h2020-westlife-eu / virtualfolder

Virtual Folder
http://internal-wiki.west-life.eu/w/index.php?title=D6.1
MIT License

Login via West-Life SSO fails on HTTP 400 Bad Request #83

Closed TomasKulhanek closed 5 years ago

TomasKulhanek commented 5 years ago

This is the same issue as https://github.com/h2020-westlife-eu/wp6-repository/issues/42

Installed VF on cernvm4. Login via West-Life SSO fails on HTTP 400 Bad Request. Manually installed lasso (2.5.1), mod_auth_mellon (0.11.0) and dependencies with:

rpm -i http://mirror.centos.org/centos/7/os/x86_64/Packages/xmlsec1-1.2.20-5.el7.x86_64.rpm
rpm -i http://mirror.centos.org/centos/7/os/x86_64/Packages/xmlsec1-openssl-1.2.20-5.el7.x86_64.rpm
rpm -i http://mirror.centos.org/centos/7/os/x86_64/Packages/lasso-2.5.1-2.el7.x86_64.rpm
rpm -i http://mirror.centos.org/centos/7/os/x86_64/Packages/mod_auth_mellon-0.11.0-4.el7.x86_64.rpm

After that still HTTP 400 is returned. /var/log/httpd/error_log contains:

[Fri Apr 13 09:12:23.615948 2018] [:error] [pid 9398] [client 10.0.2.2:59712] Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message

The same configuration works if installed on pure Scientific Linux 7.4 (where lasso 2.5.1 and mod_auth_mellon 0.11.0 are already in the distribution repository): login via West-Life SSO works.

TomasKulhanek commented 5 years ago

The same issue remains in CernVM 4.1.0.7 (derivative of RHEL 7.5). While on pure Scientific Linux 7.5 it works.

TomasKulhanek commented 5 years ago

Attached goodsamlresponse.log and badsamlresponse.log.

On SL 7.5 with the same libraries, the SAML response sent back to http://localhost:8080/postMessage is validated:

=== Response ===
Status: 200 OK(200)
user: 2bde43faa1ab9f5e36c9323e1b73405d89ee2523
auth_type=Mellon
Response Headers:
Cache-Control: private, max-age=0, must-revalidate
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=utf-8
Content-Length: 246
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Response Error Headers:
Cache-Control: private, max-age=0, must-revalidate
Environment:
UNIQUE_ID: WuG7rR5FNfXTJYwebuT4FAAAAAI
MELLON_NAME_ID: 2bde43faa1ab9f5e36c9323e1b73405d89ee2523
MELLON_NAME_ID_0: 2bde43faa1ab9f5e36c9323e1b73405d89ee2523
MELLON_urn:oid:1.3.6.1.4.1.5923.1.1.1.13: 30d14bd81ab385bdccb3286406131f39021ba308@west-life.eu
MELLON_urn:oid:1.3.6.1.4.1.5923.1.1.1.13_0: 30d14bd81ab385bdccb3286406131f39021ba308@west-life.eu
MELLON_name: Tomas Kulhanek
MELLON_name_0: Tomas Kulhanek
MELLON_mail: tomas.kulhanek@stfc.ac.uk
MELLON_mail_0: tomas.kulhanek@stfc.ac.uk
MELLON_entitlement: members
MELLON_entitlement_0: members
MELLON_eppn: 30d14bd81ab385bdccb3286406131f39021ba308@west-life.eu
MELLON_eppn_0: 30d14bd81ab385bdccb3286406131f39021ba308@west-life.eu

While on CernVM 4.7.0.1 the SAML response sent back to http://localhost:8080/postMessage isn't validated:

[APLOG_ERR auth_mellon_handler.c:2054] Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"

=== Response ===
Status: 400 Bad Request(400)
user: (null)
auth_type=(null)
Response Headers:
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
Response Error Headers:
Environment:
UNIQUE_ID: WuHOwpkpSr-xN7nIlLepfQAAAAM
GRST_CRED_AURI_0: dns:gateway
GRST_CRED_VALID_0: notbefore=0 notafter=2147483647 delegation=0 nist-loa=0
GRST_CRED_AURI_1: ip:10.0.2.2
GRST_CRED_VALID_1: notbefore=0 notafter=2147483647 delegation=0 nist-loa=0
GRST_PERM: 0
GRST_REQUIRE_PASSCODE: off
GRST_DIR_PATH: /vagrant/frontend
GRST_ADMIN_FILE: gridsite-admin.cgi
GRST_EDITABLE: txt shtml html htm css js php jsp
GRST_HEAD_FILE: gridsitehead.txt
GRST_FOOT_FILE: gridsitefoot.txt
GRST_DN_LISTS: /etc/grid-security/dn-lists/
GRST_DN_LISTS_URI: /gridsite/dn-lists/
GRST_GSIPROXY_LIMIT: 1000
GRST_ACL_FORMAT: GACL
GRST_DISK_MODE: 0x0600

TomasKulhanek commented 5 years ago

The issue reported at https://github.com/UNINETT/mod_auth_mellon/issues/59 seems not to be related. Need subsequent debug of validation of the response.
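A diagnostic helper for the good/bad capture comparison this thread calls for, added here as an example and not code from the virtualfolder project: it pulls from a SAML Response the facts worth lining up when lasso reports error 440 (which element carries the Signature, the signature and digest algorithms, and the fingerprint of the embedded certificate to check against the IdP metadata mod_auth_mellon trusts). The IdP URL and the certificate bytes in the sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample capture; the IdP URL and certificate bytes are placeholders, not real.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
      </ds:SignedInfo>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>""".format(cert=base64.b64encode(b"placeholder-cert-bytes").decode())


def summarize_saml_response(xml_text):
    """Collect what to compare between a working and a failing capture: the issuer,
    which element is signed, the algorithms used, and the SHA-256 fingerprint of the
    certificate carried in KeyInfo (to match against the IdP metadata's signing cert)."""
    root = ET.fromstring(xml_text)
    summary = {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
        "signatures": [],
    }
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        cert_b64 = sig.findtext(".//ds:X509Certificate", namespaces=NS) or ""
        der = base64.b64decode("".join(cert_b64.split()))  # strip PEM-style line breaks
        summary["signatures"].append({
            "signature_alg": sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm"),
            "digest_alg": sig.find(".//ds:DigestMethod", NS).get("Algorithm"),
            "reference": sig.find(".//ds:Reference", NS).get("URI"),
            "cert_sha256": hashlib.sha256(der).hexdigest() if der else None,
        })
    return summary
```

Run it over the XML extracted from goodsamlresponse.log and badsamlresponse.log and diff the two dictionaries; an algorithm the platform's xmlsec1 build cannot handle, or a certificate that differs from the metadata, shows up directly in the output.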