Univention Bugzilla – Bug 51932
Only the first saml authentication works
Last modified: 2021-05-25 15:58:04 CEST
Only the first saml authentication works
Any subsequent login fails.

/var/log/syslog:
Aug 31 11:15:41 ucs-8750 simplesamlphp[8285]: 5 STAT [ddeec5e115] passive-saml20-idp-SSO https://ucs-8750.univention.intranet/univention/saml/metadata https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/metadata.php NA
Aug 31 11:15:42 ucs-8750 python2.7: Loaded metadata from "/usr/share/univention-management-console/saml/idp/ucs-sso.univention.intranet.xml"
Aug 31 11:15:42 ucs-8750 python2.7: SAML assertion contains no Issuer
Aug 31 11:15:42 ucs-8750 python2.7: pam_ldap: error trying to bind as user "uid=Administrator,cn=users,dc=univention,dc=intranet" (Invalid credentials)
Aug 31 11:15:47 ucs-8750 simplesamlphp[8290]: 5 STAT [ddeec5e115] passive-saml20-idp-SSO https://ucs-8750.univention.intranet/univention/saml/metadata https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/metadata.php NA
Aug 31 11:15:48 ucs-8750 python2.7: Loaded metadata from "/usr/share/univention-management-console/saml/idp/ucs-sso.univention.intranet.xml"
Aug 31 11:15:48 ucs-8750 python2.7: SAML assertion contains no Issuer

This seems to be a bug in lasso. Commit (in lasso) 8d06806db6869cbc2ac8df13128d401d241c9744 is the first broken commit, thanks to git bisect ;)
The lasso git can be found here: https://repos.entrouvert.org/lasso.git/ https://repos.entrouvert.org/lasso.git/commit/?id=8d06806db6869cbc2ac8df13128d401d241c9744
Can you print the SAML assertion which is sent to the UMC? diff --git a/management/univention-management-console/src/univention/management/console/auth.py b/management/univention-management-console/src/univention/management/console/auth.py index 2999ee6006..93eed57735 100644 --- a/management/univention-management-console/src/univention/management/console/auth.py +++ b/management/univention-management-console/src/univention/management/console/auth.py @@ -107,6 +107,7 @@ class AuthHandler(signals.Provider): def __authenticate_thread(self, pam, username, password, new_password, **custom_prompts): AUTH.info('Trying to authenticate user %r' % (username,)) + AUTH.error('## SAML MESSAGE: %r' % (password,)) username = self.__canonicalize_username(username) try: pam.authenticate(username, password, **custom_prompts) → ensure that there is an "Issuer" set; to ensure that this has nothing to do with the Python 3 migration and some string issues.
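Review bot: the added line `AUTH.error('## SAML MESSAGE: %r' % (password,))` writes the raw `password` argument to the authentication log at ERROR level, and `__authenticate_thread` is shared by every login type, so for an ordinary username/password login it would record the cleartext password, not only the SAML message. That is acceptable for a one-off local debugging build, but it must not be committed, and the log file should be cleared once the attachments have been captured; a permanent diagnostic should log at DEBUG level only whether an Issuer element is present (or its length), never the message body or the credential.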
Created attachment 10467 [details] saml message working login
Created attachment 10468 [details] saml message broken login
Created attachment 10469 [details] Representation of the saml message in python (broken login)
Other than the expected differences (time, session, signature), I don't see any difference between the two messages.
(In reply to Jürn Brodersen from comment #6)
> Other than the expected differences (time, session, signature), I don't see
> any difference between the two messages.

Yes, thank you.
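As an added example (not code from this bug or from UCS), a namespace-aware check for the "SAML assertion contains no Issuer" condition the UMC logs above: it inspects a samlp:Response for the Issuer element at both the Response and the Assertion level and treats an element that is present but empty like a missing one. The two messages it runs on are constructed here (the attached ones are not reproduced); only the Python 3 standard library is assumed.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the IdP/SP exchange in this bug
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _issuer_text(elem):
    """Return the stripped text of elem's saml:Issuer child, '' if absent or empty."""
    return (elem.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()


def missing_issuers(saml_response_xml):
    """List the levels of a samlp:Response that lack a usable saml:Issuer.

    Both the Response and each saml:Assertion are checked; an Issuer element
    that is present but empty counts as missing (the 'empty issuer after
    reinitialization' case). An empty list means every level is fine.
    """
    root = ET.fromstring(saml_response_xml)
    problems = []
    if not _issuer_text(root):
        problems.append("samlp:Response")
    for idx, assertion in enumerate(root.findall("saml:Assertion", NS)):
        if not _issuer_text(assertion):
            problems.append("saml:Assertion[%d]" % idx)
    return problems


# Constructed sample messages (not the attached ones): identical apart from the
# assertion-level Issuer, which is the element the UMC complains about.
IDP = "https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/metadata.php"
_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>%(idp)s</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>%(assertion_issuer)s</saml:Issuer>
    <saml:Subject><saml:NameID>Administrator</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
WORKING_LOGIN = _TEMPLATE % {"idp": IDP, "assertion_issuer": IDP}
BROKEN_LOGIN = _TEMPLATE % {"idp": IDP, "assertion_issuer": ""}

if __name__ == "__main__":
    print("working:", missing_issuers(WORKING_LOGIN))  # []
    print("broken: ", missing_issuers(BROKEN_LOGIN))   # ['saml:Assertion[0]']
```

Run it on a message only after its signature has been verified; it is a diagnostic for the comparison above, not a replacement for the SP's validation.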
Created attachment 10624 [details] crudesaml patch

r19169: Bug #51932: Fix: Empty issuer after reinitialization

Upstream does not like the patch. It is not supported to call "lasso_init" after "lasso_shutdown". And I can't reproduce the problem with the current UCS5 UMC anyway. I suggest removing the patch again. We might want to patch crudesaml, though, not to call "lasso_shutdown()", but it seems it's not really needed right now.
Upstream bug: https://dev.entrouvert.org/issues/51248
Created attachment 10625 [details] crudesaml patch
As discussed, the lasso patch has been reverted: r19289: Bug #51932: revert patch 20-Fix-Empty-issuer-after-reinitialization.quilt
OK: lasso 2.6.0-2A~5.0.0.202102191532
UCS 5.0 has been released: https://docs.software-univention.de/release-notes-5.0-0-en.html https://docs.software-univention.de/release-notes-5.0-0-de.html If this error occurs again, please use "Clone This Bug".