I'm still having a problem with signing SSO communication (the same problem that was fixed in Issue #25) #207
Comments
|
Hey @kartzman, Can you provide more information, for example the configuration you used, the hooks you defined and your app configuration on your Identity Provider? Please redact sensitive information before posting. |
|
Sorry for the delay. What are the "hooks" you are referring to? I didn't define any "hooks". I didn't set up the app configuration on the Identity Provider (Azure). The Azure admin set it up and sent me the metadata file (/var/lib/mailman3/web/azuread.xml). Is that what you want to see? If so, can you tell me what fields are considered sensitive data so I can remove them before posting the rest of that file. Here is the SSO configuration (hostname replaced with "FQDN"): SAML2_AUTH = {
'DEBUG': True,
'METADATA_LOCAL_FILE_PATH': '/var/lib/mailman3/web/azuread.xml',
'DEFAULT_NEXT_URL': '/mailman3/postorius/lists/',
'CREATE_USER': False,
'NEW_USER_PROFILE': {
'USER_GROUPS': [],
'ACTIVE_STATUS': True,
'STAFF_STATUS': False,
'SUPERUSER_STATUS': False,
},
'ATTRIBUTES_MAP': {
'email': 'emailAddress',
'username': 'SamAccountName',
'first_name': 'givenName',
'last_name': 'surname',
},
'WANT_ASSERTIONS_SIGNED': True,
'AUTHN_REQUESTS_SIGNED': True,
'WANT_RESPONSE_SIGNED': True,
'ENTITY_ID': 'https://FQDN/mailman3/saml2_auth/acs/',
'TOKEN_REQUIRED': False,
}
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'handlers': {
'file': {
'level': 'DEBUG',
'class': 'logging.FileHandler',
'filename': '/tmp/debug.log',
},
},
'loggers': {
'django': {
'handlers': ['file'],
'level': 'DEBUG',
'propagate': True,
},
'saml2': {
'handlers': ['file'],
'level': 'DEBUG',
'propagate': True,
},
},
} |
|
Here is the metadata file with sensitive data removed |
|
Some additional information about the system: By "hooks" do you mean the contents of the urls.py file? If so, that is below: from django.conf.urls import include, url
from django.contrib import admin
from django.http import Http404
from django.urls import reverse_lazy
from django.views.generic import RedirectView
import django_saml2_auth.views
def not_found(request):
raise Http404("Signups are disabled on this site.")
urlpatterns = [
# These are the SAML2 related URLs. You can change "^saml2_auth/" regex to
# any path you want, like "^sso/", "^sso_auth/", "^sso_login/", etc. (required)
url(r'^saml2_auth/', include('django_saml2_auth.urls')),
# The following line will replace the default user login with SAML2 (optional)
# If you want to specific the after-login-redirect-URL, use parameter "?next=/the/path/you/want"
# with this view.
url(r'^accounts/login/$', django_saml2_auth.views.signin),
url(r'^accounts/logout/$', django_saml2_auth.views.signout, name='logout'),
url(r'^$', RedirectView.as_view(
url=reverse_lazy('list_index'),
permanent=True)),
url(r'^postorius/', include('postorius.urls')),
url(r'^hyperkitty/', include('hyperkitty.urls')),
url(r'', include('django_mailman3.urls')),
url(r'^accounts/signup', not_found),
url(r'^accounts/', include('allauth.urls')),
# Django admin
url(r'^admin/', admin.site.urls),
] |
|
I forgot to mention that there are no problems and the SSO works fine when I set all these to "False" But I get the warning message: That is why I am trying to get it to work with the configuration set to: |
|
If you set all the |
|
I just confirmed with our Azure administrator that we already were signing (at least the assertion and as of last week everything) and still it is not working: 'Yes, that's what we did. We changed the "Signing Option" from "Sign SAML assertion" to "Sign SAML response and assertion"' |
|
@kartzman |
|
OK. I included them and it gets further along -- I get an error from Microsoft: Sorry, but we’re having trouble signing you in. The Azure admin gave me this link that says the solution is to use HTTP-POST instead oif HTTP-REDIRECT: |
|
The problem is not with the response, its with the request: 'AUTHN_REQUESTS_SIGNED': True, # Require each authentication request to be signed When WANT_ASSERTIONS_SIGNED and WANT_RESPONSES_SIGNED are True and AUTHN_REQUESTS_SIGNED is False, I don't get the error. Is the authn request sent via HTTP-REDIRECT or HTTP-POST? |
|
@kartzman |
|
Yes: |
|
Hi. This was all on my test machine. On my production machine, even though I have WANT_ASSERTIONS_SIGNED and WANT_RESPONSES_SIGNED set to True and AUTHN_REQUESTS_SIGNED set to False I still get an error: These errors are showing up even though CERT_FILE and KEY_FILE are specified in the config file. Any idea what could be going wrong? |
|
@kartzman |
|
Mostafa, you are right on the mark! I forgot we only made the configuration change last month for the test server: "We changed the "Signing Option" from "Sign SAML assertion" to "Sign SAML response and assertion"' only for the test server. I just asked him to make the same change for production and now when I have WANT_ASSERTIONS_SIGNED and WANT_RESPONSES_SIGNED set to True and AUTHN_REQUESTS_SIGNED set to False I no longer get the error. I still am getting an error when I set AUTHN_REQUESTS_SIGNED to true. Any suggestions? |
|
I merged the PR #216, thanks to @gregorywong, that I'll release soon. See if setting |
|
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
|
This issue was closed because it has been stalled for 5 days with no activity. |
Hi. I installed 3.11 and I'm still having the same problem as discussed in issue #25 (Certificate and Key File) that was fixed in 3.11. Here is the relevant part of the log file:
Internal Server Error: /mailman3/accounts/login/
The text was updated successfully, but these errors were encountered: