SAML-Toolkits / python-saml

Python SAML Toolkit
MIT License

Error: "The NameID of the Response is not encrypted and the SP require it." #59

Closed futureimperfect closed 9 years ago

futureimperfect commented 9 years ago

Hello,

I'm working on adding SAML support to a few internal tools and I'm running into a problem when I set the security values to true in advanced_settings.json. For what it's worth, I have no issues when all of these are set to false except for signMetadata. The above error message is displayed when I call auth.get_last_error_reason(), and I can confirm that the response is not encrypted. I have used SAML Tool to create the self-signed certificates and placed them in saml/certs, as well as placing them directly in saml/settings.json.

Here's my settings.json file:

{
    "strict": true,
    "debug": false,
    "sp": {
        "entityId": "https://foo.example.com/metadata/",
        "assertionConsumerService": {
            "url": "https://foo.example.com/?acs",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        },
        "singleLogoutService": {
            "url": "https://foo.example.com/?sls",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
        "x509cert": "<REDACTED_X509_CERT>",
        "privateKey": "<REDACTED_PRIVATE_KEY>"
    },
    "idp": {
        "entityId": "https://app.onelogin.com/saml/metadata/<MY-ID>",
        "singleSignOnService": {
            "url": "https://app.onelogin.com/trust/saml2/http-post/sso/<MY-ID>",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "singleLogoutService": {
            "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/<MY-ID>",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "certFingerprint": "564df564c64748bacda8ecd635dc7f9cb268a50e",
        "x509cert": "<REDACTED_IDP_X509_CERT>"
    }
}

And here's my advanced_settings.json file:

{
    "security": {
        "nameIdEncrypted": true,
        "authnRequestsSigned": true,
        "logoutRequestSigned": true,
        "logoutResponseSigned": true,
        "signMetadata": true,
        "wantMessagesSigned": true,
        "wantAssertionsSigned": true,
        "wantNameIdEncrypted": true
    },
    "contactPerson": {
        "technical": {
            "givenName": "it",
            "emailAddress": "it@example.com"
        },
        "support": {
            "givenName": "techsupport",
            "emailAddress": "techsupport@example.com"
        }
    },
    "organization": {
        "en-US": {
            "name": "example",
            "displayname": "Example",
            "url": "https://foo.example.com"
        }
    }
}

I'm using version 2.1.2 of python-saml on Ubuntu with a Flask app, and nginx as the reverse proxy.

Any help is appreciated. Thanks!

pitbulk commented 9 years ago

When you set "wantNameIdEncrypted": true the Service Provider expects that the Identity Provider sent a SAMLResponse with a saml:EncryptedID in the Assertion element instead of a saml:NameID.

If not, you get the "The NameID of the Response is not encrypted and the SP require it." message.
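To make the check concrete, here is an added stand-alone example (not python-saml's own code) that inspects the Subject of a SAML Response and reports whether the NameID arrived as a plain saml:NameID or as a saml:EncryptedID, then applies the wantNameIdEncrypted policy the way the error above describes. The two response documents are constructed, minimal and unsigned; a real EncryptedID would carry full xenc:EncryptedData and ds:KeyInfo content.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: Subject carries a plain (unencrypted) NameID, as OneLogin sends by default.
PLAIN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">user@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: same shape, but the NameID is wrapped in an EncryptedID (payload stubbed).
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:EncryptedID>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      </saml:EncryptedID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

NOT_ENCRYPTED_MSG = "The NameID of the Response is not encrypted and the SP require it."


def nameid_kind(response_xml):
    """Return 'encrypted', 'plain' or 'missing' depending on how the Subject identifies the user."""
    root = ET.fromstring(response_xml)
    subject = root.find("saml:Assertion/saml:Subject", NS)
    if subject is None:
        return "missing"
    if subject.find("saml:EncryptedID", NS) is not None:
        return "encrypted"
    if subject.find("saml:NameID", NS) is not None:
        return "plain"
    return "missing"


def check_nameid_policy(response_xml, security):
    """Apply the SP's 'security' settings dict; return an error string or None when the response is acceptable."""
    kind = nameid_kind(response_xml)
    if security.get("wantNameIdEncrypted", False) and kind != "encrypted":
        return NOT_ENCRYPTED_MSG
    return None
```

With the poster's advanced_settings.json (wantNameIdEncrypted true) the plain response is rejected with the message from the issue title; with the setting false, or with an EncryptedID present, it passes.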

futureimperfect commented 9 years ago

Thanks, @pitbulk. Do you know what OneLogin (the identity provider in this case) expects these values to be? Is it contingent on how I've configured the SAML Test Connector in OneLogin (e.g., the assertions that are included in the response)?

pitbulk commented 9 years ago

By default the OneLogin NameID is unencrypted, so set wantNameIdEncrypted to false.