singularityhub / sregistry

server for storage and management of singularity images
https://singularityhub.github.io/sregistry
Mozilla Public License 2.0

saml auth fails #373

Closed craigwindell closed 3 years ago

craigwindell commented 3 years ago

Describe the bug: Using the SAML auth module results in an error page and auth fails.

The uwsgi container reports an error with the /login/saml URL:

```text
Internal Server Error: /login/saml/
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/django/utils/datastructures.py", line 78, in __getitem__
    list_ = super().__getitem__(key)
KeyError: 'idp'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/social_core/backends/saml.py", line 282, in auth_url
    idp_name = self.strategy.request_data()['idp']
  File "/usr/local/lib/python3.6/site-packages/django/utils/datastructures.py", line 80, in __getitem__
    raise MultiValueDictKeyError(key)
django.utils.datastructures.MultiValueDictKeyError: 'idp'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/social_django/views.py", line 23, in auth
    return do_auth(request.backend, redirect_name=REDIRECT_FIELD_NAME)
  File "/usr/local/lib/python3.6/site-packages/social_core/actions.py", line 29, in do_auth
    return backend.start()
  File "/usr/local/lib/python3.6/site-packages/social_core/backends/base.py", line 35, in start
    return self.strategy.redirect(self.auth_url())
  File "/usr/local/lib/python3.6/site-packages/social_core/backends/saml.py", line 284, in auth_url
    raise AuthMissingParameter(self, 'idp')
social_core.exceptions.AuthMissingParameter: Missing needed parameter idp
```

To Reproduce: Clone the repo at commit 620e4ae.

Update config.py:

```python
...
PLUGINS_ENABLED = [
    'saml_auth'
]

# SAML Authentication (saml)
# Only required if 'saml_auth' is added to PLUGINS_ENABLED in config.py

AUTH_SAML_IDP = 'SITE'
AUTH_SAML_INSTITUTION = 'SITE'
```

Build a secret.py file:

```python
# Secret Key
# You must uncomment, and set SECRET_KEY to a secure random value

SECRET_KEY = 'xxxx'

SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
SOCIAL_AUTH_SAML_SP_ENTITY_ID = 'https://sregistry.site'
# Placeholders for the SP certificate and key (must be strings)
SOCIAL_AUTH_SAML_SP_PUBLIC_CERT = 'xxxx'
SOCIAL_AUTH_SAML_SP_PRIVATE_KEY = 'xxxx'
SOCIAL_AUTH_SAML_ORG_INFO = {
    "en": {
        "name": 'SITE',
        "displayname": 'SITE',
        "url": 'https://www.site',
    }
}
SOCIAL_AUTH_SAML_TECHNICAL_CONTACT = {
    "givenName": 'xxxx',
    "emailAddress": 'xxx@site'
}
SOCIAL_AUTH_SAML_SUPPORT_CONTACT = {
    "givenName": 'xxxx',
    "emailAddress": 'xxxx@site',
}
SOCIAL_AUTH_SAML_ENABLED_IDPS = {
    "SITE": {
        "entity_id": "https://idp.site/idp/...",
        "url": "https://idp.site/idp/...",
        "x509cert": "xxxx",
        # "attr_user_permanent_id": "email",
        # "attr_first_name": "first_name",
        # "attr_last_name": "last_name",
        # "attr_username": "email",
        # "attr_email": "email",
    }
}
```

Build and run the containers.

Note: sregistry with SAML was successfully deployed at our site during November 2020 with these settings. Redeploying now results in this error.

Expected behavior: SAML auth succeeds and people are able to log on.

vsoch commented 3 years ago

The error message suggests there is a new key, idp. Did you look into that?

craigwindell commented 3 years ago

We found the URL being generated looked like: https://sregistry.site/login/saml/?next=/login/;idp=SITE

Changing it to https://sregistry.site/login/saml/?next=/login/&idp=SITE resulted in a successful login.

I can submit a PR if you like? -Craig
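The separator difference in the two URLs above, as an added example that is not part of this issue or of the sregistry code: current Python releases (and Django's QueryDict built on them) split a query string only on `&`, so in the first URL the whole `/login/;idp=SITE` becomes the value of `next` and no `idp` parameter exists, which is exactly the `AuthMissingParameter` in the traceback. The two URLs are constructed here from the report, and `build_saml_login_url` is a hypothetical helper showing the robust way to produce the link.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample URLs mirroring the two forms quoted in the report.
BROKEN_LOGIN_URL = "https://sregistry.site/login/saml/?next=/login/;idp=SITE"
FIXED_LOGIN_URL = "https://sregistry.site/login/saml/?next=/login/&idp=SITE"


def query_params(url):
    """Parse the query string the way current Python does: only '&'
    separates parameters (the default in current releases; passed
    explicitly here so the intent is visible), so a ';' is merely part
    of the preceding value."""
    return parse_qs(urlsplit(url).query, separator="&")


def extract_idp(url):
    """Return the 'idp' parameter, or None when it is absent, which is
    the condition that makes the SAML backend raise AuthMissingParameter."""
    return query_params(url).get("idp", [None])[0]


def build_saml_login_url(base_url, next_path, idp):
    """Hypothetical helper: build the login URL with urlencode instead of
    string concatenation, so the separator and escaping are always right."""
    parts = urlsplit(base_url)
    query = urlencode({"next": next_path, "idp": idp})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


if __name__ == "__main__":
    print("broken:", query_params(BROKEN_LOGIN_URL))   # no 'idp' key
    print("fixed: ", query_params(FIXED_LOGIN_URL))    # 'idp' present
    print(build_saml_login_url("https://sregistry.site/login/saml/", "/login/", "SITE"))
```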

vsoch commented 3 years ago

I would absolutely love that. Thank you!

vsoch commented 3 years ago

Fixed with #374