ISSUE TYPE
COMPONENT NAME
CLOUDSTACK VERSION
CONFIGURATION
Enabled SAML plugin and configured it to authenticate against Azure AD.
STEPS TO REPRODUCE
SAML authentication fails intermittently depending on the SAML request ID that is generated. The ID is rendered in base 32, so its first character is either a letter (a-v) or a digit (0-9). When it begins with a letter, the authentication request goes through as expected. When it begins with a digit, which happens for roughly 30% of generated IDs, the authentication request fails with an error similar to:
AADSTS7500529: The value '692rv91k6dgmdas33vr3b2keahr4lqjv' is not a valid SAML ID. The ID must not begin with a number.
As per Azure AD's documentation, an acceptable request ID must not start with a number.
ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID.
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/single-sign-on-saml-protocol.md
The CloudStack implementation generates the random ID with the following method in SAMLUtils, and there is no way to prefix the result as Azure AD's documentation recommends. This is not only an Azure AD rule: the SAML 2.0 ID attribute has XML Schema type xs:ID, whose lexical form is an NCName and therefore cannot begin with a digit, so an unprefixed base-32 value that happens to start with 0-9 is not a valid ID under the specification either.
import java.math.BigInteger;
import java.security.SecureRandom;
import org.apache.log4j.Logger;

public class SAMLUtils {
    public static final Logger s_logger = Logger.getLogger(SAMLUtils.class);

    // 160 random bits rendered in base 32 (digits 0-9, letters a-v).
    // Nothing here prevents the first character from being a digit.
    public static String generateSecureRandomId() {
        return new BigInteger(160, new SecureRandom()).toString(32);
    }
}
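To make the failure rate concrete and show the fix the documentation suggests, here is an added example (not CloudStack's own code) that reproduces the ID generation above, validates the result against the NCName first-character rule, and compares it with a prefixed variant. The class name SamlIdExample, the helper names originalId, prefixedId and isValidSamlId, and the ASCII-only NCName regex are assumptions made for this example; the regex covers the characters base-32 output can produce rather than the full Unicode NCName grammar.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.regex.Pattern;

// Added example, not part of CloudStack: reproduces the failure mode of
// SAMLUtils.generateSecureRandomId() and shows a prefixed variant that
// always yields an xs:ID-compatible value.
public class SamlIdExample {
    private static final SecureRandom RNG = new SecureRandom();

    // xs:ID is an NCName: the first character must be a letter or underscore,
    // never a digit. ASCII subset only, which is all base-32 output can contain.
    // Hypothetical helper, not a CloudStack API.
    private static final Pattern NCNAME =
            Pattern.compile("^[A-Za-z_][A-Za-z0-9_.-]*$");

    // Same logic as the CloudStack method quoted in the report.
    static String originalId() {
        return new BigInteger(160, RNG).toString(32);
    }

    // Fixed variant: prepend "id" as Azure AD's documentation recommends,
    // so the first character is always a letter regardless of the random part.
    static String prefixedId() {
        return "id" + originalId();
    }

    static boolean isValidSamlId(String id) {
        return NCNAME.matcher(id).matches();
    }

    public static void main(String[] args) {
        int samples = 100_000;
        int rejectedOriginal = 0;
        int rejectedPrefixed = 0;
        for (int i = 0; i < samples; i++) {
            if (!isValidSamlId(originalId())) rejectedOriginal++;
            if (!isValidSamlId(prefixedId())) rejectedPrefixed++;
        }
        // BigInteger.toString drops leading zeros, so the first character is
        // uniform over the 31 non-zero base-32 symbols; 9 of them (1-9) are
        // digits, so roughly 29% of unprefixed IDs are rejected.
        System.out.printf("unprefixed IDs rejected: %d of %d (%.1f%%)%n",
                rejectedOriginal, samples, 100.0 * rejectedOriginal / samples);
        System.out.printf("prefixed IDs rejected:   %d of %d%n",
                rejectedPrefixed, samples);
        System.out.println("example prefixed ID: " + prefixedId());
    }
}
```

Run with `javac SamlIdExample.java && java SamlIdExample`. The unprefixed count lands near 29,000 of 100,000 while the prefixed count is always 0, which matches the intermittent behaviour seen against Azure AD: the same code path succeeds or fails purely on the leading character of the random value.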
EXPECTED RESULTS
Successful authentication with SAML and Azure AD.
ACTUAL RESULTS
Intermittent authentication failure with SAML and Azure AD.