HewlettPackard / jupyterhub-samlauthenticator

MIT License

Issue with JupyterHub 3.1 #70

Closed cmbits closed 1 year ago

cmbits commented 1 year ago

I tried upgrading to JupyterHub 3.1 and I get the following error when trying to load the samlauthenticator package:

Bad config encountered during initialization: The 'authenticator_class' trait of <jupyterhub.app.JupyterHub object at 0x7f24768dd850> instance must be a type, but 'samlauthenticator. SAMLAuthenticator' could not be imported

Any idea if this could be an incompatibility or a simple Python env issue?

jupyter_client 7.4.8
jupyter_core 5.0.0
jupyter-server 1.23.4
jupyter-telemetry 0.1.0
jupyterhub 3.1.0
jupyterhub-samlauthenticator 0.0.9
jupyterlab 3.5.2
jupyterlab-pygments 0.2.2
jupyterlab_server 2.18.0
jupyterlab-widgets 3.0.5

distortedsignal commented 1 year ago

Could you post the relevant jupyterhub config file?

cmbits commented 1 year ago

Below are the SAML related settings. I've been using this for 2 years without issue. The last time I updated the container image was 4 months ago which I believe was Jupyterhub version 3.0. When I tested that build SAML worked fine. The Dockerfile I was using last time had issues building from the recent (3.1) jupyterhub/jupyterhub:latest image due to python compatibility issues with miniconda/mamba so I switched to micromamba for the package installs. This SAMLAuthenticator import error might be related to the switch in package management. I checked the permissions on the /opt/conda/lib/python3.9/site-packages/jupyterhub_samlauthenticator-0.0.9.dist-info folder and it looks correct.

c.JupyterHub.authenticator_class = 'samlauthenticator.SAMLAuthenticator'
c.SAMLAuthenticator.metadata_filepath = '/srv/jupyterhub/idp.xml'
c.SAMLAuthenticator.audience = 'jupyterhub.domain:30050'
c.SAMLAuthenticator.recipient = 'https://jupyterhub.domain:30050/hub/login?next='
c.SAMLAuthenticator.time_format_string = '%Y-%m-%dT%H:%M:%S.%fZ'
c.SAMLAuthenticator.entity_id = 'jupyterhub.domain:30050'
c.SAMLAuthenticator.acs_endpoint_url = 'https://jupyterhub.domain:30050/hub/login?next='
c.SAMLAuthenticator.organization_name = 'Company'
c.SAMLAuthenticator.organization_display_name = 'Full Company Name'
c.SAMLAuthenticator.organization_url = 'https://www.domain'
c.SAMLAuthenticator.create_system_users = True

distortedsignal commented 1 year ago

The thing that's bugging me here is that in your opening message there's a line break between the package and the classname. Is there maybe an unprintable character that is sneaking into the config file? If you open python and do an import samlauthenticator, are you able to import the SAMLAuthenticator?

cmbits commented 1 year ago

I think you are correct. I pulled the Dockerfile from the build that worked 4 months ago. I was able to get it to build with Jupyterhub 3.1 after some edits. The samlauthenticator package is loading now. :-)

I've hit my next hurdle with the following error: "JupyterHub samlauthenticator:346] Exception: Signature method RSA_SHA1 forbidden by configuration". The IdP I'm using has RSA_SHA256 based certs. I'm looking through the samlauthenticator.py code to see where the cipher is being set. I'm also looking to see if my IdP.xml can be modified to specify the cipher.

distortedsignal commented 1 year ago

Are there logs earlier than that? If you show me the full log from the error, I can understand better where that error is coming from.

Also, it might be helpful for me to see your metadata.xml that you got from your IdP.

As a reference, that line is printed by this function which is called in several places. Just getting the explanation of the exception is not super helpful here.

cmbits commented 1 year ago

Thank you for your time and help with this!
SAML_error-idp_xml.zip

distortedsignal commented 1 year ago

I have no idea what's going on here. None of your config files say anything about SHA-1 vs SHA-256. I would talk to your IdP and see if they can use SHA-256 (why aren't they? SHA-1 is... not doing great these days...) instead of SHA-1.

cmbits commented 1 year ago

I forgot to follow up and let you know the issue was due to a config setting on the SAML IdP side. I changed the signature algorithm to SHA256 with RSA and the problem went away.
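
One way to see which algorithms an IdP actually signed with, as an added example that is not part of the thread or of the samlauthenticator code: it reads the `ds:SignatureMethod` and `ds:DigestMethod` elements of a captured SAML response and flags the SHA-1 ones. The function names and both sample documents are constructed for illustration, and the script only reports the `Algorithm` attributes; it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Algorithm URIs from the XML Signature specifications that rely on SHA-1.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

def signature_algorithms(saml_xml):
    """Return (element, algorithm URI, uses_sha1) for each SignatureMethod/DigestMethod."""
    root = ET.fromstring(saml_xml)
    found = []
    for elem in root.iter():
        if elem.tag in (DS + "SignatureMethod", DS + "DigestMethod"):
            uri = elem.get("Algorithm", "")
            found.append((elem.tag[len(DS):], uri, uri in SHA1_URIS))
    return found

def from_post_binding(saml_response_b64):
    """Same check for the base64 SAMLResponse form field of the HTTP-POST binding."""
    return signature_algorithms(base64.b64decode(saml_response_b64))

# Constructed sample (not from the thread): a trimmed response signed with RSA-SHA1.
SAMPLE_SHA1 = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_constructed">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:Response>"""
# Constructed sample: the same response after the IdP is switched to RSA-SHA256.
SAMPLE_SHA256 = SAMPLE_SHA1.replace(
    b"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    b"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
).replace(
    b"http://www.w3.org/2000/09/xmldsig#sha1",
    b"http://www.w3.org/2001/04/xmlenc#sha256",
)

if __name__ == "__main__":
    for name, doc in (("sha1 sample", SAMPLE_SHA1), ("sha256 sample", SAMPLE_SHA256)):
        for kind, uri, weak in signature_algorithms(doc):
            print(name, kind, uri, "SHA-1" if weak else "ok")
```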