Dear Satosa Users,
I'm trying to create a ResponseMicroService which generates a subject identifier of pairwise-id [1] from the eduPersonTargetedID provided by the Home Organization's IdP.
To avoid collisions, I want the input to the generator for the pairwise-id to contain entityID + '!' + eduPersonTargetedID, but the Response Context doesn't appear to contain the entityID of the originating IdP. Evidently I don't understand the model which SATOSA uses to pass information from backend to frontend...
- Is there a way to access the proxied IdP's entityID from a ResponseMicroService?
- Would it be better to generate the attribute in a RequestMicroService?
- Do microservices act in the order that they're defined in proxy_conf.yaml? For example, can I define a microservice to generate the new attribute from an existing attribute, and then filter out the existing attribute.
Any information appreciated.
Thanks,
Alex
[1] SAML subject identifier attributes, https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-su…
—
Alex Stuart
Principal technical support specialist (UK federation)
alex.stuart at jisc.ac.uk
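One way to build the generator described above, written as an added example rather than code from SATOSA or from the post. It assumes the originating IdP's entityID is exposed on the internal response as data.auth_info.issuer and the requesting SP's entityID as data.requester (the attribute names I recall from SATOSA's InternalData; verify against your installed version), and that the internal attribute names are "eduPersonTargetedID" and "pairwise-id". The class would subclass satosa.micro_services.base.ResponseMicroService in a real deployment; here a minimal stand-in InternalData is constructed so the module runs without satosa installed. The value is derived with a keyed hash over idp_entityID + '!' + ePTID + '!' + sp_entityID, so it is stable per (IdP, user, SP) and not recomputable without the proxy's secret, and the ePTID is dropped in the same micro-service so the result does not depend on chain order in proxy_conf.yaml.

```python
"""Pairwise-id generation from eduPersonTargetedID (added example, see lead-in)."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, List

EPTID_ATTR = "eduPersonTargetedID"   # internal attribute name (assumed)
PAIRWISE_ID_ATTR = "pairwise-id"     # internal attribute name (assumed)

# saml-subject-id-attr v1.0: value is uniqueID@scope, uniqueID 1-127 chars from
# [a-zA-Z0-9=-] (a hex digest fits), scope a lower-case domain name.
_PAIRWISE_ID_RE = re.compile(r"^[a-zA-Z0-9=-]{1,127}@[a-z0-9.-]+$")


def pairwise_id(idp_entity_id: str, eptid: str, sp_entity_id: str,
                scope: str, salt: bytes) -> str:
    """Derive a stable, per-SP, non-reversible subject identifier.

    Input is idp_entityID + '!' + ePTID (as proposed in the post) plus the
    requesting SP's entityID, so two SPs never receive the same value. The salt
    is a proxy-wide secret: without it the value could be recomputed by anyone
    who knows the inputs. Scope is the proxy's own scope, since the proxy is
    the asserting party for the pairwise-id.
    """
    material = "!".join([idp_entity_id, eptid, sp_entity_id]).encode("utf-8")
    digest = hmac.new(salt, material, hashlib.sha256).hexdigest()  # 64 hex chars
    value = f"{digest}@{scope}"
    if not _PAIRWISE_ID_RE.match(value):
        raise ValueError(f"not a valid pairwise-id: {value!r}")
    return value


# Constructed stand-ins for SATOSA's InternalData / AuthenticationInformation.
@dataclass
class AuthInfo:
    issuer: str  # entityID of the IdP that authenticated the user (assumed field)


@dataclass
class InternalData:
    requester: str  # entityID of the SP that sent the request (assumed field)
    auth_info: AuthInfo
    attributes: Dict[str, List[str]] = field(default_factory=dict)


class PairwiseIdMicroService:
    """Stand-in for a SATOSA ResponseMicroService (would subclass it in SATOSA)."""

    def __init__(self, config: dict, *args, **kwargs):
        self.salt = config["salt"].encode("utf-8")
        self.scope = config["scope"]
        self.drop_eptid = config.get("drop_eptid", True)

    def process(self, context, data: InternalData) -> InternalData:
        eptids = data.attributes.get(EPTID_ATTR, [])
        if len(eptids) != 1:
            # No (or ambiguous) ePTID: pass the response through unchanged
            # rather than minting a subject identifier from nothing.
            return data
        data.attributes[PAIRWISE_ID_ATTR] = [
            pairwise_id(data.auth_info.issuer, eptids[0], data.requester,
                        self.scope, self.salt)
        ]
        if self.drop_eptid:
            # Generate, then filter, inside one micro-service: no reliance on
            # the ordering of micro-services in proxy_conf.yaml.
            del data.attributes[EPTID_ATTR]
        # In SATOSA, return super().process(context, data) here so the data
        # is handed to the next micro-service / the frontend.
        return data


def demo() -> InternalData:
    """Run the micro-service over constructed sample data (not real users)."""
    svc = PairwiseIdMicroService({"salt": "replace-with-a-long-random-secret",
                                  "scope": "proxy.example.org"})
    data = InternalData(
        requester="https://sp.example.org/shibboleth",
        auth_info=AuthInfo(issuer="https://idp.example.ac.uk/idp/shibboleth"),
        attributes={
            EPTID_ATTR: ["https://idp.example.ac.uk/idp/shibboleth!"
                         "https://proxy.example.org/sp!abc123"],
            "mail": ["alex@example.ac.uk"],
        },
    )
    return svc.process(context=None, data=data)


if __name__ == "__main__":
    print(demo().attributes)
```

Note that '!' is only an unambiguous separator if it cannot appear in the concatenated parts; entityIDs are URIs and may contain it, so if you are worried about that edge case, length-prefix each part before hashing instead.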
Using a SAML2SAML configuration I get 'Unsupported sign algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'. pysaml2 has supported this for a couple of years.
Has anybody encountered this?
- Rainer
[2019-04-09 21:01:44] [DEBUG]: [urn:uuid:0afc6b35-2ff2-436e-a7db-bb8d2fc877a0] Routing to frontend: Saml2IDP
[2019-04-09 21:01:44] [DEBUG]: [urn:uuid:0afc6b35-2ff2-436e-a7db-bb8d2fc877a0] Filter: ['name', 'telephoneNumber', 'surname', 'givenname', 'mail', 'uid', 'displayname', 'title']
[2019-04-09 21:01:44] [DEBUG]: frontend attribute displayName mapped from displayname
[2019-04-09 21:01:44] [DEBUG]: frontend attribute givenName mapped from givenname
[2019-04-09 21:01:44] [DEBUG]: frontend attribute email mapped from mail
[2019-04-09 21:01:44] [DEBUG]: frontend attribute cn mapped from name
[2019-04-09 21:01:44] [DEBUG]: frontend attribute sn mapped from surname
[2019-04-09 21:01:44] [DEBUG]: frontend attribute uid mapped from uid
[2019-04-09 21:01:44] [DEBUG]: [urn:uuid:0afc6b35-2ff2-436e-a7db-bb8d2fc877a0] returning attributes {"displayName": ["User Test"], "givenName": ["Test"], "email": ["test at bmspot.gv.at"], "cn": ["Test User"], "sn": ["User"], "uid": ["test at bmspot.gv.at"]}
[2019-04-09 21:01:44] [ERROR]: [urn:uuid:0afc6b35-2ff2-436e-a7db-bb8d2fc877a0] Unsupported sign algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
[2019-04-09 21:01:44] [ERROR]: [urn:uuid:0afc6b35-2ff2-436e-a7db-bb8d2fc877a0] Uncaught exception
Traceback (most recent call last):
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 366, in _handle_authn_response
args['sign_alg'] = getattr(xmldsig, sign_alg)
AttributeError: module 'saml2.xmldsig' has no attribute 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 286, in run
resp = self._run_bound_endpoint(context, spec)
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 228, in _run_bound_endpoint
return spec(context)
File "/opt/venv/lib/python3.6/site-packages/satosa/backends/saml2.py", line 238, in authn_response
return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 197, in _auth_resp_callback_func
context, internal_response)
File "/opt/venv/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process
return super().process(context, data)
File "/opt/venv/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process
return self.next(context, data)
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 168, in _auth_resp_finish
return frontend.handle_authn_response(context, internal_response)
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 84, in handle_authn_response
return self._handle_authn_response(context, internal_response, self.idp)
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 370, in _handle_authn_response
raise Exception(errmsg) from e
Exception: Unsupported sign algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
[2019-04-09 21:01:44] [ERROR]: Unknown error
Traceback (most recent call last):
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 366, in _handle_authn_response
args['sign_alg'] = getattr(xmldsig, sign_alg)
AttributeError: module 'saml2.xmldsig' has no attribute 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 286, in run
resp = self._run_bound_endpoint(context, spec)
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 228, in _run_bound_endpoint
return spec(context)
File "/opt/venv/lib/python3.6/site-packages/satosa/backends/saml2.py", line 238, in authn_response
return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 197, in _auth_resp_callback_func
context, internal_response)
File "/opt/venv/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process
return super().process(context, data)
File "/opt/venv/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process
return self.next(context, data)
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 168, in _auth_resp_finish
return frontend.handle_authn_response(context, internal_response)
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 84, in handle_authn_response
return self._handle_authn_response(context, internal_response, self.idp)
File "/opt/venv/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 370, in _handle_authn_response
raise Exception(errmsg) from e
Exception: Unsupported sign algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/opt/venv/lib/python3.6/site-packages/satosa/proxy_server.py", line 113, in __call__
resp = self.run(context)
File "/opt/venv/lib/python3.6/site-packages/satosa/base.py", line 302, in run
raise SATOSAUnknownError("Unknown error") from err
satosa.exception.SATOSAUnknownError: Unknown error
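The traceback shows where the value goes wrong: the frontend does getattr(saml2.xmldsig, sign_alg) with the configured string, and saml2.xmldsig has no attribute named after the full XML-DSig URI, only constants such as SIG_RSA_SHA256 that hold those URIs. The fragment below is an added example, not SATOSA's shipped configuration; it assumes the saml2 frontend reads the algorithms from config keys named sign_alg and digest_alg (the traceback's variable name suggests sign_alg; check the saml2 frontend example shipped with your SATOSA version) and shows the failing setting next to the working one.

```yaml
# Added example (see lead-in); only the keys relevant to the error are shown.
module: satosa.frontends.saml2.SAML2Frontend
name: Saml2IDP
config:
  # ... existing idp_config / endpoints keys unchanged ...

  # Fails with "Unsupported sign algorithm ...": the frontend looks the value
  # up as an attribute of saml2.xmldsig, and no attribute is named after a URI.
  # sign_alg: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

  # Works: name the pysaml2 constant. saml2.xmldsig.SIG_RSA_SHA256 holds the
  # URI above, so the assertion is still signed with RSA-SHA256.
  sign_alg: SIG_RSA_SHA256
  digest_alg: DIGEST_SHA256
```

To confirm the constant exists in the pysaml2 you actually have installed in the venv, run python -c 'from saml2 import xmldsig; print(xmldsig.SIG_RSA_SHA256, xmldsig.DIGEST_SHA256)' and check that it prints the two URIs.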