Hi Giuseppe,
thank you for your response.
The flow starts with the SP sending a request to the Satosa frontend, then the request
is passed to the backend and processed by Keycloak (the only IdP, so discovery
shouldn't be needed if I'm right).
After a successful login Keycloak shows an active session for the user and there
is no need to type in credentials after refreshing/revisiting the site. I think
cookies should be passed.
Correct me if I get something wrong. I can provide my config for
reference.
Thank you for your support
On Thu, 5 Aug 2021 at 15:15, Giuseppe De Marco <giuseppe.demarco at unical.it>
wrote:
Hi Jakub,
It seems to be an inconsistent state of the session.
Did you start the authn flow directly from a Discovery Service Page?
This could be a cause.
Is there the possibility that the satosa cookies have not been passed
by the browser?
On Thu, 5 Aug 2021, 14:40 Jakub Niezabitowski <kuba.michal.n at gmail.com>
wrote:
> Hello,
>
> We are trying to use Satosa as proxy for Keycloak. After successful
> login backend receives attributes and tries to route them to frontend named
> Saml2IDP (same name as in the example) but fails:
>
> [2021-08-05 11:03:50,412] [DEBUG] [satosa.attribute_mapping.to_internal] backend
attribute ['sn', 'surname'] mapped to surname
>
> [2021-08-05 11:03:50,413] [DEBUG] [satosa.backends.saml2._translate_response]
[urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] backend received attributes:
>
> {
>
> "sn": [
>
> "czterna"
>
> ]
>
> }
>
> [2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing]
[urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP
>
> [2021-08-05 11:03:50,413] [ERROR] [satosa.base.run]
[urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception
>
> Traceback (most recent call last):
>
> File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240,
in run
>
> resp = self._run_bound_endpoint(context, spec)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180,
in _run_bound_endpoint
>
> return spec(context)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py",
line 350, in authn_response
>
> return self.auth_callback_func(context, self._translate_response(authn_response,
context.state))
>
> File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149,
in _auth_resp_callback_func
>
> context, internal_response)
>
> File
"/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py",
line 17, in process
>
> return super().process(context, data)
>
> File
"/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33,
in process
>
> return self.next(context, data)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120,
in _auth_resp_finish
>
> return frontend.handle_authn_response(context, internal_response)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py",
line 86, in handle_authn_response
>
> return self._handle_authn_response(context, internal_response, self.idp)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py",
line 317, in _handle_authn_response
>
> request_state = self.load_state(context.state)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py",
line 149, in load_state
>
> state_data = state[self.name]
>
> File "/usr/lib64/python3.6/collections/__init__.py", line 991, in
__getitem__
>
> raise KeyError(key)
>
> KeyError: 'Saml2IDP'
>
> [2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error
>
> Traceback (most recent call last):
>
> File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 240,
in run
>
> resp = self._run_bound_endpoint(context, spec)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 180,
in _run_bound_endpoint
>
> return spec(context)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/backends/saml2.py",
line 350, in authn_response
>
> return self.auth_callback_func(context, self._translate_response(authn_response,
context.state))
>
> File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 149,
in _auth_resp_callback_func
>
> context, internal_response)
>
> File
"/usr/local/lib/python3.6/site-packages/satosa/micro_services/attribute_modifications.py",
line 17, in process
>
> return super().process(context, data)
>
> File
"/usr/local/lib/python3.6/site-packages/satosa/micro_services/base.py", line 33,
in process
>
> return self.next(context, data)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 120,
in _auth_resp_finish
>
> return frontend.handle_authn_response(context, internal_response)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py",
line 86, in handle_authn_response
>
> return self._handle_authn_response(context, internal_response, self.idp)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py",
line 317, in _handle_authn_response
>
> request_state = self.load_state(context.state)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py",
line 149, in load_state
>
> state_data = state[self.name]
>
> File "/usr/lib64/python3.6/collections/__init__.py", line 991, in
__getitem__
>
> raise KeyError(key)
>
> KeyError: 'Saml2IDP'
>
> The above exception was the direct cause of the following exception:
>
> Traceback (most recent call last):
>
> File "/usr/local/lib/python3.6/site-packages/satosa/proxy_server.py",
line 118, in __call__
>
> resp = self.run(context)
>
> File "/usr/local/lib/python3.6/site-packages/satosa/base.py", line 258,
in run
>
> raise SATOSAUnknownError("Unknown error") from err
>
> satosa.exception.SATOSAUnknownError: Unknown error
>
>
> Thank you in advance for any help!
> _______________________________________________
> satosa-users mailing list
> satosa-users at lists.sunet.se
>
https://lists.sunet.se/listinfo/satosa-users
>
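The failure pattern in the log above (a request routed to a frontend, then `KeyError` on that frontend's name in `load_state`) can be picked out of a proxy log mechanically. The following is an added example, not part of the thread and not SATOSA code; the function names are hypothetical and the sample is condensed from the quoted log with wrapped lines rejoined.

```python
import re

# Record header as seen in the log above:
# [timestamp] [LEVEL] [logger] optional-[urn:uuid:...] message
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[(?P<logger>[^\]]+)\]"
    r"(?: \[(?P<sid>urn:uuid:[0-9a-f-]+)\])? ?(?P<msg>.*)$"
)
ROUTED = re.compile(r"Routing to frontend: (\S+)")
KEYERR = re.compile(r"^KeyError: '([^']+)'\s*$", re.M)

def parse_records(text):
    """Group lines into records; traceback lines attach to the preceding header."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(dict(m.groupdict(), body=[]))
        elif records and line.strip():
            records[-1]["body"].append(line.strip())
    return records

def find_lost_frontend_state(text):
    """Return (session id, frontend) pairs where the frontend the response was
    routed to had no entry in the state (KeyError on its own name)."""
    routed, findings = {}, []
    for rec in parse_records(text):
        sid = rec["sid"]
        if sid is None:
            continue
        m = ROUTED.search(rec["msg"])
        if m:
            routed[sid] = m.group(1)
        elif rec["level"] == "ERROR" and sid in routed:
            if routed[sid] in KEYERR.findall("\n".join(rec["body"])):
                findings.append((sid, routed[sid]))
    return findings

# Sample condensed from the quoted log (traceback shortened to its last frame).
SAMPLE = """\
[2021-08-05 11:03:50,413] [DEBUG] [satosa.routing.frontend_routing] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Routing to frontend: Saml2IDP
[2021-08-05 11:03:50,413] [ERROR] [satosa.base.run] [urn:uuid:6e039cb0-5454-4224-987e-1965c623cad9] Uncaught exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/satosa/frontends/saml2.py", line 149, in load_state
KeyError: 'Saml2IDP'
[2021-08-05 11:03:50,416] [ERROR] [satosa.proxy_server.__call__] Unknown error
"""

if __name__ == "__main__":
    for sid, frontend in find_lost_frontend_state(SAMPLE):
        print(f"{sid}: no state stored for frontend {frontend!r}")
```

A hit means the response arrived with a state that never held the frontend's entry, which is the condition the replies attribute to a missing cookie or a flow that did not start at the frontend.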