AzureAD / azure-activedirectory-library-for-python

ADAL for Python
http://adal-python.readthedocs.io

RSTR returned unknown token type #186

Closed bhall7718 closed 5 years ago

bhall7718 commented 5 years ago

When the organization I'm working with tries to use this python library to fetch a token from AAD, I get the following error:

Traceback (most recent call last):
  File "Get-Token.py", line 21, in
    user_parameters['clientId'])
  File "/Users/user-x/anaconda2/envs/python3env/lib/python3.6/site-packages/adal/authentication_context.py", line 164, in acquire_token_with_username_password
    return self._acquire_token(token_func)
  File "/Users/user-x/anaconda2/envs/python3env/lib/python3.6/site-packages/adal/authentication_context.py", line 128, in _acquire_token
    return token_func(self)
  File "/Users/user-x/anaconda2/envs/python3env/lib/python3.6/site-packages/adal/authentication_context.py", line 162, in token_func
    return token_request.get_token_with_username_password(username, password)
  File "/Users/user-x/anaconda2/envs/python3env/lib/python3.6/site-packages/adal/token_request.py", line 288, in get_token_with_username_password
    token = self._get_token_username_password_federated(username, password)
  File "/Users/user-x/anaconda2/envs/python3env/lib/python3.6/site-packages/adal/token_request.py", line 257, in _get_token_username_password_federated
    username, password)
  File "/Users/user-x/anaconda2/envs/python3env/lib/python3.6/site-packages/adal/token_request.py", line 212, in _perform_username_password_for_access_token_exchange
    return self._perform_wstrust_assertion_oauth_exchange(wstrust_response)
  File "/Users/user-x/anaconda2/envs/python3env/lib/python3.6/site-packages/adal/token_request.py", line 184, in _perform_wstrust_assertion_oauth_exchange
    grant_type = _get_saml_grant_type(wstrust_response)
  File "/Users/user-x/anaconda2/envs/python3env/lib/python3.6/site-packages/adal/token_request.py", line 65, in _get_saml_grant_type
    raise AdalError("RSTR returned unknown token type: {}".format(token_type))
adal.adal_error.AdalError: RSTR returned unknown token type: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1

From looking at the source, it would seem the problem is that it will always throw this when the type does not match one of the two following constant types found here:

Here is where the evaluation is being handled in the source.

Is there something we need to do with our customer's AAD setup to get it to conform to the above constants for this library? Should this library be expanded to include this other type?

henrik-me commented 5 years ago

@rayluo @navyasric @abhidnya13 will be the right ones to help you out with the details. @bhall7718 : It seems like you are getting a SAML 1.1 token back from the identity provider. Are you using ADFS or some other provider?

rayluo commented 5 years ago

Thanks @bhall7718 for the in-depth report, and thanks @henrik-me for the accurate triaging!

Although I was not around when those TokenTypeV1...SAML:1.0... and TokenTypeV2...SAML:2.0... were implemented in this library, I now believe we wrote it that way because they were the only two flavors that we tested against. It is still possible that we add support for new SAML types, but first we would need to know what provider issues that SAML 1.1 token, and then determine how we can set up a similar environment to test the entire flow.

Or, since @bhall7718 already has such an environment, he can try to hack into the existing code to accept that SAML 1.1 token, and then see whether the subsequent interactions (i.e. the token exchange between his provider and Microsoft AAD) would work.

henrik-me commented 5 years ago

@bhall7718 : Do you have an environment where you will be able to validate a fix for this issue? Also can you pls. describe your setup (which components are included) and the repro steps?

brentschmaltz commented 5 years ago

These seem to be equivalent ways of specifying the same token. See: http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html#_Toc307397282 Section 3.4

It's most likely that "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" will refer to a Saml11 token AND internal const string OasisWssSaml2TokenProfile11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" a SAML2 token.

You may want to expand the constants. https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/c16046515c9f439214637bf2129d585cd63bad1e/adal/constants.py#L174

abhidnya13 commented 5 years ago

@bhall7718 I have added support for Wss Saml token 1.1 which you are using in the saml1.1test branch on the repo. Can you test it and let me know if it works? You can use pip install git+https://github.com/AzureAD/azure-activedirectory-library-for-python.git@saml1.1test to use that package.

abhidnya13 commented 5 years ago

The fix was confirmed to be working with the customer and was added in ADAL Python 1.2.1