Univention Bugzilla – Bug 39576
SAML logout causes traceback on DC Backup in UMC
Last modified: 2015-11-17 12:12:33 CET
I got the following traceback while trying to log off a SAML session on my DC Backup:

{"status": 500, "message": "The server encountered an unexpected condition which prevented it from fulfilling the request.
Traceback (most recent call last):
  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py\", line 656, in respond
    response.body = self.handler()
  File \"/usr/lib/python2.7/dist-packages/cherrypy/lib/encoding.py\", line 188, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpdispatch.py\", line 34, in __call__
    return self.callable(*self.args, **self.kwargs)
  File \"/usr/sbin/univention-management-console-web-server\", line 86, in _decorated
    return func(*args, **kwargs)
  File \"/usr/sbin/univention-management-console-web-server\", line 1024, in slo
    self.sp.parse_logout_request_response(message, binding)
  File \"/usr/lib/python2.7/dist-packages/saml2/entity.py\", line 962, in parse_logout_request_response
    \"single_logout_service\", binding)
  File \"/usr/lib/python2.7/dist-packages/saml2/entity.py\", line 949, in _parse_response
    response = response.verify(key_file)
  File \"/usr/lib/python2.7/dist-packages/saml2/response.py\", line 400, in verify
    return self._verify()
  File \"/usr/lib/python2.7/dist-packages/saml2/response.py\", line 376, in _verify
    assert self.response.version == \"2.0\"
AttributeError: 'NoneType' object has no attribute 'version'
BTW, the browser URI changed to the master: https://master441.deadlock44.intranet/univention-management-console/saml/slo/?SAMLRequest=rVLBbpwwEP0VxJ0FG2yDtYsUaVVppTRpu1UPvayMGSdWwaaMqfL5NWxXSqMqp97s53nvzRvPHtU4TPLeP%2FklfIGfC2BIXsbBodxeDukyO%2BkVWpROjYAyaHm%2B%2B3gv6a6Q0%2ByD135IX1HeZyhEmIP1Lk1Ox0N6oaA0q0tCOQfWC0E0bTpgTWVMXXSEEy4Eo8BFlSbfYMbIPKRRKNIRFzg5DMqFCBWEZaTICP9KGkm4JNX3NDnGNNapsLGeQ5hQ5vmoMMBcVWTXg%2BoHr39U1c66MCsHIV%2Bc%2FQVuZWSjcuoJxnjLtHfoB8jXgDkOPk%2BTBx8e3eN8Z6LYW39KNv92v9bLrdO5vfkvGjNE%2F093tOM0wDb552lzo7ntp3yEoHoV1C7C%2B%2Fy16tXiIQ76dEzOn9bD50UN1ti1rf%2BW%2BdZAmnzw86jC%2B7%2B8IrbPzFYqVxe0UTJtL0I3QigCnaaiYoYVuulER1lDqaZVXZqyYaLmmog%2FMa%2FJrjEneQZcV%2BDkenhpL6RQ3SrIG9ZFPjcVYzUjXBkNYEpN%2Br5uBFNleRV7w7%2BBfy1%2F%2Bxs%3D&RelayState=_60c669e2f44f37f6ce6c2806161b4d50b538cf5e13
Strange! I saw this one before and opened an upstream issue: https://github.com/rohe/pysaml2/issues/259
But the problem probably lies in our code; there is a redirection done to the wrong server, I am assuming!
simplesamlphp's resumelogout.php does the broken redirection.
The redirection is correct. SAML SLO works this way: it informs every involved service provider that the session is now logged out.
The reason for this was that the SLO interface only accepted <samlp:LogoutResponse> messages. But simplesamlphp sends <samlp:LogoutRequest> messages because multiple SP sessions exist. I committed a workaround which will prevent the exception. The problem left is that a logout will switch the host (e.g. from slave to master). I will later find out how to do the redirection back.

univention-management-console-frontend (5.0.49-1):
r64989 | Bug #39576: fix handling of <samlp:LogoutRequest> in single logout service
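The message-type confusion described in the two comments above, as an added illustration that is not Univention's or pysaml2's code: a small Python single-logout endpoint that decodes the HTTP-Redirect binding and dispatches on whether the incoming message is a <samlp:LogoutRequest> (the IdP asking this SP to end a session, because another SP session exists) or a <samlp:LogoutResponse> (the IdP confirming a logout this SP started). A LogoutRequest is answered with a LogoutResponse and a redirect back to the IdP's SLO endpoint; anything else is rejected with a ValueError instead of surfacing later as an AttributeError on a missing object. The entity IDs, URLs, session store and sample messages are constructed for the example. Signature verification over the redirect-binding query string (SigAlg/Signature) is deliberately omitted and would have to run before either message is acted on.

```python
import base64
import datetime
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# SAML 2.0 namespaces and the status URI reported for a successful logout.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical SP configuration (assumed values, not Univention's).
SP_ENTITY_ID = "https://sp.example.test/univention-management-console/saml/metadata"
IDP_SLO_URL = "https://idp.example.test/simplesaml/saml2/idp/SingleLogoutService.php"


def decode_redirect_binding(value):
    """Undo the HTTP-Redirect binding: URL-decode, base64-decode, raw-inflate."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_binding(xml_text):
    """Apply the HTTP-Redirect binding: raw-deflate, base64-encode, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")


def classify_slo_message(xml_text):
    """Return (local name, root element) for a LogoutRequest or LogoutResponse.

    Any other root element or SAML version is rejected up front, so the handler
    never dereferences a message object that was never built.
    """
    root = ET.fromstring(xml_text)
    ns, _, local = root.tag.partition("}")
    if ns.lstrip("{") != SAMLP or local not in ("LogoutRequest", "LogoutResponse"):
        raise ValueError("not a SAML 2.0 single logout message: %s" % root.tag)
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version: %r" % root.get("Version"))
    return local, root


def build_logout_response(request_id, destination):
    """Build a successful LogoutResponse answering the LogoutRequest `request_id`."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element("{%s}LogoutResponse" % SAMLP, {
        "ID": "_" + secrets.token_hex(20), "Version": "2.0", "IssueInstant": now,
        "InResponseTo": request_id, "Destination": destination})
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = SP_ENTITY_ID
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": STATUS_SUCCESS})
    return ET.tostring(resp, encoding="unicode")


def handle_slo(query, sessions):
    """Dispatch one hit on the SP's SLO endpoint.

    query:    decoded query parameters (SAMLRequest or SAMLResponse, RelayState).
    sessions: the SP's local session store, NameID -> session data (mutated).
    Signature verification is intentionally not part of this example.
    """
    if "SAMLRequest" in query:
        # IdP-initiated leg: the IdP asks this SP to end its session for the NameID.
        kind, root = classify_slo_message(decode_redirect_binding(query["SAMLRequest"]))
        if kind != "LogoutRequest":
            raise ValueError("SAMLRequest must carry a LogoutRequest, got %s" % kind)
        name_id = root.findtext("{%s}NameID" % SAML)
        terminated = sessions.pop(name_id, None) is not None
        response_xml = build_logout_response(root.get("ID"), IDP_SLO_URL)
        params = {"SAMLResponse": encode_redirect_binding(response_xml)}
        if "RelayState" in query:
            params["RelayState"] = urllib.parse.quote(query["RelayState"], safe="")
        redirect = IDP_SLO_URL + "?" + "&".join("%s=%s" % kv for kv in params.items())
        return {"kind": kind, "name_id": name_id, "terminated": terminated,
                "response_xml": response_xml, "redirect": redirect}
    if "SAMLResponse" in query:
        # SP-initiated leg: the IdP confirms the logout this SP asked for.
        kind, root = classify_slo_message(decode_redirect_binding(query["SAMLResponse"]))
        if kind != "LogoutResponse":
            raise ValueError("SAMLResponse must carry a LogoutResponse, got %s" % kind)
        code = root.find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
        status = code.get("Value") if code is not None else None
        return {"kind": kind, "in_response_to": root.get("InResponseTo"),
                "success": status == STATUS_SUCCESS, "status": status}
    raise ValueError("SLO endpoint called without SAMLRequest or SAMLResponse")


# Constructed sample messages, shaped like what an IdP sends over the redirect binding.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
    'IssueInstant="2015-11-17T11:00:00Z" Destination="https://sp.example.test/saml/slo/">'
    '<saml:Issuer>https://idp.example.test/simplesaml/saml2/idp/metadata.php</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_nid1</saml:NameID>'
    '<samlp:SessionIndex>_sess1</samlp:SessionIndex></samlp:LogoutRequest>' % (SAMLP, SAML))
SAMPLE_LOGOUT_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" Version="2.0" '
    'IssueInstant="2015-11-17T11:00:01Z" InResponseTo="_req0">'
    '<saml:Issuer>https://idp.example.test/simplesaml/saml2/idp/metadata.php</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status></samlp:LogoutResponse>'
    % (SAMLP, SAML, STATUS_SUCCESS))

if __name__ == "__main__":
    store = {"_nid1": {"user": "alice"}}
    req = {"SAMLRequest": encode_redirect_binding(SAMPLE_LOGOUT_REQUEST), "RelayState": "abc"}
    print(handle_slo(req, store)["terminated"], store)
    print(handle_slo({"SAMLResponse": encode_redirect_binding(SAMPLE_LOGOUT_RESPONSE)}, {}))
```

The redirect the handler returns is what keeps the user on the IdP's logout flow rather than leaving them stranded on whichever UMC host received the LogoutRequest: the IdP continues notifying the remaining SPs and finally sends the browser back with RelayState intact.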
Logouts are now correctly handled with a redirection back to the IDP.

QA: Two test scenarios (make sure all cookies are removed on SP and IDP side):
1. login via SAML + logout directly
2. login via SAML, SSO to the slave/backup/memberserver and logout from that host.
After the logout you should see the login page of the UMC where you logged out.
I got the following traceback:

The server encountered an unexpected condition which prevented it from fulfilling the request.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py", line 656, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/dist-packages/cherrypy/lib/encoding.py", line 188, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpdispatch.py", line 34, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1214, in logout
    data = self.sp.global_logout(user.saml.response.name_id)
  File "/usr/lib/python2.7/dist-packages/saml2/client.py", line 106, in global_logout
    entity_ids = self.users.issuers_of_info(name_id)
  File "/usr/lib/python2.7/dist-packages/saml2/population.py", line 42, in issuers_of_info
    return self.cache.entities(name_id)
  File "/usr/lib/python2.7/dist-packages/saml2/cache.py", line 142, in entities
    return self._db[cni].keys()
KeyError: '1=https%3A//master441.deadlock44.intranet/univention-management-console/saml/metadata,2=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient,4=_d20734fef743f5fcaeca395507e4d4926bf13f23bd'
I created Bug #39815 for this. I couldn't reproduce. Regularly this doesn't happen. Let's wait if we get this reported.
(In reply to Florian Best from comment #8)
> I created Bug #39815 for this. I couldn't reproduce. Regularly this doesn't
> happen. Let's wait if we get this reported.

Yes.
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".