Closed TomasKulhanek closed 5 years ago
The same issue remains in CernVM 4.1.0.7 (derivative of RHEL 7.5). While on pure Scientific Linux 7.5 it works.
Attached goodsamlresponse.log and badsamlresponse.log.
On SL 7.5 with the same libraries, the SAML response sent back to http://localhost:8080/postMessage is validated:
=== Response ===
Status: 200 OK(200)
user: 2bde43faa1ab9f5e36c9323e1b73405d89ee2523
auth_type=Mellon
Response Headers:
Cache-Control: private, max-age=0, must-revalidate
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=utf-8
Content-Length: 246
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Response Error Headers:
Cache-Control: private, max-age=0, must-revalidate
Environment:
UNIQUE_ID: WuG7rR5FNfXTJYwebuT4FAAAAAI
MELLON_NAME_ID: 2bde43faa1ab9f5e36c9323e1b73405d89ee2523
MELLON_NAME_ID_0: 2bde43faa1ab9f5e36c9323e1b73405d89ee2523
MELLON_urn:oid:1.3.6.1.4.1.5923.1.1.1.13: 30d14bd81ab385bdccb3286406131f39021ba308@west-life.eu
MELLON_urn:oid:1.3.6.1.4.1.5923.1.1.1.13_0: 30d14bd81ab385bdccb3286406131f39021ba308@west-life.eu
MELLON_name: Tomas Kulhanek
MELLON_name_0: Tomas Kulhanek
MELLON_mail: tomas.kulhanek@stfc.ac.uk
MELLON_mail_0: tomas.kulhanek@stfc.ac.uk
MELLON_entitlement: members
MELLON_entitlement_0: members
MELLON_eppn: 30d14bd81ab385bdccb3286406131f39021ba308@west-life.eu
MELLON_eppn_0: 30d14bd81ab385bdccb3286406131f39021ba308@west-life.eu
While on CernVM 4.7.0.1 the SAML response sent back to http://localhost:8080/postMessage isn't validated:
[APLOG_ERR auth_mellon_handler.c:2054] Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"
=== Response ===
Status: 400 Bad Request(400)
user: (null)
auth_type=(null)
Response Headers:
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
Response Error Headers:
Environment:
UNIQUE_ID: WuHOwpkpSr-xN7nIlLepfQAAAAM
GRST_CRED_AURI_0: dns:gateway
GRST_CRED_VALID_0: notbefore=0 notafter=2147483647 delegation=0 nist-loa=0
GRST_CRED_AURI_1: ip:10.0.2.2
GRST_CRED_VALID_1: notbefore=0 notafter=2147483647 delegation=0 nist-loa=0
GRST_PERM: 0
GRST_REQUIRE_PASSCODE: off
GRST_DIR_PATH: /vagrant/frontend
GRST_ADMIN_FILE: gridsite-admin.cgi
GRST_EDITABLE: txt shtml html htm css js php jsp
GRST_HEAD_FILE: gridsitehead.txt
GRST_FOOT_FILE: gridsitefoot.txt
GRST_DN_LISTS: /etc/grid-security/dn-lists/
GRST_DN_LISTS_URI: /gridsite/dn-lists/
GRST_GSIPROXY_LIMIT: 1000
GRST_ACL_FORMAT: GACL
GRST_DISK_MODE: 0x0600
The issue reported at https://github.com/UNINETT/mod_auth_mellon/issues/59 seems not to be related. Subsequent debugging of the response validation is needed.
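A small triage helper for the Lasso 440 "cannot verify a signature" failure shown above, added here as an example and not code from this thread, mod_auth_mellon or lasso. It parses a SAML Response, reports the signature and digest algorithms in use, and checks whether the signing certificate embedded in the message matches the IdP certificate from metadata (a mismatch is one reason an SP rejects the message with HTTP 400); the certificate bytes and the Response are constructed placeholders.

```python
# Triage helper for the Lasso 440 "cannot verify a signature" failure above.
# Added example: not code from the issue thread, mod_auth_mellon or lasso.
# Certificate bytes below are constructed placeholders, not real certificates.
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(b64_cert):
    """SHA-256 fingerprint of a base64 DER certificate, whitespace ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def triage_response(response_xml, idp_cert_b64):
    """Report status, signature/digest algorithms and whether the signing
    certificate embedded in the Response matches the IdP metadata one."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    report = {"status": status.get("Value") if status is not None else None,
              "signature_method": None, "digest_method": None,
              "cert_matches_idp": None}
    sig = root.find(".//ds:Signature", NS)
    if sig is None:
        return report  # unsigned message: nothing for the SP to verify
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    report["signature_method"] = sm.get("Algorithm") if sm is not None else None
    report["digest_method"] = dm.get("Algorithm") if dm is not None else None
    if cert is not None and cert.text:
        report["cert_matches_idp"] = (cert_fingerprint(cert.text)
                                      == cert_fingerprint(idp_cert_b64))
    return report

# Constructed sample: a Status=Success Response whose signing certificate does
# not match the IdP metadata certificate, one mismatch that makes an SP reject
# the message with HTTP 400 instead of setting the MELLON_* variables.
IDP_CERT = base64.b64encode(b"constructed IdP metadata cert").decode()
OTHER_CERT = base64.b64encode(b"constructed rotated signing cert").decode()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}" ID="_r1">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OTHER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""
```

Running `triage_response(SAMPLE_RESPONSE, IDP_CERT)` reports the Success status together with `cert_matches_idp: False`, which is the case to compare against the IdP metadata on the failing host.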
This is the same issue as https://github.com/h2020-westlife-eu/wp6-repository/issues/42
Installed VF on cernvm4. Login via West-Life SSO fails with HTTP 400 Bad Request. Manually installed lasso (2.5.1), mod_auth_mellon (0.11.0) and dependencies by
After that, HTTP 400 is still returned. /var/log/httpd/error_log contains:
The same configuration works if installed on pure Scientific Linux 7.4 (where lasso 2.5.1 and mod_auth_mellon 0.11.0 are already in the distribution repository); login via West-Life SSO works there.