OTA-Insight / djangosaml2idp

SAML 2.0 Identity Provider in Django
Apache License 2.0

Initial /idp/sso/post/ redirects to /idp/sso/post/ #127 (https://github.com/OTA-Insight/djangosaml2idp/issues/127)

Closed zbragg-s5 closed 3 years ago

zbragg-s5 commented 3 years ago

I am trying to set up Splunk as the SP.

Splunk correctly forwards traffic back to Django, but the requests always fail with a 400:

ValidationError not a valid SAMLRequest: MultiValueDictKeyError('SAMLRequest')

This error occurs in both Firefox and Chromium, but oddly enough not when I make the request with Postman.

Firefox & Chrome Request Sequence:

  1. POST /idp/sso/post/ >>> 301 Redirect
  2. GET /idp/sso/post/ >>> 400 Bad Request

Postman (and the example project)

  1. POST /idp/sso/post/ >>> 302 Redirect
  2. GET /idp/login/process/ >>> 302 Redirect
  3. GET /account/login?next=/idp/login/process/ >>> 200 OK

I have installed REFERRER_POLICY plugin and experimented with lax cookies in the browser but to no avail. I cannot figure out what is causing the issue and am at the end of things that I know to do to troubleshoot.

Thanks in advance.

lgarvey commented 3 years ago

"1. POST /idp/sso/post/ >>> 301 Redirect" <- that is strange. What endpoints are listed in your metadata? How have you configured saml in the settings file?


zbragg-s5 commented 3 years ago

Settings:

```python
SAML_IDP_CONFIG = {
    'debug': DEBUG,
    'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin', '/usr/bin/xmlsec1']),
    'entityid': '%s/metadata' % IDP_BASE_URL,
    'description': 'Example IdP setup',
    'service': {
        'idp': {
            'name': 'Django localhost IdP',
            'endpoints': {
                'single_sign_on_service': [
                    (IDP_BASE_URL + '/sso/post/', saml2.BINDING_HTTP_POST),
                    (IDP_BASE_URL + '/sso/redirect/', saml2.BINDING_HTTP_REDIRECT),
                ],
                "single_logout_service": [
                    (IDP_BASE_URL + "/slo/post/", saml2.BINDING_HTTP_POST),
                    (IDP_BASE_URL + "/slo/redirect/", saml2.BINDING_HTTP_REDIRECT),
                ],
            },
            'name_id_format': [NAMEID_FORMAT_EMAILADDRESS, NAMEID_FORMAT_UNSPECIFIED],
            'sign_response': True,
            'sign_assertion': True,
            'want_authn_requests_signed': True,
        },
    },
    # Signing
    'key_file': IDP_CERT_PATH + '/s5_saml_idp.key',
    'cert_file': IDP_CERT_PATH + '/s5_saml_idp.crt',
    # Encryption
    'encryption_keypairs': [{
        'key_file': IDP_CERT_PATH + '/s5_saml_idp.key',
        'cert_file': IDP_CERT_PATH + '/s5_saml_idp.crt',
    }],
    'valid_for': 365 * 24,
}
```

Metadata: IDP_metadata.txt (https://github.com/OTA-Insight/djangosaml2idp/files/6213851/IDP_metadata.txt), SP_metadata.txt (https://github.com/OTA-Insight/djangosaml2idp/files/6213852/SP_metadata.txt)

lgarvey commented 3 years ago

The 301 is strange - I can't see anywhere that this would happen in the code. I was thinking maybe you were using the older urls without slashes and django was redirecting, but this clearly isn't the case.

Do you have SESSION_COOKIE_SAMESITE = "None" in your settings file?


zbragg-s5 commented 3 years ago

Not presently, but I have experimented with that plugin (we are on Django 2.2.9) with the value "lax".

lgarvey commented 3 years ago

With django 2x I had to create some middleware to set the session cookies samesite setting to None. Not pretty, but it worked:

https://github.com/uktrade/staff-sso/blob/activity-stream-active-test/sso/core/middleware.py#L38-L49

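For readers on Django 2.x who cannot set SESSION_COOKIE_SAMESITE = "None" in settings, here is an added example (not the staff-sso middleware linked above, nor part of djangosaml2idp) of the same idea: rewrite the session and CSRF cookies on the way out so the cross-site POST to /idp/sso/post/ still carries the session. It assumes the cookie names "sessionid" and "csrftoken", that `response.cookies` is a `SimpleCookie` as on Django's HttpResponse, and Python 3.8+ for the `samesite` cookie attribute.

```python
"""Force SameSite=None; Secure on the IdP's session cookie (Django 2.x).

Added example, not the project's middleware. Why it matters here: the SP
posts the SAMLRequest to /idp/sso/post/ from another site, and a session
cookie marked SameSite=Lax is withheld from that cross-site POST, so the
follow-up GET /idp/login/process/ arrives without the session. Django 2.2
refuses SESSION_COOKIE_SAMESITE = "None", so the attribute is patched on
the way out. Needs Python 3.8+ (Morsel support for the samesite key).
"""
from http.cookies import SimpleCookie

# Assumed to match settings.SESSION_COOKIE_NAME / CSRF_COOKIE_NAME.
RELAXED_COOKIES = ("sessionid", "csrftoken")


def relax_cookies(cookies, names=RELAXED_COOKIES):
    """Set SameSite=None on the named cookies in a SimpleCookie.

    Browsers ignore SameSite=None unless Secure is also present, so both
    attributes are set together. Returns the names actually rewritten.
    """
    changed = []
    for name in names:
        morsel = cookies.get(name)
        if morsel is None:
            continue
        morsel["samesite"] = "None"
        morsel["secure"] = True
        changed.append(name)
    return changed


class SameSiteNoneMiddleware:
    """Django-style middleware; assumes response.cookies is a SimpleCookie."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        relax_cookies(response.cookies)
        return response


def example_headers():
    """Constructed sample: the Set-Cookie lines the server would emit."""
    jar = SimpleCookie()
    jar["sessionid"] = "abc123"
    jar["sessionid"]["samesite"] = "Lax"   # Django 2.x default
    jar["sessionid"]["httponly"] = True
    jar["theme"] = "dark"                  # unrelated cookie, left alone
    relax_cookies(jar)
    return [m.OutputString() for m in jar.values()]
```

Because SameSite=None drops the browser-side CSRF defence for these cookies, keep Django's CSRF middleware and the `want_authn_requests_signed` setting from the config above in place.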

challet commented 3 years ago

There is a package that backports the ability to set cookies with SameSite=None: https://github.com/jotes/django-cookies-samesite


zbragg-s5 commented 3 years ago

Just got done trying this, and it had no effect.

zbragg-s5 commented 3 years ago

OK we have success on our end and it seems to be related to sameorigin proxy rules and some odd www. associations on our endpoints.

TY all for the responses.