
Unsupported binding HTTP-POST with MDQ #410


Closed
craftbyte opened this issue Oct 5, 2022 · 6 comments

Comments

@craftbyte

I am trying to set up a new SATOSA instance to do eduGAIN SP to local SP federation (use edugain to log into local keycloak). When setting it up, after getting past the discovery service, I get a 500 error and logs relating to Unsupported binding for HTTP-POST. Can anyone help here?

I am running pyFF in an adjacent container.

Here is the backend config:

module: satosa.backends.saml2.SAMLBackend
name: Saml2
config:
  #idp_blacklist_file: /path/to/blacklist.json

  # disco_srv must be defined if there is more than one IdP in the metadata specified above
  disco_srv: https://service.seamlessaccess.org/ds/
  #disco_srv: https://ds-edugain.aai.arnes.si/simplesaml/saml2/sp/idpdisco.php
  entityid_endpoint: true
  mirror_force_authn: no
  memorize_idp: no
  use_memorized_idp_when_force_authn: no
  send_requester_id: no
  enable_metadata_reload: no

  sp_config:
    name: "DragonSec ID Bridge"
    description: "Bridge between DragonSec apps and Educational Institutions"
    key_file: backend.key
    cert_file: backend.crt
    organization: {display_name: DragonSec SI, name: Društvo DragonSec SI, url: 'https://dragonsec.si'}
    contact_person:
    - {contact_type: technical, email_address: [email protected], given_name: DragonSec Tech}

    metadata:
      mdq:
        - url: http://pyff:8080/
          cert: sign.crt

    entityid: <base_url>/<name>/proxy_saml2_backend.xml
    accepted_time_diff: 60
    service:
      sp:
        ui_info:
          display_name:
            - lang: en
              text: "DragonSec ID Bridge"
          description:
            - lang: en
              text: "Bridge between DragonSec apps and Educational Institutions"
          information_url:
            - lang: en
              text: "https://saml.dragonsec.si/"
          privacy_statement_url:
            - lang: en
              text: "https://saml.dragonsec.si/privacy"
          keywords:
            - lang: en
              text: ["DragonSec"]
          logo:
            text: "https://dippers.dragonsec.si/static/dragon-key.png"
            width: "95"
            height: "110"
        authn_requests_signed: true
        want_response_signed: true
        allow_unsolicited: true
        endpoints:
          assertion_consumer_service:
          - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
          discovery_response:
          - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
        name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
        # A name_id_format of 'None' will cause the authentication request to not
        # include a Format attribute in the NameIDPolicy.
        # name_id_format: 'None'
        name_id_format_allow_create: true

Code Version

Docker 8.1.1

Expected Behavior

Redirect to IdP works

Current Behavior

satosa    | [2022-10-05 02:41:22,078] [DEBUG] [satosa.proxy_server.unpack_request] read request data: {'entityID': 'https://idp.aai.arnes.si/idp/20090116'}
satosa    | [2022-10-05 02:41:22,079] [INFO] [satosa.base._load_state] [urn:uuid:8f1a2525-d3e6-4cdd-9eff-abe12428771c] Loaded state {'SESSION_ID': 'urn:uuid:8f1a2525-d3e6-4cdd-9eff-abe12428771c', 'Saml2IDP': {'resp_args': {'in_response_to': 'ID_e635a075-f6a7-45a9-97a2-fc3ce8187ab6', 'sp_entity_id': 'https://dippers.dragonsec.si/realms/DragonSec', 'name_id_policy': '<ns0:NameIDPolicy xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />', 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'destination': 'https://dippers.dragonsec.si/realms/DragonSec/broker/aai/endpoint'}, 'relay_state': 'lwFrBwaOeOH7U4IgiohvsZqjSkoKMsIU-0VD9r3_WDE.0MBWVzQdvOg.account-console'}, 'SATOSA_BASE': {'requester': 'https://dippers.dragonsec.si/realms/DragonSec'}, 'ROUTER': 'Saml2IDP', 'force_authn': None} from cookie  SAML_STATE="_Td6WFoAAATm1rRGAgAhARYAAAB0L-Wj4ALrAn5dACuRhgFn33DSwPYVmeCFjo3Xaam9E_dje4KXQeRw2Ou7df8BFVI-8D0xTLF57Gkle2CYErJ1gA_sgTxOsXBYH8XSWnONIv1E_p6eKugjqL0fwqaRuV_Kob4uMsYJb0ToMLtLQz8IfUYz0-SDVUj-ZDQfEwlOc54rHBIeZrza2ko6er86s9_Oq6rZ8JZnsdwJHApIo9wldbZr5NM6ufZ1FpVzyXkwvz6bMACR-vSfyvmn_KmCkgirtwKamg19JNcnx3H4rfWaS_821-u_6EASuNN5pFi_I9u9zYwGXd_cnXvPUJ-KH7BupAN_Mi83HxHBdVu666zjd2aL0hFpPgaBSz7B0HAsh4TYrDkBJtqoZCdiqB6L6EhVuVNKmUqCArtAs1XPDKA8bCKG28IgtvDgEXwH8MKuItmdd5DyglihNwRxu4jsRtW0UBQ9bYV04a6Q9Ss52qXSRfc0g7VuSdfSyvQ-s8Av4SEEgXfOBV4qY03MQnQbAvVLa2Gudqb8XUAUWjmOIFQAZ7gt4eG0N2h3IT6ZHn9AAdkDYxhf326xtlyU4ere_see_s04ko0nNF1GV-6bg2B9aILlyOUwinDC_vi_xX75IW8vEQE72eJ9aeiUtqkOGpFZc8InRBj-BxdvbHn0v1v0GVmmW1lWYqyKg9ER4xw1a7HP_lD4y9DH-UHmbTwv1pZzk36_z2x9WKZOaQPW1F36FFIXGYZpPHYSqJsdsZYECAVRS0Xpo-r0CaG3rf3FLJQKDGoW2W_yNh9Qa3v7InddXE7-r0jMhVgfBxeS57SuP2fFoRKhUyovtYQ8RSYuVK_NicuXcIFtwinKSOY0mOjh9_mZYHifD-wAAAAA5sFCINWKCeYAAZoF7AUAAONSKi2xxGf7AgAAAAAEWVo="
satosa    | [2022-10-05 02:41:22,079] [DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:8f1a2525-d3e6-4cdd-9eff-abe12428771c] Routing path: Saml2/disco
satosa    | [2022-10-05 02:41:22,080] [DEBUG] [satosa.routing._find_registered_endpoint_for_module] [urn:uuid:8f1a2525-d3e6-4cdd-9eff-abe12428771c] Found registered endpoint: module name:'Saml2', endpoint: Saml2/disco
satosa    | [2022-10-05 02:41:22,081] [DEBUG] [saml2.mdstore.service] service(https://idp.aai.arnes.si/idp/20090116, idpsso_descriptor, single_sign_on_service, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
satosa    | [2022-10-05 02:41:22,082] [DEBUG] [urllib3.connectionpool._new_conn] Starting new HTTP connection (1): pyff:8080
pyff_1    | [05/Oct/2022:02:41:22]  selecting using args: ['{sha1}059912fe2bf6d8083de94e69c4bf34d89f57486f']
pyff_1    | INFO:cherrypy.error.140517523755312:[05/Oct/2022:02:41:22]  selecting using args: ['{sha1}059912fe2bf6d8083de94e69c4bf34d89f57486f']
pyff_1    | 192.168.160.1 - - [05/Oct/2022:02:41:22] "GET /entities/{sha1}059912fe2bf6d8083de94e69c4bf34d89f57486f HTTP/1.1" 200 106231 "" "python-requests/2.28.1"
pyff_1    | INFO:cherrypy.access.140517523755312:192.168.160.1 - - [05/Oct/2022:02:41:22] "GET /entities/{sha1}059912fe2bf6d8083de94e69c4bf34d89f57486f HTTP/1.1" 200 106231 "" "python-requests/2.28.1"
satosa    | [2022-10-05 02:41:22,181] [DEBUG] [urllib3.connectionpool._make_request] http://pyff:8080 "GET /entities/%7Bsha1%7D059912fe2bf6d8083de94e69c4bf34d89f57486f HTTP/1.1" 200 106231
satosa    | [2022-10-05 02:41:22,379] [DEBUG] [saml2.sigver._run_xmlsec] xmlsec command: /usr/bin/xmlsec1 --verify --enabled-reference-uris empty,same-doc --enabled-key-data raw-x509-cert --pubkey-cert-pem sign.crt --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor --output /tmp/tmpui0libvy.xml /tmp/tmpkdc6sd1e.xml
satosa    | [2022-10-05 02:41:22,402] [DEBUG] [saml2.mdstore.service] service => [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&SingleSignOnService', 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'location': 'https://idp.aai.arnes.si/simplesaml/saml2/idp/SSOService.php'}]
satosa    | [2022-10-05 02:41:22,403] [DEBUG] [saml2.mdstore.service] service(https://idp.aai.arnes.si/idp/20090116, idpsso_descriptor, single_sign_on_service, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
satosa    | [2022-10-05 02:41:22,403] [DEBUG] [saml2.mdstore.service] service => []
satosa    | [2022-10-05 02:41:22,403] [ERROR] [saml2.mdstore.service] Unsupported binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST (https://idp.aai.arnes.si/idp/20090116)
satosa    | [2022-10-05 02:41:22,403] [INFO] [saml2.client.prepare_for_negotiated_authenticate] destination to provider: https://idp.aai.arnes.si/simplesaml/saml2/idp/SSOService.php
satosa    | [2022-10-05 02:41:22,403] [INFO] [saml2.entity.sign] REQUEST: <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-tjz1WI7zWpjBnsPlm" Version="2.0" IssueInstant="2022-10-05T02:41:22Z" Destination="https://idp.aai.arnes.si/simplesaml/saml2/idp/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://saml.dragonsec.si/Saml2/acs/post" ProviderName="DragonSec ID Bridge"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://saml.dragonsec.si/Saml2/proxy_saml2_backend.xml</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><ns2:Reference URI="#id-tjz1WI7zWpjBnsPlm"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><ns2:DigestValue /></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue /><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature></ns0:AuthnRequest>
satosa    | [2022-10-05 02:41:22,405] [DEBUG] [saml2.sigver._run_xmlsec] xmlsec command: /usr/bin/xmlsec1 --sign --privkey-pem backend.key --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest --node-id id-tjz1WI7zWpjBnsPlm --output /tmp/tmp4s2c1byp.xml /tmp/tmp6wvpvqwr.xml
satosa    | [2022-10-05 02:41:22,419] [INFO] [saml2.entity._message] REQUEST: <?xml version="1.0"?>
satosa    | <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-tjz1WI7zWpjBnsPlm" Version="2.0" IssueInstant="2022-10-05T02:41:22Z" Destination="https://idp.aai.arnes.si/simplesaml/saml2/idp/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://saml.dragonsec.si/Saml2/acs/post" ProviderName="DragonSec ID Bridge"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://saml.dragonsec.si/Saml2/proxy_saml2_backend.xml</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference URI="#id-tjz1WI7zWpjBnsPlm"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>HDxgsXB75U17bZWuIIo9YMUur5o=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>mwGxrVBSvKElJvHWBpZDZXM0mAq/TbXM72LX7aTCZvKc+IWLWbQf1akVnlD/+R3S
satosa    | JWR7lSdaawSa+L/eCUWJYeRvqjdVdhN4R2aeAurCr1A8wNYpzrtXAgXmI1ovgxJN
satosa    | 1gFxOO49c3Ce/OLrMDqlYeq/5j+B29/D+oNg7JUDXLVPTRit3O6m2txBYIUx8Gpr
satosa    | iFBLjOqoAGjbm3oom24gCEDMASNlpTZXRDnFZw42Pl5EbQK/GFNX7ABa2gb7e4la
satosa    | qkwYEziAvo6WoxHbPMk9987gs9x1Sfxr8qGjZb0FB/JRC4Z8Ve7KBUls9qcCPq9j
satosa    | K/fty+J5ck5NUt2JWVL/kA==</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature></ns0:AuthnRequest>
satosa    |
satosa    | [2022-10-05 02:41:22,420] [INFO] [saml2.client.prepare_for_negotiated_authenticate] AuthNReq: <?xml version="1.0"?>
satosa    | <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-tjz1WI7zWpjBnsPlm" Version="2.0" IssueInstant="2022-10-05T02:41:22Z" Destination="https://idp.aai.arnes.si/simplesaml/saml2/idp/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://saml.dragonsec.si/Saml2/acs/post" ProviderName="DragonSec ID Bridge"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://saml.dragonsec.si/Saml2/proxy_saml2_backend.xml</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference URI="#id-tjz1WI7zWpjBnsPlm"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>HDxgsXB75U17bZWuIIo9YMUur5o=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>mwGxrVBSvKElJvHWBpZDZXM0mAq/TbXM72LX7aTCZvKc+IWLWbQf1akVnlD/+R3S
satosa    | JWR7lSdaawSa+L/eCUWJYeRvqjdVdhN4R2aeAurCr1A8wNYpzrtXAgXmI1ovgxJN
satosa    | 1gFxOO49c3Ce/OLrMDqlYeq/5j+B29/D+oNg7JUDXLVPTRit3O6m2txBYIUx8Gpr
satosa    | iFBLjOqoAGjbm3oom24gCEDMASNlpTZXRDnFZw42Pl5EbQK/GFNX7ABa2gb7e4la
satosa    | qkwYEziAvo6WoxHbPMk9987gs9x1Sfxr8qGjZb0FB/JRC4Z8Ve7KBUls9qcCPq9j
satosa    | K/fty+J5ck5NUt2JWVL/kA==</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature></ns0:AuthnRequest>
satosa    |
satosa    | [2022-10-05 02:41:22,420] [INFO] [saml2.entity.apply_binding] HTTP REDIRECT
satosa    | [2022-10-05 02:41:22,456] [DEBUG] [satosa.state.state_to_cookie] [urn:uuid:8f1a2525-d3e6-4cdd-9eff-abe12428771c] Saved state in cookie SAML_STATE with properties [('expires', ''), ('path', '/'), ('comment', ''), ('domain', ''), ('max-age', ''), ('secure', True), ('httponly', ''), ('version', ''), ('samesite', 'None')]
@craftbyte
Author

Looks like I was looking at the wrong place.
The SAML request creates a header big enough to break the default nginx config that we have in front of the docker containers. Setting the following in the location / section (next to proxy_pass) made it work:

 proxy_busy_buffers_size   512k;
 proxy_buffers   4 512k;
 proxy_buffer_size   256k;

@vladimir-mencl-eresearch
Contributor

So you are getting errors from too long request URI ... that looks like related to IdentityPython/pysaml2#819 - where the AuthnRequest has a large XML signature embedded (designed for use with HTTP-POST), but it is sent via HTTP-Redirect (where a detached signature should be used instead).

Could it be mixed up HTTP-POST and HTTP-Redirect endpoints/bindings?

Cheers,
Vlad
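As an added example, not code from this thread and not SATOSA's or pysaml2's own code: the Python below first parses a constructed IdP metadata fragment to list its SingleSignOnService bindings (the lookup behind the "Unsupported binding" lines in the log, which probe HTTP-Redirect and HTTP-POST in turn and only fail outright when neither is offered), then encodes a constructed AuthnRequest for the HTTP-Redirect binding twice: once with the XML signature and X.509 certificate enveloped in the request, as the log shows, and once unsigned with a detached SigAlg/Signature pair. The difference in URL length is what lands in the 302 Location header that the reverse proxy has to buffer. The entity IDs, endpoint URLs and the random bytes standing in for the certificate and signature are assumptions for the example; only the standard library is used.

```python
"""Added example (not SATOSA or pysaml2 code): list the SSO bindings an IdP
publishes, then measure how much larger an HTTP-Redirect AuthnRequest URL is
when the XML signature is enveloped in the request rather than detached."""
import base64
import random
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed IdP metadata with a Redirect-only SSO endpoint, like the IdP in the log.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.org/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_bindings(metadata_xml):
    """Map each SingleSignOnService binding in the metadata to its Location."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Binding"): e.get("Location")
            for e in root.iter(f"{{{MD}}}SingleSignOnService")}


def choose_sso(metadata_xml, preference=(REDIRECT, POST)):
    """First preferred binding the IdP offers. The log shows pysaml2 probing both,
    logging 'Unsupported binding' for the absent one and continuing with the other."""
    offered = sso_bindings(metadata_xml)
    for binding in preference:
        if binding in offered:
            return binding, offered[binding]
    raise ValueError("IdP offers none of the preferred bindings: " + ", ".join(offered))


def _fake_b64(rng, nbytes):
    """Incompressible stand-in for a DER certificate or RSA signature (constructed)."""
    return base64.b64encode(bytes(rng.getrandbits(8) for _ in range(nbytes))).decode()


def build_authn_request(embed_signature, seed=7):
    """Constructed AuthnRequest shaped like the log's; with embed_signature=True it
    carries an enveloped ds:Signature with a 2048-bit RSA value and the full X.509 cert."""
    rng = random.Random(seed)
    sig = ""
    if embed_signature:
        sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
               '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
               f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/>'
               '<ds:Reference URI="#id-constructed"><ds:Transforms>'
               '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
               '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>'
               '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
               f'<ds:DigestValue>{_fake_b64(rng, 32)}</ds:DigestValue></ds:Reference>'
               f'</ds:SignedInfo><ds:SignatureValue>{_fake_b64(rng, 256)}</ds:SignatureValue>'
               f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_fake_b64(rng, 950)}'
               '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>')
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="id-constructed" '
            'Version="2.0" IssueInstant="2022-10-05T02:41:22Z" '
            f'Destination="https://idp.example.org/sso/redirect" ProtocolBinding="{POST}" '
            'AssertionConsumerServiceURL="https://sp.example.org/Saml2/acs/post">'
            '<saml:Issuer>https://sp.example.org/Saml2/proxy_saml2_backend.xml</saml:Issuer>'
            f'{sig}</samlp:AuthnRequest>')


def redirect_url(location, authn_request_xml, relay_state=None, detached_signature_b64=None):
    """Encode per SAML 2.0 Bindings 3.4.4.1: raw DEFLATE, base64, URL-encode. A detached
    signature travels as SigAlg/Signature parameters (real code signs urlencode(params))."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode())]
    if relay_state:
        params.append(("RelayState", relay_state))
    if detached_signature_b64 is not None:
        params += [("SigAlg", RSA_SHA256), ("Signature", detached_signature_b64)]
    return f"{location}?{urlencode(params)}"


def decode_saml_request(url):
    """Inverse of redirect_url: recover the AuthnRequest XML from the URL."""
    query = parse_qs(urlsplit(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()


def compare_redirect_sizes(relay_state="constructed-relay-state"):
    """URL length with the signature enveloped in the XML (as in the log) versus unsigned
    XML plus a detached signature; the 302 Location header must fit the proxy's buffer."""
    _, location = choose_sso(IDP_METADATA)
    embedded = redirect_url(location, build_authn_request(True), relay_state)
    detached = redirect_url(location, build_authn_request(False), relay_state,
                            detached_signature_b64=_fake_b64(random.Random(99), 256))
    return {"embedded": len(embedded), "detached": len(detached)}
```

`compare_redirect_sizes()` returns both lengths; when a 500 or 502 appears right after the discovery step, compare the larger figure with the reverse proxy's response-header buffer (nginx `proxy_buffer_size`, which the comment above raises) before looking for a SAML-level cause, and check `sso_bindings()` against the IdP's published metadata to confirm that an "Unsupported binding" line refers to a binding the IdP genuinely does not offer.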

@craftbyte
Author

I checked again and the metadata for the IDP specifies REDIRECT.
If you are in eduGAIN, feel free to test on the ARNES IdP (since this is before login anyway).

Seems like updating NGINX broke some other services for us as well, since they lowered the max size...

@vladimir-mencl-eresearch
Contributor

Hi, I'm looking at this now. I see ARNES has in eduGAIN both an SP (https://aai.arnes.si/test/edugain) and an IdP (https://idp.aai.arnes.si/idp/20090116).

What is the sequence of steps to reproduce this in a browser? Where should I start / what to select?

Cheers,
Vlad

@craftbyte
Author

It's the IdP that I was transferring to.

@vladimir-mencl-eresearch
Contributor

@craftbyte - but what sequence of steps would replicate this issue? If I just pick "an SP in eduGAIN" (like the SWITCH Attribute Viewer) and try logging in with ARNES, I get to this IdP ... but where does the double-signed message come into play? That would be after successful authentication at the IdP - which I'd not have access to?
