
GET /api/v3/providers/saml/7/metadata/

Open justinb-dfw opened this issue 6 months ago • 4 comments

Describe the bug A clear and concise description of what the bug is.

To Reproduce Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior A clear and concise description of what you expected to happen.

Screenshots If applicable, add screenshots to help explain your problem.

Logs

Stacktrace from authentik
Traceback (most recent call last):
  File "/ak-root/.venv/lib/python3.12/site-packages/asgiref/sync.py", line 518, in thread_handler
    raise exc_info[1]
  File "/ak-root/.venv/lib/python3.12/site-packages/django/core/handlers/base.py", line 253, in _get_response_async
    response = await wrapped_callback(
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/.venv/lib/python3.12/site-packages/asgiref/sync.py", line 468, in __call__
    ret = await asyncio.shield(exec_coro)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/.venv/lib/python3.12/site-packages/asgiref/current_thread_executor.py", line 40, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/.venv/lib/python3.12/site-packages/asgiref/sync.py", line 522, in thread_handler
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/.venv/lib/python3.12/site-packages/django/views/decorators/csrf.py", line 65, in _view_wrapper
    return view_func(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/.venv/lib/python3.12/site-packages/rest_framework/viewsets.py", line 125, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/.venv/lib/python3.12/site-packages/rest_framework/views.py", line 515, in dispatch
    response = self.handle_exception(exc)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/.venv/lib/python3.12/site-packages/rest_framework/views.py", line 475, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/ak-root/.venv/lib/python3.12/site-packages/rest_framework/views.py", line 486, in raise_uncaught_exception
    raise exc
  File "/ak-root/.venv/lib/python3.12/site-packages/rest_framework/views.py", line 512, in dispatch
    response = handler(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/saml/api/providers.py", line 278, in metadata
    metadata = proc.build_entity_descriptor()
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/saml/processors/metadata.py", line 194, in build_entity_descriptor
    self._sign(entity_descriptor)
  File "/authentik/providers/saml/processors/metadata.py", line 162, in _sign
    ctx.sign(signature_node)
xmlsec.Error: (1, 'failed to sign')

Version and Deployment (please complete the following information):

  • authentik version: 2025.4.1
  • Deployment: [e.g. docker-compose, helm]

Additional context Add any other context about the problem here.

justinb-dfw avatar Jun 05 '25 15:06 justinb-dfw

@waynenilsen your second snippet should already work as is...

// Define the AWS WAF Web ACL
const waf = new aws.wafv2.WebAcl("MyWaf", {
  ...
});
const router = new sst.aws.Router("MyRouter", {
  domain: {
    name: `...`,
    dns: sst.cloudflare.dns(),
  },
  transform: {
    webAclId: waf.id
  }
});

A generic waf:true may not be correct as SST would need to know what id to attach

ajaishankar avatar May 30 '25 13:05 ajaishankar

Oh neat, ok yeah, I did figure out how to transform the proper thing now that you mention that it's possible; it is somewhat buried but it's doable. I think this may be somewhat difficult for someone to figure out without documentation.

// Define the AWS WAF Web ACL
const waf = new aws.wafv2.WebAcl("MyWaf", {
  ...
});
const router = new sst.aws.Router("MyRouter", {
  domain: {
    name: `...`,
    dns: sst.cloudflare.dns(),
  },
  transform: {
    cdn: {
      transform: {
        distribution: {
          webAclId: waf.id
        }
      }
    }
  }
});

Regarding the waf: true, sst creates and manages its own resources all the time, right? My thought on that was having a "managed mode" to just "take the reasonable defaults that make sense" would be nice. Like sst.aws.Vpc, I mean it creates an insane number of resources, routing tables, internet gateways, nat traversal bla bla bla (bastion!). Router is already doing this to some degree I think, right? But then, somehow make it configurable? The reason I thought of { waf: true } is because of the way {bastion: true} works.

waynenilsen avatar Jun 03 '25 12:06 waynenilsen

@waynenilsen it does make sense to add { waf: true }, especially if we can come up with a set of sensible defaults for aws.wafv2.WebAcl

Do you have anything in mind? How are you currently using it?

vimtor avatar Oct 23 '25 14:10 vimtor

@vimtor I'm not experienced with SST internals, but I suspect that it's trivial to make this a union type in the future, in case you want to more granularly configure WAF?

For example:

  • enable/disable bot control
  • change individual rules from block to count
  • add new rules (e.g. router.waf.addRule())

E.g. { waf: true } might be a bit too restrictive for us, but if it's trivial to add something like this in the future: waf: bool | WafOptions, then it's fine!

straygar avatar Nov 23 '25 12:11 straygar
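The following is an added example, not SST's code or anything posted in the thread: a sketch of how the proposed `waf: boolean | WafOptions` option could expand into `aws.wafv2.WebAcl` inputs with sensible defaults (AWS managed rule groups, optional Bot Control, per-rule count vs block, a per-IP rate limit) and of the nested `cdn.transform.distribution.webAclId` path the thread arrived at. It assumes plain objects whose key names mirror the Pulumi wafv2 WebAcl inputs, with no SST or Pulumi imports, so it runs stand-alone.

```typescript
// Added example, not SST's code. Object shapes are assumed to mirror the
// Pulumi aws.wafv2.WebAcl input names; no SST/Pulumi imports are used.
type Mode = "block" | "count";
interface WafOptions {
  botControl?: boolean;     // also attach AWSManagedRulesBotControlRuleSet
  countOnly?: string[];     // managed rule groups to run in count mode instead of block
  rateLimitPerIp?: number;  // requests per 5 minutes per source IP; 0 disables the rule
}
const DEFAULT_GROUPS = ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"];

function visibility(metricName: string) {
  return { cloudwatchMetricsEnabled: true, metricName, sampledRequestsEnabled: true };
}

function managedRule(name: string, priority: number, mode: Mode) {
  return {
    name, priority,
    // count = observe only (useful while tuning); none = keep the group's own block actions
    overrideAction: mode === "count" ? { count: {} } : { none: {} },
    statement: { managedRuleGroupStatement: { name, vendorName: "AWS" } },
    visibilityConfig: visibility(name),
  };
}

function expandWaf(waf: boolean | WafOptions) {
  if (waf === false) return undefined;
  const opts: WafOptions = waf === true ? {} : waf;
  const groups = opts.botControl ? [...DEFAULT_GROUPS, "AWSManagedRulesBotControlRuleSet"] : DEFAULT_GROUPS;
  const countOnly = new Set(opts.countOnly ?? []);
  const rules: any[] = groups.map((g, i) => managedRule(g, i + 1, countOnly.has(g) ? "count" : "block"));
  const limit = opts.rateLimitPerIp ?? 2000;
  if (limit > 0) {
    rules.push({
      name: "RateLimitPerIp", priority: rules.length + 1, action: { block: {} },
      statement: { rateBasedStatement: { limit, aggregateKeyType: "IP" } },
      visibilityConfig: visibility("RateLimitPerIp"),
    });
  }
  // A CloudFront-scoped ACL must be created in us-east-1; default action allows, rules decide.
  return { scope: "CLOUDFRONT", defaultAction: { allow: {} }, rules, visibilityConfig: visibility("RouterWaf") };
}

// The nested transform path from the thread for attaching the ACL to the Router's distribution.
function routerTransform(webAclId: string) {
  return { cdn: { transform: { distribution: { webAclId } } } };
}
```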