
Failing to create PASSession using psPAS

Status: Open. Mordanthanus opened this issue 2 years ago • 1 comment

Problem: When trying to use the webview2 exe with psPAS, I'm not able to authenticate with my Cyberark instance.

Environment: Cyberark 12.6.5 - My team does not control this application and we can't make any config changes. Currently using PowerShell ISE 5.1 in Windows 10 due to wide availability. Current versions of your code as well as psPAS (as of today)

What I am experiencing:

$SamlResponse = .\getSAMLResponse.exe https://sapm.domain.com/PasswordVault/v10/logon/saml
New-PASSession -BaseURI https://sapm.domain.com/PasswordVault/v10/ -SAMLResponse $SamlResponse

This creates a bad session...

Get-PASSession

User BaseURI                                                 ExternalVersion WebSession
---- -------                                                 --------------- ----------
     https://sapm.domain.com/PasswordVault/v10/PasswordVault 0.0             Microsoft.PowerShell.Commands.WebRequestSession

When trying to use this session, I get errors like the following...

Invoke-WebRequest : Specified value has invalid CRLF characters.
Parameter name: value
At line:216 char:19
+ ... $APIResponse = Invoke-WebRequest @PSBoundParameters -ErrorAction Stop
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Invoke-WebRequest], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

I have also tried .Trim()-ing the $SamlResponse to no avail.

Further info: Working with psPete and Slasky in the Cyberark-Eng Discord, we tested Invoke-RestMethod using the SAML response from your tool and it spits back a bunch of HTML, none of which contains a token or web auth. When looking at the headers of the invalid PASSession, it contains the same HTML. We are definitely doing SP initiated auth. We attempted the workaround listed here https://github.com/pspete/psPAS/issues/462#issuecomment-1474118492, but the output of your tool isn't JSON, but base64 XML. I am able to read the XML using this tool - https://www.samltool.com/decode.php

Mordanthanus, Aug 29 '23 13:08

Running the following:

$SamlResponse = .\getSAMLResponse.exe https://sapm.domain.com/PasswordVault/v10/logon/saml

After retrieving the contents of this variable and pasting into the decoder here, then formatting it in VSCode, I get this

[image: decoded and formatted SAML response]

How do I use this to create a new session with psPAS?

Mordanthanus, Sep 02 '23 03:09
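A diagnostic for the symptom described in both posts above, added here as an example and not code from the issue author, psPAS or getSAMLResponse: it checks whether the captured $SamlResponse carries embedded CR/LF (which .Trim() leaves in place and which matches the Invoke-WebRequest error), and whether the value decodes to a samlp:Response with a Success status. The function name is hypothetical; $SamlResponse is assumed to hold the tool's output as in the issue.

```powershell
# Added diagnostic (not part of psPAS or getSAMLResponse): inspect the value
# returned by getSAMLResponse.exe before passing it to New-PASSession.
# $SamlResponse is assumed to hold that tool's output, as in the issue.
function Test-SamlResponseValue {
    param([Parameter(Mandatory)][string]$SamlResponse)

    $samlp = 'urn:oasis:names:tc:SAML:2.0:protocol'
    $result = [ordered]@{
        Length      = $SamlResponse.Length
        HasCrLf     = [bool]($SamlResponse -match "[`r`n]")   # Trim() misses inner breaks
        Cleaned     = $SamlResponse -replace '\s', ''          # strip all whitespace
        IsBase64    = $false
        RootElement = $null
        StatusCode  = $null
        Error       = $null
    }

    try {
        $bytes = [Convert]::FromBase64String($result.Cleaned)
        $result.IsBase64 = $true
        # Drop a UTF-8 BOM if present; XmlDocument rejects it at the root.
        $text = [Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
        $xml = New-Object System.Xml.XmlDocument
        $xml.LoadXml($text)
        $result.RootElement = $xml.DocumentElement.Name        # expect samlp:Response
        $status = $xml.GetElementsByTagName('StatusCode', $samlp) | Select-Object -First 1
        if ($status) { $result.StatusCode = $status.GetAttribute('Value') }
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Example use with the variable from the issue:
$check = Test-SamlResponseValue -SamlResponse $SamlResponse
$check | Format-List Length, HasCrLf, IsBase64, RootElement, StatusCode, Error

# A value with embedded CR/LF cannot be sent as a header or form field as-is;
# retry with the whitespace-free form rather than the raw string.
if ($check.HasCrLf) {
    Write-Warning 'SAMLResponse contains embedded line breaks; using the cleaned value'
    $SamlResponse = $check.Cleaned
}
```

A StatusCode other than urn:oasis:names:tc:SAML:2.0:status:Success means the IdP rejected the request before the vault ever saw it, which is worth ruling out before debugging the psPAS side.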