Invalid user after SAML Login

Hello,

We use the Rocket.Chat snap, version 3.12.1, and recently switched from LDAP login to SAML (Azure AD) login only.
Sometimes (not always) the user login does not work and shows the message “invalid user”. Often a single reload solves the problem, but sometimes even this workaround does not work.
In the View Logs panel we get these messages:

I20210312-12:44:05.790(1) Exception while invoking method getUserRoles Error: Invalid user [error-invalid-user] at MethodInvocation.getUserRoles (app/lib/server/methods/getUserRoles.js:9:10) at MethodInvocation.methodsMap. (app/lib/server/lib/debug.js:76:34) at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1771:12) at packages/ddp-server/livedata_server.js:1689:15 at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12) at packages/ddp-server/livedata_server.js:1687:36 at new Promise () at Server.applyAsync (packages/ddp-server/livedata_server.js:1686:12) at Server.apply (packages/ddp-server/livedata_server.js:1625:26) at Server.call (packages/ddp-server/livedata_server.js:1607:17) at Object.post (app/api/server/v1/misc.js:263:26) at app/api/server/api.js:394:82 at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12) at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39) at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32) at packages/nimble_restivus/lib/route.coffee:59:33 at packages/simple_json-routes.js:98:9 => awaited here: at Promise.await (/snap/rocketchat-server/1457/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12) at Server.apply (packages/ddp-server/livedata_server.js:1638:22) at Server.call (packages/ddp-server/livedata_server.js:1607:17) at Object.post (app/api/server/v1/misc.js:263:26) at app/api/server/api.js:394:82 at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12) at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39) at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32) at packages/nimble_restivus/lib/route.coffee:59:33 at packages/simple_json-routes.js:98:9
I20210312-12:44:05.864(1) Exception while invoking method listCustomUserStatus Error: Invalid user [error-invalid-user] at MethodInvocation.listCustomUserStatus (app/user-status/server/methods/listCustomUserStatus.js:9:10) at MethodInvocation.methodsMap. (app/lib/server/lib/debug.js:76:34) at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1771:12) at packages/ddp-server/livedata_server.js:1689:15 at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12) at packages/ddp-server/livedata_server.js:1687:36 at new Promise () at Server.applyAsync (packages/ddp-server/livedata_server.js:1686:12) at Server.apply (packages/ddp-server/livedata_server.js:1625:26) at Server.call (packages/ddp-server/livedata_server.js:1607:17) at Object.post (app/api/server/v1/misc.js:263:26) at app/api/server/api.js:394:82 at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12) at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39) at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32) at packages/nimble_restivus/lib/route.coffee:59:33 at packages/simple_json-routes.js:98:9 => awaited here: at Promise.await (/snap/rocketchat-server/1457/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12) at Server.apply (packages/ddp-server/livedata_server.js:1638:22) at Server.call (packages/ddp-server/livedata_server.js:1607:17) at Object.post (app/api/server/v1/misc.js:263:26) at app/api/server/api.js:394:82 at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12) at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39) at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32) at packages/nimble_restivus/lib/route.coffee:59:33 at packages/simple_json-routes.js:98:9

In the syslog we see this output:

Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: Exception while invoking method getUserRoles Error: Invalid user [error-invalid-user]
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at MethodInvocation.getUserRoles (app/lib/server/methods/getUserRoles.js:9:10)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at MethodInvocation.methodsMap. (app/lib/server/lib/debug.js:76:34)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1771:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/ddp-server/livedata_server.js:1689:15
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/ddp-server/livedata_server.js:1687:36
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at new Promise ()
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Server.applyAsync (packages/ddp-server/livedata_server.js:1686:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Server.apply (packages/ddp-server/livedata_server.js:1625:26)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Server.call (packages/ddp-server/livedata_server.js:1607:17)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Object.post (app/api/server/v1/misc.js:263:26)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at app/api/server/api.js:394:82
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/nimble_restivus/lib/route.coffee:59:33
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/simple_json-routes.js:98:9
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: => awaited here:
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Promise.await (/snap/rocketchat-server/1457/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Server.apply (packages/ddp-server/livedata_server.js:1638:22)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Server.call (packages/ddp-server/livedata_server.js:1607:17)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Object.post (app/api/server/v1/misc.js:263:26)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at app/api/server/api.js:394:82
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/nimble_restivus/lib/route.coffee:59:33
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/simple_json-routes.js:98:9
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: Exception while invoking method listCustomUserStatus Error: Invalid user [error-invalid-user]
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at MethodInvocation.listCustomUserStatus (app/user-status/server/methods/listCustomUserStatus.js:9:10)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at MethodInvocation.methodsMap. (app/lib/server/lib/debug.js:76:34)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1771:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/ddp-server/livedata_server.js:1689:15
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/ddp-server/livedata_server.js:1687:36
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at new Promise ()
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Server.applyAsync (packages/ddp-server/livedata_server.js:1686:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Server.apply (packages/ddp-server/livedata_server.js:1625:26)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Server.call (packages/ddp-server/livedata_server.js:1607:17)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Object.post (app/api/server/v1/misc.js:263:26)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at app/api/server/api.js:394:82
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/nimble_restivus/lib/route.coffee:59:33
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/simple_json-routes.js:98:9
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: => awaited here:
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Promise.await (/snap/rocketchat-server/1457/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Server.apply (packages/ddp-server/livedata_server.js:1638:22)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Server.call (packages/ddp-server/livedata_server.js:1607:17)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Object.post (app/api/server/v1/misc.js:263:26)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at app/api/server/api.js:394:82
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/nimble_restivus/lib/route.coffee:59:33
Mar 12 12:44:05 rocketchat01 rocketchat-server.rocketchat-server[337279]: at packages/simple_json-routes.js:98:9

The problem is independent of the browser (tested with Firefox, Chrome and the native RC client), and we cannot see any failure on our firewall or web load balancer at all.
Do you have any clues, or can you help us?

What does the SAML response look like (use the SAML tracer extension to capture it, if you don’t know what that is)? How many roles does the user have assigned?

Hello Jan,

Here is a link to the debug log from my login:

I had to reload the site four times until I was finally logged in.
Do you see anything useful in this log?

Best regards

Sorry, I asked for the SAML response and you gave me a thousand lines. Please don’t expect me to spend minutes searching through all the lines just to find the SAML response for you. I would recommend finding paid support in this case.

I apologize for that. Here is the single SAML Response:
<samlp:Response ID="_decd170a-3ebb-4fdd-a521-a2ec42243633" Version="2.0" IssueInstant="2021-03-14T17:44:24.744Z" Destination="https://rocketchat.mydomain.com/_saml/validate/my-app" InResponseTo="id-FyYLS5LxgQQMwr4ch" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/anonymized_tenant_id/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="_0a9bf816-e134-4433-bf1a-7a4562962a00" IssueInstant="2021-03-14T17:44:24.739Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/anonymized_tenant_id/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="#_0a9bf816-e134-4433-bf1a-7a4562962a00">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>KUnBYZNo5P01/VGi1yyhF6pIr1+jK7YS1u4qJqavpRg=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>FkemUdmlshq7dZFRcQltdFKyrGwz7pHiUUPz08+2EaSpPl58V+0KqEw7KmWgMndV29GK0l8ivklSTEZr9kTDD2qrusizau2xOLCEjPi4WpT5Fy34fL0VIyJVi6CHyeQtStOUycxRZxLbVePpPbFwkIPeTxw2fw5i2oefneUIaj/JKnWMSnRhugJjHaHuJXv8xSC1VvjQ55pReuHi/YMYDGoO6r4hJIdttofqx6CywXJLatrqxiW83LtcIsxXTgKfGuS4UK8LuW/g4jdjIn/5axVdqBGL7tuaXoEPnZxvcd83z1K5DIb6dC24fwpf/1cq6KA25eD4ezUYpiSvHBTCzw==</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>[certificate omitted]</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Daniel.Prestin@mydomain.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="id-FyYLS5LxgQQMwr4ch" NotOnOrAfter="2021-03-14T18:44:24.574Z" Recipient="https://rocketchat.mydomain.com/_saml/validate/my-app"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2021-03-14T17:39:24.574Z" NotOnOrAfter="2021-03-14T18:44:24.574Z">
      <AudienceRestriction>
        <Audience>https://rocketchat.mydomain.com/_saml/metadata/my-app</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>anonymized_tenant_id</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>2966e646-2c1b-46ba-a960-ebc765d512c6</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>https://sts.windows.net/anonymized_tenant_id/</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
        <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
      </Attribute>
      <Attribute Name="email">
        <AttributeValue>Daniel.Prestin@mydomain.com</AttributeValue>
      </Attribute>
      <Attribute Name="nutzername">
        <AttributeValue>Daniel Prestin</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2021-03-14T17:44:22.867Z" SessionIndex="_0a9bf816-e134-4433-bf1a-7a4562962a00">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

I don’t see any roles in the SAML response. But it’s failing on

So the user is still not logged in. I would double-check the SAML configuration and compare the SAML response of a successful login with the SAML response of an unsuccessful login.

Hello Jan,

Good hint to compare the SAML response of a successful login with that of an unsuccessful login.
Unfortunately, they both look very similar:
<samlp:Response ID="_f93bbddb-cb9c-4771-a7c9-22eed129f664" Version="2.0" IssueInstant="2021-03-19T12:19:41.393Z" Destination="https://rocketchat.mydomain.com/_saml/validate/my-app" InResponseTo="id-94hwA87uxiCc9EYKT" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/anonymized_tenant_id/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="_48acf8fa-5e94-4e8d-b0ad-34711f7a0e00" IssueInstant="2021-03-19T12:19:41.388Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/anonymized_tenant_id/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="#_48acf8fa-5e94-4e8d-b0ad-34711f7a0e00">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>Ekx3D/Owwginq/PwMpL0NKaQSiGiMkfQ3Xu68nj3Ncw=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>A2hyt2gxm59qUhMvcNP2kZahOKb/kdC+u3kentP9wvCztF+B8MLoUmwNNTx2raJ1lOJvCsIvwBvfcMGUtF+0dPg6bS07Oxzg1INGW5sOiJw0XwZbu57zJ3EfEhUIEqYTJvBtTSSnwRdVB8Bl6rNRtIQiDcq6QUMYeGmjIVCVgVZRzeC9WlGKP3NQMcv0RrRYJwQVU3EIGJXLPj3/jBaiR0FcgE7/6RScLpBnKSkPttWLl78I4J0j8YwqjLxFm989qYmpOiXCi+ON6AENGMycS4PAsA+O5WfXjKYjR/C6aD+L7N844Go8stSPa/nBXRb+ppWzds/N54/F3SLT7J/2iw==</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>[certificate omitted]</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Daniel.Prestin@mydomain.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="id-94hwA87uxiCc9EYKT" NotOnOrAfter="2021-03-19T13:19:41.278Z" Recipient="https://rocketchat.mydomain.com/_saml/validate/my-app"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2021-03-19T12:14:41.278Z" NotOnOrAfter="2021-03-19T13:19:41.278Z">
      <AudienceRestriction>
        <Audience>https://rocketchat.mydomain.com/_saml/metadata/my-app</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>anonymized_tenant_id</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>2966e646-2c1b-46ba-a960-ebc765d512c6</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>https://sts.windows.net/anonymized_tenant_id/</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
        <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
      </Attribute>
      <Attribute Name="email">
        <AttributeValue>Daniel.Prestin@mydomain.com</AttributeValue>
      </Attribute>
      <Attribute Name="nutzername">
        <AttributeValue>Daniel Prestin</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2021-03-19T12:19:39.569Z" SessionIndex="_48acf8fa-5e94-4e8d-b0ad-34711f7a0e00">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

Do you see any difference?
Best regards
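The comparison Jan suggested, and the checks an SP applies to a bearer assertion before it accepts the login, as an added Python example that is not part of this thread and not Rocket.Chat's own code. FIRST and SECOND are reconstructed from the two responses posted above with the Signature block and the Microsoft claim attributes dropped for brevity, so signature verification is deliberately out of scope here; the SP entity id and ACS URL are the ones visible in the responses, and the 60-second clock-skew allowance is an assumption for the example, not a product setting. Eyeballing two long single-line responses hides differences; summarising them into a flat dict and diffing everything except the per-login fields makes a real difference (or, as in this thread, the absence of one) obvious, and the validity-window check is the piece a human comparison misses entirely, because NotBefore/NotOnOrAfter are only meaningful relative to the clock of the server that receives the response.

```python
# Added example: diff two SAML responses and run basic SP-side checks on them.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP identifiers exactly as they appear in the posted responses.
SP_ENTITY_ID = "https://rocketchat.mydomain.com/_saml/metadata/my-app"
SP_ACS_URL = "https://rocketchat.mydomain.com/_saml/validate/my-app"

# Reconstructed from the thread (Signature and Microsoft claims removed for brevity).
TEMPLATE = """<samlp:Response ID="{rid}" Version="2.0" IssueInstant="{issued}" Destination="{acs}"
    InResponseTo="{inresp}" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="{aid}" IssueInstant="{issued}" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/anonymized_tenant_id/</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Daniel.Prestin@mydomain.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="{inresp}" NotOnOrAfter="{nooa}" Recipient="{acs}"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="{nb}" NotOnOrAfter="{nooa}">
      <AudienceRestriction><Audience>{entity}</Audience></AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="email"><AttributeValue>Daniel.Prestin@mydomain.com</AttributeValue></Attribute>
      <Attribute Name="nutzername"><AttributeValue>Daniel Prestin</AttributeValue></Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="{authn}" SessionIndex="{aid}"/>
  </Assertion>
</samlp:Response>"""


def build(rid, aid, issued, inresp, nb, nooa, authn):
    """Fill the template with the per-login values of one posted response."""
    return TEMPLATE.format(rid=rid, aid=aid, issued=issued, inresp=inresp, nb=nb,
                           nooa=nooa, authn=authn, acs=SP_ACS_URL, entity=SP_ENTITY_ID)


FIRST = build("_decd170a-3ebb-4fdd-a521-a2ec42243633", "_0a9bf816-e134-4433-bf1a-7a4562962a00",
              "2021-03-14T17:44:24.739Z", "id-FyYLS5LxgQQMwr4ch",
              "2021-03-14T17:39:24.574Z", "2021-03-14T18:44:24.574Z", "2021-03-14T17:44:22.867Z")
SECOND = build("_f93bbddb-cb9c-4771-a7c9-22eed129f664", "_48acf8fa-5e94-4e8d-b0ad-34711f7a0e00",
               "2021-03-19T12:19:41.388Z", "id-94hwA87uxiCc9EYKT",
               "2021-03-19T12:14:41.278Z", "2021-03-19T13:19:41.278Z", "2021-03-19T12:19:39.569Z")


def parse_iso(ts):
    """Azure AD emits millisecond UTC timestamps such as 2021-03-14T17:44:24.739Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def summarize(xml_text):
    """Reduce a response to the fields an SP actually decides on."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    name_id = a.find("saml:Subject/saml:NameID", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    conds = a.find("saml:Conditions", NS)
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "issuer": a.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "recipient": scd.get("Recipient"),
        "audience": conds.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_before": conds.get("NotBefore"),
        "not_on_or_after": conds.get("NotOnOrAfter"),
        "session_index": a.find("saml:AuthnStatement", NS).get("SessionIndex"),
        "attributes": {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
                       for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)},
    }


# Fields that legitimately differ between any two logins; excluded from the diff.
PER_LOGIN = {"in_response_to", "not_before", "not_on_or_after", "session_index"}


def compare(xml_a, xml_b):
    """Return {field: (value_a, value_b)} for every field that meaningfully differs."""
    sa, sb = summarize(xml_a), summarize(xml_b)
    return {k: (sa[k], sb[k]) for k in sa if k not in PER_LOGIN and sa[k] != sb[k]}


def validate(xml_text, outstanding_request_id, received_at, skew=timedelta(seconds=60)):
    """SP-side checks on a bearer assertion; returns problems, empty list means pass.
    The 60 s skew allowance is an assumption for this example."""
    s = summarize(xml_text)
    problems = []
    if not s["status"].endswith(":Success"):
        problems.append(f"status is {s['status']}")
    if s["audience"] != SP_ENTITY_ID:
        problems.append(f"audience {s['audience']!r} is not this SP's entity id")
    if s["recipient"] != SP_ACS_URL or s["destination"] != SP_ACS_URL:
        problems.append("Recipient/Destination do not match the ACS URL")
    if s["in_response_to"] != outstanding_request_id:
        problems.append(f"InResponseTo {s['in_response_to']!r} matches no outstanding AuthnRequest")
    if received_at < parse_iso(s["not_before"]) - skew:
        problems.append(f"not yet valid: NotBefore {s['not_before']} (IdP/SP clock skew?)")
    if received_at >= parse_iso(s["not_on_or_after"]) + skew:
        problems.append(f"expired: NotOnOrAfter {s['not_on_or_after']}")
    return problems


if __name__ == "__main__":
    print("differences:", compare(FIRST, SECOND) or "none beyond per-login fields")
    print("first response:", validate(FIRST, "id-FyYLS5LxgQQMwr4ch",
                                      parse_iso("2021-03-14T17:44:30.000Z")) or "passes")
```

Run against the two posted responses, `compare` reports no difference beyond the per-login fields, which matches what Daniel saw by eye. The `validate` function is where the intermittent case becomes testable: feed it the time at which the SP received the response and it tells you whether the assertion was outside its window or answered a request the SP no longer had outstanding, two things the response text alone can never show.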

This sounds like it could be the same issue we’re experiencing in other places.

See my latest comment on this other post where I discuss what I’ve found so far:

Another related issue that I’m having, apparently due to the same bug: