10:15 a.m.
Hi,
sorry for the late response.
Both SATOSA_STATE and SATOSA_STATE_LEGACY exist as seen in my browser
(/Saml2IDP/acs/post):
[image: image.png]
Same cookies are also visible in logs from satosa
[satosa.base._load_state]. I have captured requests to /acs/post using zap,
SATOSA_STATE cookie is visible in request header.
I have analyzed response from keycloak. Field InResponseTo matches ID from
AuthnRequest. What other fields should I look for?
I have set unsolicited_responses: true in backend config, but the errors
are still occuring.
Thank you for your help.
Jakub
czw., 5 sie 2021 o 15:48 Giuseppe De Marco <giuseppe.demarco at unical.it>
napisał(a):
Just debug the http response headers from keycloack
Can you see the satosa state cookie when you post the response to your
saml2 backend ? To ACS url
Another one Is, do you allow unsolicited_responses in your Saml2 backend
when you execute satosa in a pool of workers?
Il gio 5 ago 2021, 15:38 Jakub Niezabitowski <kuba.michal.n at gmail.com> ha
scritto:
Hi Giuseppe,
thank you for Your response.
The flow starts with SP sending request to Satosa frontend, then request
is passed to backend and processed by Keycloak (the only IdP, so discovery
shouldn't be needed if I'm right).
After successful login Keycloak shows active session for user and there
is no need to type in credentials after refreshing/revisiting site. I think
cookies should be passed.
Correct me if I get something wrong. I can provide my config for
reference.
Thank You for your support
czw., 5 sie 2021 o 15:15 Giuseppe De Marco <giuseppe.demarco at unical.it>
napisał(a):
------------------------------------------------------------------------------------------------------------------
Il banner è generato automaticamente dal servizio di posta elettronica
dell'Università della Calabria
[image: http://www.unical.it/5x1000] <http://www.unical.it/5x1000>
Hi Jakub,
It seems to be and inconsistent state of the session.
Did you start the authn flow directly from a Discovery Service Page?
This could be a cause.
Is there the possibility that the satosa cookies have not been passed by
the browser?
Il gio 5 ago 2021, 14:40 Jakub Niezabitowski <kuba.michal.n at gmail.com>
ha scritto:
Hello,
We are trying to use Satosa as proxy for Keycloak. After successful
login backend receives attributes and tries to route them to frontend named
Saml2IDP (same name as in the example) but fails:
[2021-08-05 11:03:50,412] [DEBUG] [satosa.attribute_mapping.to_internal] backend
attribute ['sn', 'surname'] mapped to surname
[2021-08-05 11:03:50,413] [DEBUG] [satosa.backends.saml2._translate_response]
[urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] backend received attributes:
{
"sn": [
"czterna"
]
}
[2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing]
[urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP
[2021-08-05 11:03:50,413] [ERROR] [satosa.base.run]
[urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in
run
resp = self._run_bound_endpoint(context, spec)
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in
_run_bound_endpoint
return spec(context)
File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line
350, in authn_response
return self.auth_callback_func(context, self._translate_response(authn_response,
context.state))
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in
_auth_resp_callback_func
context, internal_response)
File
"/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py",
line 17, in process
return super().process(context, data)
File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py",
line 33, in process
return self.next(context, data)
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in
_auth_resp_finish
return frontend.handle_authn_response(context, internal_response)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line
86, in handle_authn_response
return self._handle_authn_response(context, internal_response, self.idp)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line
317, in _handle_authn_response
request_state = self.load_state(context.state)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line
149, in load_state
state_data = state[self.name]
File "/usr/lib64/python3.6/collections/__init__.py", line 991, in
__getitem__
raise KeyError(key)
KeyError: 'Saml2IDP'
[2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240, in
run
resp = self._run_bound_endpoint(context, spec)
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180, in
_run_bound_endpoint
return spec(context)
File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py", line
350, in authn_response
return self.auth_callback_func(context, self._translate_response(authn_response,
context.state))
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149, in
_auth_resp_callback_func
context, internal_response)
File
"/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py",
line 17, in process
return super().process(context, data)
File "/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py",
line 33, in process
return self.next(context, data)
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120, in
_auth_resp_finish
return frontend.handle_authn_response(context, internal_response)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line
86, in handle_authn_response
return self._handle_authn_response(context, internal_response, self.idp)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line
317, in _handle_authn_response
request_state = self.load_state(context.state)
File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line
149, in load_state
state_data = state[self.name]
File "/usr/lib64/python3.6/collections/__init__.py", line 991, in
__getitem__
raise KeyError(key)
KeyError: 'Saml2IDP'
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/satosa/proxy_server.py", line
118, in __call__
resp = self.run(context)
File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 258, in
run
raise SATOSAUnknownError("Unknown error") from err
satosa.exception.SATOSAUnknownError: Unknown error
Thank you in advance for any help!
_______________________________________________
satosa-users mailing list
satosa-users at lists.sunet.se
https://lists.sunet.se/listinfo/satosa-users
------------------------------------------------------------------------------------------------------------------
Il banner è generato automaticamente dal servizio di posta elettronica
dell'Università della Calabria
[image: http://www.unical.it/5x1000] <http://www.unical.it/5x1000>