Dear all,
Is it possible to use a different discovery service depending on the SP
that sent a SAML AuthnRequest to SATOSA, or do I have to do that in the
discovery service's frontend somehow?
Best wishes,
Matthew
--
"The lyf so short, the craft so longe to lerne."
I want to again say "thanks" to Ioannis, Rainer, Scott, and everyone
else for their help and instruction during the various IdentityPython
and SATOSA meetings at TIIME this week. Chris Phillips and I were able
to get a SATOSA 3.4.8 deployment working in Chris's idp-installer test
bed. To that end I want to share my notes from the process, at the end
of which an interested party could perform a basic, end-to-end test of
the current SATOSA release using SAMLtest (https://samltest.id/)
1. I installed Ubuntu Server 18.04.1; run the following commands as root
to install the prerequisites:
```sh
apt update
apt dist-upgrade -y
apt install -y git python3-dev build-essential python3-pip libffi-dev
libssl-dev xmlsec1 libyaml-dev libxml2-utils
pip3 install --upgrade virtualenv
virtualenv -p python3 /opt/satosa
/opt/satosa/bin/pip install --upgrade pip setuptools
/opt/satosa/bin/pip install SATOSA
```
This is essentially the Docker image build process, only it uses the
current SATOSA release (etc.) on PyPI.
2. Copy
https://github.com/IdentityPython/SATOSA/tree/v3.4.8/docker/attributemap
s to /opt/satosa/attributemaps.
I'm not sure this is strictly necessary as the built-in pysaml2
attribute maps should be used by default, but it's what the Docker image
build process does.
3. Copy https://github.com/IdentityPython/SATOSA/tree/v3.4.8/example to
/opt/satosa/etc.
4. SATOSA doesn't have a default configuration, so you must provide it
yourself.
```sh
cp /opt/satosa/etc/proxy_conf.yaml.example \
/opt/satosa/etc/proxy_conf.yaml
cp /opt/satosa/etc/internal_attributes.yaml.example \
/opt/satosa/etc/internal_attributes.yaml
cp /opt/satosa/etc/plugins/frontends/saml2_frontend.yaml.example \
/opt/satosa/etc/plugins/frontends/saml2_frontend.yaml
cp /opt/satosa/etc/plugins/backends/saml2_backend.yaml.example \
/opt/satosa/etc/plugins/backends/saml2_backend.yaml
cp /opt/satosa/etc/plugins/microservices/static_attributes.yaml.example
\
/opt/satosa/etc/plugins/microservices/static_attributes.yaml
```
5. You may change the proxy URL (the value of BASE in
/opt/satosa/etc/proxy_conf.yaml), but it _must_ be a method plus
hostname without any trailing slash or path components, e.g.,
`https://proxy.example.com`, not `https://proxy.example.com/` nor
`https://proxy.example.com/satosa`. SATOSA must be hosted at the root
of your web site.
6. Comment out the `idp_blacklist_file` and `disco_srv` settings in
/opt/satosa/etc/plugins/backends/saml2_backend.yaml.
7. Generate IdP, SP, metadata signing, and web site keying material:
```sh
for i in frontend backend metadata https; do
openssl req -batch -x509 -nodes -days 3650 -newkey rsa:2048 \
-keyout /opt/satosa/etc/$i.key -out /opt/satosa/etc/$i.crt \
-subj /CN=proxy.example.com
done
```
8. Download the SAMLtest metadata.
```sh
curl https://samltest.id/saml/sp > /opt/satosa/etc/sp.xml
curl https://samltest.id/saml/idp > /opt/satosa/etc/idp.xml
```
9. Generate the proxy metadata. (How you do this changes in future
releases of SATOSA.)
```sh
. /opt/satosa/bin/activate
cd /opt/satosa/etc
satosa-saml-metadata proxy_conf.yaml metadata.key metadata.crt
--split-frontend --split-backend --dir /opt/satosa/etc
xmllint --format /opt/satosa/etc/Saml2IDP_0.xml >
/opt/satosa/etc/proxy-idp.xml
xmllint --format /opt/satosa/etc/Saml2_0.xml >
/opt/satosa/etc/proxy-sp.xml
```
10. Edit the proxy metadata files to remove the `<ns1:Signature>`
element, else SAMLtest will be unable to load them due to an invalid
signature.
11. Upload the proxy metadata to SAMLtest
(https://samltest.id/upload.php)
12. SAMLtest doesn't release the eduPerson Targeted ID attribute, so
you'll need to change the last three lines of
/opt/satosa/etc/internal_attributes.yaml to the following (and before
anyone says anything, NEVER USE AN EMAIL ADDRESS AS AN IDENTIFIER---this
is just a quick hack to get SATOSA working):
```
hash: [mail]
user_id_from_attrs: [mail]
user_id_to_attr: mail
```
13. Start SATOSA:
```sh
. /opt/satosa/bin/activate
cd /opt/satosa/etc
gunicorn -b0.0.0.0:443 --keyfile https.key --certfile https.crt
satosa.wsgi:app
```
14. At this point you should be able to perform an IdP test
(https://samltest.id/start-idp-test/) by specifying the entity ID of the
proxy's front end, e.g., https://example.com/Saml2IDP/proxy.xml. The
SAMLtest SP will request authentication by your proxy IdP, causing your
proxy SP to request authentication by the SAMLtest IdP. If everything
works right, you will end up back at the SAMLtest SP:
SAMLtest SP ---AuthnRequest---> SATOSA front end (IdP)/back end (SP)
---AuthnRequest---> SAMLtest IdP
SAMLtest SP <---AuthnResponse--- SATOSA front end (IdP)/back end (SP)
<---AuthnResponse--- SAMLtest IdP
I hope this helps other adopters. If you have any questions, please
reply on list so everyone can benefit from the discussion.
Best wishes,
Matthew
--
"The lyf so short, the craft so longe to lerne."
Dear Satosa Users,
I'm trying to create a ResponseMicroService which generates a subject identifier of pairwise-id [1] from the eduPersonTargetedID provided by the Home Organization's IdP.
To avoid collisions, I want the input to the generator for the pairwise-id to contain entityID + '!' + eduPersonTargetedID, but the Response Context doesn't appear to contain the entityID of the originating IdP. Evidently I don't understand the model which SATOSA uses to pass information from backend to frontend...
- Is there a way to access the proxied IdP's entityID from a ResponseMicroService?
- Would it be better to generate the attribute in a RequestMicroService?
- Do microservices act in the order that they're defined in proxy_conf.yaml? For example, can I define a microservice to generate the new attribute from an existing attribute, and then filter out the existing attribute.
Any information appreciated.
Thanks,
Alex
[1] SAML subject identifier attributes, https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-su…
—
Alex Stuart
Principal technical support specialist (UK federation)
alex.stuart at jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
Using a SAMl2SAML configuration I get 'Unsupported sign algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' <http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'>. pysaml2 does support his since a couple of years.
Has anybody encountered this?
- Rainer
[2019-04-09 21:01:44] [DEBUG]: [urn:uuid:0afc6b35-2ff2-436e-a7db-bb8d2fc877a0] Routing to frontend: Saml2IDP
[2019-04-09 21:01:44] [DEBUG]: [urn:uuid:0afc6b35-2ff2-436e-a7db-bb8d2fc877a0] Filter: ['name', 'telephoneNumber', 'surname', 'givenname', 'mail', 'uid', 'displayname', 'title']
[2019-04-09 21:01:44] [DEBUG]: frontend attribute displayName mapped from displayname
[2019-04-09 21:01:44] [DEBUG]: frontend attribute givenName mapped from givenname
[2019-04-09 21:01:44] [DEBUG]: frontend attribute email mapped from mail
[2019-04-09 21:01:44] [DEBUG]: frontend attribute cn mapped from name
[2019-04-09 21:01:44] [DEBUG]: frontend attribute sn mapped from surname
[2019-04-09 21:01:44] [DEBUG]: frontend attribute uid mapped from uid
[2019-04-09 21:01:44] [DEBUG]: [urn:uuid:0afc6b35-2ff2-436e-a7db-bb8d2fc877a0] returning attributes {"displayName": ["User Test"], "givenName": ["Test"], "email": ["test at bmspot.gv.at"], "cn": ["Test User"], "sn": ["User"], "uid": ["test at bmspot.gv.at"]}
[2019-04-09 21:01:44] [ERROR]: [urn:uuid:0afc6b35-2ff2-436e-a7db-bb8d2fc877a0] Unsupported sign algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
[2019-04-09 21:01:44] [ERROR]: [urn:uuid:0afc6b35-2ff2-436e-a7db-bb8d2fc877a0] Uncaught exception
Traceback (most recent call last):
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 366, in _handle_authn_response
args['sign_alg'] = getattr(xmldsig, sign_alg)
AttributeError: module 'saml2.xmldsig' has no attribute 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 286, in run
resp = self._run_bound_endpoint(context, spec)
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 228, in _run_bound_endpoint
return spec(context)
File "/opt/venv/lib/python3.6/site-packages/satosa/backends/saml2.py", line 238, in authn_response
return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 197, in _auth_resp_callback_func
context, internal_response)
File "/opt/venv/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process
return super().process(context, data)
File "/opt/venv/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process
return self.next(context, data)
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 168, in _auth_resp_finish
return frontend.handle_authn_response(context, internal_response)
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 84, in handle_authn_response
return self._handle_authn_response(context, internal_response, self.idp)
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 370, in _handle_authn_response
raise Exception(errmsg) from e
Exception: Unsupported sign algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
[2019-04-09 21:01:44] [ERROR]: Unknown error
Traceback (most recent call last):
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 366, in _handle_authn_response
args['sign_alg'] = getattr(xmldsig, sign_alg)
AttributeError: module 'saml2.xmldsig' has no attribute 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 286, in run
resp = self._run_bound_endpoint(context, spec)
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 228, in _run_bound_endpoint
return spec(context)
File "/opt/venv/lib/python3.6/site-packages/satosa/backends/saml2.py", line 238, in authn_response
return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 197, in _auth_resp_callback_func
context, internal_response)
File "/opt/venv/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process
return super().process(context, data)
File "/opt/venv/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process
return self.next(context, data)
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 168, in _auth_resp_finish
return frontend.handle_authn_response(context, internal_response)
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 84, in handle_authn_response
return self._handle_authn_response(context, internal_response, self.idp)
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 370, in _handle_authn_response
raise Exception(errmsg) from e
Exception: Unsupported sign algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/opt/venv/lib/python3.6/site-packages/satosa/proxy_server.py", line 113, in __call__
resp = self.run(context)
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 302, in run
raise SATOSAUnknownError("Unknown error") from err
satosa.exception.SATOSAUnknownError: Unknown error
