Got different errors on different OS, please help #200

Closed
wally-yu opened this issue Jun 12, 2017 · 8 comments

Comments

@wally-yu

Dear team,

It seems this package relies heavily on the specific operating system, right?
I first attempted to debug on my Mac and was always blocked by a return of something like "invalid return" from the ACS, after correctly configuring your sample app.
I deployed the same code to different OSes; here is what I found:

  • Mac OS v10.12: got something like "invalid return"
  • Ubuntu 14.04: got something like "invalid return"
  • RHEL 4.4.7: got "Segmentation fault" - hmmm... this is our production environment

The only OS I ran it on without any problem is Ubuntu v16.04, same code.
I spent weeks looking into these issues, and now I don't have a clue how to move on.
Could you please suggest what I should try? Thanks in advance.

Thanks,
Wally

@pitbulk
Contributor

pitbulk commented Jun 12, 2017

The main issue is installing the python-saml dependency: dm.xmlsec.binding.
You can find Issue #30, where people share their experiences installing it.

Can you provide more info about how you obtain the "invalid return" on the ACS view? What demo example are you using? Is your "prepare request" method right?

@wally-yu
Author

Hi @pitbulk ,

Thanks for your quick reply.
The "Segmentation fault" issue was solved as per your suggestion :)

"invalid return" is actually "A valid SubjectConfirmation was not found on this Response" error.
I'm now seeing this error on Mac, RHEL and Ubuntu14.04. Same code is working fine on Ubuntu16.04~

I'm wondering whether this error is related to my self-signed SSL certificate hosted on Nginx?

@pitbulk
Contributor

pitbulk commented Jun 13, 2017

It must be related to the way the request from the Python framework is processed and provided to the Python toolkit.

You may review the reason for the SubjectConfirmation invalidation, and review the SAMLResponse, the SAML settings and the "prepare request" method.
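
An added example, not part of the thread and not python-saml's own code: a standalone check that lists why each SubjectConfirmation in a decoded SAMLResponse would be rejected under the bearer rules (Method, Recipient, InResponseTo, NotBefore, NotOnOrAfter). The function name, sample response and URLs are constructed for illustration; it assumes an unencrypted assertion, uses a strict equality check on Recipient, and does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample response (not taken from the thread), base64 encoded as posted to the ACS
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>
 <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
 <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
  InResponseTo="ONELOGIN_constructed" NotOnOrAfter="2017-06-14T03:33:07Z"/>
 </saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>""")

def _ts(value):
    # SAML timestamps are UTC, e.g. 2017-06-14T03:28:07Z; fractional seconds are dropped
    value = value.split(".")[0].rstrip("Z")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def explain_subject_confirmation(b64_response, acs_url, request_id=None, now=None, drift=timedelta(0)):
    """Return one list of rejection reasons per SubjectConfirmation; an empty list means acceptable."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    results = []
    for sc in root.findall(".//saml:Subject/saml:SubjectConfirmation", NS):
        reasons = []
        if sc.get("Method") != BEARER:
            reasons.append("Method is not bearer")
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            reasons.append("no SubjectConfirmationData")
        else:
            if data.get("Recipient") != acs_url:
                reasons.append("Recipient %r != SP URL %r" % (data.get("Recipient"), acs_url))
            if request_id and data.get("InResponseTo") not in (None, request_id):
                reasons.append("InResponseTo mismatch")
            if data.get("NotOnOrAfter") and _ts(data.get("NotOnOrAfter")) + drift <= now:
                reasons.append("NotOnOrAfter has passed")
            if data.get("NotBefore") and _ts(data.get("NotBefore")) - drift > now:
                reasons.append("NotBefore is in the future")
        results.append(reasons)
    return results
```

Pass as `acs_url` the URL the SP computes for itself from the request data; behind a TLS-terminating proxy that value can differ in scheme or port from the Recipient the IdP issued.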

@anodliv

anodliv commented Jun 14, 2017

Wally and I are on the same team. I just tried to debug it on my Mac Pro; here's the snapshot of the exception thrown. Any clue what might be wrong?
[screenshot: screen shot 2017-06-14 at 11 28 07]

I've also tried to use the online SAML response validation tool to validate the raw SAML response (base64 encoded), and the result is good.

@wally-yu
Author

wally-yu commented Jun 14, 2017

Hi @pitbulk ,

Yep, I have the same error as @anodliv on my Mac Pro, too. (Note I'm using the cloned sample django-app.)
As you can see, I manually checked the response, and it says "The SAML Response is Valid".
[screenshot: 2017-06-14_1458]

Here is my "settings.json":
[screenshot: 2017-06-14_1459]

My current environments:

  • python v2.7.10 (virtual env)
  • django v1.7
  • python-saml v2.2.2
  • OS: Mac v10.12

Any clue what might be wrong?

@anodliv

anodliv commented Jun 14, 2017

Enabled the debug option, so there's additional info printed now, see below:

xmldsig.c:871(xmlSecDSigCtxProcessKeyInfoNode) errno=45
xmldsig.c:565(xmlSecDSigCtxProcessSignatureNode) subject=xmlSecDSigCtxProcessKeyInfoNode
xmldsig.c:366(xmlSecDSigCtxVerify) subject=xmlSecDSigCtxSignatureProcessNode
Signature validation failed. SAML Response rejected

So it looks like errno 45 is XMLSEC_ERRORS_R_KEY_NOT_FOUND, so it looks like the signing key was somehow treated as not valid?

This is the code that looks like the place: https://github.com/lsh123/xmlsec/blob/a9c2be7a2e3347d2d5f85d324a128d2c00a618af/src/xmldsig.c

[screenshot: screen shot 2017-06-14 at 15 07 50]

@wally-yu
Author

Hi @pitbulk and team,
We were totally blocked integrating SAML~ Any comments or ideas? :)
Thanks in advance.

@pitbulk
Contributor

pitbulk commented Jun 19, 2017

Can you try to run the tests of python-saml? Download the repo, add a virtualenv, activate it and execute:

python setup.py test

If you have issues, then maybe you still have issues with the dm.xmlsec.binding installation.

Maybe using python3-saml instead can be a solution.

@pitbulk pitbulk closed this as completed Jul 22, 2017