
Support #29663

Lasso Error 440 while receiving SAML response from AzureAD

Added by Marko Rautenberg over 5 years ago. Updated almost 3 years ago.

Status:
In progress
Priority:
Normal
Assignee:
-
Category:
SAMLv2
Target version:
-
Start date:
11 January 2019
Due date:
% Done:

0%

Estimated time:
Patch proposed:
No
Planning:
No

Description

Hi Entrouvert Team,

I hope you can help.

I have a problem while configuring SAML SSO for Apache with Azure AD as IdP.
For Apache, mod_auth_mellon is used, which uses lasso as the SSO library (lasso version 2.5.1).
The problem is as follows:

The redirect to the IdP works fine. After successful authentication the IdP sends the response to the SP (auth_mellon).
"auth_mellon" reported then:

Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success"

So that deals with the LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE error.
The error occurs in the mod_auth_mellon file "auth_mellon_handler.c" at the lasso function "lasso_login_process_authn_response_msg(login, saml_response)".

It does not matter if we use RSA-SHA1 or RSA-SHA256 as signing algorithm on IdP side.

I checked the SAML Response with the public (signing) key from Azure AD in an online SAML checker tool (https://8gwifi.org/samlverifysign.jsp).
The signature is valid (for SHA1 and SHA256).

Any ideas why lasso thinks the signature is invalid?

regards
Marko


Files

Grafana - Public.xml (13.8 KB) James Kirsop, 12 February 2020 02:31

History

#1

Updated by Marko Rautenberg over 5 years ago

Additional information:

The signature is valid for the assertion verification, not for the response or both.

kindest regards

Marko

#2

Updated by Benjamin Dauvergne over 5 years ago

Could you try to update to lasso 2.6.0 to see if it fixes your problem first?

#3

Updated by Marko Rautenberg over 5 years ago

Hi together,

I updated the lasso version to 2.6.0, but unfortunately that did not help very much.
The error message is still the same.

KR
Marko

#4

Updated by Benjamin Dauvergne almost 5 years ago

Without a test case to reproduce the problem I'll have to close this issue as non-reproducible.

#5

Updated by Benjamin Dauvergne almost 5 years ago

  • Status changed from New to Rejected

Non reproducible.

#6

Updated by James Kirsop about 4 years ago

Benjamin Dauvergne wrote:

Could you try to update to lasso 2.6.0 to see if it fixes your problem first?

I'm also having this issue on CentOS 8, running the 2.6.0 packaged release available via the AppStream repository.

Given this is clearly reproducible, what can we do to provide a test case?

#7

Updated by Benjamin Dauvergne about 4 years ago

Copy of a response and metadata of the IdP, so that I can produce a test case on it.

#8

Updated by Benjamin Dauvergne about 4 years ago

  • Status changed from Rejected to In progress

#9

Updated by James Kirsop about 4 years ago

Benjamin Dauvergne wrote:

Copy of a response and metadata of the IdP, so that I can produce a test case on it.

I would copy a response, but the mod_auth_mellon package is compiled with debugging disabled, and there's no lasso-devel package for CentOS 8, so I can't recompile to be able to get a response... I've reached out to the package maintainers at RedHat to see if they can assist.

I've got an identical configuration running and working on CentOS 7, but with lasso 2.5.1 instead of 2.6.0. However, there's no 2.5.1 package available for CentOS 8.

Attached is the Federation Metadata XML.

#10

Updated by Nicolas Quiniou-Briand about 4 years ago

Hello James,

I'm not a SAML expert, but after reading this [1], you should be able to provide a SAML response by watching the HTTP request sent by the user-agent to your SP, using the web browser console.
Then you can decode the SAML request using the tools available here [2]. There is also a Firefox plugin to directly decode the request in your web browser [3].

[1] https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#Use
[2] https://www.samltool.com/online_tools.php
[3] https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

#11

Updated by Benjamin Dauvergne about 4 years ago

To clarify the last remark: it will only work if your mod_mellon is configured for the POST binding. With the Artifact binding the response is pulled asynchronously by Apache (by a direct SOAP request to the IdP), so you cannot see the response going through your browser.

#12

Updated by James Kirsop about 4 years ago

Thanks.
Here's the SAML Response provided via the SAML-Tracer plugin. Hopefully this is what you're after.

<samlp:Response ID="_7014a3b3-d8f6-456c-ad6f-df129ada56d2" 
                Version="2.0" 
                IssueInstant="2020-02-17T00:39:13.702Z" 
                Destination="https://metrics.daraco.com.au/mellon/postResponse" 
                InResponseTo="_191B932302F0ABBBD8DDFCDBCA13C2B0" 
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/f69acc14-568b-43ea-a578-4b8aafcf404d/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="_859b046e-bd37-425a-9bde-65f74b696000" 
               IssueInstant="2020-02-17T00:39:13.689Z" 
               Version="2.0" 
               xmlns="urn:oasis:names:tc:SAML:2.0:assertion" 
               >
        <Issuer>https://sts.windows.net/f69acc14-568b-43ea-a578-4b8aafcf404d/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_859b046e-bd37-425a-9bde-65f74b696000">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>NmaM4PPNlqxJhuPlRqsWUXSZsYftrJG5BgK1DROoi5c=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>gFkAn+lR8QJKUIz3PkuRAA/EIiiKBEabvIO0sFQH44evO5oAWtXg7zMaOQGmrvoYvk6d+eh5/1booV2KviS32m7vxfY+KOcDtoFf/b1Cj76LcUeJMq6oK+sqQA4bNB1qAJDBMqvvsL3Cce/8tSv+IXegxorhazefSeGti/EDoXklBwa/sVbWeQCAvZim+qJYvpBDgHLSir9uNNfifybLjXGR0ONgE/KT07dLGE50g3bRe9Fr0ocMWZujZOMUYUwM3oy/mUdRjRT1ISo3PJY6M2vpTwTbdiWjcS9veBKCMTmMkUcf6gfGqdQtta8hOKYDABGwKHe58oNXUvHuQJdjNQ==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>[...]</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">dtuv0FIhRHYmeHRjk8+E98RxKYWIJ6XZErMKrDHpAZM=</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_191B932302F0ABBBD8DDFCDBCA13C2B0" 
                                         NotOnOrAfter="2020-02-17T01:39:13.421Z" 
                                         Recipient="https://metrics.daraco.com.au/mellon/postResponse" 
                                         />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2020-02-17T00:34:13.421Z" 
                    NotOnOrAfter="2020-02-17T01:39:13.421Z" 
                    >
            <AudienceRestriction>
                <Audience>urn:metrics.daraco.com.au</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>f69acc14-568b-43ea-a578-4b8aafcf404d</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>ed336ea9-ffd9-4cc7-a08d-192bfd954f32</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>James Kirsop</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>https://sts.windows.net/f69acc14-568b-43ea-a578-4b8aafcf404d/</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>James</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>Kirsop</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>JKirsop@daraco.com.au</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>JKirsop@daraco.com.au</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2020-02-17T00:38:03.500Z" 
                        SessionIndex="_859b046e-bd37-425a-9bde-65f74b696000" 
                        >
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

#13

Updated by Benjamin Dauvergne about 4 years ago

James Kirsop wrote:

Thanks.
Here's the SAML Response provided via the SAML-Tracer plugin. Hopefully this is what you're after.

[...]

I would prefer the POST response content, but I'll try to use that.

#14

Updated by James Kirsop about 4 years ago

Benjamin Dauvergne wrote:

James Kirsop wrote:

Thanks.
Here's the SAML Response provided via the SAML-Tracer plugin. Hopefully this is what you're after.

[...]

I would prefer the POST response content, but I'll try to use that.

Here's the POST response content:

POST
SAMLResponse: [base64 value elided]
RelayState: https://metrics.daraco.com.au/

#15

Updated by Benjamin Dauvergne about 4 years ago

I have no problem processing this assertion with current lasso master; try testing against master, and I'll try to release 2.6.1.

In [19]: server = lasso.Server('sp_meta.xml') # I forged SP metadata based on the Destination field of your response

In [20]: help(lasso)

In [21]: server.addProvider(lasso.PROVIDER_ROLE_IDP, 'idp_meta.xml') # your Grafana IDP file

In [22]: login = lasso.Login(server)

In [24]: login.processAuthnResponseMsg(response) # content of the SAMLResponse field of the POST response
# no exception, all is well

#16

Updated by James Kirsop about 4 years ago

Benjamin Dauvergne wrote:

I have no problem processing this assertion with current lasso master; try testing against master, and I'll try to release 2.6.1.

Thanks, I'll try and compile 2.6.1 and see if that will solve my issue.

I'm having issues compiling 2.6.0 (extract below) on CentOS 8, so hopefully .1 will get me across the line. I will report back in the morning Australian time!

$ ./configure --with-python=/usr/bin/python3 && make
...
Making all in saml-2.0
make[4]: Entering directory '/home/jkirsop.admin/lasso-2.6.0/lasso/saml-2.0'
make[4]: Nothing to be done for 'all'.
make[4]: Leaving directory '/home/jkirsop.admin/lasso-2.6.0/lasso/saml-2.0'
make[4]: Entering directory '/home/jkirsop.admin/lasso-2.6.0/lasso'
  CCLD     liblasso.la
/usr/bin/ld: cannot find -lltdl
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:644: liblasso.la] Error 1
make[4]: Leaving directory '/home/jkirsop.admin/lasso-2.6.0/lasso'
make[3]: *** [Makefile:741: all-recursive] Error 1
make[3]: Leaving directory '/home/jkirsop.admin/lasso-2.6.0/lasso'
make[2]: *** [Makefile:563: all] Error 2
make[2]: Leaving directory '/home/jkirsop.admin/lasso-2.6.0/lasso'
make[1]: *** [Makefile:575: all-recursive] Error 1
make[1]: Leaving directory '/home/jkirsop.admin/lasso-2.6.0'
make: *** [Makefile:482: all] Error 2

#17

Updated by Benjamin Dauvergne about 4 years ago

I'm not able to help, I only know Debian. But I think you could take the lasso 2.6.0 packaging from CentOS and just replace the source code with 2.6.1.

#18

Updated by James Kirsop about 4 years ago

I've got lasso's master branch to compile, and after I move the libraries into the correct location for centos and restart apache, I still see the same error in my error_log files.

I'm now trying to recompile mod_auth_mellon to get some further diagnostic information, with limited success.

Are there flags I can set to compile lasso to provide more diagnostic info?

#19

Updated by James Kirsop about 4 years ago

Doing some more troubleshooting now that I've got Mellon diagnostics working.

On the mellon side, the diagnostic logs suggest that the POST request makes its way to the am_handle_post_reply function [1], and then into lasso_login_process_authn_response_msg() [2].

Because lasso_login_process_authn_response_msg() doesn't return 0, I'm bounced back with the following message at [3]:

[APLOG_ERR auth_mellon_handler.c:2139] Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)" 

I'm happy to provide more information if I can get details on what is required.

[1] https://github.com/latchset/mod_auth_mellon/blob/7d371b665a03ed939fff31791a24c35aff644392/auth_mellon_handler.c#L2059
[2] https://dev.entrouvert.org/projects/lasso/repository/revisions/73625674113f5bc5e6e18adc0ee218fcab17065f/entry/lasso/id-ff/login.c#L2164
[3] https://github.com/latchset/mod_auth_mellon/blob/7d371b665a03ed939fff31791a24c35aff644392/auth_mellon_handler.c#L2133

#20

Updated by James Kirsop about 4 years ago

Is there any further information I can provide to assist in getting to the bottom of this issue?

#21

Updated by Bostjan Skufca Jese about 3 years ago

@James, I was facing the same issue earlier today. After a few blind guesses I managed to overcome it by changing the canonicalization method on the IdP side, from the "... with comments" to either "Explicit" or "Implicit" (without comments).

On the XML level, these two values are now working for me:
- <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
- <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

Non-working ones were these two:
- <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
- <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>

I hope this helps.
b.

#22

Updated by Benjamin Dauvergne about 3 years ago

It's strange because all the C14N methods are enabled in Lasso, but we do not have tests to check that they work. On the lasso side we only use http://www.w3.org/2001/10/xml-exc-c14n#.

#23

Updated by Bostjan Skufca Jese about 3 years ago

(I forgot to mention versions: in my particular case, I am using mod_auth_mellon version 0.16.0-1 and liblasso version 2.6.0-7ubuntu1.1, as provided by Ubuntu 20.04.)

#24

Updated by Benjamin Dauvergne about 3 years ago

It was reported in the past (see #4863) that http://www.w3.org/2001/10/xml-exc-c14n#WithComments worked when I added it (support for it was added in 2.6.0).

PS: and anyway, the Response reported by James used http://www.w3.org/2001/10/xml-exc-c14n#, so the problems are not related.
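As an added diagnostic example (not lasso's or mod_auth_mellon's code, and not something anyone in this thread posted), the Python script below covers the two practical steps this thread circles around: decoding the SAMLResponse form field captured from the POST binding as in #10 to #14 (plus the Redirect binding's DEFLATE step, which this thread does not use but which the same capture method also produces), and listing the structural facts of each XML signature that a lasso 440 investigation needs: which element is signed (Response, Assertion, or neither, cf. #1), the Reference URI, the signature algorithm, and the canonicalization method and whether it is a WithComments variant as in #21 to #24. It uses only the standard library and does not verify the signature cryptographically; it runs on a constructed sample shaped like the response in #12, whose hostnames, IDs, digest and signature values are made-up placeholders.

```python
"""Diagnostics for a SAMLResponse that a lasso-based SP rejects with error 440.
Added example, not lasso or mod_auth_mellon code.  It decodes the SAMLResponse
field and reports the signature layout; it does NOT verify the signature
(that needs an XML-DSig library such as xmlsec)."""
import base64
import zlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed sample shaped like the Azure AD response in this ticket: the Response
# is unsigned and the Assertion carries an enveloped signature.  Hostnames, IDs,
# DigestValue and SignatureValue are placeholders, not real values.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-0001" Version="2.0"
  IssueInstant="2020-02-17T00:39:13Z" Destination="https://sp.example.invalid/mellon/postResponse">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert-0001" Version="2.0" IssueInstant="2020-02-17T00:39:13Z">
    <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_assert-0001">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""
# Same sample with the C14N variant reported as failing in #21.
SAMPLE_XML_WITH_COMMENTS = SAMPLE_XML.replace(
    'CanonicalizationMethod Algorithm="%s"' % EXC_C14N,
    'CanonicalizationMethod Algorithm="%sWithComments"' % EXC_C14N)
SAMPLE_POST_FIELD = base64.b64encode(SAMPLE_XML.encode()).decode()

def decode_saml_response(field, binding="POST"):
    """XML bytes behind a (URL-decoded) SAMLResponse parameter.  POST binding: base64;
    Redirect binding: raw DEFLATE then base64.  The Artifact binding never passes
    the response through the browser, so there is nothing to capture there."""
    raw = base64.b64decode(field)
    if binding.upper() == "REDIRECT":
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream, no zlib header
    return raw

def encode_for_redirect(xml_bytes):
    """Inverse of the Redirect-binding decoding; used here to build test input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()

def inspect_signatures(xml_bytes):
    """One dict per ds:Signature: which element is signed, with which C14N and
    signature algorithms, and whether the Reference URI points at that element."""
    root = ET.fromstring(xml_bytes)
    parent = {child: p for p in root.iter() for child in p}  # ET has no parent links
    findings = []
    for sig in root.iter("{%s}Signature" % DS):
        enclosing = parent[sig]
        c14n = sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS).get("Algorithm")
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        findings.append({
            "signed_element": enclosing.tag.rsplit("}", 1)[-1],
            "c14n": c14n,
            "with_comments": c14n.endswith("#WithComments"),
            "signature_method": sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm"),
            "reference_uri": ref.get("URI"),
            "reference_matches_enclosing": ref.get("URI") == "#" + (enclosing.get("ID") or ""),
        })
    return findings

def warnings_for(findings):
    """Hints for the things a 440 investigation should look at first."""
    warns = []
    if not findings:
        warns.append("no ds:Signature at all: neither Response nor Assertion is signed")
    for f in findings:
        if f["with_comments"]:
            warns.append("%s: C14N %s is a WithComments variant; only %s is exercised by "
                         "lasso's own tests (see #22)" % (f["signed_element"], f["c14n"], EXC_C14N))
        if not f["reference_matches_enclosing"]:
            warns.append("%s: Reference URI %s does not point at the signed element"
                         % (f["signed_element"], f["reference_uri"]))
    return warns

if __name__ == "__main__":
    for sample in (SAMPLE_POST_FIELD, base64.b64encode(SAMPLE_XML_WITH_COMMENTS.encode()).decode()):
        findings = inspect_signatures(decode_saml_response(sample))
        print(findings, warnings_for(findings))
```

To use it on a real capture, paste the SAMLResponse value from SAML-tracer or the browser's network panel into decode_saml_response and feed the bytes to inspect_signatures; the same bytes are what the lasso session in #15 passes to processAuthnResponseMsg, so the two can be compared side by side when the lasso result differs from the IdP-side expectation.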

#25

Updated by Bostjan Skufca Jese almost 3 years ago

(Thanks for spotting the difference, Benjamin, and sorry for the spam.)
