Produits Entr'ouvert » Authentic 2

Chez un client, nous rencontrons un souci de déconnexion en cours de connexion à certains SP SAML2 (avec trois fournisseurs de services SAS différents) :

• avec un navigateur déjà connecté sur Authentic, nous déclenchons une authentification depuis un des SP problématiques
• l'utilisateur est bien redirigé vers l'IDP avec une requête d'authentification SAML qui a priori semble correcte et correspondre aux metadatas connus par l'IDP pour ce SP (cf. fichiers joints)
• dans les logs Authentic, on retrouve ce qui suit (je précise que j'ai modifié le logger.debug('processAuthnRequestMsg not successful') en un logger.exception pour plus de détails) :

Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG processing sso request 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOkF1dGhuUmVxdWVzdCBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vYXV0aC5waWdtZW50LmFwcC9zc28vc2FtbDIvMG9hNXBjcm8za1BKVWNRRlc0MTciIERlc3RpbmF0aW9uPSJodHRwczovL2Nvbm5leGlvbi1wcmVwcm9kLmVuZXJjb29wLm9yZy9pZHAvc2FtbDIvc3NvIiBGb3JjZUF1dGhuPSJmYWxzZSIgSUQ9ImlkODcwOTQ0OTk4ODc5NTIyODE4MTI3Nzg3MjAiIElzc3VlSW5zdGFudD0iMjAyMi0xMS0yOFQxNDozODo0OC42ODdaIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwczovL3d3dy5va3RhLmNvbS9zYW1sMi9zZXJ2aWNlLXByb3ZpZGVyL3NwemRzbHRiZW1xb2NqcnB3dHd6PC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjaWQ4NzA5NDQ5OTg4Nzk1MjI4MTgxMjc3ODcyMCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+aGhZVCtvY2hSRlhSSzF5S3dyNEU2YnZTR1NjPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5kcCtMWG51b1BFZGREU2kwRUF0d1VIaUswUXlCUWRzLy9MWStQbGMvZ1ZNV1Zsc3lNOUoxQVJHZXBnZDRVOHFNcnlBVFAxSGZYcEptTkl3K05xeFcrVkR6Y2VzakwzeTcyRVdPR0JHMlNQZ2JmTXpLQUhrN3ErLzFDVGsveHJTdEFHTTBLT2J3STNaYXEwV3NJa2wwUnpTa3FrbjB4NTJzdGM3eWN4Z2RUTjgxWXk0WHFKTlR4dGxMa2dlbEdvQWJ3a0xsUTloL0h0Q3VVVzJyblM1VlE2UDRybXVpSVlxK0lyeHlvMDBYbnEvRUJLYUhUaHBkWXpaMGZTSXpMS2xGaG9MbElEUEc4eXRqVzRPSFBNWWgzS2ZIakVXQVRjbkc0QUMvTVlaZk56Skhhb2U4OTA5OHVkcE9iYnNKVHE2WGQ3T05mMzZnZG1CanF5S0l5VUNPYmc9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRG5qQ0NBb2FnQXdJQkFnSUdBWGlSM0I0Qk1BMEdDU3FHU0liM0RRRUJDd1VBTUlHUE1Rc3dDUVlEVlFRR0V3SlZVekVUTUJFRwpBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFQ2d3RVQydDBZVEVVCk1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhFREFPQmdOVkJBTU1CM0JwWjIxbGJuUXhIREFhQmdrcWhraUc5dzBCQ1FFV0RXbHUKWm05QWIydDBZUzVqYjIwd0hoY05NakV3TkRBeU1Ea3hNalExV2hjTk16RXdOREF5TURreE16UTFXakNCanpFTE1Ba0dBMVVFQmhNQwpWVk14RXpBUkJnTlZCQWdNQ2tOaGJHbG1iM0p1YVdFeEZqQVVCZ05WQkFjTURWTmhiaUJHY21GdVkybHpZMjh4RFRBTEJnTlZCQW9NCkJFOXJkR0V4RkRBU0JnTlZCQXNNQzFOVFQxQnliM1pwWkdWeU1SQXdEZ1lEVlFRRERBZHdhV2R0Wlc1ME1Sd3dHZ1lKS29aSWh2Y04KQVFrQkZnMXBibVp2UUc5cmRHRXVZMjl0TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF4Q0txenRlRApFTkxUV0VjT1ZtVWUxWjRFVXQxemhzVFV0UU5ueTRLT2FsZ3U1clZuaXk1cFdudURJL0xZRk11OVdCaWU1UGlBa3NoTmhPK2JZVitLCkNWQjFnNGFPeVN6ekxhSjhIWW1zUnVQUTA5RW5ybVpXN2liTVhZOXFSSzRvVTVtenNVcUFhRnRVcXdFcjZNdEhIaEtDS0I3QVBmTVEKOFVvZ2EyUzdSNjB4T2NsNGpmU2FEVWo3QVR3L3pCTVAxcHhLaG1TQ3RmZ1lZU2hQZHRSdnhJcjRvTldZUTZIREQwdWtMeDF4VTE3RwpwUStwb2VaVno4VVVvaGdlWVI2YU9QKzdEa1JCdHhlR09XZFNpRlVQeUM1L2ZQampBNWVwQW95Z1ZlQU83cTVXRytsL0tWd0JDazh2Ck9hc3YvUk1QMmJxbmQ1c05LMWMyNXV2VEZhODJpUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQXhxWjFvYmxBMHQ2bDkKRUVGd2Uzdi9rWGpxTklKRmhGYk1ReEo0VTFsakVsaGYvMzBpN0VzNmJRSGlNdnU0LzN6UThmVTErdDR6bmhvNFYweFlrOFBnMjZmOQppcUhCTTJxNXZoN0FFOEN5N3dxZVRYREh3YmJPRGFmZnNWVmZvSjUwT1UvVFZwSHhwYU1EeW5VNkhkQVJ5VlYwaDlzeXNLbFU2WUlaCkczRzd6eGU1czdjUlY1a2MwMzIyUGp0cUNJQjE2OWI5ZU5odTQwS3ZuV2NWa0Z6V3lUdWlxR3BNM1dvT2lqZG5nTjUxTVZVNHNwbjkKTVh3dnFvZnJPSmEvMEF1czY4ODdqS3EySENvNWFRbFJxVHAyYTVVMDlGQlByMDZxdXpWQW5lZDhUaFBxSFBRYW42R1VhaEtrVlkyNwpBUW5VYjI4OXZBVkdsSVVwT1BFNDlkR1E8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDJwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCIvPjwvc2FtbDJwOkF1dGhuUmVxdWVzdD4='
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1455) lasso_node_impl_init_from_xml <AuthnRequest>
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1424) Matching node Issuer vs snippet Issuer: SUCCESS namespace URIs match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:2475) Processing node 'Issuer' with type 'LassoSaml2NameID'
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1455) lasso_node_impl_init_from_xml <Issuer>
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1865) lasso_node_impl_init_from_xml </Issuer> rc=0
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1424) Matching node Signature vs snippet Signature: SUCCESS namespace URIs match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1414) Matching node NameIDPolicy vs snippet Extensions: FAILURE names don't match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1414) Matching node NameIDPolicy vs snippet PrivateKeyFile: FAILURE names don't match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1414) Matching node NameIDPolicy vs snippet CertificateFile: FAILURE names don't match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1414) Matching node NameIDPolicy vs snippet Subject: FAILURE names don't match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1419) Matching node NameIDPolicy vs snippet NameIDPolicy: SUCCESS namespace prefixes match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:2475) Processing node 'NameIDPolicy' with type '(null)'
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:2475) Processing node 'NameIDPolicy' with type 'LassoSamlp2NameIDPolicy'
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1455) lasso_node_impl_init_from_xml <NameIDPolicy>
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1865) lasso_node_impl_init_from_xml </NameIDPolicy> rc=0
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1865) lasso_node_impl_init_from_xml </AuthnRequest> rc=0
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 ERROR processAuthnRequestMsg not successful#012Traceback (most recent call last):#012  File "/usr/lib/python3/dist-packages/authentic2/idp/saml/saml2_endpoints.py", line 533, in sso#012    login.processAuthnRequestMsg(force_str(message))#012  File "/usr/lib/python3/dist-packages/lasso.py", line 2284, in processAuthnRequestMsg#012    Error.raise_on_rc(rc)#012  File "/usr/lib/python3/dist-packages/lasso.py", line 62, in raise_on_rc#012    raise exception#012lasso.ServerProviderNotFoundError: <lasso.ServerProviderNotFoundError(-201): The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().>
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG {'issuer': 'https://www.okta.com/saml2/service-provider/spzdsltbemqocjrpwtwz', 'forceAuthn': False, 'isPassive': False, 'protocolBinding': None, 'nameIdPolicy': {'allowCreate': False, 'format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 'spNameQualifier': None}}
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG loading provider https://www.okta.com/saml2/service-provider/spzdsltbemqocjrpwtwz
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG loaded provider https://www.okta.com/saml2/service-provider/spzdsltbemqocjrpwtwz
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG provider https://www.okta.com/saml2/service-provider/spzdsltbemqocjrpwtwz loaded with success
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1455) lasso_node_impl_init_from_xml <AuthnRequest>
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1424) Matching node Issuer vs snippet Issuer: SUCCESS namespace URIs match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:2475) Processing node 'Issuer' with type 'LassoSaml2NameID'
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1455) lasso_node_impl_init_from_xml <Issuer>
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1865) lasso_node_impl_init_from_xml </Issuer> rc=0
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1424) Matching node Signature vs snippet Signature: SUCCESS namespace URIs match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1414) Matching node NameIDPolicy vs snippet Extensions: FAILURE names don't match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1414) Matching node NameIDPolicy vs snippet PrivateKeyFile: FAILURE names don't match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1414) Matching node NameIDPolicy vs snippet CertificateFile: FAILURE names don't match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1414) Matching node NameIDPolicy vs snippet Subject: FAILURE names don't match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1419) Matching node NameIDPolicy vs snippet NameIDPolicy: SUCCESS namespace prefixes match
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:2475) Processing node 'NameIDPolicy' with type '(null)'
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:2475) Processing node 'NameIDPolicy' with type 'LassoSamlp2NameIDPolicy'
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1455) lasso_node_impl_init_from_xml <NameIDPolicy>
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1865) lasso_node_impl_init_from_xml </NameIDPolicy> rc=0
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG 2022-11-28 15:38:48 (xml.c/:1865) lasso_node_impl_init_from_xml </AuthnRequest> rc=0
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG nameID policy is <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false"/>
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG nameID format transient
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG default nameID format none
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG nameID format accepted ['none', 'transient', 'email', 'uuid']
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG NameIDFormat is transient
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG nonce is id87094499887952281812778720
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG login required
Nov 28 15:38:48 gavotte-pp authentic2[2542317]: 176.159.32.89 - r:7F0F21895F70 DEBUG redirect to login page with next url /idp/saml2/continue?nonce=id87094499887952281812778720

• Suite à cela, l'utilisateur se retrouve sur le formulaire de connexion et il est déconnecté du point de vue d'Authentic (confirmable en ouvrant Authentic dans un autre onglet).
• Si l'utilisateur se connecte en saisissant ses identifiants, il sera alors bien connecté et redirigé vers le SP qui accepte l'authentification alors sans souci.

L'erreur retournée par Lasso est donc :

lasso.ServerProviderNotFoundError(-201): The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().

Mon problème ici est double :

• je ne comprends pas ce qui ne plaît pas au premier abord dans la requête d'Authentification
• l'utilisateur se retrouve déconnecté et forcé de se connecter à nouveau (même si l'authentification fonctionne ensuite)

Je précise que j'avais rencontré le problème avec la version 4.43-1~eob110+1 et qu'après une mise à jour en 4.49-1~eob110+1, j'ai toujours le problème. Côté lasso, je suis sur la version 2.8.0.1.g7aa6-1~eob110+1 du paquet liblasso3 et c'est la dernière disponible actuellement.