Test a token fails to parse SAML error response when testing a token #347

Open
pmeulen opened this issue Nov 27, 2024 · 0 comments
Reproduce:

  1. Login to SelfService with a registered WebAuthn or Tiqr token
  2. Use "test a token" to start an authentication for the token
  3. Cancel the authentication at the GSSP (i.e. Tiqr or WebAuthn)

SelfService shows a text screen with `Authentication failure: An authentication exception occurred.: "Failed SAMLResponse parsing"`.

```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_d77910bf1d874435f6a2b85a5eba2202b37e31dd31e1fc92f665d263b4b6"
                Version="2.0"
                IssueInstant="2024-11-27T16:50:18Z"
                Destination="https://sa.acc.surfconext.nl/authentication/consume-assertion"
                InResponseTo="_049c3a74586890564379c4efa7980538e29630f28209fc1e67576a116151"
                >
    <saml:Issuer>https://sa-gw.acc.surfconext.nl/authentication/metadata</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
        </samlp:StatusCode>
        <samlp:StatusMessage>Cannot process response, preconditions not met: "Responder/AuthnFailed User cancelled the request"</samlp:StatusMessage>
    </samlp:Status>
</samlp:Response>
```

SelfService logs:

```
selfservice[790]: {"message":"No authenticated user and AuthnRequest pending, attempting to process SamlResponse","context":{"sari":"_049c3a74586890564379c4efa7980538e29630f28209fc1e67576a116151"},"level":250,"level_name":"NOTICE","channel":"app","datetime":"2024-11-27T17:50:18+01:00","extra":{"server":"sa.acc.surfconext.nl","application":"self-service","request_id":"17750d8d7bd1c9a9855e36ecac2f9db5"}}
selfservice[790]: {"message":"SAML Authentication failed at IdP: \"Cannot process response, preconditions not met: \"Responder/AuthnFailed Cannot process response, preconditions not met: \"Responder/AuthnFailed User cancelled the request\"\"\"","context":{"sari":"_049c3a74586890564379c4efa7980538e29630f28209fc1e67576a116151"},"level":250,"level_name":"NOTICE","channel":"app","datetime":"2024-11-27T17:50:18+01:00","extra":{"server":"sa.acc.surfconext.nl","application":"self-service","request_id":"17750d8d7bd1c9a9855e36ecac2f9db5"}}
selfservice[790]: {"message":"Authentication failure: An authentication exception occurred.: \"Failed SAMLResponse parsing\"","context":{},"level":250,"level_name":"NOTICE","channel":"app","datetime":"2024-11-27T17:50:18+01:00","extra":{"server":"sa.acc.surfconext.nl","application":"self-service","request_id":"17750d8d7bd1c9a9855e36ecac2f9db5"}}
```

Expected result:

  • The user should be redirected back to the token overview and the status (user canceled) is shown in the banner. If something actually was wrong with the response, a proper error page must be shown, not a white screen with some text.
  • The SAML Response seems correct, so parsing it should not fail.
  • The logs show no error

@pmeulen pmeulen added the bug label Nov 28, 2024
@phavekes phavekes added this to Stepup Nov 29, 2024
@github-project-automation github-project-automation bot moved this to New in Stepup Nov 29, 2024
@phavekes phavekes moved this from New to Backlog in Stepup Nov 30, 2024
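
For reference, an added example (not part of the issue and not Stepup-SelfService code) showing that a status-only response shaped like the one above parses cleanly, and how the nested `StatusCode` separates a failed or cancelled authentication from a response that is actually broken. The names `read_status` and `classify`, the outcome labels and the trimmed sample are assumptions; signature and `InResponseTo` validation are out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed sample: the response from the report, reduced to its Status part.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-11-27T16:50:18Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
    </samlp:StatusCode>
    <samlp:StatusMessage>Cannot process response, preconditions not met: "Responder/AuthnFailed User cancelled the request"</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def read_status(xml_text):
    """Return (top_code, sub_code, message) from a SAML 2.0 Response."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in SAML messages")
    root = ET.fromstring(xml_text)  # raises ET.ParseError on malformed XML
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None or not top.get("Value"):
        raise ValueError("Status/StatusCode is mandatory")
    sub = top.find("samlp:StatusCode", NS)  # optional second-level code
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return (top.get("Value"),
            sub.get("Value") if sub is not None else None,
            msg.text if msg is not None else None)


def classify(xml_text):
    """Map a response to 'success', 'authn_failed' or 'error'."""
    try:
        top, sub, _ = read_status(xml_text)
    except (ET.ParseError, ValueError):
        return "error"         # genuinely broken response: proper error page
    if top == STATUS + "Success":
        return "success"       # assertion processing would continue elsewhere
    if sub == STATUS + "AuthnFailed":
        return "authn_failed"  # e.g. the cancelled test: back to the overview
    return "error"
```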