SAML-Toolkits / python3-saml

MIT License

AttributeValue is not defined error #353

Closed sayginify closed 1 year ago

sayginify commented 1 year ago

EDIT: The problem is probably related to Python 3.11. It seems to be working with 3.10, but I'll update here if everything works.

I'm having a problem with some namespace errors. I have the following versions:

**Python 3.11.2**
google-auth==2.16.3
google_auth_oauthlib==0.8.0
google-auth-httplib2==0.1.0
google-api-python-client==2.82.0
**python3-saml==1.15.0**
redis==4.5.3
cryptography==40.0.0
certifi==2022.12.7

I'm not sure which ones are related to python3-saml.

Recently I've updated to 1.15.0; previously I had the following versions and never had such a problem:

**Python 3.9**
google-auth==2.12.0
google_auth_oauthlib==0.5.3
google-auth-httplib2==0.1.0
google-api-python-client==2.63.0
**python3-saml==1.14.0**
redis==4.3.4
cryptography==38.0.1
certifi==2022.12.7

Here are the error messages I got.

    namespace error : Namespace prefix xmlns for xs on AttributeValue is not defined
    hema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
                                                                                   ^
    namespace error : Namespace prefix xmlns for xsi on AttributeValue is not defined
    hema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
                                                                                   ^
    namespace error : Namespace prefix xsi for type on AttributeValue is not defined
    hema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
                                                                                   ^
    namespace error : Namespace prefix saml2 on AttributeValue is not defined
    hema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
                                                                                   ^
    namespace error : Namespace prefix saml2 on Attribute is not defined
    "last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                                                                                   ^
    namespace error : Namespace prefix xmlns for xs on AttributeValue is not defined
    hema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
                                                                                   ^
    namespace error : Namespace prefix xmlns for xsi on AttributeValue is not defined
    hema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
                                                                                   ^
    namespace error : Namespace prefix xsi for type on AttributeValue is not defined
    hema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
                                                                                   ^
    namespace error : Namespace prefix saml2 on AttributeValue is not defined
    hema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
                                                                                   ^
    Errors validating the metadata:
    Element 'saml2:AttributeValue': This element is not expected. Expected is ( {urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue ).
    Element 'saml2:Attribute': This element is not expected.
    Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd

If you want, I can remove the encryption certificates etc. and send you the decoded XML.

I have the following settings:

    SAML_SETTINGS = {
        "strict": True,
        "debug": True,
        "sp": {
            "entityId": "",
            "assertionConsumerService": {
                "url": "",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            },
            "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            "x509cert": "",
            "privateKey": ""
        },
        "idp": {
            "entityId": "",
            "singleSignOnService": {
                "url": "",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            },
            "singleLogoutService": {
                "url": "",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            },
            "x509cert": ""
        },
        "security": {
            "wantAttributeStatement": True
        }
    }

sayginify commented 1 year ago
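The "Namespace prefix ... is not defined" lines above are libxml2 reporting that a prefix used on Attribute or AttributeValue (saml2, xs, xsi) has no in-scope xmlns binding at the point where it is used. The checker below is an added illustration, not code from this issue or from python3-saml: it resolves prefixes with one scope per element, the way the XML Namespaces rules require, using only the standard library's SAX parser so it is independent of the lxml/libxml2 build. The sample fragments are constructed to mirror the Attribute/AttributeValue shape in the log; element names and values are placeholders, not real IdP data.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_namespaces

XMLNS = "xmlns"
XML_NS = "http://www.w3.org/XML/1998/namespace"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class PrefixScopeChecker(ContentHandler):
    """SAX handler that resolves namespace prefixes with per-element scopes.

    Each element opens a scope holding its own xmlns declarations; a prefix is
    bound if any enclosing scope declares it. Every prefix used on an element
    name, an attribute name, or inside an xsi:type value is checked against the
    scopes in force at that point and reported if unbound."""

    def __init__(self):
        super().__init__()
        # the 'xml' prefix is bound implicitly in every document
        self._scopes = [{"xml": XML_NS}]
        self.errors = []

    def _resolve(self, prefix):
        for scope in reversed(self._scopes):
            if prefix in scope:
                return scope[prefix]
        return None

    def _check(self, qname, element, where="on"):
        prefix, sep, _ = qname.partition(":")
        if sep and self._resolve(prefix) is None:
            self.errors.append(
                f"Namespace prefix {prefix} {where} {element} is not defined")

    def startElement(self, name, attrs):
        # xmlns="..." and xmlns:p="..." are declarations, not names to resolve
        scope = {}
        for qname, uri in attrs.items():
            if qname == XMLNS:
                scope[""] = uri
            elif qname.startswith(XMLNS + ":"):
                scope[qname.partition(":")[2]] = uri
        self._scopes.append(scope)  # the element's own declarations are in scope for it

        self._check(name, name)
        for qname, value in attrs.items():
            if qname == XMLNS or qname.startswith(XMLNS + ":"):
                continue
            self._check(qname, name)
            prefix, sep, local = qname.partition(":")
            # xsi:type carries a QName as its value, so that prefix needs a binding too
            if sep and local == "type" and self._resolve(prefix) == XSI_NS:
                self._check(value, name, where="in xsi:type on")

    def endElement(self, name):
        self._scopes.pop()


def find_unbound_prefixes(xml_text):
    """Return unbound-prefix messages for an XML string, in document order.
    An empty list means every prefix used is declared in scope."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_namespaces, False)  # keep raw qnames and xmlns attributes
    handler = PrefixScopeChecker()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.errors


# Constructed samples (placeholder names/values), shaped like the log above.
ATTRIBUTE_VALUE = (
    '<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" '
    f'xmlns:xsi="{XSI_NS}" xsi:type="xs:string">Doe</saml2:AttributeValue>'
)


def attribute_fragment(declare_saml2):
    """Build a saml2:Attribute; with declare_saml2=False the saml2 prefix is
    used but never declared, like a fragment cut off from the ancestor that
    declared it."""
    decl = f' xmlns:saml2="{SAML2_NS}"' if declare_saml2 else ""
    return (
        '<saml2:Attribute Name="last_name" '
        f'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"{decl}>'
        f'{ATTRIBUTE_VALUE}</saml2:Attribute>'
    )


def missing_xs_fragment():
    """xsi:type="xs:string" used while xmlns:xs is never declared."""
    return (
        f'<saml2:AttributeValue xmlns:saml2="{SAML2_NS}" xmlns:xsi="{XSI_NS}" '
        'xsi:type="xs:string">Doe</saml2:AttributeValue>'
    )


if __name__ == "__main__":
    for label, doc in [("detached", attribute_fragment(False)),
                       ("scoped", attribute_fragment(True)),
                       ("missing xs", missing_xs_fragment())]:
        print(label, find_unbound_prefixes(doc) or "ok")
```

Running it over a decrypted assertion before it reaches schema validation tells you whether the fragment itself carries the bindings it uses, or whether the errors come from the parser build; note that a conforming resolver never reports xmlns as an undefined prefix, since xmlns is reserved for declarations.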

Is it related to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`? Should it be SAML:2.0?

Here's the XML I received:

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:Response Destination="some_dest_url" ID="id1456464819472223518982387" InResponseTo="ONELOGIN_99cbb45089fca8cac355bf23da01e1fc2e504876" IssueInstant="2023-04-27T19:51:06.654Z" Version="2.0"
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">some_entity_url
        </saml2:Issuer>
        <ds:Signature
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#id1456464819472223518982387">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>digest_value=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>signature_value</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>cert_data</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2p:Status
            xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </saml2p:Status>
        <saml2:EncryptedAssertion
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <xenc:EncryptedData Id="_8c094e4207e1f750b3d65fb59ebda7e6" Type="http://www.w3.org/2001/04/xmlenc#Element"
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
                <ds:KeyInfo
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_c2df852f59ec0c4b42f2ca5b4d9934aa"/>
                </ds:KeyInfo>
                <xenc:CipherData
                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:CipherValue>cipher_value</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedData>
            <xenc:EncryptedKey Id="_c2df852f59ec0c4b42f2ca5b4d9934aa"
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
                        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
                </xenc:EncryptionMethod>
                <ds:KeyInfo
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>certificate_value</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
                <xenc:CipherData
                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:CipherValue>cipher_value</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                    <xenc:DataReference URI="#_8c094e4207e1f750b3d65fb59ebda7e6"/>
                </xenc:ReferenceList>
            </xenc:EncryptedKey>
        </saml2:EncryptedAssertion>
    </saml2p:Response>

pitbulk commented 1 year ago

The right value is `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, not `urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress`.

@sayginify I believe this is related to an issue with libxml2.

As suggested in the docs, can you try to install lxml as follows, before installing python3-saml?

    pip install --force-reinstall --no-binary lxml lxml

sayginify commented 1 year ago

Once I have some free time to check, I'll try to reinstall libxml2, but so far everything seems OK with Python 3.10.

pitbulk commented 1 year ago

@sayginify , were you able to test?

sayginify commented 1 year ago

Hopefully this week I will, @pitbulk.

sayginify commented 1 year ago

I couldn't install lxml, even with the instructions at https://lxml.de/installation.html, and previously lxml was also causing this issue. We're fine with Python 3.10 so far; after official 3.11 support we might try again.

I'm closing the issue, since 3.11 is not supported.