consoleme
ConsoleMe and AWS SSO integration bug
The following error occurs when linking with AWS SSO locally:
2022-08-05 15:37:23,402 - WARNING - tornado.access - [web.py:2271 - log_request() ] - 403 GET /api/v2/user_profile (::1) 377.89ms
{"asctime": "2022-08-05T15:37:23Z+0900", "name": "consoleme", "processName": "MainProcess", "filename": "exceptions.py", "funcName": "__init__", "levelname": "ERROR", "lineno": 14, "module": "exceptions", "threadName": "MainThread", "message": "Unable to authenticate the user by SAML. Redirecting to authentication endpoint", "eventTime": "2022-08-04T23:36:13.551503-07:00", "hostname": "", "timestamp": "2022-08-05T15:37:23Z+0900"}
{"asctime": "2022-08-05T15:37:23Z+0900", "name": "consoleme", "processName": "MainProcess", "filename": "saml.py", "funcName": "authenticate_user_by_saml", "levelname": "ERROR", "lineno": 70, "module": "saml", "threadName": "MainThread", "message": null, "function": "consoleme.lib.saml.authenticate_user_by_saml", "error": "SAML Response not found, Only supported HTTP_POST Binding", "eventTime": "2022-08-04T23:36:13.551503-07:00", "hostname": "", "timestamp": "2022-08-05T15:37:23Z+0900"}
My SAML config:
# Warning: The following configuration file is an example, and it is insecure by default. Please carefully
# review and change values accordingly before deploying to a production environment. You are responsible
# for your deployment.
extends:
  - example_config_base.yaml
  - example_secrets.yaml
auth:
  get_user_by_saml: true
  set_auth_cookie: true
  force_redirect_to_identity_provider: false
get_user_by_saml_settings:
  idp_metadata_url: https://portal.sso.ap-northeast-2.amazonaws.com/saml/metadata/************
  saml_path: example_config/saml_examples
  jwt:
    expiration_hours: 1
    email_key: email
    groups_key: groups
  attributes:
    user: user
    groups: groups
    email: email
  saml_settings:
    debug: true
    # idp:
    #   entityId: https://portal.sso.ap-northeast-2.amazonaws.com/saml/assertion/*********
    #   singleLogoutService:
    #     binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    #     url: https://portal.sso.ap-northeast-2.amazonaws.com/saml/logout/************
    #   singleSignOnService:
    #     binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    #     url: https://portal.sso.ap-northeast-2.amazonaws.com/saml/assertion/**********
    #   x509cert:
    #     ********************
    sp:
      NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      assertionConsumerService:
        binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
        url: http://127.0.0.1:8081/saml/acs
      entityId: http://127.0.0.1:8081
      singleLogoutService:
        binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
        url: http://127.0.0.1:8081/saml/sls
    strict: false
    support:
      emailAddress: [email protected]
      givenName: support_name
    technical:
      emailAddress: [email protected]
      givenName: technical_name
    # security:
    #   authnRequestsSigned: true
    #   digestAlgorithm: http://www.w3.org/2000/09/xmldsig#sha1
    #   logoutRequestSigned: true
    #   logoutResponseSigned: true
    #   nameIdEncrypted: true
    #   signMetadata: true
    #   signatureAlgorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1
    #   wantAssertionsEncrypted: true
    #   wantAssertionsSigned: true
    #   wantMessagesSigned: true
    #   wantNameId: true
    #   wantNameIdEncrypted: false
url: http://127.0.0.1:8081
Browser console:
http://127.0.0.1:3000/auth?redirect_url=http://127.0.0.1:3000  403 Forbidden
http://127.0.0.1:3000/api/v2/user_profile  403 Forbidden
If the start URL is removed in AWS SSO it works temporarily, but then the above error comes back.
consoleme <-> aws sso <-> ldp
When analyzed with SAML-tracer, ConsoleMe sends the request with GET instead of POST:
GET https://portal.sso.ap-northeast-2.amazonaws.com/saml/assertion/MzU3ODM2OTI0MzAzX2lucy0yOTgzNzE0YmE4YTE5YjVi?SAMLRequest=fVNdb9owFH3vr4jynsT5GB8WIGXANqRCIkirsZfJdS4lU2JntlMgv352oC2VOvJi%2Bfqec%2B8592YkSVXWO************** HTTP/1.1
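Added example (not ConsoleMe project code and not from this report) showing how to decode the SAMLRequest carried by a Redirect-binding GET like the one captured above, so the binding the SP actually asked for can be compared with the sp.assertionConsumerService settings in the config. Sending the AuthnRequest by GET is the normal HTTP-Redirect binding; what determines how the Response is returned is the ProtocolBinding and AssertionConsumerServiceURL inside it. The IdP id, the AuthnRequest body and the URL are constructed samples.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample AuthnRequest; the SP values mirror the config above.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example123" '
    'Version="2.0" IssueInstant="2022-08-05T06:37:23Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="http://127.0.0.1:8081/saml/acs">'
    "<saml:Issuer>http://127.0.0.1:8081</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_binding(xml_text: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return base64.b64encode(deflated).decode()


def decode_redirect_binding(b64_param: str) -> str:
    """Reverse the Redirect-binding encoding (URL-decoded value) back to XML."""
    return zlib.decompress(base64.b64decode(b64_param), -15).decode()


def inspect_authn_request(sso_url: str) -> dict:
    """Extract SAMLRequest from an SSO GET URL and report what the SP asked for."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(sso_url).query)
    root = ET.fromstring(decode_redirect_binding(query["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    binding = root.get("ProtocolBinding")
    return {
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "response_binding": binding,
        "response_via_post": binding == HTTP_POST,
    }


# Constructed URL shaped like the captured GET; EXAMPLE_IDP_ID is a placeholder.
SSO_URL = (
    "https://portal.sso.ap-northeast-2.amazonaws.com/saml/assertion/EXAMPLE_IDP_ID?"
    + urllib.parse.urlencode({"SAMLRequest": encode_redirect_binding(SAMPLE_AUTHN_REQUEST)})
)

if __name__ == "__main__":
    print(inspect_authn_request(SSO_URL))
```

If the decoded request shows ProtocolBinding HTTP-POST and the ACS URL the SP expects, the IdP side of the binding is what to check next; a Response arriving by GET or to another URL is what triggers "SAML Response not found, Only supported HTTP_POST Binding".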