Automatically pass user credentials from SAML login to network 802.1x authentication
Reported by
jstra...@mbhs.sa.edu.au,
Aug 3
|
|||
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Platform: 10575.58.0 (Official Build) stable-channel snappy
Steps to reproduce the problem:
1. Configure a device to automatically connect to an 802.1x wireless network in user mode utilizing the ${LOGIN_ID} and ${PASSWORD} tokens as per the following page: https://support.google.com/chrome/a/answer/2634553#variables
2. Configure SAML single sign-on for Chrome devices as per the following page: https://support.google.com/chrome/a/answer/6060880?hl=en
3. Sign-in to the Chrome device using SAML authentication.
What is the expected behavior?
Once signed-in the device should automatically connect to the 802.1x wireless SSID using the user's credentials that were supplied during the SAML sign-in.
The user will not have to provide any further input to connect to the 802.1x SSID.
What went wrong?
The device is unable to automatically connect to the 802.1x wireless SSID.
The wireless configuration appears to translate the ${USER_ID} token to the user's username but it does not translate the ${PASSWORD} token to the user's password.
Did this work before? N/A
Chrome version: 67.0.3396.101 Channel: n/a
OS Version: 67.0.3396.101
Flash Version: 30.0.0.113
I believe this is a feature request more so than a bug.
I also see it as a natural extension to the following issue which implemented the ${PASSWORD} token. https://bugs.chromium.org/p/chromium/issues/detail?id=386606
This referenced issue introduced functionality to allow capturing the user's password from the ChromeOS login screen when the user logs in. Once logged in, the user's password can be substituted through the use of the ${PASSWORD} token allowing for the dynamic implementation of 802.1x single sign on in enterprise scenarios.
Our preference would be to utilize ADFS and SAML where possible for authenticating users directly back to our Active Directory removing the requirement to sync user passwords to Google servers.
With this in mind, it is my understanding that the Chrome Credentials Passing API ( http://www.chromium.org/administrators/advanced-integration-for-saml-sso-on-chrome-devices ) has the capability to pass the user's password from the SAML authentication workflow to the ChromeOS device as plain text. If this is indeed correct, I see the next logical step would be to store the password for use with the ${PASSWORD} token.
Functionality such as this would make Chromebooks far easier to implement and deploy in enterprise scenarios where unique logins are required to be used for connecting to 802.1x networks.
,
Aug 3
Looks like this is very similar to https://bugs.chromium.org/p/chromium/issues/detail?id=386606 (just replace SAML by ChromeOS in the subject). The crucial and tricky part is passing the password around in a safe way. May already solved this with her password API. Hooking this up with SAML shouldn't be too hard now since, as Pavol pointed out, Chrome OS needs the password, anyway. Unless only a password is hashed immediately when scraped from the page, I guess.
,
Aug 3
My point was that I'd have assumed that this already works transparently with passwords scraped/received from SAML IdPs, as they seem to end up in the same GaiaScreenHandler functions. But I'll have to test to confirm.
,
Aug 3
Does this go through the AD flow? It looks like there's a different auth flow for that in GaiaScreenHandler: https://cs.chromium.org/chromium/src/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc?rcl=ef36dc19986a90f49d0d31520c88d310d72bd038&l=671
,
Aug 5
Thanks for looking into this.
You are correct. The authentication being used is EAP with MS-CHAPv2.
This is the value of DeviceOpenNetworkConfiguration:
{
"Certificates": [ {
"GUID": "{1fbcf48f-261a-4f16-a8c8-320cec53d2e3}",
"Type": "Authority",
"X509": "-----BEGIN CERTIFICATE-----\r\nMIIDtTCCAp2gAwIBAgIQGLT/uRTOx4RO17H1d0hLGDANBgkqhkiG9w0BAQUFADBt\r\nMRIwEAYKCZImiZPyLGQBGRYCYXUxEzARBgoJkiaJk/IsZAEZFgNlZHUxEjAQBgoJ\r\nkiaJk/IsZAEZFgJzYTEUMBIGCgmSJomT8ixkARkWBG1iaHMxGDAWBgNVBAMTD21i\r\naHMtTUJIU1JEMS1DQTAeFw0xMDA5MTUwNjA3MDVaFw0yNTA5MTUwNjE3MDRaMG0x\r\nEjAQBgoJkiaJk/IsZAEZFgJhdTETMBEGCgmSJomT8ixkARkWA2VkdTESMBAGCgmS\r\nJomT8ixkARkWAnNhMRQwEgYKCZImiZPyLGQBGRYEbWJoczEYMBYGA1UEAxMPbWJo\r\ncy1NQkhTUkQxLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx04y\r\no7GH4N5sTgwLNGV1p78h0qHLfYhdWk1Byki57s9yCIK3nrdKQSdFCsI2wP/8LAde\r\nMOGnp135GPVKDay2Eru/cpCwUXXczkfEDeh63tPkPbNQF3Oo+sNzUZzjX4jfxiM+\r\nY2u8wokHlydXmCLSlA+YCVdevdBVLyuUhgfyB4jBAl03p/M6qwyZgDxIweO1fEgx\r\nlvPuhqEY05vDisZo8uYdEsSU5PZ+BQPgjSjsysivM/7fIq2jsHY1YDOEDqvNA5jx\r\noMA3Ef0eBavvZ+grbevBGSdZvyqHzbwyRgQBRAzBBm40cHgS6wyeiSdHVdyXFuUy\r\n1FZh48F2tlgSgVxAJQIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw\r\nAwEB/zAdBgNVHQ4EFgQUBbLjj/z1AkJW/tLEu1vq+Ubf6VkwEAYJKwYBBAGCNxUB\r\nBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBADd8F56+hGc98gSjmdldHxwWCE0j4iaE\r\nwWuWVY2fhu5Fg46wKWY43CUZ7mDZbpHAgfxfN+fdlbpyRcAPduMVzqHrQuAIrWG4\r\nWEWNpJkkf4v2AzLXyDKaUth69bmrDV49mv46AzcY1+F1BiViGZ6Bc04sYJy15wdW\r\ntfkhNmq1FF1rmeUl1UC5HK2BYmq1d353GQlbK9guvgb8L49ZlYfRdyoVHTpng+sd\r\nuQu4nl79jq4Cv5UHWZr015hF/aKwVC5qTdHlPgqdtvJBLQ+Gf5dzS5Wczg2micKE\r\nVwXLNZKgU+vrY27gUpFOK80YcjGit6QDrO0ZM0PCLzTq5RFGTNc6Ifo=\r\n-----END CERTIFICATE-----"
} ],
"GlobalNetworkConfiguration": {
},
"NetworkConfigurations": [ {
"GUID": "{5ecd646e-7bfc-4dc5-991d-23259ad04c72}",
"Name": "Logon - BYOD",
"ProxySettings": {
"Type": "Direct"
},
"Type": "WiFi",
"WiFi": {
"AutoConnect": true,
"EAP": {
"Identity": "chromebook",
"Inner": "MSCHAPv2",
"Outer": "PEAP",
"Password": "********",
"Recommended": [ "AnonymousIdentity", "Identity", "Password" ],
"SaveCredentials": true,
"ServerCARef": "{1fbcf48f-261a-4f16-a8c8-320cec53d2e3}",
"UseSystemCAs": true
},
"HiddenSSID": false,
"SSID": "MBHS BYOD",
"Security": "WPA-EAP"
}
} ]
}
This is the value of OpenNetworkConfiguration:
{
"Certificates": [ {
"GUID": "{0a950b6d-fd6e-4859-a5f8-d068a3d6e881}",
"Type": "Authority",
"X509": "-----BEGIN CERTIFICATE-----\r\nMIIDtTCCAp2gAwIBAgIQGLT/uRTOx4RO17H1d0hLGDANBgkqhkiG9w0BAQUFADBt\r\nMRIwEAYKCZImiZPyLGQBGRYCYXUxEzARBgoJkiaJk/IsZAEZFgNlZHUxEjAQBgoJ\r\nkiaJk/IsZAEZFgJzYTEUMBIGCgmSJomT8ixkARkWBG1iaHMxGDAWBgNVBAMTD21i\r\naHMtTUJIU1JEMS1DQTAeFw0xMDA5MTUwNjA3MDVaFw0yNTA5MTUwNjE3MDRaMG0x\r\nEjAQBgoJkiaJk/IsZAEZFgJhdTETMBEGCgmSJomT8ixkARkWA2VkdTESMBAGCgmS\r\nJomT8ixkARkWAnNhMRQwEgYKCZImiZPyLGQBGRYEbWJoczEYMBYGA1UEAxMPbWJo\r\ncy1NQkhTUkQxLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx04y\r\no7GH4N5sTgwLNGV1p78h0qHLfYhdWk1Byki57s9yCIK3nrdKQSdFCsI2wP/8LAde\r\nMOGnp135GPVKDay2Eru/cpCwUXXczkfEDeh63tPkPbNQF3Oo+sNzUZzjX4jfxiM+\r\nY2u8wokHlydXmCLSlA+YCVdevdBVLyuUhgfyB4jBAl03p/M6qwyZgDxIweO1fEgx\r\nlvPuhqEY05vDisZo8uYdEsSU5PZ+BQPgjSjsysivM/7fIq2jsHY1YDOEDqvNA5jx\r\noMA3Ef0eBavvZ+grbevBGSdZvyqHzbwyRgQBRAzBBm40cHgS6wyeiSdHVdyXFuUy\r\n1FZh48F2tlgSgVxAJQIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw\r\nAwEB/zAdBgNVHQ4EFgQUBbLjj/z1AkJW/tLEu1vq+Ubf6VkwEAYJKwYBBAGCNxUB\r\nBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBADd8F56+hGc98gSjmdldHxwWCE0j4iaE\r\nwWuWVY2fhu5Fg46wKWY43CUZ7mDZbpHAgfxfN+fdlbpyRcAPduMVzqHrQuAIrWG4\r\nWEWNpJkkf4v2AzLXyDKaUth69bmrDV49mv46AzcY1+F1BiViGZ6Bc04sYJy15wdW\r\ntfkhNmq1FF1rmeUl1UC5HK2BYmq1d353GQlbK9guvgb8L49ZlYfRdyoVHTpng+sd\r\nuQu4nl79jq4Cv5UHWZr015hF/aKwVC5qTdHlPgqdtvJBLQ+Gf5dzS5Wczg2micKE\r\nVwXLNZKgU+vrY27gUpFOK80YcjGit6QDrO0ZM0PCLzTq5RFGTNc6Ifo=\r\n-----END CERTIFICATE-----"
} ],
"NetworkConfigurations": [ {
"GUID": "{7bceb027-4e4e-4b01-9742-8cc7548432da}",
"Name": "Logged On - BYOD",
"ProxySettings": {
"Type": "Direct"
},
"Type": "WiFi",
"WiFi": {
"AutoConnect": true,
"EAP": {
"Identity": "${LOGIN_ID}",
"Inner": "MSCHAPv2",
"Outer": "PEAP",
"Password": "${PASSWORD}",
"Recommended": [ "AnonymousIdentity", "Identity", "Password" ],
"SaveCredentials": true,
"ServerCARef": "{0a950b6d-fd6e-4859-a5f8-d068a3d6e881}",
"UseSystemCAs": true
},
"HiddenSSID": false,
"SSID": "MBHS BYOD",
"Security": "WPA-EAP"
}
} ]
}
I have also attached a screenshot of the screen I am given if I try to manually connect to the wireless network. I have obscured the username but this was substituted correctly. You can see however, if I show the password it is still using the ${PASSWORD} token.
,
Aug 6
Note that the replacement for the ${PASSWORD} placeholder of the EAP.Password field is performed in a protected system daemon to reduce the risk of exposing the user's password due to vulnerabilities/bugs. This means that the replacement will _not_ be visible on the UI.
May, do you know if the password replacement works even when the field is marked as "Recommended"? I think it should but I was not 100% sure.
Thanks!
,
Aug 6
It works even when marked as "Recommended".
,
Aug 13
To update this. I was doing some further testing of other ChromeOS functionality when I noticed that the Chromebook I was using had successfully connected to the wireless SSID. Checking our wireless controller I could see that the Chromebook had connected using my personal username/password as intended. Thinking that I may have saved credentials I logged in with a previously unused account and the same behavior occurred. Automatically connected to the wireless SSID using the username/password of the user that had logged into the Chromebook via SAML. I am unsure why it is all of a sudden working now when it did not previously. I have not changed any settings that I believe should impact this. However, I just want to advise that the functionality appears to be working as expected so this issue can be closed.
,
Aug 28
Thanks for reporting that this works now. The issues you have been seeing might be also related bug 873775 . I'll close this for now, please feel free to reopen and/or comment here if you see it happen again. |
|||
►
Sign in to add a comment |
|||
Comment 1 by pmarko@chromium.org
, Aug 3Owner: pmarko@chromium.org