I'm still having a problem with signing SSO communication (the same problem that was fixed in Issue #25) #207
Comments
Hey @kartzman, Can you provide more information, for example the configuration you used, the hooks you defined and your app configuration on your Identity Provider? Please redact sensitive information before posting.
Sorry for the delay. What are the "hooks" you are referring to? I didn't define any "hooks". I didn't set up the app configuration on the Identity Provider (Azure). The Azure admin set it up and sent me the metadata file (/var/lib/mailman3/web/azuread.xml). Is that what you want to see? If so, can you tell me what fields are considered sensitive data so I can remove them before posting the rest of that file. Here is the SSO configuration (hostname replaced with "FQDN"):

```python
SAML2_AUTH = {
    'DEBUG': True,
    'METADATA_LOCAL_FILE_PATH': '/var/lib/mailman3/web/azuread.xml',
    'DEFAULT_NEXT_URL': '/mailman3/postorius/lists/',
    'CREATE_USER': False,
    'NEW_USER_PROFILE': {
        'USER_GROUPS': [],
        'ACTIVE_STATUS': True,
        'STAFF_STATUS': False,
        'SUPERUSER_STATUS': False,
    },
    'ATTRIBUTES_MAP': {
        'email': 'emailAddress',
        'username': 'SamAccountName',
        'first_name': 'givenName',
        'last_name': 'surname',
    },
    'WANT_ASSERTIONS_SIGNED': True,
    'AUTHN_REQUESTS_SIGNED': True,
    'WANT_RESPONSE_SIGNED': True,
    'ENTITY_ID': 'https://FQDN/mailman3/saml2_auth/acs/',
    'TOKEN_REQUIRED': False,
}

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'file': {
            'level': 'DEBUG',
            'class': 'logging.FileHandler',
            'filename': '/tmp/debug.log',
        },
    },
    'loggers': {
        'django': {
            'handlers': ['file'],
            'level': 'DEBUG',
            'propagate': True,
        },
        'saml2': {
            'handlers': ['file'],
            'level': 'DEBUG',
            'propagate': True,
        },
    },
}
```
Here is the metadata file with sensitive data removed
Some additional information about the system: By "hooks" do you mean the contents of the urls.py file? If so, that is below:

```python
from django.conf.urls import include, url
from django.contrib import admin
from django.http import Http404
from django.urls import reverse_lazy
from django.views.generic import RedirectView

import django_saml2_auth.views


def not_found(request):
    raise Http404("Signups are disabled on this site.")


urlpatterns = [
    # These are the SAML2 related URLs. You can change "^saml2_auth/" regex to
    # any path you want, like "^sso/", "^sso_auth/", "^sso_login/", etc. (required)
    url(r'^saml2_auth/', include('django_saml2_auth.urls')),
    # The following line will replace the default user login with SAML2 (optional)
    # If you want to specify the after-login-redirect-URL, use parameter "?next=/the/path/you/want"
    # with this view.
    url(r'^accounts/login/$', django_saml2_auth.views.signin),
    url(r'^accounts/logout/$', django_saml2_auth.views.signout, name='logout'),
    url(r'^$', RedirectView.as_view(
        url=reverse_lazy('list_index'),
        permanent=True)),
    url(r'^postorius/', include('postorius.urls')),
    url(r'^hyperkitty/', include('hyperkitty.urls')),
    url(r'', include('django_mailman3.urls')),
    url(r'^accounts/signup', not_found),
    url(r'^accounts/', include('allauth.urls')),
    # Django admin
    url(r'^admin/', admin.site.urls),
]
```
I forgot to mention that there are no problems and the SSO works fine when I set all these to "False". But I get the warning message: That is why I am trying to get it to work with the configuration set to:
If you set all the
I just confirmed with our Azure administrator that we already were signing (at least the assertion and as of last week everything) and still it is not working: 'Yes, that's what we did. We changed the "Signing Option" from "Sign SAML assertion" to "Sign SAML response and assertion"'
@kartzman
OK. I included them and it gets further along -- I get an error from Microsoft: Sorry, but we're having trouble signing you in. The Azure admin gave me this link that says the solution is to use HTTP-POST instead of HTTP-REDIRECT:
The problem is not with the response, it's with the request: `'AUTHN_REQUESTS_SIGNED': True,  # Require each authentication request to be signed`. When WANT_ASSERTIONS_SIGNED and WANT_RESPONSES_SIGNED are True and AUTHN_REQUESTS_SIGNED is False, I don't get the error. Is the authn request sent via HTTP-REDIRECT or HTTP-POST?
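The comment above separates three independent settings: whether the SP requires the IdP's response and assertion to be signed, and whether the SP signs its own AuthnRequest (which needs a key pair and, per the Azure guidance linked in this thread, the HTTP-POST binding). The following is an added example, not code from the issue or from django-saml2-auth: it parses IdP metadata with the standard library and cross-checks it against a `SAML2_AUTH` dict so the mismatch can be caught before a login attempt. The function names (`idp_capabilities`, `check_saml_config`) and the sample metadata are constructed for this example; the metadata stands in for the redacted azuread.xml and uses placeholder URLs.

```python
"""
Added example (not part of the issue or of django-saml2-auth): cross-check a
SAML2_AUTH settings dict against the IdP's metadata before turning on
AUTHN_REQUESTS_SIGNED. Names and sample data here are assumptions/constructed.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata standing in for the redacted azuread.xml.
# entityID and Location values are placeholders, not real endpoints.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.invalid/placeholder">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml2"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def idp_capabilities(metadata_xml):
    """Return (wants_signed_requests, set_of_sso_bindings) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    wants_signed = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
    bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
    return wants_signed, bindings


def check_saml_config(settings, metadata_xml):
    """Return a list of findings; an empty list means SP and IdP agree."""
    wants_signed, bindings = idp_capabilities(metadata_xml)
    findings = []
    sign_requests = bool(settings.get("AUTHN_REQUESTS_SIGNED", False))

    if sign_requests:
        # Signing the AuthnRequest needs the SP's own key pair.
        for key in ("CERT_FILE", "KEY_FILE"):
            if not settings.get(key):
                findings.append(f"AUTHN_REQUESTS_SIGNED is True but {key} is not set")
        # The thread reports Azure accepting signed requests only over HTTP-POST.
        if POST not in bindings:
            findings.append("IdP offers no HTTP-POST SingleSignOnService; "
                            "signed AuthnRequests are reported to fail over HTTP-Redirect")

    if wants_signed and not sign_requests:
        findings.append("IdP sets WantAuthnRequestsSigned=true but "
                        "AUTHN_REQUESTS_SIGNED is False")

    # Inbound signature requirements are independent of request signing.
    for key in ("WANT_ASSERTIONS_SIGNED", "WANT_RESPONSE_SIGNED"):
        if not settings.get(key, False):
            findings.append(f"{key} is False: this SP does not require the IdP to sign it")
    return findings


# Constructed settings mirroring the shape of the config posted in this thread.
EXAMPLE_SETTINGS = {
    "WANT_ASSERTIONS_SIGNED": True,
    "WANT_RESPONSE_SIGNED": True,
    "AUTHN_REQUESTS_SIGNED": True,
    # CERT_FILE / KEY_FILE deliberately absent to show the finding.
}

if __name__ == "__main__":
    for finding in check_saml_config(EXAMPLE_SETTINGS, SAMPLE_METADATA):
        print("-", finding)
```

Run against a real metadata file, the same check tells you whether the IdP advertises `WantAuthnRequestsSigned` and which SSO bindings it offers, which is the information the maintainer asks for above before deciding whether the redirect or POST binding is in play.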
@kartzman
Yes:
Hi. This was all on my test machine. On my production machine, even though I have WANT_ASSERTIONS_SIGNED and WANT_RESPONSES_SIGNED set to True and AUTHN_REQUESTS_SIGNED set to False I still get an error: These errors are showing up even though CERT_FILE and KEY_FILE are specified in the config file. Any idea what could be going wrong?
@kartzman
Mostafa, you are right on the mark! I forgot we only made the configuration change last month for the test server: "We changed the "Signing Option" from "Sign SAML assertion" to "Sign SAML response and assertion"" only for the test server. I just asked him to make the same change for production and now when I have WANT_ASSERTIONS_SIGNED and WANT_RESPONSES_SIGNED set to True and AUTHN_REQUESTS_SIGNED set to False I no longer get the error. I still am getting an error when I set AUTHN_REQUESTS_SIGNED to true. Any suggestions?
I merged the PR #216, thanks to @gregorywong, that I'll release soon. See if setting
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
This issue was closed because it has been stalled for 5 days with no activity. |
Hi. I installed 3.11 and I'm still having the same problem as discussed in issue #25 (Certificate and Key File) that was fixed in 3.11. Here is the relevant part of the log file:
Internal Server Error: /mailman3/accounts/login/