Support #29663

Lasso Error 440 while receiving SAML response from AzureAD

Added by Marko Rautenberg about 1 year ago. Updated about 1 month ago.

Status:
In progress
Priority:
Normal
Assignee:
-
Category:
SAMLv2
Target version:
-
Start date:
11 Jan 2019
Due date:
% Done:

0%

Patch proposed:
No
Planning:
No

Description

Hi Entrouvert Team,

I hope you can help.

I have a problem while configuring SAML SSO for Apache with Azure AD as IdP.
For Apache mod_auth_mellon is used, which uses lasso as SSO library (lasso version 2.5.1).
The problem is as follows:

The redirect to the IdP works fine. After successful authentication the IdP sends the response to the SP (auth_mellon).
"auth_mellon" reported then:

Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success"

So that deals with LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE error.
The error occurs in the mod_auth_mellon function "auth_mellon_handler.c" at lasso function: "lasso_login_process_authn_response_msg(login, saml_response)".

It does not matter if we use RSA-SHA1 or RSA-SHA256 as signing algorithm on IdP side.

I checked the SAML Response with the public (signing) key from Azure AD in an online SAML checker tool (https://8gwifi.org/samlverifysign.jsp)
The Signature is valid. (for SHA1 and SHA256)

Any ideas why lasso thinks the signature is invalid?

regards
Marko

Attachment: Grafana - Public.xml (13.8 KB), James Kirsop, 12 Feb 2020 02:31 AM

History

#1 Updated by Marko Rautenberg about 1 year ago

additional information

The signature is valid for the assertion verification, not for the response or both.

kindest regards

Marko

#2 Updated by Benjamin Dauvergne about 1 year ago

Could you try to update to lasso 2.6.0 to see if it fixes your problem first?

#3 Updated by Marko Rautenberg about 1 year ago

Hi together,

I updated the lasso version to 2.6.0, but unfortunately that did not help very much.
The error-message is still the same.

KR
Marko

#4 Updated by Benjamin Dauvergne 10 months ago

Without a test case to reproduce the problem I'll have to close this issue as non-reproducible.

#5 Updated by Benjamin Dauvergne 9 months ago

  • Status changed from New to Rejected

Non reproducible.

#6 Updated by James Kirsop about 2 months ago

Benjamin Dauvergne wrote:

Could you try to update to lasso 2.6.0 to see if it fixes your problem first?

I'm also having this issue on CentOS 8, running the 2.6.0 packaged release available via the AppStream repository.

Given this is clearly reproducible, what can we do to provide a test case?

#7 Updated by Benjamin Dauvergne about 2 months ago

Copy of a response and metadata of the IdP, so that I can produce a test case on it.

#8 Updated by Benjamin Dauvergne about 2 months ago

  • Status changed from Rejected to In progress

#9 Updated by James Kirsop about 2 months ago

Benjamin Dauvergne wrote:

Copy of a response and metadata of the IdP, so that I can produce a test case on it.

I would copy a response, but the mod_auth_mellon package is compiled with debugging disabled, and there's no lasso-devel package for CentOS 8, so I can't recompile to be able to get a response... I've reached out to the package maintainers at RedHat to see if they can assist.

I've got an identical configuration running and working in CentOS 7, but with lasso 2.5.1 instead of 2.6.0. However, there's no 2.5.1 package available for CentOS 8.

Attached is the Federation Metadata XML.

#10 Updated by Nicolas Quiniou-Briand about 2 months ago

Hello James,

I'm not a SAML expert, but after reading this [1], you should be able to provide a SAML response by watching the HTTP request sent by the user-agent to your SP using the web browser console.
Then you can decode the SAML request using the tools available here [2]. There is also a Firefox plugin to decode the request directly in your web browser [3].

[1] https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#Use
[2] https://www.samltool.com/online_tools.php
[3] https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

#11 Updated by Benjamin Dauvergne about 2 months ago

To be precise about the last remark: it will only work if your mod_mellon is configured for the POST binding; with the Artifact binding the response is pulled asynchronously by Apache (by a direct SOAP request to the IdP; you cannot see the response going through your browser).

#12 Updated by James Kirsop about 2 months ago

Thanks.
Here's the SAML Response provided via the SAML-Tracer plugin. Hopefully this is what you're after.

<samlp:Response ID="_7014a3b3-d8f6-456c-ad6f-df129ada56d2" 
                Version="2.0" 
                IssueInstant="2020-02-17T00:39:13.702Z" 
                Destination="https://metrics.daraco.com.au/mellon/postResponse" 
                InResponseTo="_191B932302F0ABBBD8DDFCDBCA13C2B0" 
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/f69acc14-568b-43ea-a578-4b8aafcf404d/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="_859b046e-bd37-425a-9bde-65f74b696000" 
               IssueInstant="2020-02-17T00:39:13.689Z" 
               Version="2.0" 
               xmlns="urn:oasis:names:tc:SAML:2.0:assertion" 
               >
        <Issuer>https://sts.windows.net/f69acc14-568b-43ea-a578-4b8aafcf404d/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_859b046e-bd37-425a-9bde-65f74b696000">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>NmaM4PPNlqxJhuPlRqsWUXSZsYftrJG5BgK1DROoi5c=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>gFkAn+lR8QJKUIz3PkuRAA/EIiiKBEabvIO0sFQH44evO5oAWtXg7zMaOQGmrvoYvk6d+eh5/1booV2KviS32m7vxfY+KOcDtoFf/b1Cj76LcUeJMq6oK+sqQA4bNB1qAJDBMqvvsL3Cce/8tSv+IXegxorhazefSeGti/EDoXklBwa/sVbWeQCAvZim+qJYvpBDgHLSir9uNNfifybLjXGR0ONgE/KT07dLGE50g3bRe9Fr0ocMWZujZOMUYUwM3oy/mUdRjRT1ISo3PJY6M2vpTwTbdiWjcS9veBKCMTmMkUcf6gfGqdQtta8hOKYDABGwKHe58oNXUvHuQJdjNQ==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>[...]</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">dtuv0FIhRHYmeHRjk8+E98RxKYWIJ6XZErMKrDHpAZM=</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_191B932302F0ABBBD8DDFCDBCA13C2B0" 
                                         NotOnOrAfter="2020-02-17T01:39:13.421Z" 
                                         Recipient="https://metrics.daraco.com.au/mellon/postResponse" 
                                         />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2020-02-17T00:34:13.421Z" 
                    NotOnOrAfter="2020-02-17T01:39:13.421Z" 
                    >
            <AudienceRestriction>
                <Audience>urn:metrics.daraco.com.au</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>f69acc14-568b-43ea-a578-4b8aafcf404d</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>ed336ea9-ffd9-4cc7-a08d-192bfd954f32</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>James Kirsop</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>https://sts.windows.net/f69acc14-568b-43ea-a578-4b8aafcf404d/</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>James</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>Kirsop</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>JKirsop@daraco.com.au</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>JKirsop@daraco.com.au</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2020-02-17T00:38:03.500Z" 
                        SessionIndex="_859b046e-bd37-425a-9bde-65f74b696000" 
                        >
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

#13 Updated by Benjamin Dauvergne about 2 months ago

James Kirsop wrote:

Thanks.
Here's the SAML Response provided via the SAML-Tracer plugin. Hopefully this is what you're after.

[...]

I would prefer the POST response content, but I'll try to use that.

#14 Updated by James Kirsop about 2 months ago

Benjamin Dauvergne wrote:

James Kirsop wrote:

Thanks.
Here's the SAML Response provided via the SAML-Tracer plugin. Hopefully this is what you're after.

[...]

I would prefer the POST response content, but I'll try to use that.

Here's the POST response content:

POST
SAMLResponse: [...]
RelayState: https://metrics.daraco.com.au/
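As an added example (not code from this thread, and no substitute for lasso's cryptographic verification), a stdlib-only Python triage covering two points raised above: decoding the POST-binding SAMLResponse field captured with SAML-tracer (#10 and #11), and checking, as in #1, which element carries the signature (Assertion or Response), whether its Reference URI points back at that element's ID, and whether the KeyInfo certificate is one the IdP metadata publishes for signing. The response and metadata below are constructed stand-ins, not the ones posted or attached to this issue.

```python
import base64
import xml.etree.ElementTree as ET
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

def decode_post_response(saml_response_field):
    # HTTP-POST binding: the SAMLResponse form field is plain base64 of the XML
    # (no DEFLATE; only the HTTP-Redirect binding deflates).
    return base64.b64decode(saml_response_field)

def signing_certs(idp_metadata_xml):
    # Certificates the IdP metadata publishes for signing (no use= means both).
    certs = set()
    for kd in ET.fromstring(idp_metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") != "encryption":
            certs.update("".join(c.text.split())
                         for c in kd.iterfind(".//ds:X509Certificate", NS))
    return certs

def inspect_signatures(response_xml, idp_metadata_xml):
    # Structural triage only (no cryptographic check): which element carries each
    # ds:Signature, does its Reference match that element's ID, which algorithms,
    # and is the KeyInfo certificate one the IdP metadata publishes for signing.
    known = signing_certs(idp_metadata_xml)
    report = []
    for parent in ET.fromstring(response_xml).iter():
        for sig in parent.findall("ds:Signature", NS):
            ref = sig.find("ds:SignedInfo/ds:Reference", NS)
            cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            report.append({
                "signed_element": parent.tag.split("}")[-1],
                "reference_matches_id": ref.get("URI") == "#" + parent.get("ID", ""),
                "signature_method": sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm"),
                "digest_method": ref.find("ds:DigestMethod", NS).get("Algorithm"),
                "cert_in_idp_metadata": cert is not None and "".join(cert.text.split()) in known})
    return report

# Constructed sample shaped like the Azure AD response in this thread: signature
# enveloped in the Assertion, the Response element itself unsigned.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:IDPSSODescriptor><md:KeyDescriptor
 use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-CERT-BASE64
 </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
 </md:EntityDescriptor>"""
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="_r1" Version="2.0"><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><SignatureMethod
 Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_a1">
 <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></Reference></SignedInfo>
 <SignatureValue>CONSTRUCTED</SignatureValue><KeyInfo><X509Data><X509Certificate>
 CONSTRUCTED-CERT-BASE64</X509Certificate></X509Data></KeyInfo></Signature></Assertion>
 </samlp:Response>"""
POST_FIELD = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()  # as seen in SAML-tracer
```

A report entry whose certificate is not in the metadata, or whose Reference does not match the signed element's ID, is the first thing to compare against the metadata lasso was configured with before digging into lasso itself.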

#15 Updated by Benjamin Dauvergne about 1 month ago

I have no problem processing this assertion with current lasso master, try testing against master and I'll try to release a 2.6.1 release.

In [19]: server = lasso.Server('sp_meta.xml') # I forged SP metadata based on the Destination field of your response

In [20]: help(lasso)

In [21]: server.addProvider(lasso.PROVIDER_ROLE_IDP, 'idp_meta.xml') # your Grafana IDP file

In [22]: login = lasso.Login(server)

In [24]: login.processAuthnResponseMsg(response) # content of the SAMLResponse field of the POST response
# no exception, all is well

#16 Updated by James Kirsop about 1 month ago

Benjamin Dauvergne wrote:

I have no problem processing this assertion with current lasso master, try testing against master and I'll try to release a 2.6.1 release.

Thanks, I'll try and compile 2.6.1 and see if that will solve my issue.

I'm having issues compiling 2.6.0 (extract below) on CentOS 8, so hopefully .1 will get me across the line. I will report back in the morning Australian time!

$ ./configure --with-python=/usr/bin/python3 && make
...
Making all in saml-2.0
make[4]: Entering directory '/home/jkirsop.admin/lasso-2.6.0/lasso/saml-2.0'
make[4]: Nothing to be done for 'all'.
make[4]: Leaving directory '/home/jkirsop.admin/lasso-2.6.0/lasso/saml-2.0'
make[4]: Entering directory '/home/jkirsop.admin/lasso-2.6.0/lasso'
  CCLD     liblasso.la
/usr/bin/ld: cannot find -lltdl
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:644: liblasso.la] Error 1
make[4]: Leaving directory '/home/jkirsop.admin/lasso-2.6.0/lasso'
make[3]: *** [Makefile:741: all-recursive] Error 1
make[3]: Leaving directory '/home/jkirsop.admin/lasso-2.6.0/lasso'
make[2]: *** [Makefile:563: all] Error 2
make[2]: Leaving directory '/home/jkirsop.admin/lasso-2.6.0/lasso'
make[1]: *** [Makefile:575: all-recursive] Error 1
make[1]: Leaving directory '/home/jkirsop.admin/lasso-2.6.0'
make: *** [Makefile:482: all] Error 2

#17 Updated by Benjamin Dauvergne about 1 month ago

I'm not able to help, I only know Debian. But I think you could take the lasso 2.6.0 packaging from CentOS and just replace the source code by 2.6.1.

#18 Updated by James Kirsop about 1 month ago

I've got lasso's master branch to compile, and after I move the libraries into the correct location for CentOS and restart Apache, I still see the same error in my error_log files.

I'm now trying to recompile mod_auth_mellon to get some further diagnostic information, with limited success.

Are there flags I can set to compile lasso to provide more diagnostic info?

#19 Updated by James Kirsop about 1 month ago

Doing some more troubleshooting now I've got Mellon diagnostics working.

On the mellon side, the diagnostics logs suggest that the post request makes its way to the am_handle_post_reply function [1], and then into lasso_login_process_authn_response_msg() [2].

Because lasso_login_process_authn_response_msg() doesn't return 0, I'm bounced back the following message at [3]:

[APLOG_ERR auth_mellon_handler.c:2139] Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)" 

I'm happy to provide more information if I can get details on what is required.

[1](https://github.com/latchset/mod_auth_mellon/blob/7d371b665a03ed939fff31791a24c35aff644392/auth_mellon_handler.c#L2059)
[2](https://dev.entrouvert.org/projects/lasso/repository/revisions/73625674113f5bc5e6e18adc0ee218fcab17065f/entry/lasso/id-ff/login.c#L2164)
[3](https://github.com/latchset/mod_auth_mellon/blob/7d371b665a03ed939fff31791a24c35aff644392/auth_mellon_handler.c#L2133)

#20 Updated by James Kirsop about 1 month ago

Is there any further information I can provide to assist in getting to the bottom of this issue?