Comments (14)
I am having the same issue with django/social-auth
Authentication failed: SAML login failed: ['invalid_response'] (The response was received at http://localhost:8000/social/complete/saml/ instead of http://localhost:8011/social/complete/saml/)
django is running in a docker container on port 8000 but 8011 is exposed.
UPDATE
Okay, if the actual port is different than the port in the browser then the problem occurs.
This may be when django is running in a docker container or behind an NGINX.
To fix this set USE_X_FORWARDED_PORT=True in Django settings and configure HTTP_X_FORWARDED_PORT in NGINX.
See
def get_port(self):
    """Return the port number for the request as a string."""
    if settings.USE_X_FORWARDED_PORT and 'HTTP_X_FORWARDED_PORT' in self.META:
        port = self.META['HTTP_X_FORWARDED_PORT']
    else:
        port = self.META['SERVER_PORT']
    return str(port)
okay
from python3-saml.
I probably spent about 6 hours debugging this, but the issue came down to the request data (generated from python social auth SAML backend) using my local host port of '8000' instead of the https port '443'. It is odd, because the metadata generation (part of this onelogin library) generates the correct reply url. But apparently it uses a different function to construct the reply back url when making a request.
from django.conf import settings
from onelogin.saml2.auth import OneLogin_Saml2_Auth

def _create_saml_auth(self, idp):
    """Get an instance of OneLogin_Saml2_Auth"""
    config = self.generate_saml_config(idp)
    # This is where we override the server port setting to the https default port.
    if settings.USING_NGROK and settings.ON_DEVELOPMENT:
        server_port = '443'
    else:
        server_port = self.strategy.request_port()
    request_info = {
        'https': 'on' if self.strategy.request_is_secure() else 'off',
        'http_host': self.strategy.request_host(),
        'script_name': self.strategy.request_path(),
        'server_port': server_port,
        'get_data': self.strategy.request_get(),
        'post_data': self.strategy.request_post(),
    }
    return OneLogin_Saml2_Auth(request_info, config)
from python3-saml.
Review how you build the request and be sure that the ACS endpoint that you registered at the IdP matches the URL of the view that processes the SAMLResponse (acs endpoint), which uses the request object to calculate it.
from python3-saml.
I am experiencing this issue as well.
For reference I am using ngrok.exe as a tunnel, which is tunnelling local host port 8000 to an ngrok public url. I am also calling this library through Django python social auth libraries saml backend.
I have narrowed this issue down to where saml2 validates the response from the SAML IDP. It appears to be coming from onelogin/saml2/response.py, specifically the function to obtain the "current" url:
saml2.auth.process_response calls response.is_valid(self.__request_data, request_id).
response.is_valid tries to get the 'current' url, which is the url where the script is running. It returns HTTP instead of HTTPS, and also adds a port while there shouldn't actually be one.
onelogin.saml2.util.get_self_url_no_query is where this happens.
from python3-saml.
Guys, do you have solution for this?
I have the same problem. I put Single Sign On URL: {url}/api/socialisme/auth/saml/finalize/
But I got this error:
{url}:80/api/socialisme/auth/saml/finalize/ instead of {url}/api/socialisme/auth/saml/finalize/
Also when I included the port in Single Sign On Url I got error:
This site can’t provide a secure connection test.balkan.skypicker.com sent an invalid response.
Solution?
Thanks
from python3-saml.
I'm having a similar issue, but in my case it's https:// being added twice. The error I get is the following: The response was received at https://https://<myurl>/saml/acs instead of https://<myurl>/saml/acs
from python3-saml.
Hey Guys,
I'm also facing the same issue as stated earlier by coler-j. I'm using my company login as idp.
It's working fine with localhost http://127.0.0.1:5000
But when I replace it with my company entity id (https://xxx.yyy.net/metadata) and acs url (https://xxx.yyy.net/saml/acs/), it's not working.
After successful login, the post url is hitting the assertion endpoint for saml response validation. I got samlresponse and relaystate in the saml response.
But after that, I'm getting an invalid user error. Am I missing any attributes?
Please help me guys to fix this.
from python3-saml.
Even I'm facing the same issue.
When I do
errors = []
auth.process_response()
errors = auth.get_errors()
if not errors:
    ...rest of the code
I get the invalid response from auth.get_errors()
I'm using Django 3.0+ Nginx + Gunicorn.
Is there any fix for this?
Thanks
UPDATE:
Since I was using Nginx and Gunicorn, Gunicorn was running locally so the request object's http_host was getting value localhost.
So I hardcoded the http_host key's value to our URL. (example: xyz.com) and this worked.
result = {
    'https': 'on' if request.is_secure() else 'off',
    #'http_host': request.META['HTTP_HOST'],
    'http_host': 'xyz.com',
    'script_name': request.META['PATH_INFO'],
    'server_port': request.META['SERVER_PORT'],
    'get_data': request.GET.copy(),
    # Uncomment if using ADFS as IdP,
    # https://github.com/onelogin/python-saml/pull/144
    'lowercase_urlencoding': True,
    'post_data': request.POST.copy()
}
from python3-saml.
I am still facing this issue
Seems my request info is correct,
from urllib.parse import urlparse
from django.conf import settings

def build_request_info(request):  # function name assumed; the post shows only the body
    redirect_uri = settings.REALME_AUTH_REDIRECT_URI
    parsed_url = urlparse(redirect_uri)
    server_port = parsed_url.port
    if server_port is None:
        server_port = '443' if parsed_url.scheme == 'https' else '80'
    return {
        'http_host': parsed_url.hostname,
        'script_name': request.META['PATH_INFO'],
        'server_port': server_port,
        'get_data': request.GET.copy(),
        'post_data': request.POST.copy(),
        'https': 'on' if parsed_url.scheme == 'https' else 'off',
    }
any solution around this?
from python3-saml.
I am having the same issue with django in a kubernetes cluster. I have raised an issue here as your suggestion for using USE_X_FORWARDED_PORT = True
did not work for me.
UPDATE
It works after adding X-Forwarded-Port = 443 as a custom header within the Google load balancer (https://cloud.google.com/load-balancing/docs/custom-headers) and setting SOCIAL_AUTH_REDIRECT_IS_HTTPS = True in settings.py
from python3-saml.
Using the settings below worked for me:
USE_X_FORWARDED_HOST = True
USE_X_FORWARDED_PORT = True
More info: https://docs.djangoproject.com/en/3.2/ref/settings/#use-x-forwarded-host
from python3-saml.
I got it fixed by modifying the code in the onelogin/saml2/utils.py file. Comment out Lines 292-299:
'''
        if ':' in current_host:
            current_host_data = current_host.split(':')
            possible_port = current_host_data[-1]
            try:
                int(possible_port)
                current_host = current_host_data[0]
            except ValueError:
                current_host = ':'.join(current_host_data)
'''
I don't know why they have code to specifically remove port information when matching the ACS path to the configured ACS value, but it was breaking a valid configuration.
EDIT: At the time of this writing, they've updated the repo to no longer remove the port info, but the updated code is not released in a tagged version yet. If you're using v1.11.0, the fix above still applies.
from python3-saml.
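The ACS-URL mismatch running through this thread (the USE_X_FORWARDED_PORT fix in the first comment, the hard-coded http_host and server_port workarounds, and the port-stripping block in utils.py above), as an added example that is not python3-saml's code nor any commenter's: it rebuilds the "current URL" from a request_data dict of the shape the thread shows and checks it against the configured ACS URL. The host names, proxy address and META values are constructed placeholders, and the URL reconstruction only mimics the library's logic.

```python
# Added example, not python3-saml's or any commenter's code. It rebuilds the
# "current URL" the library compares with the configured ACS URL from a
# request_data dict of the shape shown in this thread, and shows how honoring
# X-Forwarded-* headers from a trusted proxy hop makes it match again.
CONFIGURED_ACS = "https://chat.example.com/complete/saml/"  # placeholder ACS
TRUSTED_PROXIES = {"10.0.0.5"}  # assumption: address of the nginx / LB hop

def self_url_no_query(request_data):
    """Mimic scheme://host[:port]/path reconstruction (like get_self_url_no_query)."""
    scheme = "https" if request_data["https"] == "on" else "http"
    host = request_data["http_host"]
    # Strip a port already present in http_host, as utils.py lines 292-299 do.
    if ":" in host and host.rsplit(":", 1)[1].isdigit():
        host = host.rsplit(":", 1)[0]
    port = str(request_data["server_port"])
    # Only the scheme's default port is omitted, so https + server_port 80 gives ":80".
    default = (scheme == "http" and port == "80") or (scheme == "https" and port == "443")
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{request_data['script_name']}"

def request_data_from(meta, remote_addr, honor_forwarded):
    """Build request_data from WSGI META; X-Forwarded-* only from a trusted hop."""
    trusted = honor_forwarded and remote_addr in TRUSTED_PROXIES
    proto = meta.get("HTTP_X_FORWARDED_PROTO") if trusted else None
    host = meta.get("HTTP_X_FORWARDED_HOST") if trusted else None
    port = meta.get("HTTP_X_FORWARDED_PORT") if trusted else None
    https = (proto == "https") if proto else (meta.get("wsgi.url_scheme") == "https")
    return {
        "https": "on" if https else "off",
        "http_host": host or meta["HTTP_HOST"],
        "script_name": meta["PATH_INFO"],
        "server_port": port or meta["SERVER_PORT"],
        "get_data": {}, "post_data": {},
    }

# Constructed META, as gunicorn in a container behind nginx would see it.
META = {
    "wsgi.url_scheme": "http", "HTTP_HOST": "localhost:8000",
    "SERVER_PORT": "8000", "PATH_INFO": "/complete/saml/",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "chat.example.com",
    "HTTP_X_FORWARDED_PORT": "443",
}

def acs_matches(meta, honor_forwarded, remote_addr="10.0.0.5"):
    """Return (reconstructed URL, whether it equals the configured ACS URL)."""
    url = self_url_no_query(request_data_from(meta, remote_addr, honor_forwarded))
    return url, url == CONFIGURED_ACS
```

Dropping X-Forwarded-Port while nginx listens on port 80 reproduces the "https://host:80/..." form seen later in this thread, which is why the port header has to be forwarded along with the scheme and host.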
Dear Team,
I have got the same error ['invalid_response'] in a freshly installed zulip server on ubuntu 20.x. I am trying to achieve SSO with gsuite.
Server is behind load-balancer and nginx proxy
ZULIP_VERSION = "5.1"
Can someone please help me with exact changes with file location? I have already tried adding custom headers without success.
Server log for reference:
2022-04-04 18:42:44.864 INFO [zulip.auth.saml] AuthFailed: Authentication failed: SAML login failed: ['invalid_response'] (The response was received at https://chat.example.com:80/complete/saml/ instead of https://chat.example.com/complete/saml/)
from python3-saml.
I am facing this error -
AuthFailed("SAML login failed: ['invalid_response'] (The status code of the Response was not Success, was Requester -> Invalid request, ACS Url in request http://application:8000/v1/social/complete/saml/ doesn't match configured ACS Url https://example.com/v1/social/complete/saml/.)")
I am using docker which is running the django on application:8000, nginx which is proxy passing all the request made on port 80 to this docker, I also have a load balancer which is connected to the domain and connected to the autoscaling group.
from python3-saml.