Hi Giuseppe,

thanks for your e-mail. That is good advice. I figured the problem is that I use the Keycloak broker as an SP and set the URL to SATOSA with the idphint parameter as the SAML AuthnRequest URL. When I use a URL without idphint in the Keycloak broker and manually add this parameter, it works. I think it is a problem in Keycloak because it does not recognize the parameter in the SAML AuthnRequest URL.

Best Regards,
Marcin

On 29.07.2022 at 00:31, Giuseppe De Marco wrote:
Hi Marcin

In the log the relevant error is the following

saml2.s_utils.OtherError: Not destined for me!


That means that the validation of the request fails. Do you have a good destination value in your authn?

On Thu 28 Jul 2022, 09:42 Marcin Miłek <marcin.milek@pwr.edu.pl> wrote:
Hello everyone,

I have a problem with the "idp hinting" feature. I set in the SP a SAML
AuthnRequest URL, e.g.:
https://proxy.example.com/Saml2/sso/redirect?idphint=https%3A%2F%2Fidp.example.com%2Fidp%2Fshibboleth

I have SATOSA 8.1.0 with a Discovery Service:
https://service.seamlessaccess.org/ds/ and a configuration of idp
hinting:
https://github.com/IdentityPython/SATOSA/blob/master/example/plugins/microservices/idp_hinting.yaml.example

In the SATOSA SAML backend there is metadata from eduGAIN. (For this example I
changed the domain to "example.com")

After the authentication request, the SATOSA log shows:


[2022-07-26 14:09:40,711] [ERROR] [saml2.request._verify] https://proxy.example.com/Saml2/sso/redirect?idphint=https%3A%2F%2Fidp.example.com%2Fidp%2Fshibboleth not in ['https://proxy.example.com/Saml2/sso/redirect']
[2022-07-26 14:09:40,711] [ERROR] [satosa.base.run] [urn:uuid:1f970493-c436-4d86-83a5-88162a2ca2a1] Uncaught exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run
    resp = self._run_bound_endpoint(context, spec)
  File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint
    return spec(context)
  File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 100, in handle_authn_request
    return self._handle_authn_request(context, binding_in, self.idp)
  File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 195, in _handle_authn_request
    req_info = idp.parse_authn_request(context.request["SAMLRequest"], binding_in)
  File "/usr/local/lib/python3.6/site-packages/saml2/server.py", line 244, in parse_authn_request
    signature=signature)
  File "/usr/local/lib/python3.6/site-packages/saml2/entity.py", line 1080, in _parse_request
    _request.verify()
  File "/usr/local/lib/python3.6/site-packages/saml2/request.py", line 157, in verify
    return self._verify()
  File "/usr/local/lib/python3.6/site-packages/saml2/request.py", line 144, in _verify
    raise OtherError("Not destined for me!")
saml2.s_utils.OtherError: Not destined for me!
[2022-07-26 14:09:40,712] [ERROR] [satosa.proxy_server.__call__] Unknown error
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run
    resp = self._run_bound_endpoint(context, spec)
  File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint
    return spec(context)
  File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 100, in handle_authn_request
    return self._handle_authn_request(context, binding_in, self.idp)
  File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 195, in _handle_authn_request
    req_info = idp.parse_authn_request(context.request["SAMLRequest"], binding_in)
  File "/usr/local/lib/python3.6/site-packages/saml2/server.py", line 244, in parse_authn_request
    signature=signature)
  File "/usr/local/lib/python3.6/site-packages/saml2/entity.py", line 1080, in _parse_request
    _request.verify()
  File "/usr/local/lib/python3.6/site-packages/saml2/request.py", line 157, in verify
    return self._verify()
  File "/usr/local/lib/python3.6/site-packages/saml2/request.py", line 144, in _verify
    raise OtherError("Not destined for me!")
saml2.s_utils.OtherError: Not destined for me!

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/satosa/proxy_server.py", line 148, in __call__
    resp = self.run(context)
  File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 258, in run
    raise SATOSAUnknownError("Unknown error") from err
satosa.exception.SATOSAUnknownError: Unknown error


Do you know the solution to the problem?

Best Regards,
Marcin Miłek

_______________________________________________
Idpy-discuss mailing list -- idpy-discuss@lists.sunet.se
To unsubscribe send an email to idpy-discuss-leave@lists.sunet.se
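As an added example (not SATOSA's or pysaml2's own code), the following simplified model of the Destination check behind "Not destined for me!" shows why an AuthnRequest whose Destination carries the idphint query string fails the exact-match test against the configured endpoint list, and shows the working layout from the reply at the top of the thread: a bare Destination, with idphint only as an extra query parameter on the redirect URL. The endpoint list, URLs and request XML are constructed from the thread's example values.

```python
# Added example (not SATOSA or pysaml2 code): a simplified model of the
# Destination check that raised "Not destined for me!" in the log above.
# All URLs and the AuthnRequest XML are constructed sample values.
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Endpoints the proxy accepts, as printed in the log line "... not in [...]".
CONFIGURED_ENDPOINTS = ["https://proxy.example.com/Saml2/sso/redirect"]


def build_authn_request(destination):
    """Minimal AuthnRequest XML carrying the given Destination attribute."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_id1" Version="2.0" '
        f'IssueInstant="2022-07-26T14:09:40Z" Destination="{destination}"/>'
    )


def redirect_binding_url(sso_url, authn_request_xml, idphint=None):
    """HTTP-Redirect binding: raw-DEFLATE + base64 the request, then append
    idphint as a separate query parameter; the Destination inside the XML
    is left untouched."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if idphint:
        params["idphint"] = idphint
    return urlunsplit(urlsplit(sso_url)._replace(query=urlencode(params)))


def extract_destination(request_url):
    """Proxy side: decode SAMLRequest from the redirect URL and return its Destination."""
    query = parse_qs(urlsplit(request_url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode()
    return ET.fromstring(xml).get("Destination", "")


def verify_destination(request_url, endpoints=CONFIGURED_ENDPOINTS):
    """Mirror of the check in the traceback: Destination must exactly equal
    one of the configured endpoints; a query string on it is a mismatch."""
    return extract_destination(request_url) in endpoints
```

verify_destination returns False for the idphint-in-Destination layout from the log and True when the Destination is the bare endpoint and idphint travels only in the redirect URL's query string.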
