HewlettPackard / jupyterhub-samlauthenticator


SAML Authentication with JupyterHub on EKS not working correctly #49

Open VXJ7137 opened 4 years ago

VXJ7137 commented 4 years ago

I tried the following steps for a JupyterHub deployment with SAML authentication on EKS.

1) Changes in the Docker image for JupyterHub + SAML authenticator + metadata.xml copied in. Source: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/tree/0.8.2/images/hub

The following line was added to the Docker image:

```dockerfile
ADD qa_metadata.xml /etc/jupyterhub/qa_metadata.xml
```

The following line was added to requirements.txt:

```
jupyterhub-samlauthenticator==0.0.7
```

2) Once this Docker image was built and pushed to ECR, I downloaded the Helm deployment for JupyterHub on EKS. Steps to download:

```shell
helm fetch jupyterhub/jupyterhub
tar -xvf jupyterhub-0.8.2.tgz
cd jupyterhub
```

3) Next, I made the following change in values.yaml in the jupyterhub folder above:

```yaml
image:
  name: jupyterhub/k8s-hub
  tag: '0.8.2'
```

Changed it to:

```yaml
image:
  name: <ECR path created in point 1>
  tag: <Tag of image created in point 1>
```

4) Next, I created a config.yaml file with the following configuration for SAML authentication:

```yaml
hub:
  cookieSecret: 5dc84d73c19dd1621a03e2bbb791e17caf06d34c0595e5ae8d3a406b324bb252
  extraConfig:
    myConfig.py: |
      c.JupyterHub.authenticator_class = 'samlauthenticator.SAMLAuthenticator'
      c.SAMLAuthenticator.metadata_filepath = '/etc/jupyterhub/qa_metadata.xml'
      c.JupyterHub.log_level = 'DEBUG'
      c.LocalProcessSpawner.debug = True
      c.Spawner.debug = True
```

5) The next step is to do the deployment using Helm. The following command was used:

```shell
helm upgrade jhub-saml1 -f values.yaml . --values ../config.yaml --namespace jhub-saml1
```

After following all the steps above, when I try to log in to JupyterHub using the ELB link and enter user/password, I get the following information in the JupyterHub logs:

```
[I 2020-04-08 10:40:49.159 JupyterHub app:1673] Using Authenticator: samlauthenticator.samlauthenticator.SAMLAuthenticator
[I 2020-04-08 10:40:49.159 JupyterHub app:1673] Using Spawner: kubespawner.spawner.KubeSpawner
[I 2020-04-08 10:40:49.159 JupyterHub app:1012] Loading cookie_secret from env[JPY_COOKIE_SECRET]
[D 2020-04-08 10:40:49.160 JupyterHub app:1071] Connecting to db: sqlite:///jupyterhub.sqlite
[D 2020-04-08 10:40:49.173 JupyterHub orm:685] database schema version found: 896818069c98
[D 2020-04-08 10:40:49.180 JupyterHub orm:685] database schema version found: 896818069c98
[W 2020-04-08 10:40:49.182 JupyterHub app:1131] JupyterHub.hub_connect_port is deprecated as of 0.9. Use JupyterHub.hub_connect_url to fully specify the URL for connecting to the Hub.
[W 2020-04-08 10:40:49.185 JupyterHub app:1173] No admin users, admin interface will be unavailable.
[W 2020-04-08 10:40:49.185 JupyterHub app:1174] Add any administrative users to c.Authenticator.admin_users in config.
[I 2020-04-08 10:40:49.185 JupyterHub app:1201] Not using whitelist. Any authenticated user will be allowed.
[D 2020-04-08 10:40:49.213 JupyterHub app:1489] Loaded users:

[I 2020-04-08 10:40:49.220 JupyterHub app:1855] Hub API listening on http://0.0.0.0:8081/hub/
[I 2020-04-08 10:40:49.220 JupyterHub app:1857] Private Hub API connect url http://10.0.1.4:8081/hub/
[I 2020-04-08 10:40:49.220 JupyterHub app:1870] Not starting proxy
[D 2020-04-08 10:40:49.220 JupyterHub proxy:296] Fetching routes to check
[D 2020-04-08 10:40:49.221 JupyterHub proxy:686] Proxy: Fetching GET http://172.20.149.211:8001/api/routes
[I 2020-04-08 10:40:49.222 JupyterHub proxy:301] Checking routes
[W 2020-04-08 10:40:49.222 JupyterHub proxy:314] Updating default route http://172.20.187.1:8081http://10.0.1.4:8081
[I 2020-04-08 10:40:49.222 JupyterHub proxy:370] Adding default route for Hub: / => http://10.0.1.4:8081
[D 2020-04-08 10:40:49.223 JupyterHub proxy:686] Proxy: Fetching POST http://172.20.149.211:8001/api/routes/
[I 2020-04-08 10:40:49.224 JupyterHub app:1912] JupyterHub is now running at http://172.20.24.188:80/
[D 2020-04-08 10:41:49.224 JupyterHub proxy:686] Proxy: Fetching GET http://172.20.149.211:8001/api/routes
[I 2020-04-08 10:41:49.225 JupyterHub proxy:301] Checking routes
[D 2020-04-08 10:42:49.224 JupyterHub proxy:686] Proxy: Fetching GET http://172.20.149.211:8001/api/routes
[I 2020-04-08 10:42:49.226 JupyterHub proxy:301] Checking routes
[I 2020-04-08 10:43:39.844 JupyterHub log:158] 302 GET / -> /hub (@10.16.40.165) 0.73ms
[D 2020-04-08 10:43:49.224 JupyterHub proxy:686] Proxy: Fetching GET http://172.20.149.211:8001/api/routes
[I 2020-04-08 10:43:49.226 JupyterHub proxy:301] Checking routes
[I 2020-04-08 10:44:00.389 JupyterHub log:158] 302 GET / -> /hub (@10.16.40.165) 0.86ms
[I 2020-04-08 10:44:00.689 JupyterHub log:158] 302 GET /hub -> /hub/ (@10.16.40.165) 0.60ms
[I 2020-04-08 10:44:01.000 JupyterHub log:158] 302 GET /hub/ -> /hub/login (@10.16.40.165) 0.70ms
[I 2020-04-08 10:44:01.634 JupyterHub samlauthenticator:711] Starting SP-initiated SAML Login
[D 2020-04-08 10:44:01.635 JupyterHub samlauthenticator:616] Got metadata etree
[D 2020-04-08 10:44:01.635 JupyterHub samlauthenticator:622] Got valid metadata etree
[D 2020-04-08 10:44:01.635 JupyterHub samlauthenticator:628] Final xpath is: //md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']/@Location
[I 2020-04-08 10:44:01.636 JupyterHub log:158] 302 GET /hub/login -> https://qafedsso.yum.com/idp/SSO.saml2 (@10.16.40.165) 1.44ms
```

There is no error in the JupyterHub logs, but the issue is that I don't see any SAMLRequest with the URL. Using SAML-tracer for Chrome, I got to understand that the SAMLRequest is not passed along as an HTTP parameter with the SSO request, and that's why I am getting a 500 error.

Not sure what needs to be done to get a fix for this. Our service provider says that they need a SAMLRequest along with the SSO request. Something like the following (copied from the wiki https://en.wikipedia.org/wiki/SAML_2.0) also needs to be sent:

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2004-12-05T09:21:59Z" AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
</samlp:AuthnRequest>
```

Any help will be greatly appreciated. Thanks
VXJ7137 commented 4 years ago

In the link https://github.com/bluedatainc/jupyterhub-samlauthenticator, I am assuming this might be something to do with the proxy. There is a statement mentioned in the above link:

"If the JupyterHub instance is sitting behind a proxy or if the entity_id provided above is not a url that refers to where the JupyterHub instance is listening, the acs_endpoint_url MUST be set. This is where a user should POST data to complete a SAML Login procedure."

Not sure what config I need to be putting in to make that work.
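As an added example (not code from this issue or from the samlauthenticator project), here is what the SP side of the HTTP-Redirect flow in the logs above has to produce: the IdP SSO location found by the same SingleSignOnService lookup, and a SAMLRequest query parameter carrying a deflated, base64-encoded AuthnRequest whose AssertionConsumerServiceURL is the externally reachable hub URL that acs_endpoint_url is meant to supply when the hub sits behind a load balancer. The metadata, hostnames and URLs are constructed sample values, and the AuthnRequest is a minimal one rather than the authenticator's own.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed sample IdP metadata standing in for qa_metadata.xml (hostnames are made up).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def sso_location(metadata_xml):
    """Same lookup the authenticator logs: Location of the HTTP-Redirect SingleSignOnService."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind(".//md:SingleSignOnService", MD_NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            return svc.get("Location")
    raise ValueError("metadata has no HTTP-Redirect SingleSignOnService")

def build_authn_request(entity_id, acs_url, request_id=None, issue_instant=None):
    """Minimal AuthnRequest; acs_url is the external hub URL that acs_endpoint_url would supply."""
    request_id = request_id or "_" + uuid.uuid4().hex  # XML IDs are NCNames: no leading digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )

def encode_redirect_param(authn_xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64; urlencode() escapes it."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(authn_xml.encode()) + comp.flush()).decode()

def decode_redirect_param(param):
    # Inverse of encode_redirect_param; useful for reading what a SAML tracer captures.
    return zlib.decompress(base64.b64decode(param), -15).decode()

def sp_initiated_redirect_url(metadata_xml, entity_id, acs_url):
    """The URL the hub should 302 to: IdP SSO location plus the SAMLRequest query parameter."""
    query = urlencode({"SAMLRequest": encode_redirect_param(build_authn_request(entity_id, acs_url))})
    return sso_location(metadata_xml) + "?" + query
```

Decoding the SAMLRequest parameter from a captured redirect with decode_redirect_param is a quick way to confirm that the hub's redirect actually carries an AuthnRequest and that its AssertionConsumerServiceURL is the ELB-facing address rather than an in-cluster one.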