django-saml2-auth
getting none for authn_response variable
Line 127, views.py:

```python
authn_response = saml_client.parse_authn_request_response(
    resp, entity.BINDING_HTTP_POST)
if authn_response is None:
    return HttpResponseRedirect(get_reverse([denied, 'denied', 'django_saml2_auth:denied']))
```

I am getting a None value for this authn_response variable, so my website is redirecting to the denied page.
I am helpless with this.
Same problem for me. It is working for Chrome and Firefox, but not for Safari and Internet Explorer. I've used this to integrate my own web app with Okta.
So I actually am having the same issues with this.
After digging in further, it seems the issue happens in parse_authn_request_response, which makes a call to _parse_response in the pysaml2 repo: pysaml2/entities.py.
Where it hits this block:
```python
if response:
    keys = None
    if outstanding_certs:
        try:
            cert = outstanding_certs[response.in_response_to]
        except KeyError:
            keys = None
        else:
            if not isinstance(cert, list):
                cert = [cert]
            keys = []
            for _cert in cert:
                keys.append(_cert["key"])
    only_identity_in_encrypted_assertion = False
    if "only_identity_in_encrypted_assertion" in kwargs:
        only_identity_in_encrypted_assertion = kwargs[
            "only_identity_in_encrypted_assertion"]

    response = response.verify(keys)
```
Since outstanding_certs is None by default, keys gets set to None by this and then does not get anything appended to it, so when response = response.verify(keys) is called, response gets set equal to None. If you comment out that line it will work, because then response is no longer overwritten with None.
Not really sure of the implications of such a change, but I wanted to provide more detail on where it's breaking down.
Would really like to know the proper fix for this.
So, NVM my previous statement. After increasing the verbosity of the logs and changing the Django log config to show all logs for the modules, I identified this error:
```
2017-03-10 02:21:22 - ERROR response.verify 995 - Verification error on the response:
2017-03-10 02:21:22 - ERROR client_base.parse_authn_request_response 606 - XML parse error:
```

which led to finding:

```
2017-03-10 02:12:23 - ERROR response._verify 402 - https://mydomain.net/saml2_auth/acs/ not in [u'http://mydomain.net/saml2_auth/acs/']
```

Essentially, it looks like it was expecting the POST via HTTP and not HTTPS. Not sure where it got this, because I've set the audience and post-back URI all to HTTPS.
I temporarily worked around this by setting my Okta settings to use HTTP instead, confirming this. So the next step is to identify where in the world that HTTP URL is getting set.
Will update as I learn more.
Do you have any updates on this? I have the same problem as described here.
After reviewing these comments, it's more like a pysaml2 issue, right?
So for me it was because r.is_secure() inside get_current_domain(r) was returning False, so it was expecting an http URL instead of an https URL. I have an nginx reverse proxy taking HTTPS connections to the Django app running as a gunicorn process, so the URL was indeed https, thus resulting in my error. I just forced it to expect an https URL in that function and all was fixed for me.
Hi all, if you are using a proxy behind the Django app, you may have forgotten to set the http/https forwarding headers on the proxy properly (like the X_FORWARD... headers).
So Django will get an incorrect URL for your app.
To provide a quick fix, I released a new PyPI version 2.1.1 last night, which adds ASSERTION_URL in SETTINGS. You may want to use it to override the incorrect one detected automatically by Django.
Depending on your HTTP scheme, this setting should look like "ASSERTION_URL": "http(s)://your.domain.name" (no trailing "/").
this is the related PR thread: https://github.com/fangli/django-saml2-auth/pull/23
hope this works.
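The following is an added example, not code from django-saml2-auth or pysaml2, written to make the two fixes in this thread concrete: the diagnosis that request.is_secure() is False behind a TLS-terminating proxy (so the SP builds an http ACS URL that pysaml2's Destination check rejects), and the two ways out, forwarding the scheme from the proxy or overriding the detected base URL with ASSERTION_URL. It models Django's is_secure() and the SP's get_current_domain() with plain functions over a WSGI environ, and the WSGI environ, the host name and the ACS path are constructed for the example.

```python
"""Added example (not django-saml2-auth's or pysaml2's own code).

Reproduces the failure from this thread offline: Django derives the scheme
of the SP's ACS URL from request.is_secure(), which is False when TLS ends
at a proxy that forwards plain HTTP to gunicorn. The SP then builds
http://host/saml2_auth/acs/ while the IdP signed https://host/saml2_auth/acs/
as Destination, and pysaml2's response._verify rejects it with
"<destination> not in [<known ACS URLs>]".
"""

# ACS path django-saml2-auth serves (taken from the log line in the thread).
ACS_PATH = "/saml2_auth/acs/"


def request_is_secure(environ, trust_forwarded_proto=False):
    """Model of Django's request.is_secure().

    Django only honours X-Forwarded-Proto when settings.SECURE_PROXY_SSL_HEADER
    is configured; `trust_forwarded_proto` stands in for that setting here.
    Only enable it when every request reaches the app through a proxy that
    overwrites the header, otherwise a client can spoof "https" itself.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_forwarded_proto:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def current_domain(environ, trust_forwarded_proto=False, assertion_url=None):
    """Model of get_current_domain(): scheme + host, unless ASSERTION_URL
    (the override added in 2.1.1, assumed here as `assertion_url`) is set."""
    if assertion_url:
        return assertion_url.rstrip("/")  # the setting takes no trailing "/"
    scheme = "https" if request_is_secure(environ, trust_forwarded_proto) else "http"
    return f"{scheme}://{environ['HTTP_HOST']}"


def acs_url(environ, **kwargs):
    """The ACS URL the SP advertises for this request."""
    return current_domain(environ, **kwargs) + ACS_PATH


def destination_matches(response_destination, environ, **kwargs):
    """The comparison pysaml2's response._verify makes: the Destination the
    IdP put in the signed response must be one of the SP's known ACS URLs,
    compared as exact strings, so http vs https is a mismatch."""
    return response_destination in [acs_url(environ, **kwargs)]


# Constructed WSGI environ: nginx terminated TLS and proxied over plain HTTP
# to gunicorn, passing the original scheme in X-Forwarded-Proto.
PROXIED_ENVIRON = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "mydomain.net",
    "HTTP_X_FORWARDED_PROTO": "https",
}

# Destination the IdP was configured with (the https URL from the thread).
IDP_DESTINATION = "https://mydomain.net/saml2_auth/acs/"


def diagnose(environ=PROXIED_ENVIRON, destination=IDP_DESTINATION):
    """Return the outcome of the Destination check under each configuration."""
    return {
        "default": destination_matches(destination, environ),
        "forwarded_proto_trusted": destination_matches(
            destination, environ, trust_forwarded_proto=True),
        "assertion_url_override": destination_matches(
            destination, environ, assertion_url="https://mydomain.net"),
    }


if __name__ == "__main__":
    print("SP thinks its ACS URL is:", acs_url(PROXIED_ENVIRON))
    for name, ok in diagnose().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

In a real deployment the first fix corresponds to `proxy_set_header X-Forwarded-Proto $scheme;` in the nginx location block plus `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` in Django settings; the second is the `ASSERTION_URL` setting from 2.1.1. Prefer the first when the proxy is the only path to the app, since it fixes every URL Django builds, not only the SAML one.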