
SAML attribute mapping failing

Open oisinBates opened this issue 2 years ago • 3 comments

Is the issue already present in https://github.com/cloudera/hue/issues or discussed in the forum https://discourse.gethue.com?

No

Describe the bug:

When attempting to authenticate users via SAML attribute mapping, Hue throws the following error: backends ERROR attributes[saml_attr] attribute value is missing. Probably the user session is expired.

Googling this error message shows that it is thrown in djangosaml2.

Steps to reproduce it?

I have extended the latest Hue Docker image (and for now have successfully configured SAML authentication with username_source=nameid as a workaround).

When initially configuring SAML authentication, I had noticed the suggestion of attribute mapping as an alternative option for my use-case. I noticed this approach outlined in a forum post, and further research showed the same style solution in the Cloudera documentation.

As per these examples I had configured [libsaml] with:

username_source=attributes
attribute_map_dir=/opt/cloudera/security/saml/attribute_mapping  
user_attribute_mapping='{"uid":"username"}'

I also created the following map at /opt/cloudera/security/saml/attribute_mapping/saml_uri.py:

MAP = {
    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "fro": {
        "uid": "uid",
    },
    "to": {
        "uid": "uid",
    },
}

Finally, on the IdP side I created a custom attribute named uid for consistency with the examples (I had previously tried with the default Active Directory attributes, which also failed with the same error). I confirmed that the uid attribute was present in the IdP response before Hue errored out: <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema">MY-CUSTOM-ID</saml:AttributeValue></saml:Attribute>

Finally, as referenced previously, Hue throws the following error on the backend: backends ERROR attributes[saml_attr] attribute value is missing. Probably the user session is expired. On the frontend authentication fails and enters an infinite loop of page redirects with https://[my-domain]/saml2/acs/ returning a 403 error.

Hue version or source? (e.g. open source 4.5, CDH 5.16, CDP 1.0...). System info (e.g. OS, Browser...).

Open Source 4.10.0

oisinBates avatar Apr 29 '22 21:04 oisinBates
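The config and assertion quoted in the report, as an added offline check (example code written for this page, not Hue's, djangosaml2's or pysaml2's own code). It re-creates in simplified form the two steps between the IdP response and the failing lookup: the attribute map in attribute_map_dir translates SAML attribute names to local names, and djangosaml2 then reads attributes[saml_attr] for each key of user_attribute_mapping. The translation rule (a map applies only to attributes whose NameFormat equals its identifier, and MAP["fro"] is keyed by lower-cased SAML name) is an assumption about pysaml2's AttributeConverter, not copied from it. The saml_uri.py text, the <saml:Attribute> element and the mismatched attribute in the test are constructed from the issue; readable_by only models owner/group/other mode bits, so it ignores ACLs and the root override.

```python
"""Offline check for a Hue/djangosaml2 'attribute value is missing' failure."""
import ast
import stat
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed: the saml_uri.py from the report, as file text.
MAP_FILE_TEXT = '''
MAP = {
    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "fro": {"uid": "uid"},
    "to": {"uid": "uid"},
}
'''

# Constructed: the <saml:Attribute> element quoted in the report.
ATTRIBUTE_XML = (
    '<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="uid" '
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
    '<saml:AttributeValue xsi:type="xs:string" '
    'xmlns:xs="http://www.w3.org/2001/XMLSchema">MY-CUSTOM-ID'
    '</saml:AttributeValue></saml:Attribute>'
)


def load_map(text):
    """Extract the MAP dict from a map file's text without executing it."""
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "MAP" for t in node.targets
        ):
            return ast.literal_eval(node.value)
    raise ValueError("no MAP assignment found in attribute map file")


def parse_attributes(xml_text):
    """Return [(Name, NameFormat, [values])] for every <saml:Attribute>."""
    root = ET.fromstring(xml_text)
    tag = "{%s}Attribute" % SAML_NS
    elems = [root] if root.tag == tag else list(root.iter(tag))
    return [
        (el.get("Name"), el.get("NameFormat"),
         [v.text or "" for v in el.findall("{%s}AttributeValue" % SAML_NS)])
        for el in elems
    ]


def translate(attrs, samlmap):
    """Assumed converter rule: MAP['fro'] applies to attributes whose
    NameFormat equals MAP['identifier']; names are matched case-insensitively."""
    fro = {k.lower(): v for k, v in samlmap.get("fro", {}).items()}
    local = {}
    for name, fmt, values in attrs:
        if fmt != samlmap.get("identifier"):
            continue
        local_name = fro.get(name.lower())
        if local_name:
            local[local_name] = values
    return local


def diagnose(xml_text, map_text, user_attribute_mapping):
    """List the reasons djangosaml2's attributes[saml_attr] lookup would fail."""
    samlmap = load_map(map_text)
    attrs = parse_attributes(xml_text)
    fro = {k.lower() for k in samlmap.get("fro", {})}
    problems = []
    for name, fmt, _values in attrs:
        if fmt != samlmap["identifier"]:
            problems.append("attribute %r has NameFormat %r but the map covers %r"
                            % (name, fmt, samlmap["identifier"]))
        elif name.lower() not in fro:
            problems.append("attribute %r is not a key of MAP['fro']" % name)
    local = translate(attrs, samlmap)
    for saml_attr in user_attribute_mapping:  # keys are the SAML-side names
        if not local.get(saml_attr):
            problems.append("attributes[%r] attribute value is missing after mapping"
                            % saml_attr)
    return problems


def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """Can uid (a member of gids) read a file with these stat fields?
    Models only the owner/group/other bits: no ACLs, no root override."""
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for line in diagnose(ATTRIBUTE_XML, MAP_FILE_TEXT, {"uid": "username"}) or ["ok"]:
        print(line)
```

To run it against a real deployment, replace ATTRIBUTE_XML with the decoded <saml:Assertion> from the IdP response and MAP_FILE_TEXT with the contents of the file in attribute_map_dir; feed readable_by the st_mode, st_uid and st_gid from os.stat on that file together with the uid and group ids of the Hue runtime user.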

This issue is stale because it has been open 30 days with no activity and is not "roadmap" labeled or part of any milestone. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Jun 20 '22 02:06 github-actions[bot]

Commenting to remove 'stale' label.

oisinBates avatar Jun 20 '22 10:06 oisinBates

For reference, I have documented my workaround here - https://medium.com/@bates.oisin/configuring-saml-authentication-for-azure-active-directory-on-hue-73ce784b0e3a

oisinBates avatar Jun 24 '22 14:06 oisinBates

Hi @oisinBates, thanks for reporting this issue and sharing your solution. I apologize for the late reply, we are working on getting our community process back on track.

@wing2fly can you have a look to see if this is something we need to pick up?

bjornalm avatar Feb 21 '23 10:02 bjornalm

@oisinBates, As in the post, please check that the file permissions make it readable by the Hue runtime user. You can find the Hue runtime user by running ps -ef | grep runcpserver or grep rungunicornserver, depending on the version.

NOTE2: make sure hue can read from the saml_uri.py file.
For example:
# chown hue:hue saml_uri.py

Also enable debug in the Hue config by setting django_debug_mode=true. I hope we can see more info from https://github.com/IdentityPython/djangosaml2/blob/109fd9e07fc9ec3bd098aa744b3e158fee29be8b/djangosaml2/backends.py#L104.

wing2fly avatar Feb 21 '23 22:02 wing2fly

This issue is stale because it has been open 30 days with no activity and is not labeled "Prevent stale". Remove "stale" label or comment or this will be closed in 10 days.

github-actions[bot] avatar Mar 24 '23 01:03 github-actions[bot]