO metadata is provided: %v", expectedStatus, badMetadata)
+ s.DoJSON("POST", "/api/v1/fleet/sso", map[string]string{}, expectedStatus, &resIni)
+}
+
 func (s *integrationSSOTestSuite) TestSSOValidation() {
 acResp := appConfigResponse{}
 // Test we are validating metadata_url
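Review bot: `TestSSOInvalidMetadataURL` points `metadata_url` at `https://www.fleetdm.com`, so the assertion depends on network egress from the test runner and on whatever that third-party host returns on the day; a DNS or connectivity failure would also reach the 400 through the same error path, so the test can pass without exercising the invalid-response case it is named for. Serving a non-SAML body from an `httptest.Server` keeps the test hermetic and makes the failing input explicit, provided the config validation exercised by `TestSSOValidation` accepts a loopback `http://` URL (the existing `issuer_uri` already uses plain http, so that seems likely; `net/http/httptest` would need importing). While touching that line, `badMetadataUrl` should be `badMetadataURL` per Go initialism convention (its two later uses in the function change with it), and the `t.Logf` format `"Expecting 400 %v status ..."` prints the status twice. Both test functions are fully contained in the hunk.
```go
// … unchanged: t := s.T() …
// Serve a non-metadata body locally rather than depending on an external host.
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	_, _ = w.Write([]byte("<html>not SAML metadata</html>"))
}))
t.Cleanup(srv.Close)
badMetadataURL := srv.URL
// … unchanged: PATCH /api/latest/fleet/config with "metadata_url": "`+badMetadataURL+`" and the POST /api/v1/fleet/sso assertion …
```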
diff --git a/server/service/sessions.go b/server/service/sessions.go
index 84f6308d26..da46ef3041
--- a/server/service/sessions.go
+++ b/server/service/sessions.go
@@ -303,7 +303,7 @@ func (svc *Service) InitiateSSO(ctx context.Context, redirectURL string) (string
 
 metadata, err := sso.GetMetadata(&appConfig.SSOSettings.SSOProviderSettings)
 if err != nil {
- return "", ctxerr.Wrap(ctx, err, "InitiateSSO getting metadata")
+ return "", ctxerr.Wrap(ctx, badRequestErr("Could not get SSO Metadata. Check your SSO settings.", err))
 }
 
 serverURL := appConfig.ServerSettings.ServerURL
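Review bot: Every error from `sso.GetMetadata` is now reported as a 400, including failures of the server's own outbound fetch of the metadata URL (IdP unreachable, TLS handshake error, timeout), which the caller's settings cannot explain and which a 5xx-based alert would previously have surfaced; if `sso.GetMetadata` lets the cases be told apart (a parse/validation error versus a transport error), only the former should become `badRequestErr` and the latter should keep a server-side status. The new wrap also drops the "InitiateSSO getting metadata" message, so the logged error loses its origin; the three-argument form already used on the removed line keeps it: `return "", ctxerr.Wrap(ctx, badRequestErr("Could not get SSO Metadata. Check your SSO settings.", err), "InitiateSSO getting metadata")`. Since /fleet/sso is the login-initiation endpoint and presumably reachable without a session, confirm that the rendered 400 body carries only the fixed message and that the wrapped `err`, which may echo remote response or parser detail, goes to the log rather than the client. InitiateSSO starts and ends outside the hunk.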