Closed remkolodder closed 5 years ago
Bit strange that your SAMLRequest url parameter as mentioned in the error message is empty. Something’s off there.
Hi Thijs,
What does that mean? Should I fill that manually? Is that lacking from the SAMLserver?
Not sure about the cause. I have looked at the source code for Lasso to try to determine what cases it returns that response, and I don't see any obvious candidates. Could you verify that it is a POST request to /auth/endpoint/postResponse that returns the 400 Bad Request error?
Hi Olav,
Yes this is a POST request. I can obscure the output if needed...
I still don't see what could be causing this error. What version of mod_auth_mellon and lasso are you using? Any chance you could provide a log produced with the MellonDiagnosticsFile and MellonDiagnosticsEnable options enabled?
Hi, Sorry I was out of the office for a little:
libapache2-mod-auth-mellon/xenial,now 0.12.0-1 amd64 [installed]
liblasso3/xenial,now 2.5.0-3ubuntu2 amd64 [installed,automatic]
Those are the versions that we currently have installed. I am not sure whether the Diagnostics options are available in this build; several options I tried were rejected because they were not compiled in.
An additional update, I upgraded the machine to Ubuntu 18.04 to see whether the lasso pkg was also updated. Mellon and lasso are now version:
ii libapache2-mod-auth-mellon 0.13.1-1build2 amd64 SAML 2.0 authentication module for Apache
ii liblasso3 2.5.1-0ubuntu1 amd64 Library for Liberty Alliance and SAML protocols - runtime library
When testing it, I got the following output (which I didn't have before):
func=xmlSecKeyDuplicate:file=keys.c:line=614:obj=unknown:subj=key != NULL:error=100:assertion:
(process:5974): Lasso-CRITICAL **: 11:04:44.490: libxml2: PCDATA invalid Char value 1\n
(process:5974): Lasso-CRITICAL **: 11:04:44.490: libxml2: PCDATA invalid Char value 5\n
[Mon Oct 22 11:04:44.490570 2018] [auth_mellon:error] [pid 5974:tid 140286097348352] [client 172.20.20.62:64466] Error processing authn response. Lasso error: [-409] Unsupported protocol profile, referer: https://xx/simplesamlphp/module.php/core/loginuserpass.php?
[Mon Oct 22 11:04:44.525672 2018] [proxy:error] [pid 5973:tid 140286063777536] [client 172.20.20.62:64727] AH00898: DNS lookup failure for: xxfavicon.ico returned by /favicon.ico, referer: https://yyyl/auth/endpoint/postResponse
bump
Apologies for the lack of follow up on this issue. I don't really have any suggestions except double checking all your configuration. Does, for example, the IdP metadata you have configured in mod_auth_mellon exactly match the metadata generated by your IdP? You may also want to take a look at the actual response sent from the IdP to the SP using something like SAML Tracer.
Hi,
we get the very same error message and probably we have the same problem:
func=xmlSecKeyDuplicate:file=keys.c:line=614:obj=unknown:subj=key != NULL:error=100:assertion:
We are on Ubuntu with a recent lasso and a recent mellon module (0.14.1) compiled from source.
Please let me know if you need more information.
Thanks!
I am also experiencing this. After upgrading to libapache2-mod-auth-mellon 0.14.2 and liblasso3 2.6.0 I can see the same messages in the Apache error log:
(process:4403): Lasso-CRITICAL **: 15:46:21.623: libxml2: PCDATA invalid Char value 1\n
(process:4403): Lasso-CRITICAL **: 15:46:21.623: libxml2: PCDATA invalid Char value 5\n
(process:4403): lasso-CRITICAL **: 15:46:21.624: lasso_node_get_name: assertion 'LASSO_IS_NODE(node)' failed
mellon_diagnostics.log does not contain the SAML message as promised, but I can see it with a browser extension and it looks okay. The Mellon log has little of use but
SAML Response (am_handle_post_reply):
node is NULL
[APLOG_ERR auth_mellon_handler.c:2054] Error processing authn response. Lasso error: [-409] Unsupported protocol profile, SAML Response: error, expected LassoSamlp2StatusResponse but got (null)
My config (both IdP and SP) is almost entirely a cut and paste of an existing setup with the IdP modified to use a LDAP backend for authentication, and all the sites are http instead of https. The SAML messages look valid.
-davidc
Extracting and base64-decoding the response from the diagnostics file and running it through xmllint, I found invalid special characters being sent by the IdP in one of the attributes (specifically objectSid).
The troubleshooting for this was extremely painful and it would be helpful if Mellon and/or Lasso could be more helpful and produce more informative log output!
I removed the attribute at the IdP and it is working now. In my case, it was simplesamlphp. I will file a bug with them, but in case anyone else comes looking for how to fix it in the meantime, this is how I am removing the attribute in the "authproc" section of config.php:
'authproc.idp' => array(
    ...
    // Drop the binary objectSid attribute before the assertion is built,
    // so its raw bytes never end up inside the XML response.
    25 => array(
        'class' => 'core:PHP',
        'code'  => 'unset($attributes["objectSid"]);',
    ),
    ...
);
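The troubleshooting step described above (base64-decode the SAMLResponse from the diagnostics file and look for characters XML does not allow) can be scripted so the offending attribute is named directly. The script below is an added example written for this thread; it is not code from mod_auth_mellon, Lasso or simplesamlphp, and the sample response embedded in it is constructed, not a real capture. It uses a regex rather than an XML parser to locate the attribute on purpose: a conforming parser (libxml2 here, Python's expat in the script) rejects the whole document at the first forbidden byte and cannot say which attribute carried it. The sample's objectSid value starts with bytes 0x01 0x05, the revision and sub-authority-count bytes of a binary Windows SID; that this lines up with the "invalid Char value 1" and "5" messages in the logs above is my own observation, not something the thread establishes.

```python
"""Find SAML attribute values that carry characters forbidden by XML 1.0."""
import base64
import re
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production. Anything outside these ranges (notably the
# C0 control bytes 0x01-0x08, 0x0B, 0x0C, 0x0E-0x1F) makes the document
# unparseable; libxml2 reports it as "PCDATA invalid Char value N".
_INVALID_XML_CHAR = re.compile(
    "[^\x09\x0a\x0d\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)

# One <saml:Attribute Name="..."> ... </saml:Attribute> block, any prefix.
# A regex is used because a strict parser stops at the first bad byte and
# cannot tell us which attribute it sat in.
_ATTRIBUTE_BLOCK = re.compile(
    r'<(?:\w+:)?Attribute\b[^>]*\bName="([^"]*)"[^>]*>(.*?)</(?:\w+:)?Attribute>',
    re.DOTALL,
)


def decode_saml_response(b64_text):
    """Base64-decode a SAMLResponse form field (whitespace-tolerant) to bytes."""
    return base64.b64decode("".join(b64_text.split()))


def xml_parse_error(raw):
    """Return the parser's complaint for the raw bytes, or None if well-formed."""
    try:
        ET.fromstring(raw)
    except ET.ParseError as exc:
        return str(exc)
    return None


def _as_text(raw):
    # surrogateescape keeps undecodable bytes as U+DC80..U+DCFF, which also
    # fall outside the XML Char ranges, so raw non-UTF-8 binary is flagged too.
    return raw.decode("utf-8", errors="surrogateescape")


def _code(ch):
    """Code point of ch, or the original byte value for escaped binary."""
    cp = ord(ch)
    return cp - 0xDC00 if 0xDC80 <= cp <= 0xDCFF else cp


def find_invalid_chars(text):
    """List (offset, code) for every character XML 1.0 forbids."""
    return [(m.start(), _code(m.group())) for m in _INVALID_XML_CHAR.finditer(text)]


def offending_attributes(raw):
    """Map attribute Name -> forbidden code points found inside its block."""
    result = {}
    for name, body in _ATTRIBUTE_BLOCK.findall(_as_text(raw)):
        bad = [code for _, code in find_invalid_chars(body)]
        if bad:
            result[name] = bad
    return result


def check_response(b64_text):
    """Check one base64 SAMLResponse: parser verdict plus offending attributes."""
    raw = decode_saml_response(b64_text)
    return {"parse_error": xml_parse_error(raw), "offenders": offending_attributes(raw)}


# Constructed sample (not a real capture). The objectSid value holds the first
# two bytes of a binary SID: revision 0x01, sub-authority count 0x05.
_SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>'
    '<saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="objectSid"><saml:AttributeValue>\x01\x05</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(_SAMPLE_XML.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    report = check_response(SAMPLE_B64)
    print("parser says:", report["parse_error"])
    for name, codes in report["offenders"].items():
        print(f"attribute {name!r} carries forbidden code points {codes}")
```

Feed it the SAMLResponse value copied out of the diagnostics file (or from a browser SAML tracer) in place of SAMPLE_B64. Once the attribute is known, the cure is at the IdP: drop it, as in the authproc filter above, or have the IdP emit binary values in an XML-safe encoding such as base64 rather than raw bytes.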
Closing this issue as part of archiving this project. See the announcement for details:
https://github.com/Uninett/mod_auth_mellon/blob/info/README.md
Hi,
For a customer I need to set up mod_auth_mellon so that an application gains SSO support. We have set up the module using the documentation from: https://groups.google.com/forum/#!topic/simplesamlphp/2ND8PA0WaXA
With or without encryption in the settings, we get a "400 bad request" message back after being authenticated by the simplesamlphp machine, and an error in the log:
Error processing authn response. Lasso error: [-409] Unsupported protocol profile, referer:simplesamlphp/saml2/idp/SSOService.php?SAMLRequest=&RelayState=%2Fauth
What does the error mean and how can I solve it? Did I overlook something?