Getting Auth Error after successful IdP Login #338

Open
asierhandball opened this issue Jun 27, 2022 · 9 comments
@asierhandball

Hello! I have followed the steps you propose in the documentation and I am able to log in to the IdP developed with simplesamlphp. My problem occurs after login, when the redirection is made to /saml2/acs: at that moment I receive an "Authentication Error. Access Denied".

Reviewing the logs, I see that the following content appears:

```
Login process started
Trying binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for IDP ****
Binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST not in IDP ****** supported bindings: ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']. Trying to switch ...
IDP ********** does not support urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST trying urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Redirecting user to the IdP via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding.
Saving the session_id "{'_db': {'id-DVLB6248yJzKLvSPf': '/', 'id-BnzBMzfEvcmvAU7gv': '/'}}" in the OutstandingQueries cache
SAMLResponse Error
Traceback (most recent call last):
  File "/home/asaluena/censodes/.venv/lib/python3.7/site-packages/djangosaml2/views.py", line 467, in post
    outstanding_queries,
  File "/home/asaluena/censodes/.venv/lib/python3.7/site-packages/saml2/client_base.py", line 842, in parse_authn_request_response
    xmlstr, AuthnResponse, "assertion_consumer_service", binding, **kwargs
  File "/home/asaluena/censodes/.venv/lib/python3.7/site-packages/saml2/entity.py", line 1496, in _parse_response
    response = response.loads(xmlstr, False, origxml=xmlstr)
  File "/home/asaluena/censodes/.venv/lib/python3.7/site-packages/saml2/response.py", line 528, in loads
    self._loads(xmldata, decode, origxml)
  File "/home/asaluena/censodes/.venv/lib/python3.7/site-packages/saml2/response.py", line 347, in _loads
    **args)
  File "/home/asaluena/censodes/.venv/lib/python3.7/site-packages/saml2/sigver.py", line 1758, in correctly_signed_response
    class_name(response), origdoc)
  File "/home/asaluena/censodes/.venv/lib/python3.7/site-packages/saml2/sigver.py", line 1618, in _check_signature
    node_id=item.id,
  File "/home/asaluena/censodes/.venv/lib/python3.7/site-packages/saml2/sigver.py", line 1433, in verify_signature
    node_id=node_id,
  File "/home/asaluena/censodes/.venv/lib/python3.7/site-packages/saml2/sigver.py", line 903, in validate_signature
    (_stdout, stderr, _output) = self._run_xmlsec(com_list, [tmp.name])
  File "/home/asaluena/censodes/.venv/lib/python3.7/site-packages/saml2/sigver.py", line 923, in _run_xmlsec
    pof = Popen(com_list, stderr=PIPE, stdout=PIPE)
  File "/usr/lib/python3.7/subprocess.py", line 775, in __init__
    restore_signals, start_new_session)
  File "/usr/lib/python3.7/subprocess.py", line 1522, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
PermissionError: [Errno 13] Permission denied: '/home/asaluena/Proyectos/censounizar/.venv/lib/python3.7/site-packages'
```

I don't know what is wrong or what my problem is. Does anyone know how to help me?

@peppelinux
Member

It seems to be a permission error. Check the rights on '/home/asaluena/Proyectos/censounizar/.venv/lib/python3.7/site-packages' and also on the path where xmlsec1 writes its temporary files; by default it's /tmp.

@asierhandball
Author

I've checked the permissions and they're OK; these folders have the same permissions as the rest of the project.

@peppelinux
Member

Sure, but `PermissionError: [Errno 13] Permission denied` is a very eloquent message.
Can you rebuild your env with the same user that runs the server process? What do you use: gunicorn, uwsgi?

@asierhandball
Author

The application is running on an apache virtual host, using wsgi. All the files in the project belong to the user www-data, who runs the apache processes.

@peppelinux
Member

It's a deployment problem, not related to the code or its releases.

@asierhandball
Author

So, how can I fix it? Redeploying the code?

@peppelinux
Member

You should check the permissions of the files and the process that uses them.

Try to use a virtualenv created with the user that executes uwsgi.

@asierhandball
Author

asierhandball commented Jul 15, 2022

Hi again!

I have redeployed the project using a virtualenv, and brought it online through an apache virtual host with the following configuration:

```
WSGIScriptAlias / /home/asaluena/Proyectos/censounizar/censo/censo/wsgi.py
WSGIDaemonProcess censico processes=1 threads=15 display-name=%{GROUP} user=censico python-path=/home/asaluena/censodes/censo/ python-home=/home/asaluena/censodes/.venv
WSGIProcessGroup censico
WSGIPassAuthorization On
```

The user who owns the project files is 'censico' too.

@peppelinux
Copy link
Member

And did you still have the same issue as before?
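
An added diagnostic example, not part of the thread and not djangosaml2 or pysaml2 code: the `Popen(com_list, stderr=PIPE, stdout=PIPE)` call in the traceback passes no `cwd`, so the path named in the `PermissionError` is the program it tried to execute, and in the log that path is a directory. The script below, meant to be run as the WSGI daemon user, classifies such a path and checks temp-directory write access; the function names and the sample directory are constructed for illustration.

```python
import os
import stat
import subprocess
import tempfile


def diagnose_executable(path):
    """Classify a path before a process tries to execute it."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "unreachable"  # a parent directory denies search (x) to this user
    if stat.S_ISDIR(st.st_mode):
        return "is-directory"  # executing a directory fails with EACCES
    if not os.access(path, os.X_OK):
        return "not-executable"
    return "ok"


def exec_error(argv):
    """Start argv like the Popen call in the traceback; return (errno, filename)."""
    try:
        proc = subprocess.Popen(argv, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
    except OSError as exc:
        return exc.errno, exc.filename
    proc.communicate()
    return 0, None


def tempdir_writable(directory=None):
    """True if the current user can create a file in the temp directory."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed stand-in: a fresh directory plays the path Popen was asked to run.
    with tempfile.TemporaryDirectory() as sample_dir:
        print("effective uid:", os.geteuid())
        print("diagnosis:", diagnose_executable(sample_dir))
        print("Popen error:", exec_error([sample_dir, "--version"]))
        print("temp dir writable:", tempdir_writable())
```

Running it under the daemon account (for example with `sudo -u` and the virtualenv's interpreter) shows what that user sees rather than what the deploying user sees.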
