Describe the bug
I am trying to use the "SAML2 Authentication" extension with my CKAN 2.9.7 installation. It is giving me an error, while this URL works perfectly:
```
  File "/usr/lib/ckan/venv/lib/python3.8/site-packages/saml2/mdstore.py", line 873, in load
    raise SourceNotFound(self.url)
saml2.mdstore.SourceNotFound: https://dev-33rd3qjmd1757pd7.us.auth0.com/samlp/NMnoJCAIzfeARNrECDxYLRPbkguPnDI3
```
I am using Auth0 (https://auth0.com/) for SSO, via the "SAML2 Web App" addon that is part of their free-tier application addons.
ckanext-saml2auth version affected
v1.1.0
Expected behaviour
It should open SSO (Auth0) login page.
Logs
Please find my configuration from the production.ini file:
```ini
[app:main]
use = egg:ckan

# Required param for SAML 2 extension SSO login
# Specifies the metadata location type
# Options: local or remote
ckanext.saml2auth.idp_metadata.location = remote

# Path to a local file accessible on the server the service runs on
# Ignore this config if the idp metadata location is set to: remote
####ckanext.saml2auth.idp_metadata.local_path = /opt/metadata/idp.xml
ckanext.saml2auth.idp_metadata.local_path = /opt/metadata/dev-33rd3qjmd1757pd7_us_auth0_com-metadata.xml

# A remote URL serving aggregate metadata
# Ignore this config if the idp metadata location is set to: local
ckanext.saml2auth.idp_metadata.remote_url = https://kalmar2.org/simplesaml[...]
ckanext.saml2auth.idp_metadata.remote_url = https://dev-33rd3qjmd1757pd7.us.auth0.com/samlp/NMnoJCAIzfeARNrECDxYLRPbkguPnDI3

# Path to a local file accessible on the server the service runs on
# Ignore this config if the idp metadata location is set
# to local and metadata is public
ckanext.saml2auth.idp_metadata.remote_cert = /opt/metadata/dev-33rd3qjmd1757pd7.crt

# Corresponding SAML user field for firstname
ckanext.saml2auth.user_firstname = firstname
# Corresponding SAML user field for lastname
ckanext.saml2auth.user_lastname = lastname
# Corresponding SAML user field for fullname
# (Optional: Can be used as an alternative to firstname + lastname)
ckanext.saml2auth.user_fullname = fullname
# Corresponding SAML user field for email
ckanext.saml2auth.user_email = email

###----- In bottom/last of the file ------
# Optional Param for SAML2
# URL route of the endpoint where the SAML assertion is sent, also known as Assertion Consumer Service (ACS).
# Default: /acs
ckanext.saml2auth.acs_endpoint = /sso/post
####ckanext.saml2auth.acs_endpoint = https://explore.tad3.org

####### Configuration setting that enables CKAN's internal register/login functionality as well
# Default: False
ckanext.saml2auth.enable_ckan_internal_login = True

# List of email addresses from users that should be created as sysadmins (system administrators)
# Note that this means that CKAN sysadmins will only be managed based on this config option and will override existing user permissions in the CKAN database
# If not set then it is ignored and CKAN sysadmins are managed through normal means
# Default:
ckanext.saml2auth.sysadmins_list = [email protected] [email protected] [email protected]

# Indicates that attributes that are not recognized (they are not configured in attribute-mapping),
# will not be discarded.
# Default: True
ckanext.saml2auth.allow_unknown_attributes = False

# A list of string values that will be used to set the element of the metadata of an entity.
# Default: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
ckanext.saml2auth.sp.name_id_format = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient

# A string value that will be used to set the Format attribute of the element of the metadata of an entity.
# Default:
ckanext.saml2auth.sp.name_id_policy_format = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

# Entity ID (also known as Issuer)
# Define the entity ID. Default is urn:mace:umu.se:saml:ckan:sp
ckanext.saml2auth.entity_id = urn:gov:gsa:SAML:2.0.profiles:sp:sso:gsa:catalog-dev

# Signed responses and assertions
ckanext.saml2auth.want_response_signed = True
ckanext.saml2auth.want_assertions_signed = False
ckanext.saml2auth.want_assertions_or_response_signed = False

# Cert & key files
####ckanext.saml2auth.key_file_path = /path/to/mykey.pem
####ckanext.saml2auth.cert_file_path = /path/to/mycert.pem

# Attribute map directory
####ckanext.saml2auth.attribute_map_dir = /path/to/dir/attributemaps

# Authentication context request before redirect to login
# e.g. to ask for a PIV card with login.gov provider (https://developers.login.gov/oidc/#aal-values) use:
####ckanext.saml2auth.requested_authn_context = http://idmanagement.gov/ns/assurance/aal/3?hspd12=true
ckanext.saml2auth.requested_authn_context = https://dev-33rd3qjmd1757pd7.us.auth0.com/samlp/NMnoJCAIzfeARNrECDxYLRPbkguPnDI3
# it would have something like value: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
# You can use multiple contexts separated by spaces
####ckanext.saml2auth.requested_authn_context = req1 req2

# Define the comparison value for RequestedAuthnContext
# Comparison could be one of these: exact, minimum, maximum or better
ckanext.saml2auth.requested_authn_context_comparison = exact

# Indicates if this entity will sign the Logout Requests originated from it
ckanext.saml2auth.logout_requests_signed = False

# Saml logout request preferred binding settings variable
# Default: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
ckanext.saml2auth.logout_expected_binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

# Default fallback endpoint to redirect to if no RelayState provided in the SAML Response
# Default: user.me (ie /dashboard)
# e.g. to redirect to the home page
####ckanext.saml2auth.default_fallback_endpoint = home.index
ckanext.saml2auth.default_fallback_endpoint = /dataset
```
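The traceback above comes from pysaml2's remote metadata loader, which raises `SourceNotFound` for a `remote` location whenever the HTTP GET of `idp_metadata.remote_url` does not return 200; nothing about the document's content is examined before that. The following is an added example, not code from ckanext-saml2auth, pysaml2 or the issue author: an offline pre-flight check that reproduces that fetch condition, parses what an IdP metadata document actually advertises (entity ID, SSO/SLO bindings, NameID formats, signing certificate), and compares it with the `production.ini` options shown in the post. The metadata document, entity ID, URLs and certificate blob are constructed placeholders, not Auth0 values, and the `fetch` callable stands in for a real HTTP client.

```python
"""Pre-flight check for a remote SAML IdP metadata source (added example).

The sample metadata, entity ID, URLs and certificate blob are constructed
placeholders; `fake_fetch` stands in for an HTTP client so the check runs offline.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of an IdP metadata document (placeholders only).
SAMPLE_IDP_METADATA = b"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="urn:example-idp.test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIB...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.test/samlp/abc/logout"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.test/samlp/abc"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.test/samlp/abc"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


class MetadataCheckError(Exception):
    """Raised when the fetched document cannot serve as IdP metadata."""


def load_idp_metadata(fetch, url):
    """Fetch and parse IdP metadata.

    `fetch(url)` returns (http_status, body_bytes); a deployment would wrap a real
    HTTP client here.  A non-200 status is the condition pysaml2 reports as
    SourceNotFound for a remote source, so it is rejected before any parsing.
    """
    status, body = fetch(url)
    if status != 200:
        raise MetadataCheckError(f"{url} answered HTTP {status}, not metadata")
    try:
        # ElementTree does not resolve external entities, but third-party XML
        # should still go through defusedxml in production code.
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise MetadataCheckError(f"{url} is not well-formed XML: {exc}") from exc
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise MetadataCheckError(f"{url}: root is {root.tag}, not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise MetadataCheckError(f"{url}: no IDPSSODescriptor (SP metadata instead?)")
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": [c.text.strip() for c in certs],
    }


def check_sp_config(idp, sp_config):
    """Compare ckanext-saml2auth options (keys as in production.ini) with the
    parsed IdP metadata and return a list of human-readable mismatches."""
    problems = []
    fmt = sp_config.get("ckanext.saml2auth.sp.name_id_policy_format")
    if fmt and idp["name_id_formats"] and fmt not in idp["name_id_formats"]:
        problems.append(f"NameIDPolicy format {fmt} is not advertised by the IdP")
    binding = sp_config.get("ckanext.saml2auth.logout_expected_binding")
    if binding and idp["slo"] and binding not in idp["slo"]:
        problems.append(f"logout binding {binding} is not offered by the IdP")
    if sp_config.get("ckanext.saml2auth.want_response_signed") == "True" and not idp["signing_certs"]:
        problems.append("signed responses required but the IdP publishes no signing certificate")
    for ctx in sp_config.get("ckanext.saml2auth.requested_authn_context", "").split():
        # An AuthnContextClassRef is a class URI such as
        # urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified, never an endpoint URL.
        if ctx in idp["sso"].values():
            problems.append(f"requested_authn_context {ctx} is the IdP SSO endpoint, not an AuthnContextClassRef")
    return problems


def fake_fetch(url):
    """Stand-in for an HTTP client: serves the sample at one URL, 404 elsewhere."""
    if url == "https://idp.example.test/metadata":
        return 200, SAMPLE_IDP_METADATA
    return 404, b""


def run_demo():
    """Load the sample metadata and check a config shaped like the one in the issue."""
    idp = load_idp_metadata(fake_fetch, "https://idp.example.test/metadata")
    sp_config = {
        "ckanext.saml2auth.sp.name_id_policy_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "ckanext.saml2auth.logout_expected_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ckanext.saml2auth.want_response_signed": "True",
        "ckanext.saml2auth.requested_authn_context": "https://idp.example.test/samlp/abc",
    }
    return idp, check_sp_config(idp, sp_config)


if __name__ == "__main__":
    idp, problems = run_demo()
    print("IdP entityID:", idp["entity_id"])
    for p in problems:
        print("MISMATCH:", p)
```

Run it against a real `remote_url` by replacing `fake_fetch` with a function that performs the GET (with TLS verification left on) and returns `(response.status_code, response.content)`; a non-200 answer, an HTML login page, or SP metadata instead of IdP metadata are each reported before any SAML flow is attempted. The last check in `check_sp_config` flags the pattern in the posted config where `requested_authn_context` is set to the IdP's SSO endpoint URL rather than an AuthnContextClassRef such as the `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified` value the post itself mentions.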