Package appears to be broken
michaelsteigman opened this issue · 7 comments
Opening a new issue around the reports at the bottom of #25. The issues reported by all of those users are different from the issue the OP reported.
To summarize, with everything configured on the Okta/IdP side (signing turned on, etc.) and the METADATA_AUTO_CONF_URL set, the login process breaks when Pysaml tries to sign the request using xmlsec without a private key. The com_list in my case looks like
['/usr/local/bin/xmlsec1', '--sign', '--privkey-pem', None, '--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest', '--node-id', 'id-DfHiSpJb952UZTS0G']
The last call is below - _runxmlsec in the Pysaml module. The exception generated by this mis-configuration is not an XmlsecError so it's uncaught.
The actual error is
TypeError: sequence item 3: expected str instance, NoneType found error
And all I see in the log is
Internal Server Error: /accounts/login/
Internal Server Error: /accounts/login/
I have spent some time tracking the code path and context at each step and don't see where the private key could possibly be populated from. That, along with the reports from other users on the same error, leads me to believe that the package is broken at the moment. I don't have experience with the package, however, and would be happy to be proven wrong.
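Added example, not part of the original post and not code from pysaml2 or django-saml2-auth: a pre-flight check that turns the None entry in the com_list quoted above into a readable configuration error, next to the bare TypeError that Python's str.join produces for the same list. The helper names (missing_values, check_command, raw_failure, SigningConfigError) are hypothetical, and the sample list is constructed from the one in the report.

```python
# Constructed sample mirroring the com_list quoted in the issue.
COM_LIST = [
    "/usr/local/bin/xmlsec1", "--sign", "--privkey-pem", None,
    "--id-attr:ID", "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest",
    "--node-id", "id-DfHiSpJb952UZTS0G",
]


class SigningConfigError(ValueError):
    """Hypothetical error type: a signing command lacks a required value."""


def missing_values(com_list):
    """Return (index, preceding_flag) for every None entry in the list."""
    problems = []
    for i, item in enumerate(com_list):
        if item is None:
            prev = com_list[i - 1] if i > 0 else None
            flag = prev if isinstance(prev, str) else "<unknown>"
            problems.append((i, flag))
    return problems


def check_command(com_list):
    """Fail with a message naming the empty flag instead of a bare TypeError."""
    problems = missing_values(com_list)
    if problems:
        detail = ", ".join(f"{flag} (item {i})" for i, flag in problems)
        raise SigningConfigError(
            f"xmlsec1 command has no value for: {detail}; "
            "request signing was attempted without a configured private key"
        )
    return list(com_list)


def raw_failure(com_list):
    """Show the unhelpful error: str.join rejects a None item."""
    try:
        " ".join(com_list)
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("unguarded:", raw_failure(COM_LIST))
    try:
        check_command(COM_LIST)
    except SigningConfigError as exc:
        print("guarded:  ", exc)
```
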
Hey @michaelsteigman,
This package doesn't support assertion encryption for now, but I'd be happy to see contributions. The support is already available, thanks to pysaml2, but the django-saml2-auth should have a way to pass down the keys and secrets to the pysaml2 library, which it doesn't at the moment. The configuration options are documented here:
Thanks for the response, @mostafa.
I must be missing something. I did not ask for the assertion to be encrypted. (I'd guess the same for the posters reporting the same issue on #25). If I was, this error would make some sense.
I am just trying to get a basic integration going with Okta via SAML.
What do I need to do to turn off assertion encryption?
@michaelsteigman You need to turn it off on the Okta app you created.
@mostafa Unfortunately, that is not the issue. See settings below.
Also tried setting assertions to unsigned but still see the error
TypeError: sequence item 3: expected str instance, NoneType found error
Other suggestions?
My settings in Django are just
SAML2_AUTH = {
    "METADATA_AUTO_CONF_URL": os.environ.get("METADATA_AUTO_CONF_URL"),
    "DEBUG": DEBUG,
    "ATTRIBUTES_MAP": {
        "email": "user.email",
        "username": "user.username",
        "first_name": "user.first_name",
        "last_name": "user.last_name",
        "token": "Token",
    },
    "ASSERTION_URL": "http://localhost:8000",
    "ENTITY_ID": "http://localhost:8000/sso/acs/",
}
@michaelsteigman Can you confirm this comment?
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.