- satosa-users - lists3.sunet.se

by kuba.michal.n＠gmail.com

Hello, It seems that Satosa is not sending attributes to the SP. The only exception is the one attribute specified in user_id_from_attrs. Is it a default behaviour? No SP specific policies were defined. [2021-08-11 15:57:36,463] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] backend received attributes: { "displayName": [ "plguser14" ], "eduPersonTargetedID": [ "64d759cc-1d21-4a29-a6e1-e7a10908d95e" ], "mail": [ "plguser14 at ops.pl" ], "sn": [ "czterna" ] } [2021-08-11 15:57:36,464] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] Routing to frontend: Saml2IDP-front [2021-08-11 15:57:36,464] [WARNING] [saml2.assertion.restrict] The metadata parameter for saml2.assertion.Policy.restrict is deprecated and ignored; instead, initialize the Policy object setting the mds param. [2021-08-11 15:57:36,465] [DEBUG] [saml2.assertion.filter] required: [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.14', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrnam e-format:uri', 'friendly_name': 'schacPersonalUniqueCode', 'is_required': 'true'}], optional: [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'name_format': 'urn:oasis :names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonTargetedID'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'name_format': 'urn:oasis:names:tc:SAML :2.0:attrname-format:uri', 'friendly_name': 'eduPersonPrincipalName'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:0.9.2342.19200300.100.1.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrn ame-format:uri', 'friendly_name': 'mail'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:urn:oid:2.16.840.1.113730.3.1.241', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'fr iendly_name': 'displayName'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:2.5.4.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'cn'}, {'__class__': 'urn :oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonScopedAffiliation'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'schacHomeOrganization'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.13685.1.1.1.1.2.20', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'pleduOrgUniqueNumber'}] [2021-08-11 15:57:36,465] [DEBUG] [satosa.frontends.saml2._get_approved_attributes] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] Filter: ['edupersontargetedid', 'schacPersonalUniqueCode', 'mail'] [2021-08-11 15:57:36,465] [DEBUG] [satosa.attribute_mapping.from_internal] frontend attribute eduPersonTargetedID mapped from edupersontargetedid [2021-08-11 15:57:36,465] [DEBUG] [satosa.attribute_mapping.from_internal] frontend attribute email mapped from mail [2021-08-11 15:57:36,465] [DEBUG] [satosa.frontends.saml2._handle_authn_response] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] returning attributes {"eduPersonTargetedID": ["64d759cc-1d21-4a29-a6e1-e7a10908d95e"], "email": ["plguser14 at ops.pl"]} [2021-08-11 15:57:36,466] [DEBUG] [satosa.frontends.saml2._handle_authn_response] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] signing with algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 [2021-08-11 15:57:36,466] [DEBUG] [satosa.frontends.saml2._handle_authn_response] [urn:uuid:104101fc-b624-41d0-96d2-c952f11713f9] using digest algorithm http://www.w3.org/2001/04/xmlenc#sha256 [2021-08-11 15:57:36,466] [WARNING] [satosa.frontends.saml2._handle_authn_response] sign_alg and digest_alg are deprecated; instead, use signing_algorithm and digest_algorithm under the service/idp configuration path (not under policy/default). [2021-08-11 15:57:36,467] [DEBUG] [saml2.assertion.filter] required: [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.14', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'schacPersonalUniqueCode', 'is_required': 'true'}], optional: [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonTargetedID'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonPrincipalName'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:0.9.2342.19200300.100.1.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'mail'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:urn:oid:2.16.840.1.113730.3.1.241', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'displayName'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:2.5.4.3', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'cn'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'eduPersonScopedAffiliation'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.25178.1.2.9', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'schacHomeOrganization'}, {'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute', 'name': 'urn:oid:1.3.6.1.4.1.13685.1.1.1.1.2.20', 'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'friendly_name': 'pleduOrgUniqueNumber'}] [2021-08-11 15:57:36,469] [INFO] [saml2.entity.sign] REQUEST: <ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2=" http://www.w3.org/2000/09/xmldsig#" Destination=" https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp" ID="id-HquE4vV74jkKMlK19" InResponseTo="_417162b56e4c88f4e2d89d05c295789a5d318a5d91" IssueInstant="2021-08-11T13:57:36Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://sso.pre.plgrid.pl:8081/Saml2IDP-front/proxy.xml</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm=" http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm=" http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ns2:Reference URI="#id-HquE4vV74jkKMlK19"><ns2:Transforms><ns2:Transform Algorithm=" http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm=" http://www.w3.org/2001/04/xmlenc#sha256" /><ns2:DigestValue /></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue /><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIIFtzCCA5+gAwIBAgIJAMItW6x6FcDjMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNVBAYTAlBMMRYwFAYDVQQIDA1MZXNzZXIgUG9sYW5kMQ8wDQYDVQQHDAZDcmFjb3cxDDAKBgNVBAoMA0FDSzEQMA4GA1UECwwHQUNLLVNFQzEaMBgGA1UEAwwRc3NvLnByZS5wbGdyaWQucGwwHhcNMjEwNzMwMTIzODAxWhcNMjIwNzMwMTIzODAxWjByMQswCQYDVQQGEwJQTDEWMBQGA1UECAwNTGVzc2VyIFBvbGFuZDEPMA0GA1UEBwwGQ3JhY293MQwwCgYDVQQKDANBQ0sxEDAOBgNVBAsMB0FDSy1TRUMxGjAYBgNVBAMMEXNzby5wcmUucGxncmlkLnBsMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzwaBMIs/laH99rd6VxxIE/pbCv4oQqYelNRPEPpn9w+VmV5Er3RGfhGA8xuahHpFUu7rdqB0G96tmr7J8WMVCjEoDFnXkzYlJf8oul8BAsTXI2CnMw74mE98BnmT0/4jXIJbfcH9/UrtMVpR4pxIYV6CF2deXtPhFHxF8Sp+lhWCqEE27bxt7CVGoq5DMt9cm3qh6TtfdoLjALmKLjFvp6vBcyleufS1xv8AsXz0lHWJ6j8FdG2uBC75aZ9jWYZINopt90gJMUZpZ3XUfNm5DVFQqV3LyiNc4UNexqKtAydGtj6CWYXaBi5XiOflyINakSJf0v/3G5kFUonlleGsBgcq3xNU0ZeC+vjRoh4cA4CpIcvq//VvQvG9jcL5ExUhNc5niMuCBMNiJzPXG0l+HewX+n0PRG/XiYBlgC8dhYmaZXqyHpja5y4UjvKXlJxqcPxdqxfzoe30jK4UlgQZ2hu0i1pOQ+TdVURISJYKu2AjI9WmQ6J0F/77yaSez2J4MkqjZWADEv7EG/fdvCrCl/rSMNX6cEbHZHu8wu+OpWX15tF6av+CKt43NyPTFdB+vC2bHNSFzDAZwYwyX14HkNwkWHjerrGQSK9VdqoOBb2/NRGlHffpvyoS7Jd7TFD8Po26936rfF4weS/Urd9KLrOrg+dpU/8DT7jlROBNDtMCAwEAAaNQME4wHQYDVR0OBBYEFHqQWjL3v2VO2GjeRt221qP/Kkz7MB8GA1UdIwQYMBaAFHqQWjL3v2VO2GjeRt221qP/Kkz7MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAK7m+DKYQsyzniRNCWm4bgeqJ4fBjEdjw6xn8kB43MRTlaOQ41wMB7Qu2MM1umJida3/tIySbHGph/l/l3I/SanlUOAS9ahiKJtWUOj03XDdAKkQPf1ij7NqAq7Ealw9NVee+vhew36hD6m/jskjcJJEmbufb08QgeX7G7dG1jkSr2rfXhGzOnXIvAGiqizkRrI7WUNxferqU6CLgn1LxH3oSQa747dKPG02w0flphSN6f81+H2vxsIddvkeC1NSUq92sIfiMuYuKnzNkEheiFJ6JQpCaHH1yYJpkd8xoMZrSAosNprBYxMyS8cwEColCCdkiUcpab1xE4f3TF12O4eWEKSZw0MxH/FdPUvOjE9IMuGhQOMxbMQFw9AJnY2PNRHotMmyZQ5xUCUjUvfeE5FkD/rM1U8GWDSxoDPx9ORMebU3w2oXR8r4PUc//n405fXn/s4IYA3SleoaU5XmDtfg1QVd/4rN5rCa4yMqIzhVpZli6umVOYULbzhxAnpCd0PwUGoGfPniKg7fNHB5veSRzLXju8JaW7ldJacvkXnWzAnh3ti0BJQ29DbTUZ/QsjWGhzMfub31jp8lPK+tuphTkWoGok0sZRhKLH+2Sdkcb+jJkbhv0Ft197vnMZvz4Ybn4suAP5/GE2ZCgKDj7J9OJ37n/KyiD3gUKJasWFDk</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></ns0:Status><ns1:Assertion ID="id-X2qR3due6dcurArXi" IssueInstant="2021-08-11T13:57:36Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://sso.pre.plgrid.pl:8081/Saml2IDP-front/proxy.xml</ns1:Issuer><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">64d759cc-1d21-4a29-a6e1-e7a10908d95e</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="_417162b56e4c88f4e2d89d05c295789a5d318a5d91" NotOnOrAfter="2021-08-11T14:12:36Z" Recipient=" https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp" /></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2021-08-11T13:57:36Z" NotOnOrAfter="2021-08-11T14:12:36Z"><ns1:AudienceRestriction><ns1:Audience> https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2021-08-11T13:57:36Z" SessionIndex="id-YX0liwOPeyOoMqBv7"><ns1:AuthnContext><ns1:AuthnContextClassRef>default-LoA</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority> https://sso.pre.plgrid.pl/auth/realms/PLGRID</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">64d759cc-1d21-4a29-a6e1-e7a10908d95e</ns1:NameID></ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion></ns0:Response> [2021-08-11 15:57:36,472] [DEBUG] [saml2.sigver._run_xmlsec] xmlsec command: /bin/xmlsec1 --sign --privkey-pem /etc/satosa/plugins/frontends/frontend.key --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response --node-id id-HquE4vV74jkKMlK19 --output /tmp/tmp3ylf1dxd.xml /tmp/tmpj9ip14kl.xml [2021-08-11 15:57:36,516] [INFO] [saml2.entity.apply_binding] HTTP POST Logs from SP: Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] <ns1:AttributeStatement> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] <ns1:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] <ns1:AttributeValue> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">64d759cc-1d21-4a29-a6e1-e7a10908d95e</ns1:NameID> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] </ns1:AttributeValue> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] </ns1:Attribute> Aug 11 11:34:20 simplesamlphp DEBUG [ed6e68a42d] </ns1:AttributeStatement> Thank you in advance for any help! Jakub

4 years, 10 months

2
7
0 0

KeyError when routing to frontend

by ymniezab＠cyfronet.krakow.pl

Hello, We are trying to use Satosa as proxy for Keycloak. After successful login backend receives attributes and tries to route them to frontend named Saml2IDP (same name as in the example) but fails: [2021-08-05 11:03:50,412] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['sn', 'surname'] mapped to surname [2021-08-05 11:03:50,413] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] backend received attributes: { "sn": [ "czterna" ] } [2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP [2021-08-05 11:03:50,413] [ERROR] [satosa.base.run] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' [2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' The above exception was the direct cause of the following exception: Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/proxy_server.py", line 118, in __call__ resp = self.run(context) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 258, in run raise SATOSAUnknownError("Unknown error") from err satosa.exception.SATOSAUnknownError: Unknown error Thank you in advance for any help!

4 years, 10 months

2
1
0 0

KeyError when routing to frontend

by kuba.michal.n＠gmail.com

Hello, We are trying to use Satosa as proxy for Keycloak. After successful login backend receives attributes and tries to route them to frontend named Saml2IDP (same name as in the example) but fails: [2021-08-05 11:03:50,412] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['sn', 'surname'] mapped to surname [2021-08-05 11:03:50,413] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] backend received attributes: { "sn": [ "czterna" ] } [2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP [2021-08-05 11:03:50,413] [ERROR] [satosa.base.run] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' [2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' The above exception was the direct cause of the following exception: Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/proxy_server.py", line 118, in __call__ resp = self.run(context) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 258, in run raise SATOSAUnknownError("Unknown error") from err satosa.exception.SATOSAUnknownError: Unknown error Thank you in advance for any help!

4 years, 10 months

2
5
0 0

KeyError when routing to frontend

by ymniezab＠cyfronet.krakow.pl

Hello, We are trying to use Satosa as proxy for Keycloak. After successful login backend receives attributes and tries to route them to frontend named Saml2IDP (same name as in the example) but fails: [2021-08-05 11:03:50,412] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['sn', 'surname'] mapped to surname [2021-08-05 11:03:50,413] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] backend received attributes: { "sn": [ "czterna" ] } [2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP [2021-08-05 11:03:50,413] [ERROR] [satosa.base.run] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' [2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run resp = self._run_bound_endpoint(context, spec) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint return spec(context) File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response return self.auth_callback_func(context, self._translate_response(authn_response, context.state)) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process return super().process(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process return self.next(context, data) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish return frontend.handle_authn_response(context, internal_response) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response return self._handle_authn_response(context, internal_response, self.idp) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response request_state = self.load_state(context.state) File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state state_data = state[self.name] File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__ raise KeyError(key) KeyError: 'Saml2IDP' The above exception was the direct cause of the following exception: Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/satosa/proxy_server.py", line 118, in __call__ resp = self.run(context) File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 258, in run raise SATOSAUnknownError("Unknown error") from err satosa.exception.SATOSAUnknownError: Unknown error Thank you in advance for any help!

4 years, 10 months

1
0
0 0

OIDC frontend introspection endpoint

by thijs.kinkhorst＠surf.nl

Hi all, I've set up Satosa as a proxy between a SAML 2.0 backend and an OpenID Connect frontend (OP). This works fine for the basic flow, but the RP indicates they're missing the introspect endpoint. I was looking though the docs but could not find information about support for it. Am I overlooking something or does Satosa not support introspection? Kind regards, Thijs Kinkhorst SURF

5 years, 1 month

3
2
0 0

Exposing SAML 2.0 IdP Entity ID in OIDC Frontend

by christian.franke＠picturepipe.com

Hello, we've been setting up SATOSA as a proxy that uses the SAML 2.0 backend to authenticate against a SAML federation, and provides authentication via the OpenID Connect frontend. We've successfully managed to map attributes from the SAML side to scopes on the OIDC side. However, to qualify these attributes, it seems sensible to also check the SAML entity ID of the IdP that made the assertions. How can we expose the entity ID of the IdP asserting the identity of the user on the OIDC side? All Best, Chris -- Christian Franke reelport GmbH Karl-Heine-Str. 93 04229 Leipzig Germany Email: christian.franke at picturepipe.com GPG-KeyID: 0xB657CF42AE512BEE Phone: +49-157-34575984 Web: http://www.picturepipe.com/ CEO Tilman Scheel Amtsgericht Duisburg, HRB 17622 USt-IdNr.: DE814323473

5 years, 3 months

2
3
0 0

Satosa-Saml2Saml example project

by giuseppe.demarco＠unical.it

Hello everyone, I have pulled up an example project which exemplifies a SATOSA saml2saml proxy demo. Specifically, I use my pySAML2 and SATOSA forks for interoperability with SPID (Italian Digital Identity System) but all this is not necessary for those who do not have the same problems I have! I share as it is, here https://github.com/peppelinux/Satosa-Saml2Spid probably the only convincing innovation for those who already deal with SATOSA, excluding the animated gif in the readme (!), is that my Dockerfile adopts alpine linux, consuming less than half the storage space normally required by Debian and overall I also register a performance gain, but I haven't certain numbers at the moment, only "Human sensations" :') best regards Giuseppe ____________________ Giuseppe De Marco Centro ICT d'Ateneo Università della Calabria 87036 Rende (CS) - Italy Phone: +39 0984 496961 e-mail: giuseppe.demarco at unical.it

5 years, 4 months

1
0
0 0

setting up a saml2-to-oidc proxy

by chris.mailing＠gmx.net

Hello, I'm currently trying to setup SATOSA as a proxy with a SAML2 backend and an OIDC frontend as I have a few apps that only support OIDC connect, but not SAML. Following the doc https://github.com/IdentityPython/SATOSA/blob/master/doc/saml2-to-oidc.md I created the necessary config files, but I can't make much sense out of the configuration parameters as https://github.com/IdentityPython/SATOSA/blob/master/doc/README.md#proxy_co… only describes a few of them and only on a very high level. Most importantly: - are <base_url> and <name> actual (auto-populated?) variables or do I have to replace them? base_url may be obvious (BASE from proxy_conf.yaml?) but what is "name"? - am I really supposed to generate the metadata manually using https://github.com/IdentityPython/SATOSA/blob/master/doc/README.md#saml_met… or is that achieved automatically by "entityid_endpoint: true" already? if not where does the resulting file need to be put an referenced? - with "entityid_endpoint: true" and "entityid: '<base_url>/<name>/metadata'" configured shouldn't I be able to download the SP metadata from this very URL? This doesn't seem to work for me (but may be related to Q1) as I'm only getting "The Service or Identity Provider you requested could not be found." (with various variations of name being "app" or "sp") - which backend endpoints are actually needed for a simple saml2-to-oidc use case? Reading through the mailing list I have only seen some known issues when connecting to Shibboleth as IdP. Are there also known issues or recommended configuration parameters when connecting to a SimpleSAMLphp IdP? Thanks for any pointers! Chris

5 years, 4 months

2
1
0 0

Potential issue w/ deleted subject-identifiers from MongoDB in v7.x

by david.huebner＠daasi.de

Hi folks, this topic probably needs further investigation. I'll share my findings and welcome any ideas on how to further debug this. Maybe someone else has encountered the same problem? We're using Satosa as the basis for various of our deployments. This issue occurs in any v7 version of Satosa and is not limited to only the most recent 7.0.3. The pySAML2 security vulnerability only was the trigger for me to finally upgrade from 6.1.0 which we have been using until now. This upgrade also includes raising the pyop dependency from 3.0.1 to 3.1.0 for what it's worth. I removed as much of our custom config and code as possible, notably switching back to the vanilla OIDC frontend without any modifications. Basically, MongoDB entries for subject-identifier are being deleted whenever another access token is generated (i.e. another user logs in). This leads to all previous access tokens being unusable for accessing userinfo etc.: [Wed Jan 27 13:00:49 2021] [wsgi] [ERROR] [satosa.base] [/usr/local/lib/python3.6/site-packages/satosa/base.py - line 257]: [urn:uuid:652c74dc-bab6-46a4-8be8-d83fa215a281] Uncaught exception ... [Wed Jan 27 13:00:49 2021] [wsgi] File "/usr/local/lib/python3.6/site-packages/pyop/authz_state.py", line 315, in get_user_id_for_subject_identifier [Wed Jan 27 13:00:49 2021] [wsgi] raise InvalidSubjectIdentifier('{} unknown'.format(subject_identifier)) [Wed Jan 27 13:00:49 2021] [wsgi] pyop.exceptions.InvalidSubjectIdentifier: 00000000-0000-0000-0000-000000000002 unknown Consider the following example: 1) Login with Account 1 (sub=00000000-0000-0000-0000-000000000002) 2) Login with Account 2 in another browser (sub=ddd3a947-b5e1-4f59-a757-eab8231aa687) With 6.1.0 MongoDB would now look like this: { _id: ObjectId('60115fab8486770baffef551'), lookup_key: 'superadmin', data: { 'public': '00000000-0000-0000-0000-000000000002' }, modified_ts: 1611751339.31406 } { _id: ObjectId('60115fe08486770baffef5f5'), lookup_key: 'a at b.de', data: { 'public': 'ddd3a947-b5e1-4f59-a757-eab8231aa687' }, modified_ts: 1611751392.2613952 } With 7.x MongoDB contains *only* the following entry instead: { _id: ObjectId('60115fe08486770baffef5f5'), lookup_key: 'a at b.de', data: { 'public': 'ddd3a947-b5e1-4f59-a757-eab8231aa687' }, modified_ts: 1611751392.2613952 } If that makes any difference, we're only using public sub claims: fe_id: openid: [sub] which are generated from LDAP attributes: search_return_attributes: didmosUUID: fe_id I have not yet tested with pairwise claims. Any ideas are much appreciated :) Cheers, David -- David Hübner, Solutions Engineer DAASI International GmbH Europaplatz 3 D-72072 Tübingen Germany phone: +49 7071 407109-0 fax: +49 7071 407109-9 email: david.huebner at daasi.de web: www.daasi.de Sitz der Gesellschaft: Tübingen Registergericht: Amtsgericht Stuttgart, HRB 382175 Geschäftsleitung: Peter Gietz

5 years, 4 months

1
0
0 0

SaToSa throughput problems

by JonathanANewell＠hotmail.com

Hello SaToSa list! We are experiencing unexpected poor performance with SaToSa. (1K requests/minute) . We are seeing very high resource use with XMLSEC binary (default option) and using pyXMLSecurity (crypto_backend configuration) with encryption disabled. Here is our setup: Load Balancer=>EC2=>NGINX=>Gunicorn. (NGINX=>Gunicorn is on the UDS, not network stack) EC2 instance size information: (OS is AWS linux) Model vCPU Memory (GiB) Instance Storage (GiB) Network Bandwidth (Gbps) EBS Bandwidth (Mbps) c5n.2xlarge 8 21 EBS-Only Up to 25 Up to 4,750 Gunicorn is set to the "thread" model: import multiprocessing workers = multiprocessing.cpu_count() * 2 + 1 threads = multiprocessing.cpu_count() * 2 + 1 We have 8 core boxes. Any suggestion on things we may try ? TIA -Jonathan

5 years, 5 months

3
2
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

satosa-users