SAMLException: Error decoding HTTP-Redirect SAML message and When looking for an assertion we did not found it #7

Open
tuxcrafter opened this issue Oct 3, 2022 · 0 comments

tuxcrafter commented Oct 3, 2022

Hello everybody,

Can someone help me debug this SAML setup? I have a working sign-on, but I cannot get the logout to work, neither initiated by the client nor from the IDP. I am using zm-sso-1.0.0-1.jar and ipsilon-3.0.4-3.fc36.noarch. I have other clients (rocket.chat, nextcloud) working with both sign-on and sign-out.

[Mon Oct 03 08:28:11.868392 2022] [wsgi:error] [pid 28717:tid 28827] [remote 192.168.40.14:39124] [03/Oct/2022:08:28:11]  DEBUG(ipsilon/providers/saml2idp.py:406 IdpProvider.idp_initiated_logout()): IdP-initiated SAML2 logout
[Mon Oct 03 08:28:11.990792 2022] [wsgi:error] [pid 28717:tid 28827] [remote 192.168.40.14:39124] [03/Oct/2022:08:28:11]  DEBUG(ipsilon/providers/saml2idp.py:456 IdpProvider.idp_initiated_logout()): Sending initial logout request to https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true
2022-10-03 08:28:12,015 INFO  [qtp1665620686-8722:https:https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true] [] extensions - SSO callback with: SAML2Client
2022-10-03 08:28:12,029 ERROR [qtp1665620686-8722:https:https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true] [] extensions - org.pac4j.saml.exceptions.SAMLException: Error decoding HTTP-Redirect SAML message

2022-10-03 08:29:41,111 INFO  [qtp1665620686-8746:https:https://mail.example.org/service/extension/sso/logout] [] extensions - Destroy front channel sso session
2022-10-03 08:29:41,115 INFO  [qtp1665620686-8746:https:https://mail.example.org/service/extension/sso/logout] [] extensions - SSO logout is performed
[Mon Oct 03 08:29:41.166252 2022] [wsgi:error] [pid 28717:tid 28822] [remote 192.168.40.14:39332] [03/Oct/2022:08:29:41]  DEBUG(providers/saml2/logout.py:35 Logout._handle_logout_request()): saml2: Logout request
[Mon Oct 03 08:29:41.169006 2022] [wsgi:error] [pid 28717:tid 28822] [remote 192.168.40.14:39332] [03/Oct/2022:08:29:41]  DEBUG(providers/saml2/logout.py:61 Logout._handle_logout_request()): saml2: SLO from https://mail.example.org/service/extension/saml/metadata with ('_7E20499B436F643441D8F044C64573DE',) sessions
[Mon Oct 03 08:29:41.180022 2022] [wsgi:error] [pid 28717:tid 28822] [remote 192.168.40.14:39332] [03/Oct/2022:08:29:41]  ERROR: SLO validation failed: <lasso.ProfileMissingAssertionError(-427): When looking for an assertion we did not found it.>
[zimbra@mail root]$ cat /opt/zimbra/conf/zm.sso.properties | grep -v "#"
sso.defaultClient = SAML2Client
sso.callbackUrl = https://mail.example.org/service/extension/sso/callback
saml.callbackUrl = https://mail.example.org/service/extension/saml/callback
sso.saveInSession = true
sso.multiProfile = true
sso.renewSession = true
sso.localLogout = true
sso.destroySession = true
sso.centralLogout = true
sso.postLogoutURL = https://mail.example.org/
saml.keystorePath = /opt/zimbra/conf/saml/keystore.jks
saml.keystorePassword = <secret>
saml.privateKeyPassword = <secret>
saml.keystoreAlias = samlkey
saml.identityProviderMetadataPath = https://saml.example.org/idp/saml2/metadata
saml.serviceProviderEntityId = https://mail.example.org/service/extension/saml/metadata
saml.spLogoutRequestBindingType = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
saml.spLogoutResponseBindingType = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
saml.authnRequestSigned = true
saml.logoutRequestSigned = true
saml.logoutRequestSigned = true
saml.allSignatureValidationDisabled = true
saml.wantsAssertionsSigned = false
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_d60ed73e163045cd924b5a893651fc3f7c0f3b4" entityID="https://mail.example.org/service/extension/saml/metadata" validUntil="2042-10-03T01:12:03.052Z">
<md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</md:Extensions>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
<init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client"/>
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDdzCCAl+gAwIBAgIESUCWSjANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTIyMTAwMjE4Mzc1NloXDTMyMDkyOTE4 Mzc1NlowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93 bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIHiQjUBBJWkGNrE2NjGHjOuOfFtDa0T tPR3H6OUta4KXyzTyyBskPlFO7RVJtSU+X0hq40Yzr8eRbzgT1k+O+Qnn3SOXTG/361Wkp5YyqfP rfOx/XJyzKbCNcYomWLbj1ZW49vYFcMhd59oNzF37gqAyCene48zPW+5iKPl3q+gLNV8GPJJNZel LV60Ilw2YS28y4AJSSdPRqjO5yOUnn4V821a1VbsXo8bFvgBp64k3xnBAh+gA926u3HqkIcT67sI m05km/Wu8RzRoCWIaMYah34YVEyk837RcG8csp+9XEb6QT6aX21C7cVg1Ebd2vti8G1x9w0e+fAE mcxMBssCAwEAAaMhMB8wHQYDVR0OBBYEFHbJMfYpBKi9/1JiF++8hSfg5gABMA0GCSqGSIb3DQEB CwUAA4IBAQBLF2ZTXeSZR1vDLLjLbJJxPR/NtTE3uBNTJeAxY4/U3tyYrbROBZTwepI5Fq8alpqd iqo1iwDxivwKHzS+l8YrMW7QBHmC1xjpMNhTeqeGPgbEqDVR0bgCDjUpilGeFc3zgWRzVDO6TCCE /zFAKmR3chXVRW4pF9+DDCiyYI41QNCzZG4S/ziAmH+ISllDYqLM3mtHKH2g3GUKFdeQ01rDXqGe KaOXQbiouwIr7V9pi7Ba64A0OP/+5doa8jcR/V8jV+fnDF/ZCxvIq837mkqkt1DRd5DTH88BPMZy 5QK2T12Ft5iF1/KiAT0D7xXTd2CMPuB9AhXmJ+uAD70l9T9+</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDdzCCAl+gAwIBAgIESUCWSjANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTIyMTAwMjE4Mzc1NloXDTMyMDkyOTE4 Mzc1NlowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93 bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIHiQjUBBJWkGNrE2NjGHjOuOfFtDa0T tPR3H6OUta4KXyzTyyBskPlFO7RVJtSU+X0hq40Yzr8eRbzgT1k+O+Qnn3SOXTG/361Wkp5YyqfP rfOx/XJyzKbCNcYomWLbj1ZW49vYFcMhd59oNzF37gqAyCene48zPW+5iKPl3q+gLNV8GPJJNZel LV60Ilw2YS28y4AJSSdPRqjO5yOUnn4V821a1VbsXo8bFvgBp64k3xnBAh+gA926u3HqkIcT67sI m05km/Wu8RzRoCWIaMYah34YVEyk837RcG8csp+9XEb6QT6aX21C7cVg1Ebd2vti8G1x9w0e+fAE mcxMBssCAwEAAaMhMB8wHQYDVR0OBBYEFHbJMfYpBKi9/1JiF++8hSfg5gABMA0GCSqGSIb3DQEB CwUAA4IBAQBLF2ZTXeSZR1vDLLjLbJJxPR/NtTE3uBNTJeAxY4/U3tyYrbROBZTwepI5Fq8alpqd iqo1iwDxivwKHzS+l8YrMW7QBHmC1xjpMNhTeqeGPgbEqDVR0bgCDjUpilGeFc3zgWRzVDO6TCCE /zFAKmR3chXVRW4pF9+DDCiyYI41QNCzZG4S/ziAmH+ISllDYqLM3mtHKH2g3GUKFdeQ01rDXqGe KaOXQbiouwIr7V9pi7Ba64A0OP/+5doa8jcR/V8jV+fnDF/ZCxvIq837mkqkt1DRd5DTH88BPMZy 5QK2T12Ft5iF1/KiAT0D7xXTd2CMPuB9AhXmJ+uAD70l9T9+</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client" index="0"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2027-09-25T10:52:14.946448Z" entityID="https://saml.example.org/idp/saml2/metadata">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDJzCCAg+gAwIBAgIUEE0tOBVESVIzpYStV3wVwoWcyNwwDQYJKoZIhvcNAQEL BQAwIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1hbWFjYXNoLmxvY2FsMB4XDTIyMDky NjEwNTIxNFoXDTI3MDkyNTEwNTIxNFowIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1h bWFjYXNoLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvC9s 9ch5D2UgPR5ka62i8Maq6QDy6GK9/ZjG68jZOPpl9bnpmIDD4EgFUyBvtshnaPQc BqSBlDE2N3OKXDF9+5MCKXU1wnz0YBn02H49PG8J1TOS8lYmGuNmf88bfxX02ahg xwA4ZtHhRwbLhsIV3aRRUXvocHOg5PZbymb/JYqnQbKByXKHUnmjbzI8h3WcgmHE 848x8GwQCW1MLNA2eUITV7rUE+aN9P+UucBS9FnbjvoCCyAfzHTTuGiTh29KjRo+ 1YdYGrfYoMIQ9wAI6laW9xWqptDpumFGrzdi493sIXX6flEN2qY5+7nM6ffPZrXT PMqFMbqI3uetJJq8lQIDAQABo1MwUTAdBgNVHQ4EFgQU4ygBodjpXIYmUXZcQ0Cj vsiZJtkwHwYDVR0jBBgwFoAU4ygBodjpXIYmUXZcQ0CjvsiZJtkwDwYDVR0TAQH/ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAD2lTKmmnVMBjaljgUTRO44sAS35E IUH1Bgp1HkL9YxSjrBOsQVttZw+ZcAzLUsSoFkokLcn74bYUvNYcMXGRffqmxF9M Z4MwaAWqOeJqDKp6CqCGpGBKxf9Usw7Lgr5WUtK6aZdlhUs29/OhqstAfTOr8olS 9C+ApTCQy7jvjQDb0mE+Lw/8MAsIR1CEwu/rvhl3QDBdYj8R8zFAf6R12ZANyDJX +XxZjWHGwpFYEaiv0V4wvVv9cM1XlNVN+v716N6tF+fgW52r9n9p010hnDITV59n 8fLf4l+r0JMIOmGnAsUhWwr8j06HhNEGwmm+Ye8sMBPnMOyX6QXAnbqBSA== </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDJzCCAg+gAwIBAgIUEE0tOBVESVIzpYStV3wVwoWcyNwwDQYJKoZIhvcNAQEL BQAwIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1hbWFjYXNoLmxvY2FsMB4XDTIyMDky NjEwNTIxNFoXDTI3MDkyNTEwNTIxNFowIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1h bWFjYXNoLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvC9s 9ch5D2UgPR5ka62i8Maq6QDy6GK9/ZjG68jZOPpl9bnpmIDD4EgFUyBvtshnaPQc BqSBlDE2N3OKXDF9+5MCKXU1wnz0YBn02H49PG8J1TOS8lYmGuNmf88bfxX02ahg xwA4ZtHhRwbLhsIV3aRRUXvocHOg5PZbymb/JYqnQbKByXKHUnmjbzI8h3WcgmHE 848x8GwQCW1MLNA2eUITV7rUE+aN9P+UucBS9FnbjvoCCyAfzHTTuGiTh29KjRo+ 1YdYGrfYoMIQ9wAI6laW9xWqptDpumFGrzdi493sIXX6flEN2qY5+7nM6ffPZrXT PMqFMbqI3uetJJq8lQIDAQABo1MwUTAdBgNVHQ4EFgQU4ygBodjpXIYmUXZcQ0Cj vsiZJtkwHwYDVR0jBBgwFoAU4ygBodjpXIYmUXZcQ0CjvsiZJtkwDwYDVR0TAQH/ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAD2lTKmmnVMBjaljgUTRO44sAS35E IUH1Bgp1HkL9YxSjrBOsQVttZw+ZcAzLUsSoFkokLcn74bYUvNYcMXGRffqmxF9M Z4MwaAWqOeJqDKp6CqCGpGBKxf9Usw7Lgr5WUtK6aZdlhUs29/OhqstAfTOr8olS 9C+ApTCQy7jvjQDb0mE+Lw/8MAsIR1CEwu/rvhl3QDBdYj8R8zFAf6R12ZANyDJX +XxZjWHGwpFYEaiv0V4wvVv9cM1XlNVN+v716N6tF+fgW52r9n9p010hnDITV59n 8fLf4l+r0JMIOmGnAsUhWwr8j06HhNEGwmm+Ye8sMBPnMOyX6QXAnbqBSA== </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://saml.example.org/idp/saml2/SSO/POST"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.example.org/idp/saml2/SSO/Redirect"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://saml.example.org/idp/saml2/SSO/SOAP"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.example.org/idp/saml2/SLO/Redirect"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
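The first failure in the logs above is the SP (pac4j inside zm-sso) rejecting the IdP-initiated LogoutRequest at the decoding stage, before any signature or session check runs. The HTTP-Redirect binding carries the message in the SAMLRequest (or SAMLResponse) query parameter as base64 of raw-DEFLATE-compressed XML, whereas the HTTP-POST binding sends plain base64 in a form body; a value encoded one way and delivered to an endpoint expecting the other is exactly the kind of thing that surfaces as "Error decoding HTTP-Redirect SAML message". The following is an added diagnostic example, not code from zm-sso, pac4j or ipsilon: it encodes and decodes the Redirect-binding form, distinguishes a plain-base64 value from a deflated one, and pulls Issuer, Destination, NameID and SessionIndex out of a LogoutRequest so you can compare them with what the IdP logged. The sample LogoutRequest, its IDs, the NameID value and the RelayState are constructed for the example; only the hostnames and callback path are taken from the issue.

```python
"""Decode (and, for testing, encode) a SAML 2.0 HTTP-Redirect binding message.

Added example, not code from zm-sso, pac4j or ipsilon. The HTTP-Redirect
binding carries the SAML message as base64(DEFLATE(xml)) with *raw* DEFLATE
(no zlib header, wbits=-15). A value that is only base64-encoded (the
HTTP-POST binding form) cannot be decoded this way.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def encode_redirect_param(xml_text: str) -> str:
    """Encode a SAML message the way the HTTP-Redirect binding requires."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw DEFLATE
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_param(value: str) -> str:
    """Inverse of encode_redirect_param.

    Raises ValueError when the value is not base64(raw-DEFLATE), for example
    when a POST-binding (plain base64) value was sent to a Redirect endpoint.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except Exception as exc:
        raise ValueError(f"SAML parameter is not valid base64: {exc}") from exc
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except (zlib.error, UnicodeDecodeError) as exc:
        raise ValueError(
            "SAML parameter is base64 but not raw-DEFLATE compressed; "
            "was the message sent with the HTTP-POST encoding?"
        ) from exc


def summarize_logout_request(xml_text: str) -> dict:
    """Extract the fields an SP matches against its own session store."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError(f"expected samlp:LogoutRequest, got {root.tag}")
    name_id = root.find("saml:NameID", NS)
    session_index = root.find("samlp:SessionIndex", NS)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "destination": root.get("Destination"),
        "name_id": name_id.text if name_id is not None else None,
        "session_index": session_index.text if session_index is not None else None,
    }


def inspect_redirect_url(url: str) -> dict:
    """Pull SAMLRequest/SAMLResponse out of a redirect URL and summarize it."""
    query = parse_qs(urlsplit(url).query)
    for param in ("SAMLRequest", "SAMLResponse"):
        if param in query:
            xml_text = decode_redirect_param(query[param][0])
            info = {
                "parameter": param,
                "relay_state": query.get("RelayState", [None])[0],
                # A signed Redirect message carries SigAlg and Signature params.
                "signed": "Signature" in query and "SigAlg" in query,
            }
            if param == "SAMLRequest":
                info.update(summarize_logout_request(xml_text))
            return info
    raise ValueError("no SAMLRequest or SAMLResponse parameter in URL")


# Constructed sample IdP-initiated LogoutRequest; IDs, NameID and time are made up.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-logout-request-1" Version="2.0" IssueInstant="2022-10-03T08:28:11Z"
  Destination="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&amp;logoutendpoint=true">
  <saml:Issuer>https://saml.example.org/idp/saml2/metadata</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_example-nameid</saml:NameID>
  <samlp:SessionIndex>_example-session-index</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def build_sample_redirect_url() -> str:
    """Build the redirect URL an IdP would send the sample request with (unsigned)."""
    params = {
        "SAMLRequest": encode_redirect_param(SAMPLE_LOGOUT_REQUEST),
        "RelayState": "example-relay-state",  # constructed value
    }
    return ("https://mail.example.org/service/extension/saml/callback"
            "?client_name=SAML2Client&logoutendpoint=true&" + urlencode(params))


if __name__ == "__main__":
    print(inspect_redirect_url(build_sample_redirect_url()))
```

To use it on a real failure, paste the full redirect URL the browser was sent to (from the IdP log or the browser's network tab) into inspect_redirect_url. If decode_redirect_param raises, the binding encodings on the two sides disagree; if it decodes, compare the Destination with the SingleLogoutService Location in the SP metadata and the SessionIndex with the session the SP holds. The script only decodes and reads the message; it does not verify the SigAlg/Signature parameters, so it is a debugging aid rather than a substitute for the SP's own signature validation.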