'SSO Sign-in is not available' after changing SMTP info via Admin #79

Open
voc0der opened this issue Nov 12, 2024 · 5 comments
Labels
bug Something isn't working

Comments


voc0der commented Nov 12, 2024

Backstory: I've had this server running fine for a while now, and I wanted to get my SMTP info updated to a new mailserver I had, and away from Google.

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.32.4-1
  • Web-vault version: voidc_button-v2024.6.2-4
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.46.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************",
  "domain_origin": "*****://***********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "organization_invite_auto_accept": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*****************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*****************",
  "sso_allow_unknown_email_verification": true,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": true,
  "sso_authority": "https://auth.mydomain.com",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "https://vaultwarden.mydomain.com/identity/connect/oidc-signin",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "**********************************************************************",
  "sso_client_secret": "***",
  "sso_debug_force_fail_auth_code": false,
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_organizations_all_collections": true,
  "sso_organizations_id_mapping": "",
  "sso_organizations_invite": false,
  "sso_organizations_token_path": "/groups",
  "sso_pkce": true,
  "sso_roles_default_to_user": true,
  "sso_roles_enabled": false,
  "sso_roles_token_path": "/resource_access/*********************************************/roles",
  "sso_scopes": "email profile offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "/web-vault_button",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.32.4-1

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx (latest linuxserver image)

Host/Server Operating System

Linux

Operating System Version

Debian

Clients

Web Vault

Client Version

CLI 2024.6.2, Firefox latest

Steps To Reproduce

  1. Set up SSO with Authelia and have it working properly with this image
  2. Go to the /admin page
  3. Change SMTP information around a few times, I failed once or twice while there, but it worked when I left. Send a test email, verify that works.
  4. Now try to login to the vault, get
    image

CONFIG:

SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true
SSO_SIGNUPS_MATCH_EMAIL=true

Troubleshooting steps:

  1. Tried regenerating client_secret/id from authelia.
  2. Truncated sso_users
  3. Tried undoing the whole vaultwarden SSO install via the instructions https://github.com/Timshel/vaultwarden?tab=readme-ov-file#db-migration
  4. Tried SSO_SIGNUPS_MATCH_EMAIL set to false.
  5. Tried docker logs authelia, nothing making it through with debug logging set.
  6. Verified my load balancer settings.
  7. Verified Firewall not blocking traffic.
  8. Removing SSO_FRONTEND=override lets me log in again

Expected Result

Not to have SMTP settings break my provider

Actual Result

400 Bad Request (see logs)

Logs

[2024-11-12 19:59:50.614][request][INFO] GET /identity/sso/prevalidate?domainHint=fqwefwef
[2024-11-12 19:59:50.614][vaultwarden::api::identity][ERROR] SSO sign-in is not available
[2024-11-12 19:59:50.614][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 400 Bad Request

Additional Context

Was working beautifully before I started mucking with the SMTP settings. Because I had to change more than a SMTP settings in the admin panel, few things, it wasn't successful the first time, but I got there, and it did save correctly.

All clients are not working as you'd expect.

@voc0der voc0der added the bug Something isn't working label Nov 12, 2024
Author

voc0der commented Nov 12, 2024

Follow up; I had a backup from last night I restored. Immediately SSO was working again.

To verify this bug was real, again I went into the admin page, and meticulously changed the SMTP and then immediately trying the vault led to this again. The test email sent fine, and this time, I didn't make more than one edit.

I suppose I could go down the same rabbit hole of debugging the SQLite table but I don't know what I'm doing there besides clearing out rows in a few tables and such.

Owner

Timshel commented Nov 13, 2024

Hey,
The SSO sign-in is not available error should be returned only when the SSO_ENABLED setting is set to false.
I'll check if changing a setting using the admin interface resets it to the default false value.

Author

voc0der commented Nov 13, 2024

I should also note that since I forgot to originally, my email address itself did not change, just the SMTP provider. Thank you in advance!

If this is the case, for now I can get back up to speed by modifying the json. I'll try that. Thanks! I do see in the submission it's set to false.

Edit.. yep, SSO_ENABLED=true to environment overrides the behavior in the bug, and fixed it, not sure why I did not try that before. Thank you.

Owner

Timshel commented Nov 13, 2024

Hey
Made the test of changing config using the admin panel and the sso_enable is not present in the generated data/config.json file.

One possible explanation I can see is that if your installation is old enough then sso_enable was part of the admin configurable fields in the past, so maybe it was set to true in the data/config.json but when making a change a new file was generated without the parameter (since it was removed) which resulted in the server now using the default which is false.

Author

voc0der commented Nov 13, 2024

That's entirely possible. Was a very early install. I suspect it might happen to other early adopters, but it's not a big deal once you know to include the variable, or why it's happening! It might be worth documenting or giving a link here someplace and just closing the book on it.
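
Added example (not part of the thread and not Vaultwarden's own code): a check that compares a backed-up data/config.json with the one regenerated by an admin-panel save and reports every key that was silently dropped, together with the value it now falls back to. The sample files are constructed, the upper-cased environment variable naming is an assumption based on the sso_enabled / SSO_ENABLED pair in this issue, and the only default listed is the one confirmed above.

```python
import json

# Constructed sample: data/config.json from the backup of an early install,
# written when the SSO switch was still an admin-configurable field.
BACKUP = json.loads('{"smtp_host": "old-mail.example.org", "smtp_port": 587,'
                    ' "sso_enabled": true}')
# Constructed sample: the file regenerated by saving SMTP changes in /admin.
CURRENT = json.loads('{"smtp_host": "new-mail.example.org", "smtp_port": 465}')

# Only the default confirmed in the thread; extend from your version's docs.
KNOWN_DEFAULTS = {"sso_enabled": False}


def env_value(key, env):
    """Look up KEY in env (assumed naming: upper-cased config key)."""
    raw = env.get(key.upper())
    if raw is None:
        return None
    try:
        return json.loads(raw.lower())   # "true" -> True, "465" -> 465
    except ValueError:
        return raw                       # plain string such as a hostname


def audit_config_rewrite(before, after, env):
    """Report keys the rewrite dropped and what each one falls back to."""
    findings = []
    for key in sorted(set(before) - set(after)):
        from_env = env_value(key, env)
        if from_env is not None:
            now, source = from_env, "environment"
        elif key in KNOWN_DEFAULTS:
            now, source = KNOWN_DEFAULTS[key], "default"
        else:
            now, source = None, "unknown"
        findings.append({"key": key, "was": before[key], "now": now,
                         "source": source,
                         "changed": source == "unknown" or now != before[key]})
    return findings


if __name__ == "__main__":
    for env in ({}, {"SSO_ENABLED": "true"}):
        for f in audit_config_rewrite(BACKUP, CURRENT, env):
            print(env or "no env override", "->", f)
```

Running it against a backup before and after any admin-panel save shows whether a security-relevant switch changed without being edited; pinning such switches in the environment, as done in this issue, makes the `changed` flag go false.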
