- satosa-users - lists3.sunet.se

skipped backend attribute ['email', 'emailAddress', 'mail']: no value found

by eric.attou＠wacren.net

Hello, I am deploying SaToSa version 8. But, it seems that the backend module is failing to map attribute from the IdP to internal proxy attributes. In fact, after the user's is authenticated, and accepted the consent, i got : KeyError 'mail' in the satosa log. What should i have missed in the configs ? Below is part of the log 2022-09-09 20:04:11,840] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['email', 'emailAddress', 'mail']: no value found satosa-proxy_1 | [2022-09-09 20:04:11,840] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['cn']: no value found satosa-proxy_1 | [2022-09-09 20:04:11,841] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['sn', 'surname']: no value found satosa-proxy_1 | [2022-09-09 20:04:11,841] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['eduPersonScopedAffiliation']: no value found satosa-proxy_1 | [2022-09-09 20:04:11,841] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['eduPersonPrincipalName']: no value found satosa-proxy_1 | [2022-09-09 20:04:11,842] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:722089a1-b43e-47b0-bd98-2888c96b3a10] backend received attributes: satosa-proxy_1 | {} satosa-proxy_1 | [2022-09-09 20:04:11,842] [ERROR] [satosa.base.run] [urn:uuid:722089a1-b43e-47b0-bd98-2888c96b3a10] Uncaught exception satosa-proxy_1 | Traceback (most recent call last): satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 240, in run satosa-proxy_1 | resp = self._run_bound_endpoint(context, spec) satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 180, in _run_bound_endpoint satosa-proxy_1 | return spec(context) satosa-proxy_1 | File "/src/satosa/src/satosa/backends/saml2.py", line 363, in authn_response satosa-proxy_1 | return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 141, in _auth_resp_callback_func satosa-proxy_1 | subject_id = [ satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 142, in <listcomp> satosa-proxy_1 | "".join(internal_response.attributes[attr]) for attr in satosa-proxy_1 | KeyError: 'mail' satosa-proxy_1 | [2022-09-09 20:04:11,843] [ERROR] [satosa.proxy_server.__call__] Unknown error satosa-proxy_1 | Traceback (most recent call last): satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 240, in run satosa-proxy_1 | resp = self._run_bound_endpoint(context, spec) satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 180, in _run_bound_endpoint satosa-proxy_1 | return spec(context) satosa-proxy_1 | File "/src/satosa/src/satosa/backends/saml2.py", line 363, in authn_response satosa-proxy_1 | return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 141, in _auth_resp_callback_func satosa-proxy_1 | subject_id = [ satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 142, in <listcomp> satosa-proxy_1 | "".join(internal_response.attributes[attr]) for attr in satosa-proxy_1 | KeyError: 'mail' satosa-proxy_1 | satosa-proxy_1 | The above exception was the direct cause of the following exception: satosa-proxy_1 | satosa-proxy_1 | Traceback (most recent call last): satosa-proxy_1 | File "/src/satosa/src/satosa/proxy_server.py", line 148, in __call__ satosa-proxy_1 | resp = self.run(context) satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 258, in run satosa-proxy_1 | raise SATOSAUnknownError("Unknown error") from err satosa-proxy_1 | satosa.exception.SATOSAUnknownError: Unknown error

1 year, 8 months

2
1
0 0

Installing Satosa under a location

by Kristof Bajnok

Hi all, I need to install Satosa under a path instead of the root of the webserver, but I can not make endpoint routing work if BASE in proxy_conf.yaml contains a path (ie. "https://example.com/path"). For long I was thinking it was a configuration error on my side, but I realised that also the flow (unit) tests fail if I change the BASE to such a value. I've filed a bug under https://github.com/IdentityPython/SATOSA/issues/404, and I'm already more than halfway fixing it, but I still can hardly believe that everybody installs Satosa under "/". Rewriting the request in the webserver breaks metadata generation, because it needs to know the external URLs and not the rewritten ones. It is a possibility to run metadata generation with a slightly different configuration file, but I'd like to avoid maintaining two sets of configurations if possible. Has anybody run into a similar issue? Kristof

1 year, 10 months

1
0
0 0

[Zeek] Zeek is not always detecting outcome of SSH connections.

by kuba.michal.n＠gmail.com

Hello, after completing another project I had some time to dig into the issue a little bit deeper. I've come across this site: https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full… I turns out my interface was misconfigured. Disabling some offloads solved the issue and overall loss has dropped significantly. Thank you for your help! Jakub czw., 2 wrz 2021 o 16:02 Vlad Grigorescu <vlad at es.net> napisał(a): > Jakub, > > Sorry for the delay on this, I was also out and then it fell off my radar. > > I think your answer lies in the missed_bytes field of the conn log. All of > the connections from your ssh.log had traffic that Zeek did not see. Since > Zeek has no way of knowing what transpired in those missed bytes, the SSH > analyzer will never flag those connections as successful or failed. > > The mailing list or Slack might have some suggestions on how to determine > the cause of your missed bytes, and what the solution might be. > > --Vlad > > On Thu, Aug 19, 2021 at 9:58 AM Jakub Niezabitowski < > kuba.michal.n at gmail.com> wrote: > >> Hello, >> >> I will be out for about a week. Sorry for your inconvenience. If there >> will be any update I will write as soon as I can. >> >> Thank you for your support. >> Jakub >> >> czw., 19 sie 2021 o 15:25 Jakub Niezabitowski <kuba.michal.n at gmail.com> >> napisał(a): >> >>> This is output of zeek -v: >>> ./zeek version 4.1.0-dev.750 >>> >>> ssh.log: >>> >>> {"ts":1629353969.834005,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629355319.70739,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com >>> ","mac_alg":"umac-64-etm at openssh.com >>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"} >>> {"ts":1629355326.102184,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com >>> ","mac_alg":"umac-64-etm at openssh.com >>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"} >>> {"ts":1629363511.517178,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629359395.93802,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629359403.032656,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629362225.296699,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com >>> ","mac_alg":"umac-64-etm at openssh.com >>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"} >>> {"ts":1629361952.911338,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629368286.231978,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629368323.887805,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629368384.265589,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629369473.554433,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629369478.658333,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629363611.176921,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com >>> ","mac_alg":"umac-64-etm at openssh.com >>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"} >>> {"ts":1629363530.397083,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4"} >>> {"ts":1629366392.592983,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com >>> ","mac_alg":"umac-64-etm at openssh.com >>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"} >>> {"ts":1629365717.892757,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI >>> GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com >>> ","mac_alg":"umac-64-etm at openssh.com >>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"} >>> >>> conn.log: >>> >>> {"ts":1629353969.732991,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1343.1681571006776,"orig_bytes":10765,"resp_bytes":1249389,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":372560,"history":"ShADadCGcggctgtcFRf","orig_pkts":2290,"orig_ip_bytes":128761,"resp_pkts":1878,"resp_ip_bytes":1005437} >>> >>> {"ts":1629355322.821648,"uid":"CBGul41OnibExQK9O6","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":88.76865911483765,"orig_bytes":0,"resp_bytes":1048,"conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^dt","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":4,"resp_ip_bytes":4400} >>> >>> {"ts":1629355319.682793,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3674.8831601142885,"orig_bytes":5049,"resp_bytes":2136781,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":9868,"history":"ShADadcgttR","orig_pkts":4225,"orig_ip_bytes":225141,"resp_pkts":4243,"resp_ip_bytes":2382129} >>> >>> {"ts":1629355326.076816,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3696.138195991516,"orig_bytes":8641,"resp_bytes":2227993,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":47024,"history":"ShADadcggttcGR","orig_pkts":4504,"orig_ip_bytes":243421,"resp_pkts":4411,"resp_ip_bytes":2454697} >>> >>> {"ts":1629363511.478,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":26.2694411277771,"orig_bytes":3497,"resp_bytes":45209,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":28080,"history":"ShADadCGcggFRft","orig_pkts":88,"orig_ip_bytes":6557,"resp_pkts":66,"resp_ip_bytes":23653} >>> >>> {"ts":1629363542.919383,"uid":"CpYDAh26XA0tnFjqE8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576} >>> >>> {"ts":1629363548.264316,"uid":"CKIeJ02kp7bqmZHQGa","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576} >>> >>> {"ts":1629363558.951295,"uid":"Cy70hG3xbe0YraNLQ","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576} >>> >>> {"ts":1629363580.29527,"uid":"ClzNXf3uL9jMAKVFN8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576} >>> >>> {"ts":1629363623.047142,"uid":"CM6AG64ej3HoBNCmV6","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576} >>> >>> {"ts":1629359395.898961,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2406.9871258735659,"orig_bytes":14529,"resp_bytes":1270377,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":231140,"history":"ShADadCGcggtcgTt","orig_pkts":2670,"orig_ip_bytes":152449,"resp_pkts":2337,"resp_ip_bytes":1196833} >>> >>> {"ts":1629359402.915081,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2431.203042984009,"orig_bytes":22009,"resp_bytes":3986829,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":401516,"history":"ShADadCGcgtTtgcGgc","orig_pkts":8571,"orig_ip_bytes":467389,"resp_pkts":8341,"resp_ip_bytes":4070913} >>> >>> {"ts":1629362225.253584,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":1795.6165931224824,"orig_bytes":23017,"resp_bytes":1719917,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":249976,"history":"ShAdDacggtctTg","orig_pkts":3808,"orig_ip_bytes":221809,"resp_pkts":3676,"resp_ip_bytes":1708085} >>> >>> {"ts":1629361952.865328,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2072.1008388996126,"orig_bytes":27917,"resp_bytes":1165281,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":322496,"history":"ShADadCGcgtTgctgc","orig_pkts":3158,"orig_ip_bytes":191313,"resp_pkts":2439,"resp_ip_bytes":1014905} >>> >>> {"ts":1629368286.226311,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":31.089575052261354,"orig_bytes":4095,"resp_bytes":7573,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGtFf","orig_pkts":50,"orig_ip_bytes":5807,"resp_pkts":35,"resp_ip_bytes":4377} >>> >>> {"ts":1629368323.882291,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":39.62539982795715,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":38,"orig_ip_bytes":4983,"resp_pkts":26,"resp_ip_bytes":3385} >>> >>> {"ts":1629368384.260782,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":95.20389604568482,"orig_bytes":4699,"resp_bytes":8045,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":78,"orig_ip_bytes":7855,"resp_pkts":48,"resp_ip_bytes":5441} >>> >>> {"ts":1629369473.551176,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4.286886930465698,"orig_bytes":3907,"resp_bytes":7169,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":5108,"history":"ShADadcgtFf","orig_pkts":42,"orig_ip_bytes":6111,"resp_pkts":29,"resp_ip_bytes":3661} >>> >>> {"ts":1629369478.65472,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1.974303960800171,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgtTCGFf","orig_pkts":39,"orig_ip_bytes":5535,"resp_pkts":27,"resp_ip_bytes":3909} >>> >>> {"ts":1629363611.137711,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":4322.946979999542,"orig_bytes":83385,"resp_bytes":4093093,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":1280948,"history":"ShADadcgcggttcTt","orig_pkts":9754,"orig_ip_bytes":592549,"resp_pkts":7344,"resp_ip_bytes":3280677} >>> >>> {"ts":1629363530.35789,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4444.6867852211,"orig_bytes":16493,"resp_bytes":2455029,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":99340,"history":"ShADadCGcgtgctT","orig_pkts":5389,"orig_ip_bytes":295961,"resp_pkts":5126,"resp_ip_bytes":2670001} >>> >>> {"ts":1629366392.574032,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5154.938705921173,"orig_bytes":14113,"resp_bytes":49097,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":17616,"history":"ShADadcgCGgc","orig_pkts":699,"orig_ip_bytes":49321,"resp_pkts":433,"resp_ip_bytes":55169} >>> >>> {"ts":1629365717.871532,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5869.062443971634,"orig_bytes":25417,"resp_bytes":123257,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":68778,"history":"ShADadcgCGTtgc","orig_pkts":1409,"orig_ip_bytes":97629,"resp_pkts":764,"resp_ip_bytes":96079} >>> >>> {"ts":1629378908.289358,"uid":"CgpvjA2SRGDerkjnt7","id.orig_h":"149.156.4.93","id.orig_p":33276,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":12.938737154006958,"orig_bytes":4699,"resp_bytes":8277,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6047,"history":"ShaGADdcgCtFf","orig_pkts":83,"orig_ip_bytes":8127,"resp_pkts":51,"resp_ip_bytes":5913} >>> >>> I also append new pcap in case logs for older one have been already >>> rotated. >>> >>> Jakub >>> >>> czw., 19 sie 2021 o 13:42 Vlad Grigorescu <vlad at es.net> napisał(a): >>> >>>> When I run the PCAP through try.zeek.org, it reports auth_success as >>>> T, https://try.zeek.org/#/tryzeek/saved/527994 >>>> >>>> What version of Zeek? To verify that capture loss isn't an issue, can >>>> you share the line from conn.log that you see for that connection? >>>> >>>> On Thu, Aug 19, 2021 at 5:47 AM Jakub Niezabitowski < >>>> kuba.michal.n at gmail.com> wrote: >>>> >>>>> To add some context this is my node.cfg: >>>>> >>>>> [logger-1] >>>>> type=logger >>>>> host=localhost >>>>> # >>>>> [manager] >>>>> type=manager >>>>> host=localhost >>>>> # >>>>> [proxy-1] >>>>> type=proxy >>>>> host=localhost >>>>> # >>>>> [worker-1] >>>>> type=worker >>>>> host=localhost >>>>> lb_procs=8 >>>>> lb_method=pf_ring >>>>> pin_cpus=0,1,2,3,4,5,6,7 >>>>> interface=eth-mirror >>>>> >>>>> This machine can handle up to 8GBit/s of traffic, during capture it >>>>> was about 1GBit/s. >>>>> >>>>> >>>>> czw., 19 sie 2021 o 12:42 Jakub Niezabitowski <kuba.michal.n at gmail.com> >>>>> napisał(a): >>>>> >>>>>> Hello, >>>>>> >>>>>> The data was gathered on same network interface as zeek. It was >>>>>> filtered though to include only related traffic. >>>>>> >>>>>> I have logged in using host 149.156.4.93 to machine 149.156.9.136 and >>>>>> executed few commands. Zeek is not showing auth_success field. >>>>>> >>>>>> After reading provided docs ( >>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…). >>>>>> I assume it could be related to capture losses but it shouldn't. The amount >>>>>> of traffic was way below average. >>>>>> >>>>>> Thank you for your help! >>>>>> Jakub >>>>>> >>>>>> >>>>>> śr., 18 sie 2021 o 14:27 Vlad Grigorescu <vlad at es.net> napisał(a): >>>>>> >>>>>>> >>>>>>> >>>>>>> On Wed, Aug 18, 2021 at 03:27 Jakub Niezabitowski < >>>>>>> kuba.michal.n at gmail.com> wrote: >>>>>>> >>>>>>>> >>>>>>>> {"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 >>>>>>>> Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm at openssh.com >>>>>>>> ","mac_alg":"hmac-sha2-256-etm at openssh.com >>>>>>>> ","compression_alg":"none","kex_alg":"curve25519-sha256 at libssh.org >>>>>>>> ","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"} >>>>>>>> >>>>>>> >>>>>>> This connection had “auth_attempts: 0,” so there was nothing to make >>>>>>> a determination on. >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> {"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":" >>>>>>>> chacha20-poly1305 at openssh.com","mac_alg":" >>>>>>>> hmac-sha2-256-etm at openssh.com >>>>>>>> ","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"} >>>>>>>> >>>>>>> This connection has “auth_success: false,” so it seems like a >>>>>>> determination was made? >>>>>>> >>>>>>> The docs ( >>>>>>> >>>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…) >>>>>>> have a bit more info, but essentially, yes it is expected, and Zeek goes to >>>>>>> some lengths to avoid false positives and negatives, at the expense of true >>>>>>> positives. However, that doesn’t seem to be the case here? >>>>>>> >>>>>>> —Vlad >>>>>>> >>>>>>

2 years, 8 months

1
0
0 0

Example consent page

by kuba.michal.n＠gmail.com

Hello, does anybody have example consent page for consent plugin for satosa? It would be very helpful. Thank you in advance, Jakub

2 years, 8 months

2
1
0 0

Specify remd:contactType and assert Sirtfi compliance in Satosa frontend metadata

by kuba.michal.n＠gmail.com

Hi, I have updated metadata_tostring_fix function in metadata.py. It's ugly but it gets the job done: ```python def metadata_tostring_fix(desc, nspair, xmlstring=""): if not xmlstring: xmlstring = desc.to_string(nspair) try: if "\"xs:string\"" in xmlstring and XMLNSXS not in xmlstring: xmlstring = xmlstring.replace(MDNS, MDNS + XMLNSXS) except TypeError: if b"\"xs:string\"" in xmlstring and bXMLNSXS not in xmlstring: xmlstring = xmlstring.replace(bMDNS, bMDNS + bXMLNSXS) xmlstring_decoded = xmlstring.decode("utf-8") #JN xmlstring = re.sub(r'(<\/ns0:ContactPerson>)', r'\1<md:ContactPerson xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security" xmlns:remd="http://refeds.org/metadata"><md:GivenName>Security Response Team</md:GivenName><md:EmailAddress>mailto:security at xxxxxxxxxxxxxxx</md:EmailAddress></md:ContactPerson>', xmlstring_decoded) #JN xmlstring = bytes(xmlstring, 'utf-8') #JN return xmlstring ``` czw., 2 wrz 2021 o 16:05 Jakub Niezabitowski <kuba.michal.n at gmail.com> napisał(a): > Hello Ivan, > > thank you for your quick response. Adding assurance_certification works > great! > > czw., 2 wrz 2021 o 15:55 Ivan Kanakarakis <ivan.kanak at gmail.com> > napisał(a): > >> hello Jakub, >> >> ## refeds metadata >> >> the refeds metadata is not known to pysaml2, and thus there is no way >> to do this. >> We can look into adding support and exposing that as part of the >> configuration. >> >> Until that is in place, you can add a post processing rule on your >> deployment proceed to inject the namespace and element as needed. >> >> >> ## assurance certification >> >> To add an assurance certification you can add the following in your >> saml frontend configuration: >> >> ```yaml >> module: ... >> name: ... >> config: >> idp_config: >> ... >> assurance_certification: >> - https://refeds.org/sirtfi >> ... >> ``` >> >> >> On Thu, 2 Sept 2021 at 15:25, Jakub Niezabitowski >> <kuba.michal.n at gmail.com> wrote: >> > >> > Hello, >> > >> > does anybody know how to specify remd:contactType for Satosa front-end? >> It is necessary for Refeds. Example: >> > >> > <md:ContactPerson contactType="other" remd:contactType=" >> http://refeds.org/metadata/contactType/security"> >> > <md:Company>XYZ</md:Company> >> > <md:GivenName>ABC</md:GivenName> >> > <md:SurName>Security</md:SurName> >> > <md:EmailAddress>mailto:security at example.com</md:EmailAddress> >> > </md:ContactPerson> >> > >> > I would be also very thankful for help in adding this static string to >> metadata: >> > >> > <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" >> ...> >> > <md:Extensions> >> > <mdattr:EntityAttributes >> xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"> >> > <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" >> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" >> > >> Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"> >> > <saml:AttributeValue>https://refeds.org/sirtfi >> </saml:AttributeValue> >> > </saml:Attribute> >> > </mdattr:EntityAttributes> >> > </md:Extensions> >> > </md:EntityDescriptor> >> > >> > Thank you in advance for any help >> > Jakub >> > _______________________________________________ >> > satosa-users mailing list >> > satosa-users at lists.sunet.se >> > https://lists.sunet.se/listinfo/satosa-users >> >> >> >> -- >> Ivan c00kiemon5ter Kanakarakis >:3 >> >

2 years, 8 months

2
1
0 0

Specify remd:contactType and assert Sirtfi compliance in Satosa frontend metadata

by kuba.michal.n＠gmail.com

Hello, does anybody know how to specify remd:contactType for Satosa front-end? It is necessary for Refeds. Example: <md:ContactPerson contactType="other" remd:contactType=" http://refeds.org/metadata/contactType/security"> <md:Company>XYZ</md:Company> <md:GivenName>ABC</md:GivenName> <md:SurName>Security</md:SurName> <md:EmailAddress>mailto:security at example.com</md:EmailAddress> </md:ContactPerson> I would be also very thankful for help in adding this static string to metadata: <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...> <md:Extensions> <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"> <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue> </saml:Attribute> </mdattr:EntityAttributes> </md:Extensions> </md:EntityDescriptor> Thank you in advance for any help Jakub

2 years, 8 months

2
1
0 0

Satosa not sending attributes to the SP

by kuba.michal.n＠gmail.com

Hello, It seems that Satosa is not sending attributes to the SP. The only exception is the one attribute specified in user_id_from_attrs. Is it a default behaviour? No SP specific policies were defined. [2021-08-11 15:57:36,463] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] backend received attributes: { "displayName": [ "plguser14" ], "eduPersonTargetedID": [ "64d759cc-1d21-4a29-a6e1-e7a10908d95e" ], "mail": [ "plguser14 at ops.pl" ], "sn": [ "czterna" ] } [2021-08-11 15:57:36,464] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] Routing to frontend: Saml2IDP-front [2021-08-11 15:57:36,464] [WARNING] [saml2.assertion.restrict] The metadata parameter for saml2.assertion.Policy.restrict is deprecated and ignored; instead, initialize the Policy object setting the mds param. [2021-08-11 15:57:36,465] [DEBUG] [saml2.assertion.filter] required: [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.14', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrnam e-format:uri', 'friendly_name': 'schacPersonalUniqueCode', 'is_required': 'true'}], optional: [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'name_format': 'urn:oasis :names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonTargetedID'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'name_format': 'urn:oasis:names:tc:SAML :2.0:attrname-format:uri', 'friendly_name': 'eduPersonPrincipalName'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:0.9.2342.19200300.100.1.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrn ame-format:uri', 'friendly_name': 'mail'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:urn:oid:2.16.840.1.113730.3.1.241', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'fr iendly_name': 'displayName'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:2.5.4.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'cn'}, {'__class__': 'urn :oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonScopedAffiliation'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'schacHomeOrganization'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.13685.1.1.1.1.2.20', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'pleduOrgUniqueNumber'}] [2021-08-11 15:57:36,465] [DEBUG] [satosa.frontends.saml2._get_approved_attributes] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] Filter: ['edupersontargetedid', 'schacPersonalUniqueCode', 'mail'] [2021-08-11 15:57:36,465] [DEBUG] [satosa.attribute_mapping.from_internal] frontend attribute eduPersonTargetedID mapped from edupersontargetedid [2021-08-11 15:57:36,465] [DEBUG] [satosa.attribute_mapping.from_internal] frontend attribute email mapped from mail [2021-08-11 15:57:36,465] [DEBUG] [satosa.frontends.saml2._handle_authn_response] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] returning attributes {"eduPersonTargetedID": ["64d759cc-1d21-4a29-a6e1-e7a10908d95e"], "email": ["plguser14 at ops.pl"]} [2021-08-11 15:57:36,466] [DEBUG] [satosa.frontends.saml2._handle_authn_response] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] signing with algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 [2021-08-11 15:57:36,466] [DEBUG] [satosa.frontends.saml2._handle_authn_response] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] using digest algorithm http://www.w3.org/2001/04/xmlenc#sha256 [2021-08-11 15:57:36,466] [WARNING] [satosa.frontends.saml2._handle_authn_response] sign_alg and digest_alg are deprecated; instead, use signing_algorithm and digest_algorithm under the service/idp configuration path (not under policy/default). [2021-08-11 15:57:36,467] [DEBUG] [saml2.assertion.filter] required: [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.14', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'schacPersonalUniqueCode', 'is_required': 'true'}], optional: [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonTargetedID'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonPrincipalName'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:0.9.2342.19200300.100.1.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'mail'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:urn:oid:2.16.840.1.113730.3.1.241', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'displayName'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:2.5.4.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'cn'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonScopedAffiliation'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'schacHomeOrganization'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.13685.1.1.1.1.2.20', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'pleduOrgUniqueNumber'}] [2021-08-11 15:57:36,469] [INFO] [saml2.entity.sign] REQUEST: <ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2=" http://www.w3.org/2000/09/xmldsig#" Destination=" https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp" ID="id-HquE4vV74jkKMlK19" InResponseTo="_417162b56e4c88f4e2d89d05c295789a5d318a5d91" IssueInstant="2021-08-11T13:57:36Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://sso.pre.plgrid.pl:8081/Saml2IDP-front/proxy.xml</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm=" http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm=" http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ns2:Reference URI="#id-HquE4vV74jkKMlK19"><ns2:Transforms><ns2:Transform Algorithm=" http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm=" http://www.w3.org/2001/04/xmlenc#sha256" /><ns2:DigestValue /></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue /><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIIFtzCCA5+gAwIBAgIJAMItW6x6FcDjMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNVBAYTAlBMMRYwFAYDVQQIDA1MZXNzZXIgUG9sYW5kMQ8wDQYDVQQHDAZDcmFjb3cxDDAKBgNVBAoMA0FDSzEQMA4GA1UECwwHQUNLLVNFQzEaMBgGA1UEAwwRc3NvLnByZS5wbGdyaWQucGwwHhcNMjEwNzMwMTIzODAxWhcNMjIwNzMwMTIzODAxWjByMQswCQYDVQQGEwJQTDEWMBQGA1UECAwNTGVzc2VyIFBvbGFuZDEPMA0GA1UEBwwGQ3JhY293MQwwCgYDVQQKDANBQ0sxEDAOBgNVBAsMB0FDSy1TRUMxGjAYBgNVBAMMEXNzby5wcmUucGxncmlkLnBsMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzwaBMIs/laH99rd6VxxIE/pbCv4oQqYelNRPEPpn9w+VmV5Er3RGfhGA8xuahHpFUu7rdqB0G96tmr7J8WMVCjEoDFnXkzYlJf8oul8BAsTXI2CnMw74mE98BnmT0/4jXIJbfcH9/UrtMVpR4pxIYV6CF2deXtPhFHxF8Sp+lhWCqEE27bxt7CVGoq5DMt9cm3qh6TtfdoLjALmKLjFvp6vBcyleufS1xv8AsXz0lHWJ6j8FdG2uBC75aZ9jWYZINopt90gJMUZpZ3XUfNm5DVFQqV3LyiNc4UNexqKtAydGtj6CWYXaBi5XiOflyINakSJf0v/3G5kFUonlleGsBgcq3xNU0ZeC+vjRoh4cA4CpIcvq//VvQvG9jcL5ExUhNc5niMuCBMNiJzPXG0l+HewX+n0PRG/XiYBlgC8dhYmaZXqyHpja5y4UjvKXlJxqcPxdqxfzoe30jK4UlgQZ2hu0i1pOQ+TdVURISJYKu2AjI9WmQ6J0F/77yaSez2J4MkqjZWADEv7EG/fdvCrCl/rSMNX6cEbHZHu8wu+OpWX15tF6av+CKt43NyPTFdB+vC2bHNSFzDAZwYwyX14HkNwkWHjerrGQSK9VdqoOBb2/NRGlHffpvyoS7Jd7TFD8Po26936rfF4weS/Urd9KLrOrg+dpU/8DT7jlROBNDtMCAwEAAaNQME4wHQYDVR0OBBYEFHqQWjL3v2VO2GjeRt221qP/Kkz7MB8GA1UdIwQYMBaAFHqQWjL3v2VO2GjeRt221qP/Kkz7MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAK7m+DKYQsyzniRNCWm4bgeqJ4fBjEdjw6xn8kB43MRTlaOQ41wMB7Qu2MM1umJida3/tIySbHGph/l/l3I/SanlUOAS9ahiKJtWUOj03XDdAKkQPf1ij7NqAq7Ealw9NVee+vhew36hD6m/jskjcJJEmbufb08QgeX7G7dG1jkSr2rfXhGzOnXIvAGiqizkRrI7WUNxferqU6CLgn1LxH3oSQa747dKPG02w0flphSN6f81+H2vxsIddvkeC1NSUq92sIfiMuYuKnzNkEheiFJ6JQpCaHH1yYJpkd8xoMZrSAosNprBYxMyS8cwEColCCdkiUcpab1xE4f3TF12O4eWEKSZw0MxH/FdPUvOjE9IMuGhQOMxbMQFw9AJnY2PNRHotMmyZQ5xUCUjUvfeE5FkD/rM1U8GWDSxoDPx9ORMebU3w2oXR8r4PUc//n405fXn/s4IYA3SleoaU5XmDtfg1QVd/4rN5rCa4yMqIzhVpZli6umVOYULbzhxAnpCd0PwUGoGfPniKg7fNHB5veSRzLXju8JaW7ldJacvkXnWzAnh3ti0BJQ29DbTUZ/QsjWGhzMfub31jp8lPK+tuphTkWoGok0sZRhKLH+2Sdkcb+jJkbhv0Ft197vnMZvz4Ybn4suAP5/GE2ZCgKDj7J9OJ37n/KyiD3gUKJasWFDk</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></ns0:Status><ns1:Assertion ID="id-X2qR3due6dcurArXi" IssueInstant="2021-08-11T13:57:36Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://sso.pre.plgrid.pl:8081/Saml2IDP-front/proxy.xml</ns1:Issuer><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">64d759cc-1d21-4a29-a6e1-e7a10908d95e</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="_417162b56e4c88f4e2d89d05c295789a5d318a5d91" NotOnOrAfter="2021-08-11T14:12:36Z" Recipient=" https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp" /></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2021-08-11T13:57:36Z" NotOnOrAfter="2021-08-11T14:12:36Z"><ns1:AudienceRestriction><ns1:Audience> https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2021-08-11T13:57:36Z" SessionIndex="id-YX0liwOPeyOoMqBv7"><ns1:AuthnContext><ns1:AuthnContextClassRef>default-LoA</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority> https://sso.pre.plgrid.pl/auth/realms/PLGRID</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">64d759cc-1d21-4a29-a6e1-e7a10908d95e</ns1:NameID></ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion></ns0:Response> [2021-08-11 15:57:36,472] [DEBUG] [saml2.sigver._run_xmlsec] xmlsec command: /bin/xmlsec1 --sign --privkey-pem /etc/satosa/plugins/frontends/frontend.key --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response --node-id id-HquE4vV74jkKMlK19 --output /tmp/tmp3ylf1dxd.xml /tmp/tmpj9ip14kl.xml [2021-08-11 15:57:36,516] [INFO] [saml2.entity.apply_binding] HTTP POST Logs from SP: Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] <ns1:AttributeStatement> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] <ns1:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] <ns1:AttributeValue> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">64d759cc-1d21-4a29-a6e1-e7a10908d95e</ns1:NameID> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] </ns1:AttributeValue> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] </ns1:Attribute> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] </ns1:AttributeStatement> Thank you in advance for any help! Jakub

2 years, 9 months

2
7
0 0

KeyError when routing to frontend

by ymniezab＠cyfronet.krakow.pl

Hello, We are trying to use Satosa as proxy for Keycloak. After successful login backend receives attributes and tries to route them to frontend named Saml2IDP (same name as in the example) but fails: [2021-08-05 11:03:50,412] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['sn', 'surname'] mapped to surname [2021-08-05 11:03:50,413] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] backend received attributes: { "sn": [ "czterna" ] } [2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP [2021-08-05 11:03:50,413] [ERROR] [satosa.base.run] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' [2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' The above exception was the direct cause of the following exception: Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/proxy_server.py", line 118, in __call__ resp = self.run(context) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 258, in run raise SATOSAUnknownError("Unknown error") from err satosa.exception.SATOSAUnknownError: Unknown error Thank you in advance for any help!

2 years, 9 months

2
1
0 0

KeyError when routing to frontend

by kuba.michal.n＠gmail.com

Hello, We are trying to use Satosa as proxy for Keycloak. After successful login backend receives attributes and tries to route them to frontend named Saml2IDP (same name as in the example) but fails: [2021-08-05 11:03:50,412] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['sn', 'surname'] mapped to surname [2021-08-05 11:03:50,413] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] backend received attributes: { "sn": [ "czterna" ] } [2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP [2021-08-05 11:03:50,413] [ERROR] [satosa.base.run] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' [2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' The above exception was the direct cause of the following exception: Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/proxy_server.py", line 118, in __call__ resp = self.run(context) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 258, in run raise SATOSAUnknownError("Unknown error") from err satosa.exception.SATOSAUnknownError: Unknown error Thank you in advance for any help!

2 years, 9 months

2
5
0 0

KeyError when routing to frontend

by ymniezab＠cyfronet.krakow.pl

Hello, We are trying to use Satosa as proxy for Keycloak. After successful login backend receives attributes and tries to route them to frontend named Saml2IDP (same name as in the example) but fails: [2021-08-05 11:03:50,412] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['sn', 'surname'] mapped to surname [2021-08-05 11:03:50,413] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] backend received attributes: { "sn": [ "czterna" ] } [2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP [2021-08-05 11:03:50,413] [ERROR] [satosa.base.run] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' [2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' The above exception was the direct cause of the following exception: Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/proxy_server.py", line 118, in __call__ resp = self.run(context) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 258, in run raise SATOSAUnknownError("Unknown error") from err satosa.exception.SATOSAUnknownError: Unknown error Thank you in advance for any help!

2 years, 9 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

satosa-users