
exception on missing optional metadata ValidUntil

Open RamonvdW opened this issue 4 years ago • 11 comments

When adding my SP via the Admin interface and clicking the save button, I get the exception shown below. Metadata is at the bottom of this message. The Django side is the IdP. The SP is running simplesamlphp 1.18.3. validUntil is optional, yet the code seems to assume it is present.

Context: django 2.2.12, djangosaml2idp 0.7.2, pysaml2 5.0.0 (if more context is needed, just ask)

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/options.py", line 606, in wrapper
    return self.admin_site.admin_view(view)(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/utils/decorators.py", line 142, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/sites.py", line 223, in inner
    return view(request, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/options.py", line 1645, in add_view
    return self.changeform_view(request, None, form_url, extra_context)
  File "/usr/local/lib/python3.6/site-packages/django/utils/decorators.py", line 45, in _wrapper
    return bound_method(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/utils/decorators.py", line 142, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/options.py", line 1529, in changeform_view
    return self._changeform_view(request, object_id, form_url, extra_context)
  File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/options.py", line 1572, in _changeform_view
    self.save_model(request, new_object, form, not add)
  File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/options.py", line 1088, in save_model
    obj.save()
  File "/usr/local/lib/python3.6/site-packages/djangosaml2idp/models.py", line 155, in save
    self.metadata_expiration_dt = extract_validuntil_from_metadata(self.local_metadata).replace(tzinfo=None)
  File "/usr/local/lib/python3.6/site-packages/djangosaml2idp/utils.py", line 69, in extract_validuntil_from_metadata
    raise ValidationError(f'Could not extra ValidUntil timestamp from metadata: {e}')
django.core.exceptions.ValidationError: ["Could not extra ValidUntil timestamp from metadata: 'validUntil'"]

SP metadata:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml1-acs.php/default-sp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml2-acs.php/default-sp" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml1-acs.php/default-sp/artifact" index="3"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Ramon</md:GivenName>
    <md:EmailAddress>[email protected]</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

RamonvdW, May 03 '20 09:05

Hi @RamonvdW, it is indeed always considered present now (I never encountered one where it was not present). I've had a look at the metadata specification for this (https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf), and that one states that the entitydescriptor must contain either a validUntil or a cacheDuration, which yours does not have. I'll have a look at dealing with this, so that either property could be provided.

mhindery, May 03 '20 11:05

Thanks for looking into this. As you indicated, either field needs to be present; I will check with 'the other side' what can be done to activate these fields.

RamonvdW, May 05 '20 11:05

@mhindery validUntil could be absent in a real scenario

peppelinux, May 05 '20 12:05

Getting "Could not extra ValidUntil timestamp from metadata: 'validUntil'" when trying to integrate with Zammad (metadata is here: https://support.zammad.com/auth/saml/metadata). The metadata is (probably) generated by ruby-saml, which doesn't add any of the required attributes, see https://github.com/onelogin/ruby-saml/blob/63f43a7f9b830dfd690457a78a78fac48359944f/lib/onelogin/ruby-saml/metadata.rb#L28.

While it seems to violate the specification, it seems quite widespread.

PS: Same thing happens with https://samltest.id/saml/sp

nijel, May 06 '20 14:05

https://github.com/IdentityPython/pysaml2/commit/324656e6321fdf5a80184951d2ecaea644a737d8#diff-66edb09e937a4de1d15f8066572c425aR236

That's for MDQ use cases, but I think that should be applied widely in the field of metadata freshness. Btw, I often suggest using an MDQ as a stop-application :)

peppelinux, May 06 '20 14:05

Unfortunately, I'm also running into this issue while trying to integrate with Questionmark. It looks like they are using some home-built PHP script.

Would you be open to a pull request which makes this field not required, for the sake of all the people who work with non standards compliant service providers?

okke-formsma, Aug 31 '20 17:08

I've found a workaround for our use case: just add a validUntil in the far future and don't fill in the metadata URL.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="xxx">
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="xxx" validUntil="2030-12-09T09:13:31.006Z">

okke-formsma, Aug 31 '20 17:08

@mhindery validUntil could be absent in a real scenario

ping

peppelinux, Aug 31 '20 18:08

I've created an issue for ruby-saml, so that it might eventually be addressed there: https://github.com/onelogin/ruby-saml/issues/563 (it's probably not the only SP generating such metadata, but it is certainly quite widespread).

nijel, Jan 04 '21 14:01

How about adding a configuration option to provide a fallback for expiration? See https://github.com/OTA-Insight/djangosaml2idp/pull/114

nijel, Feb 08 '21 08:02
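The metadata-spec point mhindery raises (an EntityDescriptor carries validUntil or cacheDuration) and nijel's proposed fallback option, as an added example that is not djangosaml2idp's own code: the function below derives an expiration from validUntil, else cacheDuration, else a caller-supplied fallback, and only raises when none of those is available. The sample metadata strings, the entityID, and the fixed "now" are constructed for the example.

```python
# Added example, not djangosaml2idp's own code: compute a metadata expiration the way
# the SAML metadata spec allows (validUntil, else cacheDuration) with an optional
# caller-supplied fallback, instead of raising when validUntil is missing.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# xs:duration subset PnDTnHnMnS; years/months are rejected (they have no fixed length).
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+(?:\.\d+)?)S)?)?$"
)
# Constructed sample: an SP descriptor with neither attribute, like the ones in this thread.
SAMPLE_NO_EXPIRY = f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example/"/>'
# Constructed sample using the far-future validUntil workaround posted in the thread.
SAMPLE_VALID_UNTIL = (f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example/" '
                      'validUntil="2030-12-09T09:13:31.006Z"/>')
FIXED_NOW = datetime(2021, 2, 8, 8, 0, tzinfo=timezone.utc)  # constructed "now" for tests


def parse_duration(value: str) -> timedelta:
    """Parse a day/time-only xs:duration such as PT24H or P7D."""
    m = _DURATION_RE.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported xs:duration: {value!r}")
    return timedelta(days=int(m["d"] or 0), hours=int(m["h"] or 0),
                     minutes=int(m["m"] or 0), seconds=float(m["s"] or 0))


def metadata_expiration(xml_text: str, fallback: Optional[timedelta] = None,
                        now: Optional[datetime] = None) -> datetime:
    """Return the aware UTC instant after which this metadata must be re-fetched, not trusted."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until:
        # xs:dateTime in UTC ("Z"); normalise the suffix so fromisoformat accepts it on Python < 3.11
        return datetime.fromisoformat(valid_until.replace("Z", "+00:00")).astimezone(timezone.utc)
    cache_duration = root.get("cacheDuration")
    if cache_duration:
        return now + parse_duration(cache_duration)  # relative to when the metadata was fetched
    if fallback is not None:
        return now + fallback  # operator-chosen freshness window, as the configuration option proposes
    raise ValueError("metadata has neither validUntil nor cacheDuration and no fallback was given")
```

An IdP that stores the returned instant can refuse, or re-fetch, SP metadata once it has passed, which is the freshness guarantee the spec attributes exist to provide.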

FWIW, Splunk does not include validUntil on its Metadata.

zbragg-s5, Mar 31 '21 16:03