Uninett / mod_auth_mellon

An Apache module with a simple SAML 2.0 service provider

Simplesamlphp idp gives 'lasso error -409 unsupported protocol profile' #178

Closed remkolodder closed 5 years ago

remkolodder commented 6 years ago

Hi,

For a customer I need to set up mod_auth_mellon, so that an application gains SSO support. We have set up the module using the documentation from: https://groups.google.com/forum/#!topic/simplesamlphp/2ND8PA0WaXA

With or without encryption in the settings, we get a "400 bad request" message back after being authenticated by the simplesamlphp machine, and an error in the log:

Error processing authn response. Lasso error: [-409] Unsupported protocol profile, referer: simplesamlphp/saml2/idp/SSOService.php?SAMLRequest=&RelayState=%2Fauth

What does the error mean and how can I solve it? Did I overlook something?

<Location /auth>
        Require valid-user
        AuthType "Mellon"
        MellonEnable "auth"
        MellonVariable "saml"
        MellonSecureCookie On
        MellonCookiePath /
        MellonUser "cn"
        MellonIdP "IDP"
        MellonSetEnv "e-mail" "mail"
        MellonSessionDump Off
        MellonSamlResponseDump Off
        MellonEndpointPath "/auth/endpoint"
        MellonDefaultLoginPath "/"
        MellonSessionLength 86400
        MellonNoCookieErrorPage "/no_cookie.html"
        MellonSPMetadataFile /etc/apache2/mellon/local.xml
        #MellonSPentityId "<url host>"
        MellonSPPrivateKeyFile /etc/apache2/mellon/local.key
        MellonSPCertFile /etc/apache2/mellon/local.cert
        MellonIdPMetadataFile /etc/apache2/mellon/idp-simplesamlphp.xml
        #MellonIdPPublicKeyFile /etc/apache2/mellon/idp-simplesamlphp.pem
        MellonSamlResponseDump Off
        MellonSessionDump On
</Location>

olavmrk commented 6 years ago

Not sure about the cause. I have looked at the source code for Lasso to try to determine what cases it returns that response, and I don't see any obvious candidates. Could you verify that it is a POST request to /auth/endpoint/postResponse that returns the 400 Bad Request error?

thijskh commented 6 years ago

Bit strange that your SAMLRequest url parameter as mentioned in the error message is empty. Something’s off there.

remkolodder commented 6 years ago

Hi Thijs,

What does that mean? Should I fill that manually? Is that lacking from the SAMLserver?

remkolodder commented 6 years ago

Not sure about the cause. I have looked at the source code for Lasso to try to determine what cases it returns that response, and I don't see any obvious candidates. Could you verify that it is a POST request to /auth/endpoint/postResponse that returns the 400 Bad Request error?

Hi Olav,

Yes this is a POST request. I can obscure the output if needed...

olavmrk commented 6 years ago

I still don't see what could be causing this error. What version of mod_auth_mellon and lasso are you using? Any chance you could provide a log produced with the MellonDiagnosticsFile and MellonDiagnosticsEnable option enabled?

remkolodder commented 6 years ago

Hi, Sorry I was out of the office for a little:

libapache2-mod-auth-mellon/xenial,now 0.12.0-1 amd64 [installed]
liblasso3/xenial,now 2.5.0-3ubuntu2 amd64 [installed,automatic]

Those are the versions that we currently have installed. I am not sure whether the Diagnostics are available in this build; I had several options that were not accepted due to not being compiled in.

Oct 01 08:51:17 apache2[19595]: Invalid command 'MellonDiagnosticsFile', perhaps misspelled or defined by a module not included in the server configuration
Oct 01 08:51:17 apache2[19595]: Action 'configtest' failed.

remkolodder commented 6 years ago

An additional update, I upgraded the machine to Ubuntu 18.04 to see whether the lasso pkg was also updated. Mellon and lasso are now version:

dpkg -l | egrep 'lasso|mellon'

ii  libapache2-mod-auth-mellon  0.13.1-1build2   amd64  SAML 2.0 authentication module for Apache
ii  liblasso3                   2.5.1-0ubuntu1   amd64  Library for Liberty Alliance and SAML protocols - runtime library

When testing it, I got the following output (which I didn't have before):

func=xmlSecKeyDuplicate:file=keys.c:line=614:obj=unknown:subj=key != NULL:error=100:assertion:

(process:5974): Lasso-CRITICAL **: 11:04:44.490: libxml2: PCDATA invalid Char value 1\n

(process:5974): Lasso-CRITICAL **: 11:04:44.490: libxml2: PCDATA invalid Char value 5\n
[Mon Oct 22 11:04:44.490570 2018] [auth_mellon:error] [pid 5974:tid 140286097348352] [client 172.20.20.62:64466] Error processing authn response. Lasso error: [-409] Unsupported protocol profile, referer: https://xx/simplesamlphp/module.php/core/loginuserpass.php?
[Mon Oct 22 11:04:44.525672 2018] [proxy:error] [pid 5973:tid 140286063777536] [client 172.20.20.62:64727] AH00898: DNS lookup failure for: xxfavicon.ico returned by /favicon.ico, referer: https://yyyl/auth/endpoint/postResponse

remkolodder commented 5 years ago

bump

olavmrk commented 5 years ago

Apologies for the lack of follow-up on this issue. I don't really have any suggestions except double checking all your configuration. Does, for example, the IdP metadata you have configured in mod_auth_mellon exactly match the metadata generated by your IdP? You may also want to take a look at the actual response sent from the IdP to the SP using something like SAML Tracer.

steffenfritz commented 5 years ago

Hi,

we get the very same error message and probably we have the same problem:

func=xmlSecKeyDuplicate:file=keys.c:line=614:obj=unknown:subj=key != NULL:error=100:assertion:

We are on Ubuntu with recent lasso and a recent mellon module compiled from the sources 0.14.1.

  1. In SAMLTracer we see the correct assertion with the unspecified NameID,
  2. but the browser is in a loop and re-sends requests to the IdP

Please let me know if you need more information.

Thanks!

davidc commented 5 years ago

I am also experiencing this. Upgrading to libapache2-mod-auth-mellon 0.14.2 and liblasso3 2.6.0 I can see the same messages in the Apache error log:

(process:4403): Lasso-CRITICAL **: 15:46:21.623: libxml2: PCDATA invalid Char value 1\n

(process:4403): Lasso-CRITICAL **: 15:46:21.623: libxml2: PCDATA invalid Char value 5\n

(process:4403): lasso-CRITICAL **: 15:46:21.624: lasso_node_get_name: assertion 'LASSO_IS_NODE(node)' failed

mellon_diagnostics.log does not contain the SAML message as promised, but I can see it with a browser extension and it looks okay. The Mellon log has little of use but

SAML Response (am_handle_post_reply):
  node is NULL
[APLOG_ERR auth_mellon_handler.c:2054] Error processing authn response. Lasso error: [-409] Unsupported protocol profile, SAML Response: error, expected LassoSamlp2StatusResponse but got (null)

My config (both IdP and SP) is almost entirely a cut and paste of an existing setup, with the IdP modified to use an LDAP backend for authentication, and all the sites are http instead of https. The SAML messages look valid.

-davidc

davidc commented 5 years ago

Extracting and base64-decoding the response from the diagnostics file and running it through xmllint, I found invalid special characters being sent by the IdP in one of the attributes (specifically objectSid).

The troubleshooting for this was extremely painful and it would be helpful if Mellon and/or Lasso could be more helpful and produce more informative log output!

I removed the attribute at the IdP and it is working now. In my case, it was simplesamlphp. I will file a bug with them, but in case anyone else comes looking for how to fix it in the meantime, this is how I am removing the attribute in the "authproc" section of config.php:

'authproc.idp' => array(
    ...
    25 => array(
        'class' => 'core:PHP',
        'code' => 'unset($attributes["objectSid"]);'
    ),
    ...
);
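As an added example (not from this thread or the mod_auth_mellon project), a small Python checker that does what davidc describes doing by hand: base64-decode the SAMLResponse captured in the diagnostics file and report which saml:Attribute carries characters that XML 1.0 forbids, the ones libxml2 names in its "PCDATA invalid Char value N" messages. The sample response is constructed, with raw SID bytes placed in an objectSid attribute; the element and namespace names are the standard SAML 2.0 ones.

```python
import base64
import re

# XML 1.0 forbids control characters below 0x20 other than tab, LF and CR.
# libxml2 reports each one as "PCDATA invalid Char value N" (N = code point).
ILLEGAL_XML_CHARS = re.compile(r"[\x00-\x08\x0B\x0C\x0E-\x1F]")

# One <saml:Attribute Name="..."> ... </saml:Attribute> element, with or without
# a namespace prefix; captures the attribute name and the element body.
ATTRIBUTE_RE = re.compile(
    r"<(?:\w+:)?Attribute\b[^>]*?\bName=\"([^\"]*)\"[^>]*>(.*?)</(?:\w+:)?Attribute>",
    re.DOTALL,
)


def decode_saml_response(b64_response):
    """Base64-decode a SAMLResponse form value into text, as the diagnostics
    file stores it. Undecodable bytes are replaced rather than raised so the
    scan still runs when the IdP sent non-UTF-8 data."""
    return base64.b64decode(b64_response).decode("utf-8", errors="replace")


def find_illegal_attributes(xml_text):
    """Scan the raw XML text (a strict parser would reject it outright, which is
    exactly the failure mode in this thread) and return, per saml:Attribute
    name, the sorted list of illegal code points found inside it."""
    findings = {}
    for name, body in ATTRIBUTE_RE.findall(xml_text):
        bad = sorted({ord(c) for c in ILLEGAL_XML_CHARS.findall(body)})
        if bad:
            findings[name] = bad
    return findings


def check_response(b64_response):
    return find_illegal_attributes(decode_saml_response(b64_response))


# Constructed sample: a stripped-down Response whose objectSid value carries raw
# SID bytes (0x01, 0x05, 0x00, 0x00) while mail is clean. Not a real capture.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Assertion><saml:AttributeStatement>'
    '<saml:Attribute Name="mail"><saml:AttributeValue>user@example.org'
    '</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="objectSid"><saml:AttributeValue>\x01\x05\x00\x00'
    '</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for attr, codepoints in check_response(SAMPLE_B64).items():
        print(f"{attr}: illegal XML chars {codepoints}")  # objectSid: illegal XML chars [0, 1, 5]
```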

olavmrk commented 5 years ago

Closing this issue as part of archiving this project. See the announcement for details:

https://github.com/Uninett/mod_auth_mellon/blob/info/README.md