SAML authentication error

Hi, I'm trying to set up a plone instance with SAML2 authentication
in a new Plone 4.3 production instance (with cache, load balancing,
apache front-end, all the enchilada). I've set up other SAML2 instances
in the past, but now I'm getting the showed bellow.

One suspicious thing I see is that the destination seem incorrect (it's https://myserver//VNC/acl_users/saml2sp/post, shoultdn't be https://myserver/acl_users/saml2sp/post
?). Something is trigering an error in dm/zope/saml2/browser/,
since the destination is different from the url (btw, there seems to be
an error in zope.saml since SamlError doesn't exists).

I don't know how to fix it. ANy ideas?

2015-11-27T14:25:04 ERROR Zope.SiteErrorLog 1448630704.740.362998668326
Traceback (innermost last):
  Module ZPublisher.Publish, line 138, in publish
  Module ZPublisher.mapply, line 77, in mapply
  Module ZPublisher.Publish, line 48, in call_object
  Module dm.zope.saml2.browser.role, line 47, in post
  Module dm.zope.saml2.browser.role, line 74, in _process

traceback_info: <samlp:Response
InResponseTo="_0b16fb56-cb20-4be0-b500-1676953efdde" Version="2.0"
IssueInstant="2015-11-27T13:25:04Z" Destination=""> [...]
NameError: global name 'SamlError' is not defined

I think you are right. The code at dm.zope.saml2-3.1b2-py2.7.egg/dm/zope/saml2/browser/ reads:

# If there are signatures they have been verified by now
#  but we have not yet checked that there are indeed signatures
# verify destination; set, if not available
if saml.Destination and saml.Destination != url:
  raise SamlError("destination mismatch")
saml.Destination = url # necessary for further checks
return getattr(
  self.context, "handle_" + saml._element().name().localName()
  )(saml, **kw)

The required import statement: from exception import SamlError is missing.

Are you sure the metadata.xml is fresh and your IDP and SP endpoints are correct? I always reload and check the metadata.xml twice. :wink:

I also use to debug.

1 Like