Shibboleth login error


Yugandhar Veeramachaneni

Mar 27, 2016, 12:47:36 PM
to Open edX operations
Hello all,

I tried integrating Shibboleth with my test instance. Once I supply my username and password, SSO is redirecting me to my test instance. However, post redirection to my instance, it's giving me this error - "Authentication failed: SAML login failed: ['invalid_response'] (There is no AttributeStatement on the Response)". 

I followed the guide to enabling third party auth. Can you please point me to what I might be missing? I'll be happy to supply you with any additional information that you will require.

Thank you.

Braden MacDonald

Mar 27, 2016, 7:00:35 PM
to opene...@googlegroups.com
Hi,

First, have you tried using TestShib? I would recommend starting with TestShib as an IdP since it is known to work. Once TestShib is working, then you can try another provider.

The error you're seeing is fairly common and can be a bit tricky to diagnose.

One reason it occurs is that your IdP may not like the Authn context parameter that edx-platform uses by default. You can try going to the edx SAML configuration, find the "other config str" section, and add 

"SECURITY_CONFIG": { "requestedAuthnContext": false }

If that doesn't work, you may need to find a way to capture the SAML XML response being sent by the IdP in order to debug this.

Hope this helps,
--
Braden


Yugandhar Veeramachaneni

Apr 14, 2016, 11:04:02 AM
to Open edX operations
Hello Braden,

I have tried it with TestShib and it worked.

When I try to do it with my university (a member of InCommon, if that would help), I'm getting the error - "Authentication failed: SAML login failed: ['invalid_response'] (There is no AttributeStatement on the Response)".

Here is a log of the SAML request and SAML response.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ONELOGIN_94429aa544828cd7662d91aa2f5ce9d0d851b393"
                    Version="2.0"
                    ProviderName="Indiana University"
                    IssueInstant="2016-04-14T15:00:32Z"
                    Destination="https://idp.iu.edu/shibboleth-idp/profile/SAML2/Redirect/SSO"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="http://shibb-dev.gbps.link/auth/complete/tpa-saml/"
                    >
    <saml:Issuer>http://shibb.gbps.link</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>

SAML Response:


<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="http://shibb-dev.gbps.link/auth/complete/tpa-saml/"
                 ID="_7aee71f425edeb4bcf107cd35409978e"
                 InResponseTo="ONELOGIN_94429aa544828cd7662d91aa2f5ce9d0d851b393"
                 IssueInstant="2016-04-14T15:00:33.530Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  >urn:mace:incommon:iu.edu</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_62aeedb0edf1dc9da73b228eebce0e80"
                     IssueInstant="2016-04-14T15:00:33.530Z"
                     Version="2.0"
                     >
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:iu.edu</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_62aeedb0edf1dc9da73b228eebce0e80">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>/PB0VglLFjJTNGZVoWTqvsnRT8Y=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>R+KBF2W6JbFJThMWUfOid+06UarhMzXf929HFJGOBwfpSLtlYtznDukc4jWMFYgpjkfq9sBf9i4ch6qXJ9kqzhXXdASDfjyhnC+QyY0zSBSelATE1Zu8upA/sp1uMaKcNg74ygT6wFAzoQaCyrbMMuv54RQPGS80ho0y9KWet/jDsLEhTHu0y0Kytqxcvus+Asq5zbkfhnPOSM8KAMOmyCjAfOOWvG6BxijvwX8vQKoecIs5fcHBaaoXEK04X3b7YgF7r6PzTHRDxXyA2FAZ/oNKRKiqRwIjEAjYisvDNrfOku40FV8Hc19kdHANeI73CvzHjnj8g7EaifeefeNiTw==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIEnjCCA4agAwIBAgIJALK5W6TnLzRkMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYDVQQGEwJVUzEQ
MA4GA1UECBMHSW5kaWFuYTEUMBIGA1UEBxMLQmxvb21pbmd0b24xGzAZBgNVBAoTEkluZGlhbmEg
VW5pdmVyc2l0eTEnMCUGA1UECxMeVW5pdmVyc2l0eSBJbmZvcm1hdGlvbiBTeXN0ZW1zMRMwEQYD
VQQDEwppZHAuaXUuZWR1MB4XDTEyMDMwMjIxMDcyOFoXDTIyMDIyODIxMDcyOFowgZAxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdJbmRpYW5hMRQwEgYDVQQHEwtCbG9vbWluZ3RvbjEbMBkGA1UEChMS
SW5kaWFuYSBVbml2ZXJzaXR5MScwJQYDVQQLEx5Vbml2ZXJzaXR5IEluZm9ybWF0aW9uIFN5c3Rl
bXMxEzARBgNVBAMTCmlkcC5pdS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDX
kJME1MEXwJMofzOWFq9Ax60yBxoDSbsuGUwsG8X4eXSXCGWuNjxTsUR3if71wnVuWA5j3O12MJat
PN40UlJUVpGI+yyTf+39Xq0ILjnCEpXvbx8BeteNC5rpDDZMQpbisST/wToHqxSbEwl05pIvmE9E
YitcO9c8VeEGd8jSSPnqMlxEqEBzG0aVFofoFk2eZvxPqNVeDD4fuy74oWYHG9JAEIVO60R7xqjC
hOcLfi0UnkuIyXK9j7objwuScFdzawUFwj8bqr0wYcQ89BMMAwPXqgqfckm216LnEy0xDQjWG7wW
w24mMFp3//V7V9uTQe/x47Lp3Zo4+OGjn0clAgMBAAGjgfgwgfUwHQYDVR0OBBYEFEPHwCKjNTNK
AJ3eUPP+clZUi45QMIHFBgNVHSMEgb0wgbqAFEPHwCKjNTNKAJ3eUPP+clZUi45QoYGWpIGTMIGQ
MQswCQYDVQQGEwJVUzEQMA4GA1UECBMHSW5kaWFuYTEUMBIGA1UEBxMLQmxvb21pbmd0b24xGzAZ
BgNVBAoTEkluZGlhbmEgVW5pdmVyc2l0eTEnMCUGA1UECxMeVW5pdmVyc2l0eSBJbmZvcm1hdGlv
biBTeXN0ZW1zMRMwEQYDVQQDEwppZHAuaXUuZWR1ggkAsrlbpOcvNGQwDAYDVR0TBAUwAwEB/zAN
BgkqhkiG9w0BAQUFAAOCAQEAFzO4fQSwWsuH7KT4NoXJ2StDarj5wkOX9uPWrrQtC9HqNBzxUu/F
b/gHe5Ethp3fuLrUCLsJP8yth/c5ifUgsIvYbvevMbxJvwa1DKoFxyy1Y7Z2WiQMPr5Dw65FDhiS
2k0srCw0Qv9G2oTq7i9EzrhdsCDtm9ywkVui4cklfF9p7VWBrd4zmIOhtltgrn5bQKkvd/C6IuDE
RcGUVm3H4bMVX0R310+623kBaTLsajy5DWB1nPufiuuDMvC4u5V5MFLuih4WNcHQDvlLKDYmTwwz
MuMUT66RYRu3TZsDL2LuGuOyTnT5YZXTUl4ADM7Oqe2rOQeUdCTNomTlqhpZlA==</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                          NameQualifier="urn:mace:incommon:iu.edu"
                          SPNameQualifier="http://shibb.gbps.link"
                          >_47a7206802d6650e80fc4d45b3684fff</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="167.88.123.224"
                                               InResponseTo="ONELOGIN_94429aa544828cd7662d91aa2f5ce9d0d851b393"
                                               NotOnOrAfter="2016-04-14T15:05:33.530Z"
                                               Recipient="http://shibb-dev.gbps.link/auth/complete/tpa-saml/"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-04-14T15:00:33.530Z"
                          NotOnOrAfter="2016-04-14T15:05:33.530Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>http://shibb.gbps.link</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2016-04-14T14:37:01.327Z"
                              SessionIndex="_7991c7c8545ae54035880aaf0681a85d"
                              >
            <saml2:SubjectLocality Address="167.88.123.224" />
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

Thanks for your help!

Yugandhar

Braden MacDonald

Apr 19, 2016, 12:15:17 AM
to opene...@googlegroups.com
Hmm, I can see from the response that, as it says, the response is missing an AttributeStatement.

The response should contain a <saml2:AttributeStatement> tag, as a sibling of the <saml2:AuthnStatement> tag. However, it does not seem to be present.

Did you change the requestedAuthnContext setting as I mentioned in my last email? That change has resolved this issue for some SAML providers in the past. If you've already tried it, I think you should check the log files for your Shibboleth provider - this seems to be a problem with your provider not being configured to send SAML attributes for this type of login request.

--
Braden


Yugandhar Veeramachaneni

Apr 19, 2016, 7:02:22 AM
to opene...@googlegroups.com
Hi Braden,

Thank you for the response. I did make the change to requestedAuthnContext as suggested. It didn't fix this. I initiated a support ticket with the provider. I'll update here after I find a fix for this.

Best,

Yugandhar Veeramachaneni


Yugandhar Veeramachaneni

Apr 28, 2016, 1:47:50 PM
to Open edX operations
Hello Braden,

I got the IdP team to fix the response on their end. Now post authentication, I get a 500 Internal Server Error on the Open edX site.

This is the log I see -

[service_variant=lms][django.request][env:sandbox] ERROR [ip-172-31-52-15  27871] [base.py:213] - Internal Server Error: /auth/complete/tpa-saml/
Traceback (most recent call last):
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 109, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/views/decorators/cache.py", line 89, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/views/decorators/csrf.py", line 77, in wrapped_view
    return view_func(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/apps/django_app/utils.py", line 51, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/apps/django_app/views.py", line 28, in complete
    redirect_name=REDIRECT_FIELD_NAME, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/actions.py", line 43, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/backends/base.py", line 41, in complete
    return self.auth_complete(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/backends/saml.py", line 310, in auth_complete
    return self.strategy.authenticate(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/strategies/django_strategy.py", line 96, in authenticate
    return authenticate(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/contrib/auth/__init__.py", line 45, in authenticate
    user = backend.authenticate(**credentials)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/backends/base.py", line 82, in authenticate
    return self.pipeline(pipeline, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/backends/base.py", line 85, in pipeline
    out = self.run_pipeline(pipeline, pipeline_index, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/backends/base.py", line 112, in run_pipeline
    result = func(*args, **out) or {}
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/pipeline/social_auth.py", line 10, in social_uid
    return {'uid': backend.get_user_id(details, response)}
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/backends/saml.py", line 282, in get_user_id
    uid = idp.get_user_permanent_id(response['attributes'])
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social/backends/saml.py", line 46, in get_user_permanent_id
    self.conf.get('attr_user_permanent_id', OID_USERID)
KeyError: 'urn:oid:0.9.2342.19200300.100.1.1'

Any idea how to fix this?

Thanks,

Yugandhar

Braden MacDonald

Apr 28, 2016, 1:54:07 PM
to opene...@googlegroups.com
Yep, that error means that edX is looking for the 'uid' attribute, but the Shibboleth server is not providing that attribute. You will either need to change the Shibboleth IdP configuration to provide that attribute, or go to the edX Shibboleth provider configuration at /admin/third_party_auth/samlproviderconfig/ and find the "User ID Attribute" field, and enter the OID URN of some other attribute that edX can use to uniquely identify the user. edX requires that your Shibboleth provider assert some kind of unique identifier for each user.

--
Braden
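Both failures in this thread (an Assertion with no AttributeStatement, then a KeyError on the default uid attribute) can be caught by inspecting the decoded SAML Response before handing it to the SP. The checker below is an added example, not edx-platform or python-social-auth code; it assumes a plaintext (unencrypted) Assertion, uses the OID_USERID value from the traceback above, and uses eduPersonPrincipalName's OID only as a constructed sample of an IdP releasing a different identifier.

```python
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# python-social-auth's default attr_user_permanent_id (uid), the name in the KeyError
OID_USERID = "urn:oid:0.9.2342.19200300.100.1.1"
# eduPersonPrincipalName, used here only as a sample of some other released attribute
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"


def diagnose_response(xml_text, user_id_attr=OID_USERID):
    """Return the problems an SP like edX would hit with this plaintext Response;
    an empty list means the two checks that failed in this thread both pass."""
    problems = []
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml2:Assertion", NS)
    if not assertions:
        return ["no plaintext Assertion in Response"]
    for assertion in assertions:
        stmt = assertion.find("saml2:AttributeStatement", NS)
        if stmt is None:
            # First failure: "There is no AttributeStatement on the Response"
            problems.append("Assertion %s has no AttributeStatement" % assertion.get("ID"))
            continue
        names = sorted(a.get("Name") for a in stmt.findall("saml2:Attribute", NS))
        if user_id_attr not in names:
            # Second failure: KeyError on the configured "User ID Attribute"
            problems.append("user id attribute %s not released; IdP sent %s"
                            % (user_id_attr, names))
    return problems


def make_response(attribute_names):
    """Constructed minimal Response for testing; None omits the AttributeStatement."""
    stmt = ""
    if attribute_names is not None:
        attrs = "".join('<saml2:Attribute Name="%s"><saml2:AttributeValue>x'
                        "</saml2:AttributeValue></saml2:Attribute>" % n
                        for n in attribute_names)
        stmt = "<saml2:AttributeStatement>%s</saml2:AttributeStatement>" % attrs
    return ('<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s" ID="_r1" Version="2.0">'
            '<saml2:Assertion ID="_a1" Version="2.0">'
            '<saml2:AuthnStatement AuthnInstant="2016-04-14T14:37:01Z"/>%s'
            "</saml2:Assertion></saml2p:Response>") % (NS["saml2p"], NS["saml2"], stmt)
```

Passing a different `user_id_attr` mirrors changing the "User ID Attribute" field in the provider config: the same Response that fails with the default uid passes once the attribute the IdP actually releases is configured.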
