IdentityPython / pysaml2

Python implementation of SAML2
Apache License 2.0

Azure AD-IdP redirect loop #792

Closed vikas-nexcom closed 3 years ago

vikas-nexcom commented 3 years ago

I am not a web developer, so I apologize in advance if I get the details wrong. I have been assigned an SSO login task for a client who uses Azure. The previous developer created an SSO login for another client who uses Okta, and it works. I tried to copy what the previous developers did, and it didn't work. The login gets stuck in an infinite loop once I type my password into SSO. I am doing these tests on a local version of the Pyramid application. Other issues here didn't help me.

Code Version

Python 3.8.5, pysaml2 4.0.3

Expected Behavior

I am expecting a login into my application after typing in my Azure account credentials.

Current Behavior

I get a login screen. I type my password and then it gets stuck in an infinite loop and never logs me in.

Steps to Reproduce

Unfortunately, I can't provide a reproducible example, but here are the functions I am using:

from saml2 import BINDING_HTTP_POST, BINDING_HTTP_REDIRECT, entity
from saml2.client import Saml2Client
from saml2.config import Config as Saml2Config
from pyramid.url import route_url
from pyramid.response import Response
from pyramid.httpexceptions import HTTPFound
from pyramid.security import remember
from sqlalchemy import func

# S (the DB session), User, title and _ (the translation function) are
# application objects that are not shown in this post.


def saml_client_client(request):

    # IdP metadata as an inline XML string (the real document is long and omitted here)
    rv = '''<?xml version="1.0" encoding="utf-8"? Some long xml metadata string>'''
    acs_url = route_url("idp_initiated_client", request)
    https_acs_url = route_url("idp_initiated_client", request, _scheme="https")

    settings = {
        'entityid': 'https://sts.windows.net/something-more',
        'metadata': {
            'inline': [rv],
        },
        'service': {
            'sp': {
                'endpoints': {
                    'assertion_consumer_service': [
                        (acs_url, BINDING_HTTP_REDIRECT),
                        (acs_url, BINDING_HTTP_POST),
                        (https_acs_url, BINDING_HTTP_REDIRECT),
                        (https_acs_url, BINDING_HTTP_POST)
                    ],
                },
                'allow_unsolicited': True,
                'authn_requests_signed': False,
                'logout_requests_signed': True,
                'want_assertions_signed': True,
                'want_response_signed': False,
            },
        },
        "cert_file": "/home/me/Downloads/key.pem",
    }
    spConfig = Saml2Config()
    spConfig.load(settings)
    spConfig.allow_unknown_attributes = True
    saml_client = Saml2Client(config=spConfig)
    return saml_client


def sp_initiated_client(request):
    # Build the AuthnRequest and send the browser to the IdP with it (HTTP-Redirect)
    saml_client = saml_client_client(request)
    reqid, info = saml_client.prepare_for_authenticate()

    redirect_url = None
    for key, value in info['headers']:
        if key == 'Location':  # compare by value, not by identity
            redirect_url = value

    return Response(status_int=302, location=redirect_url)


def idp_initiated_client(request):
    # ACS endpoint: receives the SAMLResponse the IdP posts back
    cid = "client_name"
    saml_client = saml_client_client(request)
    print(saml_client)
    authn_response = saml_client.parse_authn_request_response(
        request.POST.get('SAMLResponse'),
        entity.BINDING_HTTP_POST)
    authn_response.get_identity()
    user_info = authn_response.get_subject()

    login = authn_response.ava['Email'][0]
    userid = User.make_userid(cid, login)

    user = S.query(User).filter(func.lower(User.id) == func.lower(login), User.cid == cid).one()
    if isinstance(user, User):
        headers = remember(request, userid)
        return HTTPFound(location="/", headers=headers)
    else:
        return dict(
            message=_('You are not authorized to view this page'),
            title=title
        )

## Routes

config.add_route("sp_initiated_client", '/saml/login/client')
config.add_view(route_name="sp_initiated_client",
                view=login.sp_initiated_client)

## IDP response after SAML login
config.add_route("idp_initiated_client", '/saml/sso/client')
config.add_view(route_name="idp_initiated_client",
                view=login.sp_initiated_client,
                request_method='POST')

Let me know if I can provide any other information.

Thanks,

c00kiemon5ter commented 3 years ago

It seems that something is wrong with the URLs that you set. It is not clear at which stage the loop takes place. If you use a SAML tracer, tell us what you see there. Check the AssertionConsumerServiceURL on the AuthnRequest, and ensure it matches the Destination on the Response.

vikas-nexcom commented 3 years ago

I checked that before. The ACS URL I see matches the one I set on Azure. Also, Azure complains if that is not done correctly.

Here is a screenshot of my settings on Azure: [Screenshot from 2021-04-06 15-46-12, not reproduced]

Also, the logs generated from saml2

2021-04-06 15:46:59,367 INFO  [saml2.client][CP Server Thread-5][request=ff81fe62-7571-4039-8e27-527106028c83] AuthNReq: 
<ns0:AuthnRequest 
  xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" 
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" 
  ID="id-3ShLw9LKxvY3aFCCN" 
  Version="2.0" 
  IssueInstant="2021-04-06T13:46:59Z" 
  Destination="https://login.microsoftonline.com/something_more/saml2"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/client"
>
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sts.windows.net/something_more/</ns1:Issuer>
  <ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false" />
</ns0:AuthnRequest>

vikas-nexcom commented 3 years ago

Hi,

@c00kiemon5ter Is there any more information that I can provide which will help in resolving the issue?

c00kiemon5ter commented 3 years ago

I'm not certain.

At which point does the flow stop or loop? If you have debug logs that could help.

vikas-nexcom commented 3 years ago

@c00kiemon5ter
Thanks a lot. My print logs suggest that it never reaches idp_initiated (i.e. never receives the POST from the IdP). Furthermore, I tried the login with an HTTPS-based deployment server with the same result (same tracer logs attached below). Could you please let me know if anything is missing/incompatible in the settings? I added entityId myself in there. The previous developers never needed that with Okta. I see that being present in the metadata anyway. However, if I don't add entityID then it complains and gives me an XML-related error.

Here are the debugging logs with localhost urls:

2021-04-12 10:47:00,187 INFO  [saml2.client][CP Server Thread-3][request=beedd1c6-7150-4c83-9624-42cba67f1db3] destination to provider: https://login.microsoftonline.com/something_more
2021-04-12 10:47:00,187 INFO  [saml2.entity][CP Server Thread-3][request=beedd1c6-7150-4c83-9624-42cba67f1db3] REQUEST: <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-Ajn2bn7jOLalF8G8v" Version="2.0" IssueInstant="2021-04-12T08:47:00Z" Destination="https://login.microsoftonline.com/something_more2" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/telenor"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sts.windows.net/something_more/</ns1:Issuer><ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false" /></ns0:AuthnRequest>
2021-04-12 10:47:00,188 INFO  [saml2.client][CP Server Thread-3][request=beedd1c6-7150-4c83-9624-42cba67f1db3] AuthNReq: <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-Ajn2bn7jOLalF8G8v" Version="2.0" IssueInstant="2021-04-12T08:47:00Z" Destination="https://login.microsoftonline.com/something_more" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/telenor"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sts.windows.net/something_more/</ns1:Issuer><ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false" /></ns0:AuthnRequest>
2021-04-12 10:47:00,188 INFO  [saml2.entity][CP Server Thread-3][request=beedd1c6-7150-4c83-9624-42cba67f1db3] HTTP REDIRECT
2021-04-12 10:47:00,189 DEBUG [txn.140173824341760][CP Server Thread-3] commit
2021-04-12 10:47:46,228 DEBUG [txn.140173815949056][CP Server Thread-4] new transaction
2021-04-12 10:47:46,231 DEBUG [saml2.mdstore][CP Server Thread-4][request=95d61408-5508-4518-9042-d31fa91d6fac] service(https://sts.windows.net/something_more/, idpsso_descriptor, single_sign_on_service, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2021-04-12 10:47:46,232 DEBUG [saml2.mdstore][CP Server Thread-4][request=95d61408-5508-4518-9042-d31fa91d6fac] service => [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&SingleSignOnService', 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'location': 'https://login.microsoftonline.com/something_more'}]
2021-04-12 10:47:46,232 INFO  [saml2.client][CP Server Thread-4][request=95d61408-5508-4518-9042-d31fa91d6fac] destination to provider: https://login.microsoftonline.com/something_more
2021-04-12 10:47:46,232 INFO  [saml2.entity][CP Server Thread-4][request=95d61408-5508-4518-9042-d31fa91d6fac] REQUEST: <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-LBTlWtSeuQfY4yMIf" Version="2.0" IssueInstant="2021-04-12T08:47:46Z" Destination="https://login.microsoftonline.com/something_more" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/telenor"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sts.windows.net/something_more/</ns1:Issuer><ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false" /></ns0:AuthnRequest>
2021-04-12 10:47:46,232 INFO  [saml2.client][CP Server Thread-4][request=95d61408-5508-4518-9042-d31fa91d6fac] AuthNReq: <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-LBTlWtSeuQfY4yMIf" Version="2.0" IssueInstant="2021-04-12T08:47:46Z" Destination="https://login.microsoftonline.com/something_more" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/telenor"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sts.windows.net/something_more/</ns1:Issuer><ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false" /></ns0:AuthnRequest>
2021-04-12 10:47:46,232 INFO  [saml2.entity][CP Server Thread-4][request=95d61408-5508-4518-9042-d31fa91d6fac] HTTP REDIRECT
2021-04-12 10:47:46,233 DEBUG [txn.140173815949056][CP Server Thread-4] commit
2021-04-12 10:47:46,630 DEBUG [txn.140173807556352][CP Server Thread-5] new transaction
2021-04-12 10:47:46,634 DEBUG [saml2.mdstore][CP Server Thread-5][request=7549ab03-1227-437f-a28f-920b5a0a3918] service(https://sts.windows.net/something_more/, idpsso_descriptor, single_sign_on_service, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2021-04-12 10:47:46,634 DEBUG [saml2.mdstore][CP Server Thread-5][request=7549ab03-1227-437f-a28f-920b5a0a3918] service => [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&SingleSignOnService', 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'location': 'https://login.microsoftonline.com/something_more'}]
2021-04-12 10:47:46,635 INFO  [saml2.client][CP Server Thread-5][request=7549ab03-1227-437f-a28f-920b5a0a3918] destination to provider: https://login.microsoftonline.com/something_more
2021-04-12 10:47:46,635 INFO  [saml2.entity][CP Server Thread-5][request=7549ab03-1227-437f-a28f-920b5a0a3918] REQUEST: <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-CQm6T1sQ5I1vmHild" Version="2.0" IssueInstant="2021-04-12T08:47:46Z" Destination="https://login.microsoftonline.com/something_more" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/telenor"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sts.windows.net/something_more/</ns1:Issuer><ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false" /></ns0:AuthnRequest>
2021-04-12 10:47:46,635 INFO  [saml2.client][CP Server Thread-5][request=7549ab03-1227-437f-a28f-920b5a0a3918] AuthNReq: <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-CQm6T1sQ5I1vmHild" Version="2.0" IssueInstant="2021-04-12T08:47:46Z" Destination="https://login.microsoftonline.com/something_more" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/telenor"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sts.windows.net/something_more</ns1:Issuer><ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false" /></ns0:AuthnRequest>
2021-04-12 10:47:46,635 INFO  [saml2.entity][CP Server Thread-5][request=7549ab03-1227-437f-a28f-920b5a0a3918] HTTP REDIRECT
2021-04-12 10:47:46,636 DEBUG [txn.140173807556352][CP Server Thread-5] commit
2021-04-12 10:47:46,829 DEBUG [txn.140173799163648][CP Server Thread-6] new transaction
2021-04-12 10:47:46,832 DEBUG [saml2.mdstore][CP Server Thread-6][request=f1d39f7a-e49b-44ed-8de5-3282366b3b3b] service(https://sts.windows.net/something_more/, idpsso_descriptor, single_sign_on_service, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
2021-04-12 10:47:46,832 DEBUG [saml2.mdstore][CP Server Thread-6][request=f1d39f7a-e49b-44ed-8de5-3282366b3b3b] service => [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&SingleSignOnService', 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'location': 'https://login.microsoftonline.com/something_more'}]
2021-04-12 10:47:46,832 INFO  [saml2.client][CP Server Thread-6][request=f1d39f7a-e49b-44ed-8de5-3282366b3b3b] destination to provider: https://login.microsoftonline.com/something_more
2021-04-12 10:47:46,833 INFO  [saml2.entity][CP Server Thread-6][request=f1d39f7a-e49b-44ed-8de5-3282366b3b3b] REQUEST: <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-8QlxmIdUMCt9p1Gqd" Version="2.0" IssueInstant="2021-04-12T08:47:46Z" Destination="https://login.microsoftonline.com/something_more" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/telenor"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sts.windows.net/something_more/</ns1:Issuer><ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false" /></ns0:AuthnRequest>
2021-04-12 10:47:46,833 INFO  [saml2.client][CP Server Thread-6][request=f1d39f7a-e49b-44ed-8de5-3282366b3b3b] AuthNReq: <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-8QlxmIdUMCt9p1Gqd" Version="2.0" IssueInstant="2021-04-12T08:47:46Z" Destination="https://login.microsoftonline.com/something_more" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/telenor"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sts.windows.net/something_more/</ns1:Issuer><ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false" /></ns0:AuthnRequest>
2021-04-12 10:47:46,833 INFO  [saml2.entity][CP Server Thread-6][request=f1d39f7a-e49b-44ed-8de5-3282366b3b3b] HTTP REDIRECT

Also, I used a SAML tracer; here is its output: [saml_output, not reproduced]

c00kiemon5ter commented 3 years ago

In your code you set entityID to

    settings = {
        'entityid':'https://sts.windows.net/something-more',
        ...

The AuthnRequest correctly shows that the Issuer is

<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sts.windows.net/something_more/</ns1:Issuer>

and the Destination as

Destination="https://login.microsoftonline.com/something_more/saml2"

On Azure, however, you set the entityID to http://127.0.0.1:6543/saml/login/client


The tracer shows that from there, the client redirects back to the IdP using HTTP-Redirect, the IdP has an active session and returns a Response back to the client using HTTP-POST, and the cycle continues.


So, the response is not directed to the right ACS URL and is not handled correctly on the client-side.
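The two checks asked for in this thread, that the AuthnRequest's AssertionConsumerServiceURL matches the Response's Destination, and that the SP is not identifying itself with the IdP's own entityID, as an added example that is not part of this thread and not pysaml2 code. It goes a little beyond the replies: it also ties the Response's InResponseTo to an outstanding request ID (the check that `allow_unsolicited: True` skips) and checks that the assertion's Audience names the SP. The XML is constructed from the redacted values quoted above, with signatures trimmed; the "bad" Response is constructed to illustrate the diagnosis in the reply (a Response aimed at the login route, with that route as Audience), since the real tracer output is not on the page. `check_exchange`, `authn_request`, `response`, `BAD_SP` and `GOOD_SP` are names chosen here.

```python
"""
Cross-check an SP's pysaml2-style settings against the AuthnRequest it sent
and the Response the IdP posted back.  Added example, not pysaml2 code and
not code from this thread.  The XML is constructed from the redacted values
quoted in the thread (signatures and timestamps trimmed); the "bad" Response
is the situation the reply describes: Azure was given the SP's login route
as its identifier, so the Response targets that route and names it Audience.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
IDP_ISSUER = "https://sts.windows.net/something_more/"
ACS = "http://127.0.0.1:6543/saml/sso/client"
LOGIN_ROUTE = "http://127.0.0.1:6543/saml/login/client"

# Constructed: the first post's settings, 'entityid' being the IdP's own issuer.
BAD_SP = {"entityid": IDP_ISSUER, "acs_urls": [ACS, ACS.replace("http://", "https://")]}
# Constructed: the later settings, where the SP has an identifier of its own.
GOOD_SP = {"entityid": "test-app", "acs_urls": [ACS]}


def authn_request(req_id, issuer, acs):
    """Constructed AuthnRequest in the shape pysaml2 logged in the thread."""
    return f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="{req_id}" Version="2.0" IssueInstant="2021-04-06T13:46:59Z"
  Destination="https://login.microsoftonline.com/something_more/saml2"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="{acs}">
  <saml:Issuer>{issuer}</saml:Issuer>
</samlp:AuthnRequest>"""


def response(in_response_to, destination, audience):
    """Constructed Response; pass in_response_to=None for an unsolicited one."""
    irt = f'InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2021-04-06T13:47:00Z"
  Destination="{destination}" {irt}>
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-04-06T13:47:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_exchange(sp, authn_request_xml, response_xml, outstanding_ids):
    """Return the inconsistencies found; an empty list means the exchange lines up."""
    req = ET.fromstring(authn_request_xml)
    resp = ET.fromstring(response_xml)
    req_issuer = (req.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    req_acs = req.get("AssertionConsumerServiceURL", "")
    resp_issuer = (resp.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    resp_dest = resp.get("Destination", "")
    in_response_to = resp.get("InResponseTo")
    audiences = [a.text.strip() for a in resp.findall(".//saml:Audience", NS) if a.text]

    problems = []
    # The AuthnRequest's Issuer is the SP's entityid, and it must not be the IdP's.
    if req_issuer != sp["entityid"]:
        problems.append(f"AuthnRequest Issuer {req_issuer!r} != SP entityid {sp['entityid']!r}")
    if req_issuer == resp_issuer:
        problems.append(f"SP entityid {req_issuer!r} is the IdP's own Issuer")
    if req_acs not in sp["acs_urls"]:
        problems.append(f"AuthnRequest ACS URL {req_acs!r} is not an SP ACS endpoint")
    # The IdP posts the Response to Destination: it must be an ACS endpoint, never the login route.
    if resp_dest not in sp["acs_urls"]:
        problems.append(f"Response Destination {resp_dest!r} is not an SP ACS endpoint")
    # Tie the Response to a request this SP actually issued (allow_unsolicited=True skips this).
    if in_response_to is None:
        problems.append("Response is unsolicited (no InResponseTo)")
    elif in_response_to not in outstanding_ids:
        problems.append(f"InResponseTo {in_response_to!r} matches no outstanding AuthnRequest")
    # The assertion must be addressed to this SP.
    if audiences and sp["entityid"] not in audiences:
        problems.append(f"Audience {audiences} does not name SP entityid {sp['entityid']!r}")
    return problems


BAD_REQUEST = authn_request("id-3ShLw9LKxvY3aFCCN", IDP_ISSUER, ACS)
BAD_RESPONSE = response("id-3ShLw9LKxvY3aFCCN", LOGIN_ROUTE, LOGIN_ROUTE)
GOOD_REQUEST = authn_request("id-kUqcbJNT90fD2YXa9", "test-app", ACS)
GOOD_RESPONSE = response("id-kUqcbJNT90fD2YXa9", ACS, "test-app")


def bad_case():
    return check_exchange(BAD_SP, BAD_REQUEST, BAD_RESPONSE, {"id-3ShLw9LKxvY3aFCCN"})


def good_case():
    return check_exchange(GOOD_SP, GOOD_REQUEST, GOOD_RESPONSE, {"id-kUqcbJNT90fD2YXa9"})
```

`bad_case()` reports three problems (SP entityid equals the IdP Issuer, Destination is not an ACS endpoint, Audience does not name the SP) and `good_case()` reports none. Run these comparisons on the decoded XML from a SAML tracer before touching pysaml2 settings: the library's own signature and Audience errors surface later and less clearly than a plain mismatch of these strings.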

vikas-nexcom commented 3 years ago

@c00kiemon5ter okay. Thanks so much for the help. Based on your suggestion, I made a few changes in the settings. For completeness' sake,

Here are my updated settings:

    settings = {
        'metadata': {
            "remote": [
                {
                    "url": "https://login.microsoftonline.com/something-more/federationmetadata/2007-06/federationmetadata.xml?appid=something-more",
                },
            ]
        },
        'service': {
            'sp': {
                'endpoints': {
                    'assertion_consumer_service': [
                        (acs_url, BINDING_HTTP_REDIRECT),
                        (acs_url, BINDING_HTTP_POST),
                        (https_acs_url, BINDING_HTTP_REDIRECT),
                        (https_acs_url, BINDING_HTTP_POST)
                    ],
                },
                'allow_unsolicited': True,
                'authn_requests_signed': False,
                'logout_requests_signed': True,
                'want_assertions_signed': True,
                'want_response_signed': False,
            },
        },
    }

which generates the following request:

<ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="id-QUY2EUcRK60ApSz"
                  Version="2.0"
                  IssueInstant="2021-04-13T09:24:17Z"
                  Destination="https://login.microsoftonline.com/something-more/saml2"
                  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                  AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/telenor">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" />
</ns0:AuthnRequest>

I noticed that this request works fine with Okta but Azure doesn't like it. It throws the following error.

[Screenshot from 2021-04-13 11-31-13, not reproduced]


Based on some research, I found out that Azure likes the request to be like this:

<samlp:AuthnRequest
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="id6c1c178c166d486687be4aaf5e482730"
    Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
</samlp:AuthnRequest>

Therefore, I changed my settings to include entityid:

    settings = {
        'entityid':'test-app',

<ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="id-kUqcbJNT90fD2YXa9"
                  Version="2.0"
                  IssueInstant="2021-04-13T09:53:27Z"
                  Destination="https://login.microsoftonline.com/something-more/saml2"
                  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                  AssertionConsumerServiceURL="http://127.0.0.1:6543/saml/sso/telenor">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">test-app</ns1:Issuer>
</ns0:AuthnRequest>

and Azure settings like this: [Screenshot from 2021-04-13 12-00-44, not reproduced]

Partial SAML response from Azure:

<samlp:Response ID="_someid"
                Version="2.0"
                IssueInstant="2021-04-13T09:53:28.387Z"
                Destination="http://127.0.0.1:6543/saml/sso/telenor"
                InResponseTo="id-GkaZp8Pzvuxo5P5C"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/something-more</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>

This doesn't throw the error above but restarts that infinite login loop again. I am not sure whether the sign-on URL is needed or not, as it says it is optional and also doesn't support http:// URLs. I am not sure how to really test SSO. The response is being redirected correctly but is not being handled correctly in the code. So, it boils down to something that is wrong in the settings, and I am not sure what's wrong there. Where do I include the Base64-encoded .cer/.pem file that I obtained from Azure? If I include the metadata below:

 abled-reference-uris empty,same-doc --enabled-key-data raw-x509-cert --pubkey-cert-pem /home/vikas/Downloads/RevealCX.cer --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --output /tmp/tmpm_kjbi0e.xml /tmp/tmpz547t8_s.xml
2021-04-13 12:23:42,238 ERROR [saml2.sigver][CP Server Thread-3][request=c9c89ef2-bcc8-40c0-a311-9c11092f3f92] returncode=1
error=func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_d1d20ca0-30b')); xml error: 0: NULL
func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed: 
func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed: 
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1408:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessReferences:file=xmldsig.c:line=752:obj=Reference:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=517:obj=unknown:subj=xmlSecDSigCtxProcessReferences:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed: 
Error: signature failed 
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "/tmp/tmpz547t8_s.xml"

c00kiemon5ter commented 3 years ago

You should be receiving a POST request at http://127.0.0.1:6543/saml/sso/telenor, and should be handling this request with your code -- from above, the idp_initiated_client function should be called when that happens. Does this happen? When that method ends processing it returns HTTPFound(location="/", ...). Is there a handler for the root / route to return actual protected content?


You define the metadata URL for the Azure IdP in the settings.

    settings = {
        'metadata': {
            "remote": [
                {
                    "url": "https://login.microsoftonline.com/something-more/federationmetadata/2007-06/federationmetadata.xml?appid=something-more",
                },
            ]
        },

I am not sure sign-on URL is needed or not as it says it is optional and also, doesn't support http:// url.

I am not sure what this field is about, but, the metadata from Azure should define a SingleSignOnService element within the IDPSSODescriptor element. If that is in place you should be good.

Where do I include the Base64 encoded .cer/pem file that I obtained from azure?

The metadata should contain a KeyDescriptor element that holds the cert by Azure, within the IDPSSODescriptor element. You shouldn't need to do anything with the extra files (*.cer / *.pem files).
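The reply above says the IdP metadata should carry the SingleSignOnService endpoints and the signing certificate (in a KeyDescriptor) inside IDPSSODescriptor, and that nothing needs to be done with the downloaded .cer file. As an added example, not pysaml2 code and not from this thread, here is a small inspector that pulls those pieces out of a metadata document and reports what an SP would be missing. The metadata is constructed in the shape of a federation metadata file rather than fetched from Azure, the certificate blob is a placeholder (a DER SEQUENCE header followed by zeros, not a real certificate), and `inspect_idp_metadata`, `problems_for_sp` and `metadata_xml` are names chosen here.

```python
"""
Inspect an IdP's SAML metadata for what an SP needs from it: the IdP
entityID, the SingleSignOnService endpoints inside IDPSSODescriptor and a
signing certificate inside a KeyDescriptor.  Added example, not pysaml2 code.
The metadata below is constructed to have the shape of a federation metadata
document; the certificate blob is a placeholder, not a real certificate.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate: a DER SEQUENCE header followed by zero bytes.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x10" + b"\x00" * 16).decode()


def metadata_xml(with_key_descriptor=True):
    """Constructed IdP metadata; the KeyDescriptor can be left out to show the failure mode."""
    key = ""
    if with_key_descriptor:
        key = ("<md:KeyDescriptor use=\"signing\"><ds:KeyInfo><ds:X509Data>"
               f"<ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>"
               "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sts.windows.net/something-more/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key}
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/something-more/saml2"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/something-more/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return the entityID, the SSO endpoints keyed by binding, and the DER signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor root")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def problems_for_sp(info):
    """What an SP configured from this metadata would be unable to do."""
    problems = []
    if REDIRECT not in info["sso"]:
        problems.append("no SingleSignOnService with the HTTP-Redirect binding, "
                        "which is what the AuthnRequest in the logs above was sent with")
    if not info["signing_certs"]:
        problems.append("no signing KeyDescriptor: Response/Assertion signatures "
                        "cannot be verified from this metadata")
    for der in info["signing_certs"]:
        if not der or der[0] != 0x30:
            problems.append("X509Certificate does not decode to a DER SEQUENCE")
    return problems
```

`problems_for_sp(inspect_idp_metadata(metadata_xml()))` is empty; with `metadata_xml(with_key_descriptor=False)` it reports the missing signing key, which is the situation in which `want_assertions_signed: True` can never succeed. When pysaml2 loads the document itself via a `"remote"` metadata entry it fetches it over HTTPS at start-up; that entry also accepts a `"cert"` key so the library can check the metadata's own signature instead of trusting whatever the URL returns.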

vikas-nexcom commented 3 years ago

@c00kiemon5ter Thanks for your insight and immense help. Things are working fine now. I have learnt a lot. I corrected an error in the view SAML route, which got rid of the redirect loop. From there, it was just a matter of getting things from the response. There is a handler for the root / route in the application. So, now I see the logged-in version. Thanks once again for the help and have a great day!

vhorvath001 commented 2 years ago

Hi @vikas-nexcom , I know the problem occurred more than one year ago but do you remember by any chance what the solution was in your case? I have the same problem, I tried pysaml2 and python3-saml too so my config should contain something that causes this redirect loop but I cannot figure it what. Also apologise to use this issue as chat but I am pretty desperate. :) Regards, V.