iwayvietnam / zm-sso

Zm SSO is the Zimbra Collaboration Open Source Edition extension for single sign-on authentication to the Zimbra Web Client.
GNU Affero General Public License v3.0

SAMLException: Error decoding HTTP-Redirect SAML message and When looking for an assertion we did not found it #7

Open tuxcrafter opened 1 year ago

tuxcrafter commented 1 year ago

Hello everybody,

Can someone help me debug this SAML setup? I have a working sign-on, but I cannot get the logout to work, neither initiated by the client nor by the IdP. I am using zm-sso-1.0.0-1.jar and ipsilon-3.0.4-3.fc36.noarch. I have other clients (rocket.chat, nextcloud) working with both sign-on and sign-out.

[Mon Oct 03 08:28:11.868392 2022] [wsgi:error] [pid 28717:tid 28827] [remote 192.168.40.14:39124] [03/Oct/2022:08:28:11]  DEBUG(ipsilon/providers/saml2idp.py:406 IdpProvider.idp_initiated_logout()): IdP-initiated SAML2 logout
[Mon Oct 03 08:28:11.990792 2022] [wsgi:error] [pid 28717:tid 28827] [remote 192.168.40.14:39124] [03/Oct/2022:08:28:11]  DEBUG(ipsilon/providers/saml2idp.py:456 IdpProvider.idp_initiated_logout()): Sending initial logout request to https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true
2022-10-03 08:28:12,015 INFO  [qtp1665620686-8722:https:https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true] [] extensions - SSO callback with: SAML2Client
2022-10-03 08:28:12,029 ERROR [qtp1665620686-8722:https:https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true] [] extensions - org.pac4j.saml.exceptions.SAMLException: Error decoding HTTP-Redirect SAML message

2022-10-03 08:29:41,111 INFO  [qtp1665620686-8746:https:https://mail.example.org/service/extension/sso/logout] [] extensions - Destroy front channel sso session
2022-10-03 08:29:41,115 INFO  [qtp1665620686-8746:https:https://mail.example.org/service/extension/sso/logout] [] extensions - SSO logout is performed
[Mon Oct 03 08:29:41.166252 2022] [wsgi:error] [pid 28717:tid 28822] [remote 192.168.40.14:39332] [03/Oct/2022:08:29:41]  DEBUG(providers/saml2/logout.py:35 Logout._handle_logout_request()): saml2: Logout request
[Mon Oct 03 08:29:41.169006 2022] [wsgi:error] [pid 28717:tid 28822] [remote 192.168.40.14:39332] [03/Oct/2022:08:29:41]  DEBUG(providers/saml2/logout.py:61 Logout._handle_logout_request()): saml2: SLO from https://mail.example.org/service/extension/saml/metadata with ('_7E20499B436F643441D8F044C64573DE',) sessions
[Mon Oct 03 08:29:41.180022 2022] [wsgi:error] [pid 28717:tid 28822] [remote 192.168.40.14:39332] [03/Oct/2022:08:29:41]  ERROR: SLO validation failed: <lasso.ProfileMissingAssertionError(-427): When looking for an assertion we did not found it.>
[zimbra@mail root]$ cat /opt/zimbra/conf/zm.sso.properties | grep -v "#"
sso.defaultClient = SAML2Client
sso.callbackUrl = https://mail.example.org/service/extension/sso/callback
saml.callbackUrl = https://mail.example.org/service/extension/saml/callback
sso.saveInSession = true
sso.multiProfile = true
sso.renewSession = true
sso.localLogout = true
sso.destroySession = true
sso.centralLogout = true
sso.postLogoutURL = https://mail.example.org/
saml.keystorePath = /opt/zimbra/conf/saml/keystore.jks
saml.keystorePassword = <secret>
saml.privateKeyPassword = <secret>
saml.keystoreAlias = samlkey
saml.identityProviderMetadataPath = https://saml.example.org/idp/saml2/metadata
saml.serviceProviderEntityId = https://mail.example.org/service/extension/saml/metadata
saml.spLogoutRequestBindingType = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
saml.spLogoutResponseBindingType = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
saml.authnRequestSigned = true
saml.logoutRequestSigned = true
saml.logoutRequestSigned = true
saml.allSignatureValidationDisabled = true
saml.wantsAssertionsSigned = false
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_d60ed73e163045cd924b5a893651fc3f7c0f3b4" entityID="https://mail.example.org/service/extension/saml/metadata" validUntil="2042-10-03T01:12:03.052Z">
<md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</md:Extensions>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
<init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client"/>
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDdzCCAl+gAwIBAgIESUCWSjANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTIyMTAwMjE4Mzc1NloXDTMyMDkyOTE4 Mzc1NlowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93 bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIHiQjUBBJWkGNrE2NjGHjOuOfFtDa0T tPR3H6OUta4KXyzTyyBskPlFO7RVJtSU+X0hq40Yzr8eRbzgT1k+O+Qnn3SOXTG/361Wkp5YyqfP rfOx/XJyzKbCNcYomWLbj1ZW49vYFcMhd59oNzF37gqAyCene48zPW+5iKPl3q+gLNV8GPJJNZel LV60Ilw2YS28y4AJSSdPRqjO5yOUnn4V821a1VbsXo8bFvgBp64k3xnBAh+gA926u3HqkIcT67sI m05km/Wu8RzRoCWIaMYah34YVEyk837RcG8csp+9XEb6QT6aX21C7cVg1Ebd2vti8G1x9w0e+fAE mcxMBssCAwEAAaMhMB8wHQYDVR0OBBYEFHbJMfYpBKi9/1JiF++8hSfg5gABMA0GCSqGSIb3DQEB CwUAA4IBAQBLF2ZTXeSZR1vDLLjLbJJxPR/NtTE3uBNTJeAxY4/U3tyYrbROBZTwepI5Fq8alpqd iqo1iwDxivwKHzS+l8YrMW7QBHmC1xjpMNhTeqeGPgbEqDVR0bgCDjUpilGeFc3zgWRzVDO6TCCE /zFAKmR3chXVRW4pF9+DDCiyYI41QNCzZG4S/ziAmH+ISllDYqLM3mtHKH2g3GUKFdeQ01rDXqGe KaOXQbiouwIr7V9pi7Ba64A0OP/+5doa8jcR/V8jV+fnDF/ZCxvIq837mkqkt1DRd5DTH88BPMZy 5QK2T12Ft5iF1/KiAT0D7xXTd2CMPuB9AhXmJ+uAD70l9T9+</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDdzCCAl+gAwIBAgIESUCWSjANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTIyMTAwMjE4Mzc1NloXDTMyMDkyOTE4 Mzc1NlowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93 bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIHiQjUBBJWkGNrE2NjGHjOuOfFtDa0T tPR3H6OUta4KXyzTyyBskPlFO7RVJtSU+X0hq40Yzr8eRbzgT1k+O+Qnn3SOXTG/361Wkp5YyqfP rfOx/XJyzKbCNcYomWLbj1ZW49vYFcMhd59oNzF37gqAyCene48zPW+5iKPl3q+gLNV8GPJJNZel LV60Ilw2YS28y4AJSSdPRqjO5yOUnn4V821a1VbsXo8bFvgBp64k3xnBAh+gA926u3HqkIcT67sI m05km/Wu8RzRoCWIaMYah34YVEyk837RcG8csp+9XEb6QT6aX21C7cVg1Ebd2vti8G1x9w0e+fAE mcxMBssCAwEAAaMhMB8wHQYDVR0OBBYEFHbJMfYpBKi9/1JiF++8hSfg5gABMA0GCSqGSIb3DQEB CwUAA4IBAQBLF2ZTXeSZR1vDLLjLbJJxPR/NtTE3uBNTJeAxY4/U3tyYrbROBZTwepI5Fq8alpqd iqo1iwDxivwKHzS+l8YrMW7QBHmC1xjpMNhTeqeGPgbEqDVR0bgCDjUpilGeFc3zgWRzVDO6TCCE /zFAKmR3chXVRW4pF9+DDCiyYI41QNCzZG4S/ziAmH+ISllDYqLM3mtHKH2g3GUKFdeQ01rDXqGe KaOXQbiouwIr7V9pi7Ba64A0OP/+5doa8jcR/V8jV+fnDF/ZCxvIq837mkqkt1DRd5DTH88BPMZy 5QK2T12Ft5iF1/KiAT0D7xXTd2CMPuB9AhXmJ+uAD70l9T9+</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client" index="0"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2027-09-25T10:52:14.946448Z" entityID="https://saml.example.org/idp/saml2/metadata">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDJzCCAg+gAwIBAgIUEE0tOBVESVIzpYStV3wVwoWcyNwwDQYJKoZIhvcNAQEL BQAwIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1hbWFjYXNoLmxvY2FsMB4XDTIyMDky NjEwNTIxNFoXDTI3MDkyNTEwNTIxNFowIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1h bWFjYXNoLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvC9s 9ch5D2UgPR5ka62i8Maq6QDy6GK9/ZjG68jZOPpl9bnpmIDD4EgFUyBvtshnaPQc BqSBlDE2N3OKXDF9+5MCKXU1wnz0YBn02H49PG8J1TOS8lYmGuNmf88bfxX02ahg xwA4ZtHhRwbLhsIV3aRRUXvocHOg5PZbymb/JYqnQbKByXKHUnmjbzI8h3WcgmHE 848x8GwQCW1MLNA2eUITV7rUE+aN9P+UucBS9FnbjvoCCyAfzHTTuGiTh29KjRo+ 1YdYGrfYoMIQ9wAI6laW9xWqptDpumFGrzdi493sIXX6flEN2qY5+7nM6ffPZrXT PMqFMbqI3uetJJq8lQIDAQABo1MwUTAdBgNVHQ4EFgQU4ygBodjpXIYmUXZcQ0Cj vsiZJtkwHwYDVR0jBBgwFoAU4ygBodjpXIYmUXZcQ0CjvsiZJtkwDwYDVR0TAQH/ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAD2lTKmmnVMBjaljgUTRO44sAS35E IUH1Bgp1HkL9YxSjrBOsQVttZw+ZcAzLUsSoFkokLcn74bYUvNYcMXGRffqmxF9M Z4MwaAWqOeJqDKp6CqCGpGBKxf9Usw7Lgr5WUtK6aZdlhUs29/OhqstAfTOr8olS 9C+ApTCQy7jvjQDb0mE+Lw/8MAsIR1CEwu/rvhl3QDBdYj8R8zFAf6R12ZANyDJX +XxZjWHGwpFYEaiv0V4wvVv9cM1XlNVN+v716N6tF+fgW52r9n9p010hnDITV59n 8fLf4l+r0JMIOmGnAsUhWwr8j06HhNEGwmm+Ye8sMBPnMOyX6QXAnbqBSA== </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDJzCCAg+gAwIBAgIUEE0tOBVESVIzpYStV3wVwoWcyNwwDQYJKoZIhvcNAQEL BQAwIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1hbWFjYXNoLmxvY2FsMB4XDTIyMDky NjEwNTIxNFoXDTI3MDkyNTEwNTIxNFowIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1h bWFjYXNoLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvC9s 9ch5D2UgPR5ka62i8Maq6QDy6GK9/ZjG68jZOPpl9bnpmIDD4EgFUyBvtshnaPQc BqSBlDE2N3OKXDF9+5MCKXU1wnz0YBn02H49PG8J1TOS8lYmGuNmf88bfxX02ahg xwA4ZtHhRwbLhsIV3aRRUXvocHOg5PZbymb/JYqnQbKByXKHUnmjbzI8h3WcgmHE 848x8GwQCW1MLNA2eUITV7rUE+aN9P+UucBS9FnbjvoCCyAfzHTTuGiTh29KjRo+ 1YdYGrfYoMIQ9wAI6laW9xWqptDpumFGrzdi493sIXX6flEN2qY5+7nM6ffPZrXT PMqFMbqI3uetJJq8lQIDAQABo1MwUTAdBgNVHQ4EFgQU4ygBodjpXIYmUXZcQ0Cj vsiZJtkwHwYDVR0jBBgwFoAU4ygBodjpXIYmUXZcQ0CjvsiZJtkwDwYDVR0TAQH/ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAD2lTKmmnVMBjaljgUTRO44sAS35E IUH1Bgp1HkL9YxSjrBOsQVttZw+ZcAzLUsSoFkokLcn74bYUvNYcMXGRffqmxF9M Z4MwaAWqOeJqDKp6CqCGpGBKxf9Usw7Lgr5WUtK6aZdlhUs29/OhqstAfTOr8olS 9C+ApTCQy7jvjQDb0mE+Lw/8MAsIR1CEwu/rvhl3QDBdYj8R8zFAf6R12ZANyDJX +XxZjWHGwpFYEaiv0V4wvVv9cM1XlNVN+v716N6tF+fgW52r9n9p010hnDITV59n 8fLf4l+r0JMIOmGnAsUhWwr8j06HhNEGwmm+Ye8sMBPnMOyX6QXAnbqBSA== </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://saml.example.org/idp/saml2/SSO/POST"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.example.org/idp/saml2/SSO/Redirect"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://saml.example.org/idp/saml2/SSO/SOAP"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.example.org/idp/saml2/SLO/Redirect"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
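An added example (not part of this issue or of the zm-sso project) that works the HTTP-Redirect binding pac4j reports it could not decode: the `SAMLRequest` query value is raw DEFLATE, then base64, then URL-encoded. The helper says which decoding stage fails and summarises the Issuer, NameID and SessionIndex that an IdP matches a logout against; the LogoutRequest and URL below are constructed, with only the SessionIndex and endpoint URLs taken from the logs above.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def redirect_encode(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64; URL-encode when placed in a query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")

def redirect_decode(param_value: str) -> str:
    """Reverse of redirect_encode; raises if the value is not base64 of a raw DEFLATE stream."""
    return zlib.decompress(base64.b64decode(param_value, validate=True), -15).decode("utf-8")

def classify_redirect_param(param_value: str) -> str:
    """Report which decoding stage fails for a SAMLRequest/SAMLResponse value."""
    try:
        raw = base64.b64decode(param_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "not valid base64"
    try:
        zlib.decompress(raw, -15)
    except zlib.error:
        return "base64 ok but not raw DEFLATE (HTTP-POST encoding sent to a Redirect endpoint?)"
    return "ok"

def inspect_redirect_url(url: str) -> dict:
    """Extract the SAML message from a Redirect-binding URL and summarise the fields a logout is keyed on."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    key = "SAMLRequest" if "SAMLRequest" in qs else "SAMLResponse"
    if key not in qs:
        raise ValueError("no SAMLRequest or SAMLResponse parameter")
    root = ET.fromstring(redirect_decode(qs[key][0]))
    def text(path):
        return (root.findtext(path, namespaces=NS) or "").strip()
    return {"param": key, "type": root.tag.split("}")[-1], "issuer": text("saml:Issuer"),
            "name_id": text("saml:NameID"), "session_index": text("samlp:SessionIndex"),
            "signed": "Signature" in qs}  # Redirect binding carries the signature as a query parameter

# Constructed sample: an IdP-initiated LogoutRequest of the kind Ipsilon sends to the callback above.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
    'IssueInstant="2022-10-03T08:28:11Z" Destination="https://mail.example.org/service/extension/saml/callback">'
    '<saml:Issuer>https://saml.example.org/idp/saml2/metadata</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_constructedNameId</saml:NameID>'
    '<samlp:SessionIndex>_7E20499B436F643441D8F044C64573DE</samlp:SessionIndex></samlp:LogoutRequest>')
SAMPLE_URL = ("https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"
              "&SAMLRequest=" + urllib.parse.quote(redirect_encode(SAMPLE_LOGOUT_REQUEST), safe=""))
POST_STYLE_PARAM = base64.b64encode(SAMPLE_LOGOUT_REQUEST.encode("utf-8")).decode("ascii")  # base64, no DEFLATE
```

Run `inspect_redirect_url` on the URL the IdP actually redirected to (copied from the browser or Ipsilon's debug log) to see whether the message decodes at all and which SessionIndex it names.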