SAML authentication error

Hi, I'm trying to set up a Plone instance with SAML2 authentication
in a new Plone 4.3 production instance (with cache, load balancing,
apache front-end, the whole enchilada). I've set up other SAML2 instances
in the past, but now I'm getting the error shown below.

One suspicious thing I see is that the destination seems incorrect (it's https://myserver//VNC/acl_users/saml2sp/post, shouldn't it be https://myserver/acl_users/saml2sp/post
?). Something is triggering an error in dm/zope/saml2/browser/role.py:74,
since the destination is different from the URL (btw, there seems to be
an error in zope.saml since SamlError doesn't exist).

I don't know how to fix it. Any ideas?

2015-11-27T14:25:04 ERROR Zope.SiteErrorLog 1448630704.740.362998668326 https://portal.zimbra-vnc.de/VNC/acl_users/saml2sp/post
Traceback (innermost last):
  Module ZPublisher.Publish, line 138, in publish
  Module ZPublisher.mapply, line 77, in mapply
  Module ZPublisher.Publish, line 48, in call_object
  Module dm.zope.saml2.browser.role, line 47, in post
  Module dm.zope.saml2.browser.role, line 74, in _process
   -

traceback_info: <samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s20703863e1fffb6e603b8ee60f087301e8dfc3d83"
InResponseTo="_0b16fb56-cb20-4be0-b500-1676953efdde" Version="2.0"
IssueInstant="2015-11-27T13:25:04Z" Destination="https://portal.zimbra-vnc.de//VNC/acl_users/saml2sp/post"> [...]
</saml:Assertion></samlp:Response>
NameError: global name 'SamlError' is not defined

I think you are right. The code at dm.zope.saml2-3.1b2-py2.7.egg/dm/zope/saml2/browser/role.py reads:

# If there are signatures they have been verified by now
#  but we have not yet checked that there are indeed signatures
# verify destination; set, if not available
if saml.Destination and saml.Destination != url:
  raise SamlError("destination mismatch")
saml.Destination = url # necessary for further checks
return getattr(
  self.context, "handle_" + saml._element().name().localName()
  )(saml, **kw)

The required import statement, from exception import SamlError, is missing.
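To make the two points above concrete (the Destination check that role.py performs, and the double slash that makes it fail), here is an added stand-alone example that is not code from dm.zope.saml2 or from either poster. It assumes a locally defined SamlError stand-in and a constructed Response with a placeholder host, and adds a diagnostic that tells a doubled slash in the metadata apart from a genuinely wrong endpoint.

```python
# Added example, not dm.zope.saml2 code: the Destination check from role.py,
# with the missing exception class defined locally so the check can actually fail
# cleanly, plus a helper that explains why a strict comparison did not match.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class SamlError(Exception):
    """Stand-in for the SamlError that role.py raises without importing (assumption)."""


# Constructed sample: the Response element from the traceback above, assertion body
# omitted and the host replaced by a placeholder. Note the '//' before VNC.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_example_id" InResponseTo="_example_request" Version="2.0"
IssueInstant="2015-11-27T13:25:04Z"
Destination="https://sp.example.test//VNC/acl_users/saml2sp/post"></samlp:Response>"""


def response_destination(xml_text):
    """Return the Destination attribute of a samlp:Response (None if absent)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise SamlError("not a samlp:Response element")
    return root.get("Destination")


def check_destination(xml_text, acs_url):
    """Strict check as in role.py: a present Destination must equal the receiving URL
    byte for byte (this is what stops a Response meant for one endpoint being
    replayed to another). Returns the effective destination or raises SamlError."""
    dest = response_destination(xml_text)
    if dest and dest != acs_url:
        raise SamlError("destination mismatch: %s != %s" % (dest, acs_url))
    return dest or acs_url


def destination_matches(xml_text, acs_url):
    """Boolean wrapper around check_destination for callers that only need yes/no."""
    try:
        check_destination(xml_text, acs_url)
        return True
    except SamlError:
        return False


def explain_mismatch(dest, acs_url):
    """Diagnose a failed strict check: if collapsing repeated slashes in the path makes
    the URLs equal, the fault is a doubled slash in the SP/IdP metadata, not a wrong host."""
    def normalise(u):
        p = urlsplit(u)
        return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                           re.sub(r"/{2,}", "/", p.path), p.query, p.fragment))
    if dest == acs_url:
        return "match"
    if normalise(dest) == normalise(acs_url):
        return "path differs only by repeated slashes: fix the AssertionConsumerService URL in the metadata"
    return "endpoints differ: check the IdP and SP metadata"
```

Running check_destination on the sample against the single-slash URL raises the "destination mismatch" error that the traceback on this page reached before the NameError hid it.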

Are you sure the metadata.xml is fresh and your IDP and SP endpoints are correct? I always reload and check the metadata.xml twice. :wink:

I also use https://addons.mozilla.org/nl/firefox/addon/saml-tracer/ to debug.
