Problem with SAML Authentication


Alfred Wertner

Feb 9, 2018, 6:09:15 AM
to Open edX operations

Hi,

I have installed the native version of openEdx 
Release: Ginkgo.1 
OS: Ubuntu 16.04 

I configured third party authentication following the official documentation:

We want students to login via SAML 2.0 (Shibboleth) using the accounts they already have at their university.

Steps done:
1. enabled third party authentication in lms.env.json
2. configured the service provider in the django admin console
  saved the private and public keys
3. configured the identity provider in the django admin console
  Backend name: tpa-saml
  Identity Provider Type: Standard SAML Provider
  Set the User ID Attribute field to: urn.oid:0.9.2342.19200300.100.1.1
  Set all the other attribute fields to: IGNORE

When I try to log in as a student, I do the following:
1. click on sign in
2. click on "use my institution/campus credentials"
3. click on institution in the list
4. the browser redirects to the institutions SSO page
5. enter the credentials and click on login
6. the browser redirects to the openedx welcome page, not logged in.

When I try to sign in again, the following message is shown on the login page:
An error occurred when signing you in to Your Platform Name Here.
auth_entry missing or invalid

Having a look at the lms/edx.log file, it seems that the authentication at the identity provider worked fine.
The log shows this SAML response:

Feb  9 09:45:38 kcs-openedx [service_variant=lms][third_party_auth.saml][env:sandbox] INFO [kcs-openedx  2549] [saml.py:87] - SAML login response for IdP sso-tugraz. XML is:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://kcs-openedx.demo.know-center.at/auth/complete/tpa-saml/" ID="_6c9ba8e61c4aeabd63350e534d21c988" InResponseTo="ONELOGIN_c8dd731868517c320fb9099f5f5498249b22b327" IssueInstant="2018-02-09T08:45:38.571Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.tugraz.at/idp/shibboleth</saml2:Issuer>
   <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </saml2p:Status>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_8228eebbf770ce8dc74c43c14b7f9d6b" IssueInstant="2018-02-09T08:45:38.571Z" Version="2.0">
      <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.tugraz.at/idp/shibboleth</saml2:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_8228eebbf770ce8dc74c43c14b7f9d6b">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                     <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
                  </ds:Transform>
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               <ds:DigestValue>nz0zuRG4dLfKfhyMmkS7gGnd9WE=</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>aIsa/SgzX4klTajW4J1a4lzf3mC1TxFSxWJDKN0K1upwLNOl6zdMqM6LTgJwbJPAhhta+ohCvD4C7NxNi8YdYsq+cB+10jJUAiFEq9cfK0L3NFhbqg4Qc3Pz7x8L05UFmqiOlPeCixZ6UsWLxR7oNYCgAgMvKwbdCbb5X2L2UMOBnTng1T7OtDjbqSqYDDRPAS7gX1//JVaMdJ8lXGFPSj2kU5MPeiYGdC4DT62TDJd1yed6L7D/jNqE38rg81JVBdMcE1CQUUb6eUEsgCqWNzc+dNI1YE5YirW/4a5vENCvX44qAcDH3x4UnIPwi1q63m029AEgX75LKaHvyHDWZQ==</ds:SignatureValue>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>MIIDHzCCAgegAwIBAgIUG6ra0BvXswfyErcCDmzw3AV+uI0wDQYJKoZIhvcNAQEFBQAwGDEWMBQG…</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </ds:Signature>
      <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://sso.tugraz.at/idp/shibboleth" SPNameQualifier="https://lectures.know-center.tugraz.at/shibboleth">_d7ddd7cc5d55dff2f4bc4ac24445359c</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData Address="129.27.219.242" InResponseTo="ONELOGIN_c8dd731868517c320fb9099f5f5498249b22b327" NotOnOrAfter="2018-02-09T08:50:38.571Z" Recipient="http://kcs-openedx.demo.know-center.at/auth/complete/tpa-saml/" />
         </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2018-02-09T08:45:38.571Z" NotOnOrAfter="2018-02-09T08:50:38.571Z">
         <saml2:AudienceRestriction>
            <saml2:Audience>https://lectures.know-center.tugraz.at/shibboleth</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2018-02-09T08:45:38.494Z" SessionIndex="_aba22f73a6816727097b70a270b6981a" SessionNotOnOrAfter="2018-02-09T18:45:38.571Z">
         <saml2:SubjectLocality Address="129.27.219.242" />
         <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
         </saml2:AuthnContext>
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
         <saml2:Attribute FriendlyName="userid" Name="urn.oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ABC</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ABC</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ABC</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ABC</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ABC</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ABC</saml2:AttributeValue>
         </saml2:Attribute>
      </saml2:AttributeStatement>
   </saml2:Assertion>
</saml2p:Response>

And after the response the error is logged:

Feb  9 09:45:38 kcs-openedx [service_variant=lms][social][env:sandbox] ERROR [kcs-openedx  2549] [middleware.py:41] - auth_entry missing or invalid

Where do I need to set the "auth_entry"?
The error is logged in the parse_query_params method in the edxapp\edx-platform\common\djangoapps\third_party_auth\pipeline.py 
Does it have something to do with pipeline settings?

Can you explain to me how to add debug statements that are logged to edx.log? I added some in the Python file but the changes are not reflected in the logs.

Thanks for your help!

Best,
 Alfred
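Added example, not code from edx-platform, python-saml or anyone in this thread: a stand-alone Python script that runs the plaintext checks a service provider should apply to a response like the one logged above, in addition to XML signature verification (which the script deliberately leaves to the SAML library). It checks the Status, the Destination and the bearer Recipient against the configured ACS URL, both InResponseTo values against the ID of the AuthnRequest that was sent, that exactly one Assertion is present and that the ds:Reference covers that Assertion's ID, the Conditions time window with a small clock-skew allowance, the Audience against the SP entity ID, and that the configured user ID attribute occurs exactly once. The sample response is constructed from the structure of the logged one (IDs shortened, signature value, certificate and extra attributes dropped); the expected values (SP entity ID, ACS URL, request ID, attribute name) are assumptions standing in for the Django admin settings. Two things the logged response makes visible are reported by the script: the ACS URL is plain http, and the assertion is signed with rsa-sha1 and a sha1 digest. The attribute lookup compares the configured Name byte-for-byte with what the IdP sends, so the sample keeps the `urn.oid:` spelling from the logged response; any difference between the admin setting and the assertion shows up as a missing attribute.

```python
# Added example (not edx-platform or python-saml code): the plaintext checks an SP should
# apply to a SAML Response before trusting it. XML signature verification is left to the
# SAML library; these catch wrong URLs, entity IDs, attribute names, stale assertions, SHA-1.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SHA1_ALGS = ("http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1")

# Constructed sample modelled on the response logged above: IDs shortened; signature value,
# certificate, Issuer and all attributes but the user ID dropped; structure otherwise kept.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="http://kcs-openedx.demo.know-center.at/auth/complete/tpa-saml/"
 ID="_6c9b" InResponseTo="ONELOGIN_c8dd" IssueInstant="2018-02-09T08:45:38.571Z" Version="2.0">
 <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
 <saml2:Assertion ID="_8228" IssueInstant="2018-02-09T08:45:38.571Z" Version="2.0">
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#_8228"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml2:Subject><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml2:SubjectConfirmationData InResponseTo="ONELOGIN_c8dd" NotOnOrAfter="2018-02-09T08:50:38.571Z"
    Recipient="http://kcs-openedx.demo.know-center.at/auth/complete/tpa-saml/"/>
  </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2018-02-09T08:45:38.571Z" NotOnOrAfter="2018-02-09T08:50:38.571Z">
   <saml2:AudienceRestriction><saml2:Audience>https://lectures.know-center.tugraz.at/shibboleth</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement><saml2:Attribute FriendlyName="userid" Name="urn.oid:0.9.2342.19200300.100.1.1">
   <saml2:AttributeValue>ABC</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
 </saml2:Assertion></saml2p:Response>"""

# Assumed SP-side configuration (what the Django admin settings would hold); replace with yours.
EXPECTED = dict(sp_entity_id="https://lectures.know-center.tugraz.at/shibboleth",
                acs_url="http://kcs-openedx.demo.know-center.at/auth/complete/tpa-saml/",
                request_id="ONELOGIN_c8dd",  # ID of the AuthnRequest this response answers
                user_id_attr="urn.oid:0.9.2342.19200300.100.1.1")  # spelt as in the logged response
SAMPLE_NOW = datetime(2018, 2, 9, 8, 46, tzinfo=timezone.utc)  # inside the 5-minute validity window


def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, sp_entity_id, acs_url, request_id, user_id_attr,
                   now, skew=timedelta(seconds=60)):
    """Return the list of problems found; an empty list means every plaintext check passed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["top-level element is not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    problems = [msg for ok, msg in (
        (status is not None and status.get("Value") == SUCCESS, "StatusCode is not Success"),
        (root.get("Destination") == acs_url, "Destination != configured ACS URL"),
        (acs_url.startswith("https://"), "ACS URL is not https: the bearer assertion is POSTed in clear"),
        (root.get("InResponseTo") == request_id, "Response InResponseTo != AuthnRequest ID"),
    ) if not ok]
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguity about which assertion the signature covers
        return problems + ["expected exactly one Assertion, found %d" % len(assertions)]
    a = assertions[0]
    sig = a.find("ds:Signature", NS)
    if sig is None:
        problems.append("Assertion is not signed")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
            problems.append("Signature Reference does not cover this Assertion's ID")
        for m in sig.iter():  # SignatureMethod and DigestMethod both carry an Algorithm
            if m.get("Algorithm") in SHA1_ALGS:
                problems.append("SHA-1 based algorithm in signature: " + m.get("Algorithm"))
    expired = lambda el, attr: el.get(attr) is not None and now - skew >= _ts(el.get(attr))
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = a.find("saml:Conditions", NS)
    if scd is None or cond is None:
        return problems + ["SubjectConfirmationData or Conditions missing"]
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    values = [v.text for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)
              if at.get("Name") == user_id_attr for v in at.findall("saml:AttributeValue", NS)]
    problems += [msg for ok, msg in (
        (scd.get("Recipient") == acs_url, "SubjectConfirmationData Recipient != ACS URL"),
        (scd.get("InResponseTo") == request_id, "SubjectConfirmationData InResponseTo != AuthnRequest ID"),
        (not expired(scd, "NotOnOrAfter"), "SubjectConfirmationData expired"),
        (cond.get("NotBefore") is None or now + skew >= _ts(cond.get("NotBefore")), "assertion not yet valid"),
        (not expired(cond, "NotOnOrAfter"), "assertion expired"),
        (sp_entity_id in audiences, "Audience %r does not include SP entity ID %r" % (audiences, sp_entity_id)),
        (len(values) == 1 and bool(values[0]), "user ID attribute %r missing or not single-valued" % user_id_attr),
    ) if not ok]
    return problems


def run_checks(minutes_later=0, **overrides):
    """Check the constructed sample against EXPECTED (keys overridable), at SAMPLE_NOW + minutes."""
    now = SAMPLE_NOW + timedelta(minutes=minutes_later)
    return check_response(SAMPLE_RESPONSE, now=now, **dict(EXPECTED, **overrides))
```

Run against the constructed sample with the assumed settings, `run_checks()` reports only the plain-http ACS URL and the two SHA-1 algorithms; `run_checks(minutes_later=30)` adds the two expiry findings, and overriding `sp_entity_id`, `acs_url` or `user_id_attr` shows how an Audience, Recipient/Destination or attribute-name mismatch surfaces. The script reads the response after the SAML library has already parsed it, so it is a diagnostic to run alongside signature verification, never a replacement for it.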
 

Alfred Wertner

Feb 13, 2018, 11:07:45 AM
to Open edX operations
I found in the metadata.xml the following line
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://kcs-openedx.demo.know-center.at/auth/complete/tpa-saml/" index="1"/>

Is the value of Location missing the auth_entry as parameter?

Best,
 Alfred

Deepesh Mahule

Jul 25, 2019, 6:22:30 AM
to Open edX operations
Hi Alfred, good evening,

I am Deepesh. We are trying to implement SAML 2.0 with Open edX for one of our clients. We are facing challenges while implementing it and are unable to find the root cause.

It always ends with either "Internal server error" or "Error Details: Authentication failed: SAML login failed: ['invalid_response'] (Signature validation failed. SAML Response rejected)"

Wondering if you can spend some time to help us out.

We are using Open edX Hawthorn

Appreciate your help.

Thanks, 
Deepesh Mahule