
saml2.response.IncorrectlySigned Internal Server Error

Open MySecondLanguage opened this issue 2 years ago • 6 comments

I am implementing SSO with SAML2 but I am having trouble. I am using these libs: https://github.com/OTA-Insight/djangosaml2idp

https://github.com/IdentityPython/djangosaml2

The SP is working well; there is an issue with the IdP.

This is the error i am getting:

 raise IncorrectlySigned()
saml2.response.IncorrectlySigned
Internal Server Error: /idp/login/process/

and this is my url pattern

urlpatterns = [
    path('accounts/', include('django.contrib.auth.urls')),
    path('idp/', include('djangosaml2idp.urls')),
    path('', TemplateView.as_view(template_name="index.html")),
]

and this is my settings.py file

import saml2
import os
from saml2.saml import NAMEID_FORMAT_EMAILADDRESS, NAMEID_FORMAT_UNSPECIFIED
from saml2.sigver import get_xmlsec_binary



LOGIN_URL = '/accounts/login/'
BASE_URL = 'http://localhost:8000/idp'

# assumes DEBUG and BASE_DIR are defined earlier in settings.py (not shown here)
SAML_IDP_CONFIG = {
    'debug': DEBUG,
    'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin', '/usr/bin']),
    'entityid': '%s/metadata' % BASE_URL,
    # 'entityid': os.path.join(BASE_DIR, 'metadata'),
    'description': 'Example IdP setup',

    'service': {
        'idp': {
            'name': 'Django localhost IdP',
            'endpoints': {
                'single_sign_on_service': [
                    ('http://localhost:8000/idp/sso/post/', saml2.BINDING_HTTP_POST),
                    ('http://localhost:8000/idp/sso/redirect/', saml2.BINDING_HTTP_REDIRECT),
                ],
                "single_logout_service": [
                    ("http://localhost:8000/idp/slo/post/", saml2.BINDING_HTTP_POST),
                    ("http://localhost:8000/idp/slo/redirect/", saml2.BINDING_HTTP_REDIRECT)
                ],
            },
            'name_id_format': [NAMEID_FORMAT_EMAILADDRESS, NAMEID_FORMAT_UNSPECIFIED],
            'sign_response': True,
            'sign_assertion': True,
            'want_authn_requests_signed': True,
        },
    },

    # Signing
    'key_file': os.path.join(BASE_DIR, 'certificates/private.key'),
    'cert_file': os.path.join(BASE_DIR, 'certificates/public.cert'),
    # Encryption
    'encryption_keypairs': [{
        'key_file': os.path.join(BASE_DIR, 'certificates/private.key'),
        'cert_file': os.path.join(BASE_DIR, 'certificates/public.cert'),
    }],
    'valid_for': 365 * 24,

    "metadata": {
        "local": [
            os.path.join(BASE_DIR, 'metadata')
        ],
    },
}


# Each key in this dictionary is a SP our IDP will talk to

SAML_IDP_SPCONFIG = {
    'http://localhost:8000/saml2/metadata': {
        'processor': 'djangosaml2idp.processors.BaseProcessor',
        'attribute_mapping': {
            'email': 'email',
            'first_name': 'first_name',
            'last_name': 'last_name',
            'is_staff': 'is_staff',
            'is_superuser':  'is_superuser',
        }
    }
}

Everything is working well, but when it redirects to the /idp/login/process/ URL it fires the error. Can anyone help me to solve this issue?

MySecondLanguage, Oct 17 '21 23:10

Do you know which binding is being used? If you are using the HTTP-REDIRECT binding, the signature must be in the Authn request itself as the pysaml2 library doesn't yet support passing the signature via a URL query parameter. See this pull request.

If you are using the HTTP-POST binding, double check there is a signature in the Authn request.

charron-tom, Oct 18 '21 02:10
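The distinction in the answer above is the whole point of the error: with the HTTP-Redirect binding the AuthnRequest is deflated and base64-encoded into the SAMLRequest query parameter, and the signature cannot live inside that XML; it travels as separate SigAlg and Signature query parameters, and the IdP has to rebuild the exact octet string the SP signed before it can verify anything. With HTTP-POST the signature is a ds:Signature element inside the XML itself. The following is an added example (not code from djangosaml2idp or pysaml2) that shows, for each binding, where an IdP must look for the signature and what it has to reconstruct. The AuthnRequest samples are constructed, the ds:Signature in the "signed" one is a placeholder, and the cryptographic check of the reconstructed octets against the SP's certificate (which pysaml2 performs) is deliberately left out.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlencode, urlsplit

BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample requests (not real SP output). The "signed" one carries
# only a placeholder ds:Signature element to show where the IdP looks.
UNSIGNED_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2021-10-17T00:00:00Z"/>'
)
SIGNED_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed2" Version="2.0" IssueInstant="2021-10-17T00:00:00Z">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_request(xml_text: str) -> str:
    """Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_request(saml_request_b64: str) -> str:
    """Inverse of encode_redirect_request: base64-decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(saml_request_b64), -15).decode()


def encode_post_request(xml_text: str) -> str:
    """POST binding: plain base64 of the XML, no DEFLATE step."""
    return base64.b64encode(xml_text.encode()).decode()


def redirect_signed_input(saml_request_b64: str, relay_state, sig_alg: str) -> bytes:
    """Octet string the SP signed (SAML Bindings 3.4.4.1): fixed parameter
    order, each value URL-encoded, RelayState omitted entirely when absent."""
    parts = ["SAMLRequest=" + quote(saml_request_b64, safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(sig_alg, safe=""))
    return "&".join(parts).encode()


def build_redirect_url(sso_url, saml_request_b64, sig_alg, signature_b64, relay_state=None):
    """What an SP sends the browser to for the redirect binding (constructed)."""
    params = {"SAMLRequest": saml_request_b64}
    if relay_state is not None:
        params["RelayState"] = relay_state
    params.update({"SigAlg": sig_alg, "Signature": signature_b64})
    return sso_url + "?" + urlencode(params)


def query_params(url: str) -> dict:
    """Flatten the query string of a redirect-binding URL to single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def locate_signature(binding: str, params: dict):
    """Where the IdP must look for the AuthnRequest signature.

    Redirect: SigAlg/Signature query parameters beside SAMLRequest;
              returns ("query", signed_input_bytes, signature_b64).
    POST:     a ds:Signature element inside the XML; returns ("xml", element).
    Returns None when no signature is present for the binding in use.
    """
    if binding == BINDING_HTTP_REDIRECT:
        if "SigAlg" not in params or "Signature" not in params:
            return None
        signed = redirect_signed_input(
            params["SAMLRequest"], params.get("RelayState"), params["SigAlg"])
        return ("query", signed, params["Signature"])
    if binding == BINDING_HTTP_POST:
        # Parse untrusted XML with defusedxml in production; stdlib ET is
        # used here only because the input is a constructed sample.
        xml_text = base64.b64decode(params["SAMLRequest"]).decode()
        sig = ET.fromstring(xml_text).find(f".//{{{DS_NS}}}Signature")
        return None if sig is None else ("xml", sig)
    raise ValueError(f"unsupported binding: {binding}")


if __name__ == "__main__":
    req = encode_redirect_request(UNSIGNED_AUTHN_REQUEST)
    url = build_redirect_url("http://localhost:8000/idp/sso/redirect/", req,
                             "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "AAAA")
    print(locate_signature(BINDING_HTTP_REDIRECT, query_params(url)))
    print(locate_signature(BINDING_HTTP_REDIRECT, {"SAMLRequest": req}))
```

Two practical notes for whoever debugs this on the IdP side: a redirect request that reaches the login step with SAMLRequest but without SigAlg and Signature in the stored data is exactly the case that fails verification when `want_authn_requests_signed` is on, and the URL-encoding used when rebuilding the signed string must match what the SP used byte for byte (some encoders leave `/` unescaped, others emit `%2F`), which is why verifying against the raw query string as received is the safest choice.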

How do I use the HTTP-POST binding? I am using this djangosaml2idp example source code.

How can I use the HTTP-POST binding, as djangosaml2idp handles the request at /idp/login/process/?

Can you please have a look at my settings? I have already added them above.

MySecondLanguage, Oct 19 '21 02:10

Hi, can anyone help me to fix this?

MySecondLanguage, Oct 20 '21 08:10

It appears to be supported now, in https://github.com/IdentityPython/pysaml2/commit/718cf98a3baba4642ca9321e05115157c0d387dd

subbergunz, Jan 18 '22 14:01

I am now testing this diff:

# diff -c /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py.orig /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py
*** /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py.orig	2022-01-18 15:08:14.414687736 +0100
--- /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py	2022-01-18 16:01:56.845308818 +0100
***************
*** 56,61 ****
--- 56,66 ----
      request.session['Binding'] = binding
      request.session['SAMLRequest'] = saml_request
      request.session['RelayState'] = passed_data.get('RelayState', '')
+     if binding == BINDING_HTTP_REDIRECT:
+         if 'SigAlg' in passed_data:
+             request.session['SigAlg'] = passed_data.get('SigAlg')
+         if 'Signature' in passed_data:
+             request.session['Signature'] = passed_data.get('Signature')
  
  
  @never_cache
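Review bot: the added `if 'SigAlg' in passed_data` / `if 'Signature' in passed_data` guards only write the session keys when the parameters are present, so values left over from an earlier redirect request in the same session would later be paired with a different `SAMLRequest`; store them unconditionally (`request.session['SigAlg'] = passed_data.get('SigAlg')`, likewise for `Signature`) or `pop` the keys when absent, so the session never carries a stale signature. Also, `BINDING_HTTP_REDIRECT` is referenced here but the diff shows no import for it; confirm `views.py` already imports it from `saml2`.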
***************
*** 233,239 ****
              idp_server = IDP.load()
  
              # Parse incoming request
!             req_info = idp_server.parse_authn_request(request.session['SAMLRequest'], binding)
  
              # check SAML request signature
              try:
--- 238,247 ----
              idp_server = IDP.load()
  
              # Parse incoming request
!             if binding == BINDING_HTTP_REDIRECT:
!                 req_info = idp_server.parse_authn_request(request.session['SAMLRequest'], binding, relay_state=request.session.get('RelayState', None), sigalg=request.session.get('SigAlg', None), signature=request.session.get('Signature', None))
!             else:
!                 req_info = idp_server.parse_authn_request(request.session['SAMLRequest'], binding)
  
              # check SAML request signature
              try:
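Review bot: the redirect-branch call on the `req_info = idp_server.parse_authn_request(...)` line is far too long for one line; put `relay_state=`, `sigalg=` and `signature=` on separate lines. Since all three are read from the session with a default of `None`, the `else` branch is redundant if `parse_authn_request` treats `None` as "not supplied" (the POST branch passes nothing, which is the same thing), so the two branches can collapse into a single call. Finally, with `want_authn_requests_signed` enabled, the `# check SAML request signature` block that follows should be confirmed to reject a redirect request whose `Signature` never reached the session, rather than accepting it as unsigned.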

subbergunz, Jan 18 '22 15:01

In my case to get the example working I had to set:

            'sign_response': False,
            'sign_assertion': False,
            'want_authn_requests_signed': False,

to sp.settings.py and idp.settings.py

MathieuB1, Aug 04 '22 09:08