Discourse-SAML "BAD CSRF"


(Jay Pfaffman) #1

Trying to get SAML configured at a university. It looks like it’s working, but then after login it just gives ["BAD CSRF"] on a page by itself.

Pinging @falco since he made the last commit. . .

Here are Apache logs that seem like they might have clues.

[Thu May 11 15:13:13.799020 2017] [proxy:debug] [pid 10895] proxy_util.c(2160): AH00942: HTTP: has acquired connection for (localhost)
[Thu May 11 15:13:13.799025 2017] [proxy:debug] [pid 10895] proxy_util.c(2213): [client 71.9.18.118:45630] AH00944: connecting http://localhost:7000/message-bus/e92d240660234736ae59d3b51696db83/poll to localhost:7000, referer: https://discuss.rc.school.edu/login
[Thu May 11 15:13:13.799031 2017] [proxy:debug] [pid 10895] proxy_util.c(2422): [client 71.9.18.118:45630] AH00947: connected /message-bus/e92d240660234736ae59d3b51696db83/poll to localhost:7000, referer: https://discuss.rc.school.edu/login
[Thu May 11 15:13:29.387752 2017] [proxy:debug] [pid 10443] proxy_util.c(2175): AH00943: http: has released connection for (localhost)
[Thu May 11 15:13:29.387780 2017] [deflate:debug] [pid 10443] mod_deflate.c(853): [client 71.9.18.118:45588] AH01384: Zlib: Compressed 14 to 36 : URL /message-bus/9180960f0ed3461f9e8419e8a29fd066/poll, referer: https://discuss.rc.school.edu/admin/plugins
[Thu May 11 15:13:29.581512 2017] [mod_shib:debug] [pid 10443] mod_shib.cpp(320): [client 71.9.18.118:45588] get_request_config created per-request structure, referer: https://discuss.rc.school.edu/admin/plugins
[Thu May 11 15:13:29.581606 2017] [ssl:debug] [pid 10443] ssl_engine_kernel.c(354): [client 71.9.18.118:45588] AH02034: Subsequent (No.13) HTTPS request received for child 5 (server discuss.rc.school.edu:443), referer: https://discuss.rc.school.edu/admin/plugins
[Thu May 11 15:13:29.581666 2017] [authz_core:debug] [pid 10443] mod_authz_core.c(835): [client 71.9.18.118:45588] AH01628: authorization result: granted (no directives), referer: https://discuss.rc.school.edu/admin/plugins
[Thu May 11 15:13:29.581710 2017] [mod_shib:debug] [pid 10443] mod_shib.cpp(917): [client 71.9.18.118:45588] shib_fixups entered in pid (10443), referer: https://discuss.rc.school.edu/admin/plugins
[Thu May 11 15:13:29.581739 2017] [proxy:debug] [pid 10443] mod_proxy.c(1160): [client 71.9.18.118:45588] AH01143: Running scheme http handler (attempt 0), referer: https://discuss.rc.school.edu/admin/plugins
[Thu May 11 15:13:29.581745 2017] [proxy_ajp:debug] [pid 10443] mod_proxy_ajp.c(738): [client 71.9.18.118:45588] AH00894: declining URL http://localhost:7000/message-bus/9180960f0ed3461f9e8419e8a29fd066/poll, referer: https://discuss.rc.school.edu/admin/plugins

(Jeff Atwood) #2

Good luck because SAML is something we only do for enterprise customers, for good reason. It is incredibly complicated and every instance is its own unique snowflake.