exception on missing optional metadata ValidUntil #96
Comments
|
Hi @RamonvdW , it is indeed always considered present now (I never encountered one where it was not present). I've had a look at the metadata specification for this (https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) and that one states that the entitydescriptor must contain either a validUntil or a cacheDuration, which yours does not have. I'll have a look to deal with this, so either properties could be provided. |
|
Thanks for looking into this. As you indicated either field needs to be present, I will check with the 'the other side' what can be done to activate these fields. |
|
@mhindery validUntil could be absent in a real scenario |
|
Getting "Could not extra ValidUntil timestamp from metadata: 'validUntil'" when trying to integrate with Zammad (metadata is here: https://support.zammad.com/auth/saml/metadata). The metadata is (probably) generated by ruby-saml, which doesn't add any of the required attributes, see https://github.com/onelogin/ruby-saml/blob/63f43a7f9b830dfd690457a78a78fac48359944f/lib/onelogin/ruby-saml/metadata.rb#L28. While it seems to violate the specification, it seems quite widespread. PS: Same thing happens with https://samltest.id/saml/sp |
|
IdentityPython/pysaml2@324656e#diff-66edb09e937a4de1d15f8066572c425aR236 that's for MDQ use cases but I think that should be applied widely in the field of freshness of metadata. Btw I often suggest to use a MDQ as a stop-application :) |
|
Unfortunately I'm also running into this issue, while trying to integrate with Questionmark. It looks like they are using some homebuilt php script. Would you be open to a pull request which makes this field not required, for the sake of all the people who work with non standards compliant service providers? |
|
I've found a workaround for our use case; just add a validUntil in the far future and don't fill in the metadata url. |
ping |
|
I've created an issue for ruby-saml, so that it might be eventually addressed there: SAML-Toolkits/ruby-saml#563 (it's probably not the only one SP generating such metadata, but it is certainly quite widespread). |
This is a bug in SP, but it sems quite widespread, so allow way to handle this using configuration. See OTA-Insight#96
|
How about adding configuration option to provide fallback for expiration? See #114 |
This is a bug in SP, but it sems quite widespread, so allow way to handle this using configuration. See OTA-Insight#96
This is a bug in SP, but it sems quite widespread, so allow way to handle this using configuration. See #96
|
FWIW, Splunk does not include validUntil on its Metadata. |
When adding my SP via the Admin interface and clicking the save button I get the exception shown below. Metadata at the bottom of this message.
Django side is the IdP.
SP is running simplesamlphp 1.18.3
validUntil is optional, yet code seems to assume it is present.
Context:
django 2.2.12
djangosaml2idp 0.7.2
pysaml2 5.0.0
(if more context is needed, just ask)
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
response = get_response(request)
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py", line 115, in _get_response
response = self.process_exception_by_middleware(e, request)
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py", line 113, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/options.py", line 606, in wrapper
return self.admin_site.admin_view(view)(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/utils/decorators.py", line 142, in _wrapped_view
response = view_func(request, *args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
response = view_func(request, *args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/sites.py", line 223, in inner
return view(request, *args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/options.py", line 1645, in add_view
return self.changeform_view(request, None, form_url, extra_context)
File "/usr/local/lib/python3.6/site-packages/django/utils/decorators.py", line 45, in _wrapper
return bound_method(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/utils/decorators.py", line 142, in _wrapped_view
response = view_func(request, *args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/options.py", line 1529, in changeform_view
return self._changeform_view(request, object_id, form_url, extra_context)
File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/options.py", line 1572, in _changeform_view
self.save_model(request, new_object, form, not add)
File "/usr/local/lib/python3.6/site-packages/django/contrib/admin/options.py", line 1088, in save_model
obj.save()
File "/usr/local/lib/python3.6/site-packages/djangosaml2idp/models.py", line 155, in save
self.metadata_expiration_dt = extract_validuntil_from_metadata(self.local_metadata).replace(tzinfo=None)
File "/usr/local/lib/python3.6/site-packages/djangosaml2idp/utils.py", line 69, in extract_validuntil_from_metadata
raise ValidationError(f'Could not extra ValidUntil timestamp from metadata: {e}')
django.core.exceptions.ValidationError: ["Could not extra ValidUntil timestamp from metadata: 'validUntil'"]
SP metadata:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/metadata.php/default-sp">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml2-logout.php/default-sp"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml2-logout.php/default-sp"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml1-acs.php/default-sp" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml2-acs.php/default-sp" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://wiki.handboogsport.st-visir.nl/saml/module.php/saml/sp/saml1-acs.php/default-sp/artifact" index="3"/>
</md:SPSSODescriptor>
<md:ContactPerson contactType="technical">
md:GivenNameRamon</md:GivenName>
md:EmailAddresskeptprivate@gmail.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
The text was updated successfully, but these errors were encountered: