Hello,
I am deploying SaToSa version 8. But it seems that the
backend module is failing to map attributes from the IdP to internal proxy attributes.
In fact, after the user is authenticated and has accepted the consent, I got: KeyError 'mail' in
the satosa log.
What could I have missed in the configs?
Below is part of the log:
2022-09-09 20:04:11,840] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['email', 'emailAddress', 'mail']: no value found
satosa-proxy_1 | [2022-09-09 20:04:11,840] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['cn']: no value found
satosa-proxy_1 | [2022-09-09 20:04:11,841] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['sn', 'surname']: no value found
satosa-proxy_1 | [2022-09-09 20:04:11,841] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['eduPersonScopedAffiliation']: no value found
satosa-proxy_1 | [2022-09-09 20:04:11,841] [DEBUG] [satosa.attribute_mapping.to_internal] skipped backend attribute ['eduPersonPrincipalName']: no value found
satosa-proxy_1 | [2022-09-09 20:04:11,842] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:722089a1-b43e-47b0-bd98-2888c96b3a10] backend received attributes:
satosa-proxy_1 | {}
satosa-proxy_1 | [2022-09-09 20:04:11,842] [ERROR] [satosa.base.run] [urn:uuid:722089a1-b43e-47b0-bd98-2888c96b3a10] Uncaught exception
satosa-proxy_1 | Traceback (most recent call last):
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 240, in run
satosa-proxy_1 | resp = self._run_bound_endpoint(context, spec)
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 180, in _run_bound_endpoint
satosa-proxy_1 | return spec(context)
satosa-proxy_1 | File "/src/satosa/src/satosa/backends/saml2.py", line 363, in authn_response
satosa-proxy_1 | return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 141, in _auth_resp_callback_func
satosa-proxy_1 | subject_id = [
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 142, in <listcomp>
satosa-proxy_1 | "".join(internal_response.attributes[attr]) for attr in
satosa-proxy_1 | KeyError: 'mail'
satosa-proxy_1 | [2022-09-09 20:04:11,843] [ERROR] [satosa.proxy_server.__call__] Unknown error
satosa-proxy_1 | Traceback (most recent call last):
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 240, in run
satosa-proxy_1 | resp = self._run_bound_endpoint(context, spec)
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 180, in _run_bound_endpoint
satosa-proxy_1 | return spec(context)
satosa-proxy_1 | File "/src/satosa/src/satosa/backends/saml2.py", line 363, in authn_response
satosa-proxy_1 | return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 141, in _auth_resp_callback_func
satosa-proxy_1 | subject_id = [
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 142, in <listcomp>
satosa-proxy_1 | "".join(internal_response.attributes[attr]) for attr in
satosa-proxy_1 | KeyError: 'mail'
satosa-proxy_1 |
satosa-proxy_1 | The above exception was the direct cause of the following exception:
satosa-proxy_1 |
satosa-proxy_1 | Traceback (most recent call last):
satosa-proxy_1 | File "/src/satosa/src/satosa/proxy_server.py", line 148, in __call__
satosa-proxy_1 | resp = self.run(context)
satosa-proxy_1 | File "/src/satosa/src/satosa/base.py", line 258, in run
satosa-proxy_1 | raise SATOSAUnknownError("Unknown error") from err
satosa-proxy_1 | satosa.exception.SATOSAUnknownError: Unknown error
Hi all,
I need to install Satosa under a path instead of the root of the
webserver, but I can not make endpoint routing work if BASE in
proxy_conf.yaml contains a path (ie. "https://example.com/path"). For
long I was thinking it was a configuration error on my side, but I
realised that also the flow (unit) tests fail if I change the BASE to
such a value.
I've filed a bug under
https://github.com/IdentityPython/SATOSA/issues/404, and I'm already
more than halfway fixing it, but I still can hardly believe that
everybody installs Satosa under "/".
Rewriting the request in the webserver breaks metadata generation,
because it needs to know the external URLs and not the rewritten ones.
It is a possibility to run metadata generation with a slightly different
configuration file, but I'd like to avoid maintaining two sets of
configurations if possible.
Has anybody run into a similar issue?
Kristof
Hello,
after completing another project I had some time to dig into the issue a
little bit deeper. I've come across this site:
https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full…
It turns out my interface was misconfigured. Disabling some offloads solved
the issue and overall loss has dropped significantly.
Thank you for your help!
Jakub
Thu, 2 Sep 2021 at 16:02 Vlad Grigorescu <vlad at es.net> wrote:
> Jakub,
>
> Sorry for the delay on this, I was also out and then it fell off my radar.
>
> I think your answer lies in the missed_bytes field of the conn log. All of
> the connections from your ssh.log had traffic that Zeek did not see. Since
> Zeek has no way of knowing what transpired in those missed bytes, the SSH
> analyzer will never flag those connections as successful or failed.
>
> The mailing list or Slack might have some suggestions on how to determine
> the cause of your missed bytes, and what the solution might be.
>
> --Vlad
>
> On Thu, Aug 19, 2021 at 9:58 AM Jakub Niezabitowski <
> kuba.michal.n at gmail.com> wrote:
>
>> Hello,
>>
>> I will be out for about a week. Sorry for your inconvenience. If there
>> will be any update I will write as soon as I can.
>>
>> Thank you for your support.
>> Jakub
>>
>> Thu, 19 Aug 2021 at 15:25 Jakub Niezabitowski <kuba.michal.n at gmail.com>
>> wrote:
>>
>>> This is output of zeek -v:
>>> ./zeek version 4.1.0-dev.750
>>>
>>> ssh.log:
>>>
>>> {"ts":1629353969.834005,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629355319.70739,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629355326.102184,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629363511.517178,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629359395.93802,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629359403.032656,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629362225.296699,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629361952.911338,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368286.231978,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368323.887805,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368384.265589,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629369473.554433,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629369478.658333,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629363611.176921,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629363530.397083,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629366392.592983,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629365717.892757,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>>
>>> conn.log:
>>>
>>> {"ts":1629353969.732991,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1343.1681571006776,"orig_bytes":10765,"resp_bytes":1249389,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":372560,"history":"ShADadCGcggctgtcFRf","orig_pkts":2290,"orig_ip_bytes":128761,"resp_pkts":1878,"resp_ip_bytes":1005437}
>>>
>>> {"ts":1629355322.821648,"uid":"CBGul41OnibExQK9O6","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":88.76865911483765,"orig_bytes":0,"resp_bytes":1048,"conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^dt","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":4,"resp_ip_bytes":4400}
>>>
>>> {"ts":1629355319.682793,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3674.8831601142885,"orig_bytes":5049,"resp_bytes":2136781,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":9868,"history":"ShADadcgttR","orig_pkts":4225,"orig_ip_bytes":225141,"resp_pkts":4243,"resp_ip_bytes":2382129}
>>>
>>> {"ts":1629355326.076816,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3696.138195991516,"orig_bytes":8641,"resp_bytes":2227993,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":47024,"history":"ShADadcggttcGR","orig_pkts":4504,"orig_ip_bytes":243421,"resp_pkts":4411,"resp_ip_bytes":2454697}
>>>
>>> {"ts":1629363511.478,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":26.2694411277771,"orig_bytes":3497,"resp_bytes":45209,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":28080,"history":"ShADadCGcggFRft","orig_pkts":88,"orig_ip_bytes":6557,"resp_pkts":66,"resp_ip_bytes":23653}
>>>
>>> {"ts":1629363542.919383,"uid":"CpYDAh26XA0tnFjqE8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363548.264316,"uid":"CKIeJ02kp7bqmZHQGa","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363558.951295,"uid":"Cy70hG3xbe0YraNLQ","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363580.29527,"uid":"ClzNXf3uL9jMAKVFN8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363623.047142,"uid":"CM6AG64ej3HoBNCmV6","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629359395.898961,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2406.9871258735659,"orig_bytes":14529,"resp_bytes":1270377,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":231140,"history":"ShADadCGcggtcgTt","orig_pkts":2670,"orig_ip_bytes":152449,"resp_pkts":2337,"resp_ip_bytes":1196833}
>>>
>>> {"ts":1629359402.915081,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2431.203042984009,"orig_bytes":22009,"resp_bytes":3986829,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":401516,"history":"ShADadCGcgtTtgcGgc","orig_pkts":8571,"orig_ip_bytes":467389,"resp_pkts":8341,"resp_ip_bytes":4070913}
>>>
>>> {"ts":1629362225.253584,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":1795.6165931224824,"orig_bytes":23017,"resp_bytes":1719917,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":249976,"history":"ShAdDacggtctTg","orig_pkts":3808,"orig_ip_bytes":221809,"resp_pkts":3676,"resp_ip_bytes":1708085}
>>>
>>> {"ts":1629361952.865328,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2072.1008388996126,"orig_bytes":27917,"resp_bytes":1165281,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":322496,"history":"ShADadCGcgtTgctgc","orig_pkts":3158,"orig_ip_bytes":191313,"resp_pkts":2439,"resp_ip_bytes":1014905}
>>>
>>> {"ts":1629368286.226311,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":31.089575052261354,"orig_bytes":4095,"resp_bytes":7573,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGtFf","orig_pkts":50,"orig_ip_bytes":5807,"resp_pkts":35,"resp_ip_bytes":4377}
>>>
>>> {"ts":1629368323.882291,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":39.62539982795715,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":38,"orig_ip_bytes":4983,"resp_pkts":26,"resp_ip_bytes":3385}
>>>
>>> {"ts":1629368384.260782,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":95.20389604568482,"orig_bytes":4699,"resp_bytes":8045,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":78,"orig_ip_bytes":7855,"resp_pkts":48,"resp_ip_bytes":5441}
>>>
>>> {"ts":1629369473.551176,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4.286886930465698,"orig_bytes":3907,"resp_bytes":7169,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":5108,"history":"ShADadcgtFf","orig_pkts":42,"orig_ip_bytes":6111,"resp_pkts":29,"resp_ip_bytes":3661}
>>>
>>> {"ts":1629369478.65472,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1.974303960800171,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgtTCGFf","orig_pkts":39,"orig_ip_bytes":5535,"resp_pkts":27,"resp_ip_bytes":3909}
>>>
>>> {"ts":1629363611.137711,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":4322.946979999542,"orig_bytes":83385,"resp_bytes":4093093,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":1280948,"history":"ShADadcgcggttcTt","orig_pkts":9754,"orig_ip_bytes":592549,"resp_pkts":7344,"resp_ip_bytes":3280677}
>>>
>>> {"ts":1629363530.35789,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4444.6867852211,"orig_bytes":16493,"resp_bytes":2455029,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":99340,"history":"ShADadCGcgtgctT","orig_pkts":5389,"orig_ip_bytes":295961,"resp_pkts":5126,"resp_ip_bytes":2670001}
>>>
>>> {"ts":1629366392.574032,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5154.938705921173,"orig_bytes":14113,"resp_bytes":49097,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":17616,"history":"ShADadcgCGgc","orig_pkts":699,"orig_ip_bytes":49321,"resp_pkts":433,"resp_ip_bytes":55169}
>>>
>>> {"ts":1629365717.871532,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5869.062443971634,"orig_bytes":25417,"resp_bytes":123257,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":68778,"history":"ShADadcgCGTtgc","orig_pkts":1409,"orig_ip_bytes":97629,"resp_pkts":764,"resp_ip_bytes":96079}
>>>
>>> {"ts":1629378908.289358,"uid":"CgpvjA2SRGDerkjnt7","id.orig_h":"149.156.4.93","id.orig_p":33276,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":12.938737154006958,"orig_bytes":4699,"resp_bytes":8277,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6047,"history":"ShaGADdcgCtFf","orig_pkts":83,"orig_ip_bytes":8127,"resp_pkts":51,"resp_ip_bytes":5913}
>>>
>>> I also append new pcap in case logs for older one have been already
>>> rotated.
>>>
>>> Jakub
>>>
>>> Thu, 19 Aug 2021 at 13:42 Vlad Grigorescu <vlad at es.net> wrote:
>>>
>>>> When I run the PCAP through try.zeek.org, it reports auth_success as
>>>> T, https://try.zeek.org/#/tryzeek/saved/527994
>>>>
>>>> What version of Zeek? To verify that capture loss isn't an issue, can
>>>> you share the line from conn.log that you see for that connection?
>>>>
>>>> On Thu, Aug 19, 2021 at 5:47 AM Jakub Niezabitowski <
>>>> kuba.michal.n at gmail.com> wrote:
>>>>
>>>>> To add some context this is my node.cfg:
>>>>>
>>>>> [logger-1]
>>>>> type=logger
>>>>> host=localhost
>>>>> #
>>>>> [manager]
>>>>> type=manager
>>>>> host=localhost
>>>>> #
>>>>> [proxy-1]
>>>>> type=proxy
>>>>> host=localhost
>>>>> #
>>>>> [worker-1]
>>>>> type=worker
>>>>> host=localhost
>>>>> lb_procs=8
>>>>> lb_method=pf_ring
>>>>> pin_cpus=0,1,2,3,4,5,6,7
>>>>> interface=eth-mirror
>>>>>
>>>>> This machine can handle up to 8GBit/s of traffic, during capture it
>>>>> was about 1GBit/s.
>>>>>
>>>>>
>>>>> Thu, 19 Aug 2021 at 12:42 Jakub Niezabitowski <kuba.michal.n at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> The data was gathered on same network interface as zeek. It was
>>>>>> filtered though to include only related traffic.
>>>>>>
>>>>>> I have logged in using host 149.156.4.93 to machine 149.156.9.136 and
>>>>>> executed few commands. Zeek is not showing auth_success field.
>>>>>>
>>>>>> After reading provided docs (
>>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…).
>>>>>> I assume it could be related to capture losses but it shouldn't. The amount
>>>>>> of traffic was way below average.
>>>>>>
>>>>>> Thank you for your help!
>>>>>> Jakub
>>>>>>
>>>>>>
>>>>>> Wed, 18 Aug 2021 at 14:27 Vlad Grigorescu <vlad at es.net> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Aug 18, 2021 at 03:27 Jakub Niezabitowski <
>>>>>>> kuba.michal.n at gmail.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> {"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"}
>>>>>>>>
>>>>>>>
>>>>>>> This connection had “auth_attempts: 0,” so there was nothing to make
>>>>>>> a determination on.
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> {"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"}
>>>>>>>>
>>>>>>> This connection has “auth_success: false,” so it seems like a
>>>>>>> determination was made?
>>>>>>>
>>>>>>> The docs (
>>>>>>>
>>>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…)
>>>>>>> have a bit more info, but essentially, yes it is expected, and Zeek goes to
>>>>>>> some lengths to avoid false positives and negatives, at the expense of true
>>>>>>> positives. However, that doesn’t seem to be the case here?
>>>>>>>
>>>>>>> —Vlad
>>>>>>>
>>>>>>
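Added example, not part of the thread: the triage described in the reply above, joining ssh.log to conn.log on `uid` and flagging SSH sessions where `auth_success` is absent and the connection shows `missed_bytes` or a content gap in `history`. The log lines are constructed samples with documentation addresses, and the function and verdict names are illustrative assumptions.

```python
import json

# Constructed sample logs (Zeek JSON, one record per line), modelled on the
# fields shown in the thread. Addresses are documentation ranges.
SSH_LOG = """
{"ts":1.0,"uid":"CAAAA1","id.orig_h":"192.0.2.10","id.resp_h":"192.0.2.20","id.resp_p":22,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6"}
{"ts":2.0,"uid":"CBBBB2","id.orig_h":"192.0.2.11","id.resp_h":"192.0.2.20","id.resp_p":22,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1"}
{"ts":3.0,"uid":"CCCCC3","id.orig_h":"192.0.2.12","id.resp_h":"192.0.2.20","id.resp_p":22,"auth_attempts":0,"client":"SSH-2.0-Go"}
"""

CONN_LOG = """
{"ts":1.0,"uid":"CAAAA1","proto":"tcp","orig_bytes":10000,"resp_bytes":90000,"conn_state":"SF","missed_bytes":25000,"history":"ShADadCGcgFf"}
{"ts":2.0,"uid":"CBBBB2","proto":"tcp","orig_bytes":4000,"resp_bytes":6000,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf"}
{"ts":3.0,"uid":"CCCCC3","proto":"tcp","orig_bytes":3000,"resp_bytes":5000,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf"}
"""


def load_json_log(text):
    """Parse a Zeek JSON log (one object per line), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def explain_ssh_auth(ssh_text, conn_text):
    """For every ssh.log record, say whether an auth verdict exists and,
    if not, whether conn.log shows that Zeek missed part of the stream."""
    conn_by_uid = {rec["uid"]: rec for rec in load_json_log(conn_text)}
    report = []
    for ssh in load_json_log(ssh_text):
        conn = conn_by_uid.get(ssh["uid"], {})
        missed = conn.get("missed_bytes", 0)
        payload = conn.get("orig_bytes", 0) + conn.get("resp_bytes", 0)
        # 'g' / 'G' in the history string marks a content gap in either direction.
        gap_seen = "g" in conn.get("history", "").lower()

        if "auth_success" in ssh:
            verdict = "determined"
        elif not conn:
            verdict = "undetermined: no conn.log entry"
        elif missed > 0 or gap_seen:
            verdict = "undetermined: capture gap"
        else:
            verdict = "undetermined: no gap recorded"

        report.append({
            "uid": ssh["uid"],
            "verdict": verdict,
            "missed_bytes": missed,
            # Share of the connection's payload bytes that Zeek never saw.
            "missed_ratio": round(missed / payload, 3) if payload else 0.0,
        })
    return report


if __name__ == "__main__":
    for row in explain_ssh_auth(SSH_LOG, CONN_LOG):
        print(row)
```

A high share of "capture gap" verdicts on a lightly loaded sensor points at the capture path (such as the interface offload settings mentioned above) rather than at the SSH analyzer.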
Hi,
I have updated metadata_tostring_fix function in metadata.py. It's ugly but
it gets the job done:
```python
import re  # added: needed by re.sub below (goes with the other imports in metadata.py)

# Security contact inserted after the existing ContactPerson element.
# The mail client had wrapped this literal; it is a single string.
SECURITY_CONTACT = (
    r'\1<md:ContactPerson xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    r'contactType="other" '
    r'remd:contactType="http://refeds.org/metadata/contactType/security" '
    r'xmlns:remd="http://refeds.org/metadata">'
    r'<md:GivenName>Security Response Team</md:GivenName>'
    r'<md:EmailAddress>mailto:security at xxxxxxxxxxxxxxx</md:EmailAddress>'
    r'</md:ContactPerson>'
)


def metadata_tostring_fix(desc, nspair, xmlstring=""):
    # MDNS, XMLNSXS, bMDNS and bXMLNSXS are the constants already defined in metadata.py
    if not xmlstring:
        xmlstring = desc.to_string(nspair)

    try:
        if "\"xs:string\"" in xmlstring and XMLNSXS not in xmlstring:
            xmlstring = xmlstring.replace(MDNS, MDNS + XMLNSXS)
    except TypeError:
        if b"\"xs:string\"" in xmlstring and bXMLNSXS not in xmlstring:
            xmlstring = xmlstring.replace(bMDNS, bMDNS + bXMLNSXS)

    # to_string() may hand back bytes or str; decode only when needed
    if isinstance(xmlstring, bytes):
        xmlstring = xmlstring.decode("utf-8")  #JN
    xmlstring = re.sub(r'(<\/ns0:ContactPerson>)', SECURITY_CONTACT, xmlstring)  #JN
    return bytes(xmlstring, 'utf-8')  #JN
```
Thu, 2 Sep 2021 at 16:05 Jakub Niezabitowski <kuba.michal.n at gmail.com>
wrote:
> Hello Ivan,
>
> thank you for your quick response. Adding assurance_certification works
> great!
>
> Thu, 2 Sep 2021 at 15:55 Ivan Kanakarakis <ivan.kanak at gmail.com>
> wrote:
>
>> hello Jakub,
>>
>> ## refeds metadata
>>
>> the refeds metadata is not known to pysaml2, and thus there is no way
>> to do this.
>> We can look into adding support and exposing that as part of the
>> configuration.
>>
>> Until that is in place, you can add a post processing rule on your
>> deployment proceed to inject the namespace and element as needed.
>>
>>
>> ## assurance certification
>>
>> To add an assurance certification you can add the following in your
>> saml frontend configuration:
>>
>> ```yaml
>> module: ...
>> name: ...
>> config:
>>   idp_config:
>>     ...
>>     assurance_certification:
>>       - https://refeds.org/sirtfi
>>     ...
>> ```
>>
>>
>> On Thu, 2 Sept 2021 at 15:25, Jakub Niezabitowski
>> <kuba.michal.n at gmail.com> wrote:
>> >
>> > Hello,
>> >
>> > does anybody know how to specify remd:contactType for Satosa front-end?
>> It is necessary for Refeds. Example:
>> >
>> > <md:ContactPerson contactType="other" remd:contactType="
>> http://refeds.org/metadata/contactType/security">
>> > <md:Company>XYZ</md:Company>
>> > <md:GivenName>ABC</md:GivenName>
>> > <md:SurName>Security</md:SurName>
>> > <md:EmailAddress>mailto:security at example.com</md:EmailAddress>
>> > </md:ContactPerson>
>> >
>> > I would be also very thankful for help in adding this static string to
>> metadata:
>> >
>> > <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>> ...>
>> > <md:Extensions>
>> > <mdattr:EntityAttributes
>> xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
>> > <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>> >
>> Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
>> > <saml:AttributeValue>https://refeds.org/sirtfi
>> </saml:AttributeValue>
>> > </saml:Attribute>
>> > </mdattr:EntityAttributes>
>> > </md:Extensions>
>> > </md:EntityDescriptor>
>> >
>> > Thank you in advance for any help
>> > Jakub
>>
>>
>>
>> --
>> Ivan c00kiemon5ter Kanakarakis >:3
>>
>
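Added example, not part of the thread and not SATOSA or pysaml2 code: the post-processing step discussed above, done with an XML parser instead of a regular expression, so that text is escaped, the step can be re-run without duplicating the contact, and already signed metadata is refused because editing it would invalidate the signature. The function names, sample metadata and contact values are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REMD = "http://refeds.org/metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SECURITY_TYPE = "http://refeds.org/metadata/contactType/security"

# Serialise with the conventional prefixes instead of ns0/ns1.
ET.register_namespace("md", MD)
ET.register_namespace("remd", REMD)

# Constructed sample metadata (hypothetical entity), using the ns0 prefix
# that appears in the thread's generated metadata.
SAMPLE = b"""<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://proxy.example.org/idp">
  <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://proxy.example.org/sso"/>
  </ns0:IDPSSODescriptor>
  <ns0:ContactPerson contactType="technical"><ns0:GivenName>Ops</ns0:GivenName></ns0:ContactPerson>
</ns0:EntityDescriptor>"""


def security_contacts(metadata_xml):
    """Return (GivenName, EmailAddress) for each REFEDS security contact."""
    root = ET.fromstring(metadata_xml)
    found = []
    for cp in root.findall(f"{{{MD}}}ContactPerson"):
        if cp.get(f"{{{REMD}}}contactType") == SECURITY_TYPE:
            found.append((cp.findtext(f"{{{MD}}}GivenName"),
                          cp.findtext(f"{{{MD}}}EmailAddress")))
    return found


def add_security_contact(metadata_xml, given_name, email):
    """Return the metadata (bytes) with exactly one REFEDS security contact."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor as root")
    if root.find(f"{{{DS}}}Signature") is not None:
        # Editing signed metadata breaks the enveloped signature:
        # inject first, sign afterwards.
        raise ValueError("metadata is already signed; add the contact before signing")

    # Idempotent: do nothing if a security contact is already present.
    if security_contacts(metadata_xml):
        return ET.tostring(root, encoding="utf-8")

    contact = ET.Element(f"{{{MD}}}ContactPerson", {
        "contactType": "other",
        f"{{{REMD}}}contactType": SECURITY_TYPE,
    })
    ET.SubElement(contact, f"{{{MD}}}GivenName").text = given_name
    if not email.startswith("mailto:"):
        email = "mailto:" + email
    ET.SubElement(contact, f"{{{MD}}}EmailAddress").text = email

    # The metadata schema puts ContactPerson before AdditionalMetadataLocation,
    # so insert ahead of the first one, or at the end if there is none.
    index = len(root)
    for i, child in enumerate(root):
        if child.tag == f"{{{MD}}}AdditionalMetadataLocation":
            index = i
            break
    root.insert(index, contact)
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    print(add_security_contact(SAMPLE, "Security Response Team",
                               "security@example.org").decode("utf-8"))
```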
Hello,
does anybody know how to specify remd:contactType for Satosa front-end? It
is necessary for Refeds. Example:
<md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
<md:Company>XYZ</md:Company>
<md:GivenName>ABC</md:GivenName>
<md:SurName>Security</md:SurName>
<md:EmailAddress>mailto:security at example.com</md:EmailAddress>
</md:ContactPerson>
I would be also very thankful for help in adding this static string to
metadata:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...>
<md:Extensions>
<mdattr:EntityAttributes
xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
<saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes>
</md:Extensions>
</md:EntityDescriptor>
Thank you in advance for any help
Jakub
Hello,
We are trying to use Satosa as proxy for Keycloak. After successful
login backend receives attributes and tries to route them to frontend
named Saml2IDP (same name as in the example) but fails:
[2021-08-05 11:03:50,412] [DEBUG] [satosa.attribute_mapping.to_internal] backend attribute ['sn', 'surname'] mapped to surname
[2021-08-05 11:03:50,413] [DEBUG] [satosa.backends.saml2._translate_response] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] backend received attributes:
{
"sn": [
"czterna"
]
}
[2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP
[2021-08-05 11:03:50,413] [ERROR] [satosa.base.run] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run
resp = self._run_bound_endpoint(context, spec)
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint
return spec(context)
File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response
return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func
context, internal_response)
File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process
return super().process(context, data)
File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process
return self.next(context, data)
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish
return frontend.handle_authn_response(context, internal_response)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response
return self._handle_authn_response(context, internal_response, self.idp)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response
request_state = self.load_state(context.state)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state
state_data = state[self.name]
File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__
raise KeyError(key)
KeyError: 'Saml2IDP'
[2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in run
resp = self._run_bound_endpoint(context, spec)
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in _run_bound_endpoint
return spec(context)
File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line 350, in authn_response
return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in _auth_resp_callback_func
context, internal_response)
File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py", line 17, in process
return super().process(context, data)
File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33, in process
return self.next(context, data)
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in _auth_resp_finish
return frontend.handle_authn_response(context, internal_response)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 86, in handle_authn_response
return self._handle_authn_response(context, internal_response, self.idp)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 317, in _handle_authn_response
request_state = self.load_state(context.state)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state
state_data = state[self.name]
File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__
raise KeyError(key)
KeyError: 'Saml2IDP'
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/satosa/proxy_server.py", line 118, in __call__
resp = self.run(context)
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 258, in run
raise SATOSAUnknownError("Unknown error") from err
satosa.exception.SATOSAUnknownError: Unknown error
Thank you in advance for any help!
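A log triage example for output like the one in this post, added here and not part of the original message or of SATOSA's own code: it groups records by the `urn:uuid` session id, keeps the deepest SATOSA frame and the final exception of each uncaught error, and flags sessions where the `KeyError` key is the name of the frontend being routed to. The function name `triage`, the summary keys and the handling of an optional `container | ` line prefix are assumptions of this example.

```python
import re

# Constructed sample, abridged from the log quoted in the post above.
SAMPLE_LOG = """\
[2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP
[2021-08-05 11:03:50,413] [ERROR] [satosa.base.run] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state
state_data = state[self.name]
File "/usr/lib64/python3.6/collections/__init__.py", line 991, in __getitem__
raise KeyError(key)
KeyError: 'Saml2IDP'
[2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error
"""

PREFIX = re.compile(r"^\S+ \| ")  # assumed optional "container | " prefix
LINE = re.compile(  # [timestamp] [LEVEL] [logger] [session id]? message
    r"^\[[^\]]+\] \[(?P<level>\w+)\] \[[^\]]+\] "
    r"(?:\[(?P<sid>urn:uuid:[0-9a-f-]+)\] )?(?P<msg>.*)$")
FRAME = re.compile(r'^\s*File "(?P<path>[^"]+)", line \d+, in (?P<func>\S+)')
EXC = re.compile(r"^(?P<type>[A-Za-z_][\w.]*): (?P<detail>.*)$")

def triage(log_text):
    """Return {session id: summary} for every session id seen in the log."""
    sessions, current = {}, None
    for raw in log_text.splitlines():
        raw = PREFIX.sub("", raw)
        m = LINE.match(raw)
        if m:  # a new log record ends any traceback being read
            current = None
            if m["sid"]:
                s = sessions.setdefault(
                    m["sid"], {"frontend": None, "frame": None, "error": None})
                if m["msg"].startswith("Routing to frontend: "):
                    s["frontend"] = m["msg"].split(": ", 1)[1]
                elif m["level"] == "ERROR":
                    current = s  # traceback lines that follow belong here
        elif current is not None:
            f, e = FRAME.match(raw), EXC.match(raw)
            if f and "/satosa/" in f["path"]:  # keep the deepest SATOSA frame
                current["frame"] = (f["path"].rsplit("/satosa/", 1)[-1], f["func"])
            elif e:
                current["error"] = (e["type"], e["detail"].strip("'\""))
    for s in sessions.values():
        # True when the lookup that failed in load_state was the frontend's own name
        s["frontend_state_missing"] = (
            s["error"] == ("KeyError", s["frontend"])
            and s["frame"] is not None and s["frame"][1] == "load_state")
    return sessions
```

A session flagged `frontend_state_missing` reached the frontend's `load_state` without an entry under the frontend's name in the session state, which is the lookup `state[self.name]` shown in the traceback.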