grafana / django-saml2-auth

Django SAML2 Authentication Made Easy. Easily integrate with SAML2 SSO identity providers like Okta, Azure AD and others.

AuthnResponse fails to extract name_id (NAME_ID_FORMAT) #315

Closed popovicnenad closed 4 months ago

popovicnenad commented 4 months ago

I'm using the latest version 3.12, and Google as both identity and service provider, and I'm getting SamlAuthError("No name_id in SAML response.") at django_saml2_auth/saml.py line 315.
I've been debugging for quite some time but I'm unable to figure out what is causing the problem, or find any solution online.

This is my config:

SAML2_AUTH = {
    ...
    "NAME_ID_FORMAT": "<urn:oasis:names:tc:SAML:2.0:nameid-format:transient>"
}

GoogleIDPMetadata.xml:

<md:EntityDescriptor>
  <md:IDPSSODescriptor>
  ...
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=<ID>"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=<ID>"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Auth response received:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="..." ID="..." IssueInstant="..." Version="2.0">
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="..." IssueInstant="..." Version="2.0">
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">test-email@domain.com</saml2:NameID>
            ...
        </saml2:Subject>
        ...
    </saml2:Assertion>
</saml2p:Response>

It seems the NameID Format is consistent and valid, but regardless it's always None. The only place I was able to find the value being set is in response.py at line 765 in the get_subject method, called from the _assertion method, but those methods are not called before the SAML response is decoded:

        # The subject may contain a name_id
        if subject.name_id:
            self.name_id = subject.name_id

There is a related PR #264, but the solution doesn't work for me. The result is the same regardless of what I set as NAME_ID_FORMAT, so I suspect the problem lies somewhere else.

Any help would be much appreciated.
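An added diagnostic for the situation described in this report; it is example code, not part of django-saml2-auth and not the reporter's own. It parses a constructed, unsigned Response shaped like the one quoted above, extracts Subject/NameID together with its Format attribute, and compares that Format literally with the string a deployment configures as NAME_ID_FORMAT, so a value that differs only by surrounding angle brackets is reported as a mismatch.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample modelled on the response quoted in the issue (not a real capture).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">test-email@domain.com</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""


def extract_name_id(response_xml: str):
    """Return (value, format) of the first Subject/NameID, or (None, None) if absent."""
    # Example-only parser: in production use defusedxml so that entity expansion
    # and external entities in attacker-supplied XML are rejected before parsing.
    root = ET.fromstring(response_xml)
    node = root.find("saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    if node is None:
        return None, None
    value = (node.text or "").strip() or None
    return value, node.get("Format")


def check_name_id_format(response_xml: str, configured_format: str) -> list:
    """Return a list of findings; an empty list means the response matches the config."""
    findings = []
    value, fmt = extract_name_id(response_xml)
    if value is None:
        findings.append("no Subject/NameID in the assertion")
        return findings
    # Identity providers match NameIDPolicy strings literally, so compare exactly.
    if fmt != configured_format:
        findings.append(
            f"configured NAME_ID_FORMAT {configured_format!r} != response Format {fmt!r}"
        )
    return findings
```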

popovicnenad commented 4 months ago

Indeed, it was a problem somewhere else. For anyone having a similar problem in the future: