IdentityPython/pysaml2

Previously working saml integration fails with `KeyError: 'requested_attribute'` with pysaml2>=7.3.0

lgarvey opened this issue · 1 comments

Upgrading to pysaml2>=7.3.0 breaks an existing AWS SAML integration.

Code Version

7.3.0

Expected Behavior

We'd expect a successful authentication

Current Behavior

A key error is raised in the mdstore.attribute_requirement() function

Possible Solution

Reintroduce the try/except KeyError block that was removed in this commit.

a9fe345#diff-09a88bc829016486f76a00a634c17dbb59c113762723c7edb0c4c0e5103e6511L690

Steps to Reproduce

The djangosaml2idp module calls pysaml2 idp.create_authn_request() with the following args:

```
return idp_server.create_authn_response(**args)
```

```
(Pdb) args
user = <SimpleLazyObject: <User: redacted@redacted.com>>
authn = {'class_ref': 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'method': '', 'level': 0, 'authn_auth': ''}
resp_args = {'in_response_to': '_76a480de8f7546a482ede3d4f6acdbbe82d92c70', 'name_id_policy': <saml2.samlp.NameIDPolicy object at 0x10b39d750>, 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'destination': 'http://127.0.0.1:35001'}
service_provider = <SamlApplication: aws vpn (urn:amazon:webservices:clientvpn)>
```

A key error then occurs:

```
.../python3.10/site-packages/saml2/mdstore.py(697)attribute_requirement()
-> _res = attribute_requirement(sp_desc, index)
(Pdb) n
KeyError: 'requested_attribute'
```

Previously this block of code was wrapped in a `try` / `except KeyError:`, which was removed in this commit:

a9fe345#diff-09a88bc829016486f76a00a634c17dbb59c113762723c7edb0c4c0e5103e6511L690

I can provide metadata/authn request and the contents of the sp_desc arg if needed. I'd also be happy to raise a PR to reintroduce the try/except logic.

This should be fixed by 076563b

Thank you for the report.
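The failure mode reported in this issue, as an added example that is not pysaml2's code and not the change made in 076563b: direct key access on a service-provider descriptor that requests no attributes, next to a lookup that treats the missing element as "nothing requested". Only `sp_desc`, `index` and `'requested_attribute'` come from the report; the descriptor layout, the other keys and all function names are assumptions made for illustration.

```python
# Added illustration, not pysaml2 code. Descriptor layout is an assumption:
# only sp_desc, index and 'requested_attribute' are names from the report.

def _bucket(res, attr):
    # Hypothetical convention: is_required is carried as the string "true".
    key = "required" if attr.get("is_required") == "true" else "optional"
    res[key].append(attr["name"])

def strict_requirement(sp_desc, index=None):
    """Direct key access: raises KeyError when the SP requests no attributes."""
    res = {"required": [], "optional": []}
    for acs in sp_desc["attribute_consuming_service"]:
        if index is not None and acs.get("index") != index:
            continue
        for attr in acs["requested_attribute"]:
            _bucket(res, attr)
    return res

def tolerant_requirement(sp_desc, index=None):
    """Treats a missing element as 'nothing requested' instead of failing."""
    res = {"required": [], "optional": []}
    for acs in sp_desc.get("attribute_consuming_service") or []:
        if index is not None and acs.get("index") != index:
            continue
        for attr in acs.get("requested_attribute") or []:
            _bucket(res, attr)
    return res

# Constructed sample descriptors (not real metadata).
SP_WITH_ATTRS = {"attribute_consuming_service": [{"index": "1", "requested_attribute": [
    {"name": "mail", "is_required": "true"}, {"name": "displayName"}]}]}
SP_WITHOUT_ATTRS = {"attribute_consuming_service": [{"index": "1"}]}

def strict_fails(sp_desc):
    """Return the missing key name if the strict lookup raises, else None."""
    try:
        strict_requirement(sp_desc)
    except KeyError as exc:
        return exc.args[0]
    return None

if __name__ == "__main__":
    print(strict_fails(SP_WITHOUT_ATTRS))
    print(tolerant_requirement(SP_WITHOUT_ATTRS))
    print(tolerant_requirement(SP_WITH_ATTRS))
```

A regression test that feeds the identity provider metadata without requested attributes catches this class of break before an upgrade reaches production sign-in.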