Been trying to use dm.zope.saml2 (5.0.1) by @dieter to connect to Microsoft metadata to no avail, although I am able to use it to connect to the metadata from other vendors.
Traceback (innermost last):
Module ZPublisher.WSGIPublisher, line 162, in transaction_pubevents
Module ZPublisher.WSGIPublisher, line 359, in publish_module
Module ZPublisher.WSGIPublisher, line 254, in publish
Module ZPublisher.mapply, line 85, in mapply
Module ZPublisher.WSGIPublisher, line 63, in call_object
Module dm.zope.saml2.entity, line 58, in metadata
Module dm.saml2.metadata, line 193, in get_recent_metadata
Module dm.saml2.metadata, line 188, in get_metadata_sets
Module dm.zope.saml2.authority, line 75, in _get_metadata_sets
Module dm.saml2.metadata, line 171, in _get_metadata_sets
Module dm.saml2.metadata, line 260, in _fetch
Module dm.saml2.metadata, line 104, in get_metadata
dm.saml2.metadata.MetadataFetchError: MetadataFetchError for https://sts.windows.net/....
I also tried other metadata files, and connecting to them also failed as long as their entityIDs are pointing to Microsoft.
Luke Tai via Plone Community wrote at 2023-10-18 14:02 +0000:
Been trying to use dm.zope.saml2 (5.0.1) by @dieter to connect to Microsoft metadata to no avail, although I am able to use it to connect to the metadata from other vendors.
Traceback (innermost last):
...
Module dm.saml2.metadata, line 104, in get_metadata
dm.saml2.metadata.MetadataFetchError: MetadataFetchError for https://sts.windows.net/....
The exception is raised because PyXB was unable to deserialize
the metadata document. This can happen when the document contains
extensions PyXB does not know about.
Out of the box, PyXB does not know SAML2 extensions.
Look at the log file (usually in a subfolder of the installation's var
folder and named event.log).
You should there find a log record with the primary exception
information.
This might hint towards the cause of the PyXB deserialization failure.
Once you know why PyXB fails to deserialize the document,
you have several options:
- fetch the metadata document indirectly
  and remove problematic content in the intermediate step.
  You can e.g. download the document,
  edit it with a text editor
  and load the edited version via a file: URL.
  Once you know what needs to get removed,
  you can automate the process, e.g. download via
  a view of your own which uses an XSLT transform to remove
  the problematic parts.
- tell PyXB about the necessary extension.
  dm.saml2 does this e.g. for the "SAML2 context classes".
  You may take this as a starting point to do something similar
  for the extension[s] necessary in your case.
  Look at the dm.saml2 documentation and its gen.sh script.
  Alternatively, you could read the PyXB documentation
  to learn how to make PyXB aware of extension schemas.
@dieter Thanks for your quick response. Also saw this in my log, could it be more than a de-serialization issue? dm.zope.saml2 trying to establish a connection with the entityID? Microsoft's entity id cannot be connected like a website AFAIK.
<urlopen error [Errno -2] Name or service not known>
Luke Tai via Plone Community wrote at 2023-10-18 20:33 +0000:
@dieter Thanks for your quick response. Also saw this in my log, could it be more than a de-serialization issue? dm.zope.saml2 trying to establish a connection with the entityID? Microsoft's entity id cannot be connected like a website AFAIK.
<urlopen error [Errno -2] Name or service not known>
This log entry shows that it is not a deserialization issue.
dm.zope.saml2 (more precisely, its entity.EntityByUrl class)
makes the assumption that the metadata
can be accessed via a URL. Apparently, the URL you have specified
is faulty.
If the metadata is not made available via a URL-addressable web service,
you might be able to get at it in some other way and store
it in the file system. You can then use a file: URL pointing to this
location.
Alternatively, you can implement your own "SAML2 entity" class
(derived from the provided base class) and there get at the
relevant information in any appropriate way and create a
standard SAML2 metadata object from it.
Look at the source (--> dm.zope.saml2.entity and dm.saml2.metadata)
for guidance.
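The "fetch indirectly, remove the problematic parts, load via a file: URL" route from both of dieter's replies, as an added example that is not part of the thread and not code from dm.zope.saml2 or dm.saml2. It assumes (and these are assumptions, not something the thread establishes) that the content PyXB chokes on is everything outside the SAML2 metadata and XML-DSig namespaces plus md:RoleDescriptor elements (whose schema type is abstract and is only ever concretized through an extension type such as the WS-Federation one that Microsoft metadata carries), and it uses a constructed sample document with placeholder hostnames and tenant id instead of a real download. Only the standard library is used.

```python
"""Download a SAML2 IdP metadata document, strip content PyXB may not know,
store the copy on disk and hand back a file: URL for dm.zope.saml2.

Added example, not code from the thread or from dm.zope.saml2/dm.saml2.
Assumptions: unknown content = elements outside the md/ds namespaces plus
md:RoleDescriptor; the sample document below is constructed, not real.
"""
import pathlib
import tempfile
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
KEEP_NS = {MD_NS, DS_NS}
# RoleDescriptorType is abstract in the metadata schema; instances only
# appear with an xsi:type from an extension schema, so drop them (assumption).
DROP_TAGS = {f"{{{MD_NS}}}RoleDescriptor"}
EXTENSIONS_TAG = f"{{{MD_NS}}}Extensions"
SIGNATURE_TAG = f"{{{DS_NS}}}Signature"

# Keep readable prefixes in the serialized copy.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample resembling the shape of a federation metadata document:
# an enveloped signature, a WS-Federation RoleDescriptor, an Extensions block
# with a foreign child, and the SAML2 IdP descriptor we actually want.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://sts.example.invalid/TENANT-ID-PLACEHOLDER/">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions><fed:Something/></Extensions>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.invalid/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _ns(tag):
    """Namespace URI of an ElementTree tag ('{uri}local'), '' if none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _prune(parent, keep_ns, removed):
    """Remove every child (with subtree) outside keep_ns or in DROP_TAGS."""
    for child in list(parent):
        if _ns(child.tag) not in keep_ns or child.tag in DROP_TAGS:
            removed.append(child.tag)
            parent.remove(child)
            continue
        _prune(child, keep_ns, removed)
        # md:Extensions must contain at least one element; drop it if emptied.
        if child.tag == EXTENSIONS_TAG and len(child) == 0:
            removed.append(child.tag)
            parent.remove(child)


def strip_foreign_elements(xml_bytes, keep_ns=KEEP_NS):
    """Return (cleaned_xml_bytes, list_of_removed_tags).

    The enveloped ds:Signature covers the whole document, so once anything
    has been dropped it can no longer verify and is removed as well.
    """
    root = ET.fromstring(xml_bytes)
    removed = []
    _prune(root, keep_ns, removed)
    if removed:
        for sig in root.findall(SIGNATURE_TAG):
            removed.append(sig.tag)
            root.remove(sig)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


def entity_id_of(xml_bytes):
    """The entityID attribute: an identifier, not necessarily a fetchable URL."""
    return ET.fromstring(xml_bytes).get("entityID")


def fetch_and_store(metadata_url, dest_dir, name="idp-metadata.xml"):
    """Fetch from the real metadata location, clean, store; return a file: URL."""
    with urllib.request.urlopen(metadata_url, timeout=30) as resp:
        raw = resp.read()
    cleaned, removed = strip_foreign_elements(raw)
    path = (pathlib.Path(dest_dir) / name).resolve()
    path.write_bytes(cleaned)
    return path.as_uri(), removed


if __name__ == "__main__":
    # Offline demo: serve the constructed sample through a file: URL.
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp) / "download.xml"
        src.write_bytes(SAMPLE_METADATA)
        file_url, dropped = fetch_and_store(src.as_uri(), tmp, "cleaned.xml")
        print("load this in dm.zope.saml2:", file_url)
        print("entityID:", entity_id_of(pathlib.Path(tmp, "cleaned.xml").read_bytes()))
        print("removed:", dropped)
```

Two points for the deployment: `metadata_url` must be the location of the metadata document itself (the entityID in the log is only an identifier, which is why the DNS lookup failed), and because the enveloped signature is dropped, the cleaned copy's integrity rests entirely on fetching over TLS from the right host and on the file being writable only by the process that produces it.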