Hello Jozef,
Thanks for this great effort. I managed to set the library up and everything is working as it should except the logout. I am trying to connect to CAS 6.0.1. When I access /saml2/logout I get this error:

> Error: Logout request is not signed but should be.

This is what I get in the djangosaml2 log:
```
INFO 2019-09-04 15:57:16,063 client.py 157 global_logout :: logout request for: <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="chatbot.xxx.xxx.xxx/saml2/metadata/" SPNameQualifier="chatbot.xx.xxx.xxx/saml2/metadata/">klGhGuh8NIs9FMQFRqHxwNDid5Q=</saml:NameID>
DEBUG 2019-09-04 15:57:16,064 client.py 190 do_logout :: Logout from 'https://test-cas.xxx.xxx.xxx/idp'
DEBUG 2019-09-04 15:57:16,064 mdstore.py 1008 service :: service(https://test-cas.xxx.xxx.xxx/idp, idpsso_descriptor, single_logout_service, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
DEBUG 2019-09-04 15:57:16,064 mdstore.py 584 service :: service => [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&SingleLogoutService', 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'location': 'https://test-cas.xxx.xxx.xxx/idp/profile/SAML2/POST/SLO'}]
INFO 2019-09-04 15:57:16,064 client.py 208 do_logout :: destination to provider: https://test-cas.xxx.xxx.xxx/idp/profile/SAML2/POST/SLO
INFO 2019-09-04 15:57:16,064 entity.py 495 _message :: REQUEST: <samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://test-cas.xxx.xxx.xxx/idp/profile/SAML2/POST/SLO" ID="id-UCCBnMCDO0Ks5lWSE" IssueInstant="2019-09-04T12:57:16Z" Reason="" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">chatbot.xxx.xxx.xxx/saml2/metadata/</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="chatbot.xxx.xxx.xxx/saml2/metadata/" SPNameQualifier="chatbot.xxx.xxx.xxx/saml2/metadata/">klGhGuh8NIs9FMQFRqHxwNDid5Q=</saml:NameID><samlp:SessionIndex>ST-4--S-ynwwVHCHT0L-6dzfgq2KEbw8-hq01-ssotest01</samlp:SessionIndex></samlp:LogoutRequest>
INFO 2019-09-04 15:57:16,065 entity.py 215 apply_binding :: HTTP POST
DEBUG 2019-09-04 15:57:16,065 views.py 391 logout :: Returning form to the IdP to continue the logout process
```
This is what I get on the CAS side:
```
2019-09-04 15:57:16,183 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
WHO: audit:unknown
WHAT: [issuer=chatbot.xxx.xxx.xxx/saml2/metadata/]
ACTION: SAML2_REQUEST_CREATED
APPLICATION: CAS
WHEN: Wed Sep 04 15:57:16 AST 2019
CLIENT IP ADDRESS: xx.xx.xx.xx
SERVER IP ADDRESS: xx.xx.xx.xx
2019-09-04 15:57:16,183 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] -
org.opensaml.saml.common.SAMLException: Logout request is not signed but should be.
at org.apereo.cas.support.saml.web.idp.profile.slo.AbstractSamlSLOProfileHandlerController.handleSloProfileRequest(AbstractSamlSLOProfileHandlerController.java:81) ~[cas-server-support-saml-idp-web-6.0.4.jar!/:6.0.4]
at org.apereo.cas.support.saml.web.idp.profile.slo.SLOSamlPostProfileHandlerController.handleSaml2ProfileSLOPostRequest(SLOSamlPostProfileHandlerController.java:67) ~[cas-server-support-saml-idp-web-6.0.4.jar!/:6.0.4]
at java.lang.Thread.run(Thread.java:834) [?:?]
2019-09-04 15:57:16,183 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] -
org.opensaml.saml.common.SAMLException: Logout request is not signed but should be.
at org.apereo.cas.support.saml.web.idp.profile.slo.AbstractSamlSLOProfileHandlerController.handleSloProfileRequest(AbstractSamlSLOProfileHandlerController.java:81) ~[cas-server-support-saml-idp-web-6.0.4.jar!/:6.0.4]
at java.lang.Thread.run(Thread.java:834) [?:?]
2019-09-04 15:57:16,184 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.>
2019-09-04 15:57:16,184 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <SecurityContextHolder now cleared, as request processing completed>
2019-09-04 15:57:16,185 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.opensaml.saml.common.SAMLException: Logout request is not signed but should be.] with root cause>
org.opensaml.saml.common.SAMLException: Logout request is not signed but should be.
at org.apereo.cas.support.saml.web.idp.profile.slo.AbstractSamlSLOProfileHandlerController.handleSloProfileRequest(AbstractSamlSLOProfileHandlerController.java:81) ~[cas-server-support-saml-idp-web-6.0.4.jar!/:6.0.4]
```
I found this line in the metadata generated by djangosaml2, I guess if I set `WantAssertionsSigned` it might solve the problem:

```xml
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
```
Could you direct me on this?
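A small check, added here as an example and not code from the issue author or from djangosaml2, that reads the SPSSODescriptor line quoted above together with a pysaml2-shaped SAML_CONFIG and reports why the LogoutRequest leaves the SP unsigned. It assumes pysaml2's documented `service.sp` options (`logout_requests_signed`, `authn_requests_signed`, `want_assertions_signed`) and top-level `key_file`/`cert_file`; the metadata wrapper, entityID and key paths are constructed.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: the SPSSODescriptor line quoted in the issue, wrapped so it parses.
SP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="chatbot.example/saml2/metadata/">'
    '<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</md:EntityDescriptor>'
)

# Constructed SAML_CONFIG fragments in djangosaml2/pysaml2 shape (hypothetical key paths).
CONFIG_BEFORE = {
    "key_file": "/etc/saml/sp.key", "cert_file": "/etc/saml/sp.crt",
    "service": {"sp": {"authn_requests_signed": False, "want_assertions_signed": True}},
}
CONFIG_AFTER = {
    "key_file": "/etc/saml/sp.key", "cert_file": "/etc/saml/sp.crt",
    "service": {"sp": {"authn_requests_signed": False, "want_assertions_signed": True,
                       "logout_requests_signed": True}},
}


def sp_signing_flags(metadata_xml: str) -> dict:
    """Read the two signing attributes an SPSSODescriptor can publish.

    WantAssertionsSigned asks the IdP to sign *its* assertions and says nothing
    about what the SP signs; AuthnRequestsSigned covers AuthnRequest only. SAML
    metadata has no attribute for LogoutRequest signing, so that lives in config."""
    sp = ET.fromstring(metadata_xml).find(f"{{{MD_NS}}}SPSSODescriptor")
    return {name: sp.get(name, "false") == "true"
            for name in ("AuthnRequestsSigned", "WantAssertionsSigned")}


def logout_signing_findings(saml_config: dict, metadata_xml: str) -> list:
    """Explain an IdP-side 'Logout request is not signed but should be' error."""
    sp = saml_config.get("service", {}).get("sp", {})
    flags = sp_signing_flags(metadata_xml)
    findings = []
    if not sp.get("logout_requests_signed", False):
        findings.append("service.sp.logout_requests_signed is unset: pysaml2 "
                        "sends LogoutRequest unsigned unless this is True")
        if flags["WantAssertionsSigned"]:
            findings.append("WantAssertionsSigned is already true and governs "
                            "IdP assertions, not the SP's LogoutRequest")
    if not (saml_config.get("key_file") and saml_config.get("cert_file")):
        findings.append("key_file/cert_file missing: nothing to sign with")
    return findings
```

Signing also needs a working xmlsec binary on the SP host; this check only covers the configuration side.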