
Error handling for an edge case of KeyError encountered during 'global_logout'

Open kmsunmin opened this issue 1 year ago • 1 comment

Hi pysaml2 team, we've been using the djangosaml2 library, which uses pysaml2 for SAML SSO, for many years. A few years ago, we started noticing issues during the global_logout method, where pysaml2 tries to find the IdPs/AAs associated with the given name_id of a SAML subject. When I follow the stack trace, I see the KeyError occurs in the 'entities' method of saml/cache.py, where it returns the list of the subject's entities.

Code Version

pysaml2: 7.5.0 (djangosaml2 1.9.3)

Expected Behavior

The KeyError is handled, for instance by raising a logout-related exception. This way, the request can be redirected and the SP application can handle the logout situation (e.g. by overriding djangosaml2's handle_unsupported_slo_exception method).

Current Behavior

A KeyError is raised during the global_logout method when pysaml2 cannot find any IdPs/AAs associated with the SAML subject who wants to log out. The KeyError occurs in the 'entities' method of saml/cache.py, where it returns the list of the subject's entities:

def entities(self, name_id):
    """Returns all the entities of assertions for a subject, disregarding
    whether the assertion still is valid or not.

    :param name_id: The subject identifier, a NameID instance
    :return: A possibly empty list of entity identifiers
    """
    cni = code(name_id)
    # KeyError for self._db[cni]
    return list(self._db[cni].keys())

Possible Solution

Handle the KeyError, for example by raising an exception like LogOutError, so that djangosaml2 can catch it and redirect the request to handle the situation (e.g. the SP application overriding djangosaml2's handle_unsupported_slo_exception()).

  • We also wonder what the maintainers think about this KeyError, in particular whether it might indicate any serious security implications which we don't want to ignore.

Steps to Reproduce

Unfortunately, we have not been able to reproduce this issue, but we have received reports of this KeyError regularly during the last few years. Although we don't know the exact scenario in which it occurs, we think the user's session on the Django application (SP) might have expired and the user then tries to access the SP application again.

We also suspect that clearing the browser cache might help resolve this issue, but we are not certain, as we cannot reproduce it.

I searched the "Issues" section and found several posts related to this KeyError, but I haven't been able to find a solution (most of them are a few years old), so I wanted to reach out here.

Thank you.

kmsunmin, Nov 01 '24 21:11
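The lookup in 'entities' and the handling proposed under Possible Solution, modelled as a stand-alone example (added here, not pysaml2's or djangosaml2's code): code_name_id stands in for saml2.ident.code, LogoutError is a hypothetical exception name, and subjects are plain strings rather than NameID instances.

```python
"""Constructed model of the cache lookup behind the reported KeyError.

Added example, not pysaml2's own code: `code_name_id` stands in for
saml2.ident.code, `LogoutError` is a hypothetical exception name, and the
subject identifiers are plain strings rather than NameID instances.
"""
from typing import Dict, List


class LogoutError(Exception):
    """Hypothetical logout-specific error an SP (e.g. djangosaml2) can catch."""


def code_name_id(name_id: str) -> str:
    # Stand-in for saml2.ident.code(), which serialises a NameID into the
    # string used as the cache key.
    return f"nameid:{name_id}"


class SubjectCache:
    """Minimal model of saml2.cache.Cache: {coded name_id: {entity_id: info}}."""

    def __init__(self) -> None:
        self._db: Dict[str, Dict[str, dict]] = {}

    def set(self, name_id: str, entity_id: str, info: dict) -> None:
        self._db.setdefault(code_name_id(name_id), {})[entity_id] = info

    def entities_unchecked(self, name_id: str) -> List[str]:
        # The behaviour reported in the issue: a subject the cache has never
        # seen (SP session gone, or the session cookie never sent) raises
        # KeyError on the direct subscript.
        return list(self._db[code_name_id(name_id)].keys())

    def entities(self, name_id: str) -> List[str]:
        # Hardened lookup honouring the docstring's "possibly empty list".
        return list(self._db.get(code_name_id(name_id), {}).keys())


def global_logout(cache: SubjectCache, name_id: str) -> List[str]:
    """Model of the logout entry point: with no IdP/AA known for the subject,
    fail with a logout-specific error instead of a bare KeyError."""
    entity_ids = cache.entities(name_id)
    if not entity_ids:
        raise LogoutError(f"no IdP/AA recorded for subject {name_id!r}")
    return entity_ids
```

An SP wrapper can then catch LogoutError and redirect, which a bare KeyError from deep inside the cache does not allow without catching overly broad exceptions.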

Unfortunately, we have not been able to reproduce this issue, but we have received reports of this KeyError regularly during the last few years. Although we don't know the exact scenario in which it occurs, we think the user's session on the Django application (SP) might have expired and the user then tries to access the SP application again.

Hi! I would like to add that you can consistently reproduce this by not sending the saml_session cookie from your client. This often occurs inadvertently because of the SameSite=None attribute when the cookie is exchanged over an insecure (HTTP) connection. As you know, cookies with SameSite=None must be sent over a secure channel.

dino8890, May 13 '25 07:05