OTA-Insight / djangosaml2idp

SAML 2.0 Identity Provider in Django
Apache License 2.0

saml2.response.IncorrectlySigned Internal Server Error #135

Open MySecondLanguage opened 2 years ago

MySecondLanguage commented 2 years ago

I am implementing SSO with SAML2 but I am running into trouble. I am using this lib: https://github.com/OTA-Insight/djangosaml2idp


The SP is working well; the issue is with the IdP.

This is the error i am getting:

 raise IncorrectlySigned()
Internal Server Error: /idp/login/process/

and this is my url pattern

from django.urls import include, path
from django.views.generic import TemplateView

urlpatterns = [
    path('accounts/', include('django.contrib.auth.urls')),
    path('idp/', include('djangosaml2idp.urls')),
    path('', TemplateView.as_view(template_name="index.html")),
]

and this is my settings.py file

import saml2
import os
from saml2.sigver import get_xmlsec_binary

LOGIN_URL = '/accounts/login/'
BASE_URL = 'http://localhost:8000/idp'

# DEBUG and BASE_DIR are assumed to be defined earlier in settings.py (not shown in the post).
# The assignment lines and closing brackets were lost in the pasted snippet; the setting
# names below are the ones djangosaml2idp documents.
SAML_IDP_CONFIG = {
    'debug': DEBUG,
    'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin', '/usr/bin']),
    'entityid': '%s/metadata' % BASE_URL,
    # 'entityid': os.path.join(BASE_DIR, 'metadata'),
    'description': 'Example IdP setup',

    'service': {
        'idp': {
            'name': 'Django localhost IdP',
            'endpoints': {
                'single_sign_on_service': [
                    ('http://localhost:8000/idp/sso/post/', saml2.BINDING_HTTP_POST),
                    ('http://localhost:8000/idp/sso/redirect/', saml2.BINDING_HTTP_REDIRECT),
                ],
                "single_logout_service": [
                    ("http://localhost:8000/idp/slo/post/", saml2.BINDING_HTTP_POST),
                    ("http://localhost:8000/idp/slo/redirect/", saml2.BINDING_HTTP_REDIRECT),
                ],
            },
            # The IdP signs what it sends and requires SPs to sign what they send.
            'sign_response': True,
            'sign_assertion': True,
            'want_authn_requests_signed': True,
        },
    },

    # Signing
    'key_file': os.path.join(BASE_DIR, 'certificates/private.key'),
    'cert_file': os.path.join(BASE_DIR, 'certificates/public.cert'),
    # Encryption
    'encryption_keypairs': [{
        'key_file': os.path.join(BASE_DIR, 'certificates/private.key'),
        'cert_file': os.path.join(BASE_DIR, 'certificates/public.cert'),
    }],
    'valid_for': 365 * 24,

    "metadata": {
        "local": [
            os.path.join(BASE_DIR, 'metadata'),
        ],
    },
}

# Each key in this dictionary is a SP our IDP will talk to
SAML_IDP_SPCONFIG = {
    'http://localhost:8000/saml2/metadata': {
        'processor': 'djangosaml2idp.processors.BaseProcessor',
        'attribute_mapping': {
            'email': 'email',
            'first_name': 'first_name',
            'last_name': 'last_name',
            'is_staff': 'is_staff',
            'is_superuser': 'is_superuser',
        },
    },
}

Everything is working well, but when it redirects to the /idp/login/process/ URL, it fires the error. Can anyone help me to solve this issue?

charron-tom commented 2 years ago

Do you know which binding is being used? If you are using the HTTP-REDIRECT binding, the signature must be in the Authn request itself as the pysaml2 library doesn't yet support passing the signature via a URL query parameter. See this pull request.

If you are using the HTTP-POST binding, double check there is a signature in the Authn request.
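The two places the SAML 2.0 Bindings spec puts the AuthnRequest signature, as an added illustration that is not part of this issue thread, of djangosaml2idp or of pysaml2: with HTTP-POST it is an XML-DSig `ds:Signature` element inside the request; with HTTP-Redirect the XML is deflated and the signature travels as the `SigAlg` and `Signature` query parameters, computed over the URL-encoded `SAMLRequest`, `RelayState` and `SigAlg` values. The stdlib-only diagnostic below decodes a request for either binding, reports which kind of signature is present, and rebuilds the Redirect signed string, which gives a clearer picture than a bare `IncorrectlySigned`. The AuthnRequest XML, the placeholder signature element and the placeholder `Signature` value are constructed sample data, and `locate_signature` is a hypothetical helper, not a pysaml2 API.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Binding URNs from the SAML 2.0 Bindings spec (same values as
# saml2.BINDING_HTTP_POST and saml2.BINDING_HTTP_REDIRECT in pysaml2).
BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
DS_NS = 'http://www.w3.org/2000/09/xmldsig#'

# Constructed sample AuthnRequest (not a real capture); the ds:Signature in the
# signed variant is a placeholder element, not a valid XML-DSig.
UNSIGNED_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id" Version="2.0" IssueInstant="2022-01-18T15:00:00Z" '
    'AssertionConsumerServiceURL="http://localhost:8000/saml2/acs/">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://localhost:8000/saml2/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
SIGNED_XML = UNSIGNED_XML.replace(
    '</samlp:AuthnRequest>',
    f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignatureValue>placeholder'
    '</ds:SignatureValue></ds:Signature></samlp:AuthnRequest>',
)


def encode_for_binding(xml_text: str, binding: str) -> str:
    """Apply the transport encoding an SP uses: base64 for POST,
    raw DEFLATE followed by base64 for Redirect."""
    data = xml_text.encode('utf-8')
    if binding == BINDING_HTTP_REDIRECT:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode('ascii')


def decode_authn_request(saml_request: str, binding: str) -> str:
    """Undo the binding's transport encoding and return the AuthnRequest XML."""
    data = base64.b64decode(saml_request)
    if binding == BINDING_HTTP_REDIRECT:
        data = zlib.decompress(data, -15)
    return data.decode('utf-8')


def redirect_signed_string(params: dict) -> str:
    """Rebuild the octets the Redirect-binding signature covers:
    SAMLRequest=..&RelayState=..&SigAlg=.. with URL-encoded values, RelayState
    included only when the request carried it. A real verifier should take the
    encoded values straight from the received query string instead of
    re-encoding them, because encoders differ in what they escape."""
    parts = [('SAMLRequest', params['SAMLRequest'])]
    if 'RelayState' in params:
        parts.append(('RelayState', params['RelayState']))
    parts.append(('SigAlg', params['SigAlg']))
    return '&'.join(f'{k}={quote(v, safe="")}' for k, v in parts)


def locate_signature(binding: str, params: dict) -> dict:
    """Report which kind of signature an incoming AuthnRequest carries.
    HTTP-POST: an XML-DSig <ds:Signature> child of the request element.
    HTTP-Redirect: the SigAlg and Signature query parameters; the deflated XML
    is normally left unsigned because an embedded signature cannot cover the
    query string."""
    root = ET.fromstring(decode_authn_request(params['SAMLRequest'], binding))
    embedded = root.find(f'{{{DS_NS}}}Signature') is not None
    query = (binding == BINDING_HTTP_REDIRECT
             and 'SigAlg' in params and 'Signature' in params)
    return {
        'binding': 'POST' if binding == BINDING_HTTP_POST else 'Redirect',
        'embedded_signature': embedded,
        'query_signature': query,
        'signed_string': redirect_signed_string(params) if query else None,
    }


if __name__ == '__main__':
    post_params = {'SAMLRequest': encode_for_binding(SIGNED_XML, BINDING_HTTP_POST)}
    print(locate_signature(BINDING_HTTP_POST, post_params))
    redirect_params = {
        'SAMLRequest': encode_for_binding(UNSIGNED_XML, BINDING_HTTP_REDIRECT),
        'RelayState': '/',
        'SigAlg': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'Signature': 'cGxhY2Vob2xkZXI=',  # constructed placeholder, not a real signature
    }
    print(locate_signature(BINDING_HTTP_REDIRECT, redirect_params))
```

Running it against the two constructed requests shows a POST request reported as signed only through the embedded element and a Redirect request reported as signed only through the query parameters; an IdP that checks just one of those locations for the other binding will raise a signature error even when the SP did sign.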

MySecondLanguage commented 2 years ago

How do I use the HTTP-POST binding? I am using this djangosaml2idp example source code.

How can I use the HTTP-POST binding, as djangosaml2idp handles the request at /idp/login/process/?

Can you please have a look at my settings? I have already added them above.

MySecondLanguage commented 2 years ago

Hi, can anyone help me to fix this?

subbergunz commented 2 years ago

It appears to be supported now, in https://github.com/IdentityPython/pysaml2/commit/718cf98a3baba4642ca9321e05115157c0d387dd

subbergunz commented 2 years ago

I am now testing this diff:

# diff -c /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py.orig /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py
*** /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py.orig 2022-01-18 15:08:14.414687736 +0100
--- /usr/local/lib/python3.9/dist-packages/djangosaml2idp/views.py  2022-01-18 16:01:56.845308818 +0100
*** 56,61 ****
--- 56,66 ----
      request.session['Binding'] = binding
      request.session['SAMLRequest'] = saml_request
      request.session['RelayState'] = passed_data.get('RelayState', '')
+     if binding == BINDING_HTTP_REDIRECT:
+         if 'SigAlg' in passed_data:
+             request.session['SigAlg'] = passed_data.get('SigAlg')
+         if 'Signature' in passed_data:
+             request.session['Signature'] = passed_data.get('Signature')

*** 233,239 ****
              idp_server = IDP.load()

              # Parse incoming request
!             req_info = idp_server.parse_authn_request(request.session['SAMLRequest'], binding)

              # check SAML request signature
--- 238,247 ----
              idp_server = IDP.load()

              # Parse incoming request
!             if binding == BINDING_HTTP_REDIRECT:
!                 req_info = idp_server.parse_authn_request(request.session['SAMLRequest'], binding, relay_state=request.session.get('RelayState', None), sigalg=request.session.get('SigAlg', None), signature=request.session.get('Signature', None))
!             else:
!                 req_info = idp_server.parse_authn_request(request.session['SAMLRequest'], binding)

              # check SAML request signature
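Review bot: the `relay_state=request.session.get('RelayState', None)` default never applies, because the earlier hunk stores `passed_data.get('RelayState', '')`, so an absent RelayState reaches `parse_authn_request` as `''` rather than `None`; since the Redirect-binding signature covers `RelayState` only when the SP sent it, check how pysaml2 treats an empty string when it rebuilds the signed query string, and store `None` when the parameter is absent if it does not distinguish the two. Style: the `!` call line is very long; build the Redirect-only arguments as a keyword dict under the `if` and make a single `parse_authn_request(request.session['SAMLRequest'], binding, **extra)` call, which also removes the duplicated `else` branch.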

MathieuB1 commented 2 years ago

In my case to get the example working I had to set:

            'sign_response': False,
            'sign_assertion': False,
            'want_authn_requests_signed': False,

in sp.settings.py and idp.settings.py