SAML-Toolkits / python3-saml

MIT License
682 stars 304 forks

Why can't I get attributes ? #301

Closed IzyI closed 2 years ago

IzyI commented 2 years ago

Hello guys. I did everything according to this manual: https://developers.onelogin.com/saml/python But I didn't succeed. I get an error:

Errors:
invalid_response
There is no AttributeStatement on the Response

[image]

{
  "strict": true,
  "debug": true,
  "sp": {
    "entityId": "http://siteproxy.ru/metadata/",
    "assertionConsumerService": {
      "url": "http://siteproxy.ru/?acs",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },
    "singleLogoutService": {
      "url": "http://siteproxy.ru/?sls",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "x509cert": "",

    "privateKey": ""
  },
  "idp": {
    "entityId": "https://app.onelogin.com/saml/metadata/918d180a-a86a-406f-88db-a4dc44d9c150",
    "singleSignOnService": {
      "url": "https://supertestapp-dev.onelogin.com/trust/saml2/http-post/sso/918d180a-a86a-406f-88db-a4dc44d9c150",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "singleLogoutService": {
      "url": "https://supertestapp-dev.onelogin.com/trust/saml2/http-redirect/slo/1668425",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "x509cert": "MIID7jCCAtagAwIBAgIUA0HawEb/ruz25jOJEj9cBcKdcKswDQYJKoZIhvcNAQEFBQAwSzEWMBQGA1UECgwNTW9ub3NuYXAgSW5jLjEVMBMGA1UECwwMT25lTG9naW4gSWRQMRowGAYDVQQDDBFPbmVMb2dpbiBBY2NvdW50IDAeFw0yMDEwMTIxMjI0MzVaFw0yNTEwMTIxMjI0MzVaMEsxFjAUBgNVBAoMDU1vbm9zbmFwIEluYy4xFTATBgNVBAsMDE9uZUxvZ2luIElkUDEaMBgGA1UEAwwRT25lTG9naW4gQWNjb3VudCAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+kpEaaUr3zbftURxz1c05hVHMdCn4IlZ+fV5TmX0y3JgTCN0H5Y0cXrgCVmY3LvdcqjL8LEXlbsZyvMnzXLIChcXQoAp5JSMtKdl+KG4j6aPi37MWlxADV7bJoAtclxJayhO0AldIz3wdAhzfYkbQctYuamnm7Y6Qpyd3elctYNajVYVIxrYwWzMQjwdapDGfRsjK509u1fyYxkxwEnvfVDG2e77TJLD4SY+4bkHiMXVQf87E19xZtmT0tW7ANCCrOpn4D2Uf7OFUJRYHLPRJA+BD9AVjRbWnobcRd1wM69c+24z5G4S6ly4T0PqwM/Spms33lRqOE6uYacmW6i07AgMBAAGjgckwgcYwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUVAaut68tuEQGq9fYYzN4NpNqYS8wgYYGA1UdIwR/MH2AFFQGrrevLbhEBqvX2GMzeDaTamEvoU+kTTBLMRYwFAYDVQQKDA1Yw25vc25hcCBJbmMuMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgghQDQdrARv+u7PbmM4kSP1wFwp1wqzAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQEFBQADggEBAEghILiZNTJJ8T+8iyOQ6JWtO5LYgpr/rjDJxxyL8hBCtpLHO4ruM5ZBLTytZBTbLJVc0fBUtivRXlCypJuEtCueH7mHf9YwEFsTHZvmY9Ywy9cDa3GydygugLPpABYzgDXRxcps7N4xcs83/4m5uZBFcQCu5YwPsUwZHwOX+CjIyPPs5lZd4ybBEviykDDXkE1LPaQtFhXHJ1X6OChG6QTxtVZWfVyDr8Js1fSxBU2mnEEhCBMQZoFe8aViahUqrCjKm429oHk1ibgTcZ23rIxY9ZaB/88PV+vfrbj1BJGs0MfStuX7YwgAiUSynbg3cw/tnj/9e1Sk9wDEhYEf+k8="
  }
}
{
    "security": {
        "nameIdEncrypted": false,
        "authnRequestsSigned": false,
        "logoutRequestSigned": false,
        "logoutResponseSigned": false,
        "signMetadata": false,
        "wantMessagesSigned": false,
        "wantAssertionsSigned": false,
        "wantNameId" : true,
        "wantNameIdEncrypted": false,
        "wantAssertionsEncrypted": false,
        "allowSingleLabelDomains": false,
        "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
        "rejectDeprecatedAlgorithm": true
    },
    "contactPerson": {
        "technical": {
            "givenName": "technical_name",
            "emailAddress": "technical@example.com"
        },
        "support": {
            "givenName": "support_name",
            "emailAddress": "support@example.com"
        }
    },
    "organization": {
        "en-US": {
            "name": "siteproxy",
            "displayname": "siteproxy",
            "url": "http://siteproxy.ru"
        }
    }
}

I realized that if I pass "wantAttributeStatement": false, it looks like the registration will take place, but I won't be able to get email and other attributes. Maybe I need to set up OneLogin somehow. [image] [image]

server {
    listen 80;
    server_name siteproxy.com www.siteproxy.com;

    location / {
        # This is the port that points to the server
        proxy_pass http://localhost:5000;
    }
}

What am I doing wrong?

pitbulk commented 2 years ago

Have you verified that at the "Parameters" section of your OneLogin app you have defined attributes to be released in the SAMLResponse?

IzyI commented 2 years ago

> Have you verified that at the "Parameters" section of your OneLogin app you have defined attributes to be released in the SAMLResponse?

Yes, I have the parameters set up. [image]

pitbulk commented 2 years ago

The first one is going to be provided as NameID. When you added the custom ddd, have you marked it to be included in the SAMLResponse?

Can you install SAML Tracer extension on Firefox or Chrome in order to record the SAMLResponse and inspect it to determine if the attributes are inside?

Have you called auth.get_attributes() after a call to auth.process_response()? Is auth.get_last_error_reason() returning None?
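
The inspection suggested above can also be done offline: decode the SAMLResponse form field captured from the POST to the ACS URL and check whether the assertion carries an AttributeStatement. This is an added example, not part of the thread or of python3-saml; it uses only the standard library, the sample responses and the function names are constructed for illustration, and it performs no signature validation.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def inspect_saml_response(b64_response):
    """Summarise a base64 SAMLResponse (HTTP-POST binding). Diagnostic only:
    nothing here checks signatures, conditions or the issuer."""
    xml_bytes = base64.b64decode(b64_response)
    # SAML messages never need a DTD; refuse one instead of expanding entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in SAMLResponse")
    root = ET.fromstring(xml_bytes)
    report = {"assertions": 0, "name_id": None, "attribute_statements": 0,
              "attributes": {},
              # Encrypted assertions hide their attributes from this check.
              "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS))}
    for assertion in root.findall("saml:Assertion", NS):
        report["assertions"] += 1
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is not None:
            report["name_id"] = name_id.text
        for stmt in assertion.findall("saml:AttributeStatement", NS):
            report["attribute_statements"] += 1
            for attr in stmt.findall("saml:Attribute", NS):
                values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
                report["attributes"].setdefault(attr.get("Name"), []).extend(values)
    return report


def sample_response(with_attributes):
    """Constructed, unsigned sample; 'ddd' mirrors the custom parameter in the thread."""
    stmt = ('<saml:AttributeStatement><saml:Attribute Name="ddd">'
            '<saml:AttributeValue>user@example.com</saml:AttributeValue>'
            '</saml:Attribute></saml:AttributeStatement>') if with_attributes else ""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
           + stmt + '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # NameID only: the shape that fails with "There is no AttributeStatement".
    print(inspect_saml_response(sample_response(False)))
    # Parameter marked for inclusion: the attribute appears in the assertion.
    print(inspect_saml_response(sample_response(True)))
```

A report with `name_id` set but `attribute_statements` at 0 means the IdP released only the NameID, so the fix belongs in the IdP app configuration rather than in the SP settings.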

IzyI commented 2 years ago

I understood everything, figured it out using SAML Tracer. thank you

saromba commented 1 year ago

@IzyI What was the solution here? I've the same issue

pitbulk commented 1 year ago

@IzyI can you check if the saml response was properly validated? Can you check if attributes were sent by the IdP (use SAML Tracer browser plugin)?

IzyI commented 1 year ago

I connected SAML Tracer and debugged through it. I don't remember, but the problem was OneLogin's setup.

KaperIT commented 1 year ago

For me, add (Include in SAML assertion) [image]

mdmuzakkir86 commented 7 months ago

@saromba What was the solution here? I've the same issue

@pitbulk @saromba @IzyI @KaperIT @jborg I too have a similar issue, but a little different; please check: https://github.com/SAML-Toolkits/python3-saml/issues/394

talhakum commented 3 months ago

I experienced a similar case. Resolved it after applying the comment below. Thanks! @KaperIT

> for me add (Include in SAML assertion) [image]