saml2.mdstore.SourceNotFound[BUG] #88

Open
jktittalom opened this issue May 12, 2023 · 0 comments

Describe the bug
I am trying to use the "SAML2 Authentication" extension in my CKAN 2.9.7 version. It is giving me an error, while this URL works perfectly:

```
File "/usr/lib/ckan/venv/lib/python3.8/site-packages/saml2/mdstore.py", line 873, in load
    raise SourceNotFound(self.url)
saml2.mdstore.SourceNotFound: https://dev-33rd3qjmd1757pd7.us.auth0.com/samlp/NMnoJCAIzfeARNrECDxYLRPbkguPnDI3
```

I am using Auth0 (https://auth0.com/) for SSO; "SAML2 Web App" is part of their free service application addon.
ckanext-saml2auth version affected
v1.1.0

Expected behaviour
It should open SSO (Auth0) login page.

Logs
If applicable, add logs to help explain your problem.

Please find my configuration in production.ini file:

```ini
[app:main]
use = egg:ckan

# Required param for SAML 2 extension SSO login
# Specifies the metadata location type
# Options: local or remote
ckanext.saml2auth.idp_metadata.location = remote

# Path to a local file accessible on the server the service runs on
# Ignore this config if the idp metadata location is set to: remote
####ckanext.saml2auth.idp_metadata.local_path = /opt/metadata/idp.xml
ckanext.saml2auth.idp_metadata.local_path = /opt/metadata/dev-33rd3qjmd1757pd7_us_auth0_com-metadata.xml

# A remote URL serving aggregate metadata
# Ignore this config if the idp metadata location is set to: local
# ckanext.saml2auth.idp_metadata.remote_url = https://kalmar2.org/simplesaml[...]
ckanext.saml2auth.idp_metadata.remote_url = https://dev-33rd3qjmd1757pd7.us.auth0.com/samlp/NMnoJCAIzfeARNrECDxYLRPbkguPnDI3

# Path to a local file accessible on the server the service runs on
# Ignore this config if the idp metadata location is set
# to local and metadata is public
ckanext.saml2auth.idp_metadata.remote_cert = /opt/metadata/dev-33rd3qjmd1757pd7.crt

# Corresponding SAML user field for firstname
ckanext.saml2auth.user_firstname = firstname
# Corresponding SAML user field for lastname
ckanext.saml2auth.user_lastname = lastname
# Corresponding SAML user field for fullname
# (Optional: Can be used as an alternative to firstname + lastname)
ckanext.saml2auth.user_fullname = fullname
# Corresponding SAML user field for email
ckanext.saml2auth.user_email = email

###----- In bottom/last of the file ------

# Optional Param for SAML2
# URL route of the endpoint where the SAML assertion is sent, also known as Assertion Consumer Service (ACS).
# Default: /acs
ckanext.saml2auth.acs_endpoint = /sso/post
####ckanext.saml2auth.acs_endpoint = https://explore.tad3.org

####### Configuration setting that enables CKAN's internal register/login functionality as well
# Default: False
ckanext.saml2auth.enable_ckan_internal_login = True

# List of email addresses from users that should be created as sysadmins (system administrators)
# Note that this means that CKAN sysadmins will only be managed based on this config option and will override existing user permissions in the CKAN database
# If not set then it is ignored and CKAN sysadmins are managed through normal means
# Default:
ckanext.saml2auth.sysadmins_list = mail@domain.com mail2@domain.com jktittalom@gmail.com

# Indicates that attributes that are not recognized (they are not configured in attribute-mapping),
# will not be discarded.
# Default: True
ckanext.saml2auth.allow_unknown_attributes = False

# A list of string values that will be used to set the <NameIDFormat> element of the metadata of an entity.
# Default: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
ckanext.saml2auth.sp.name_id_format = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient

# A string value that will be used to set the Format attribute of the <NameIDPolicy> element of the metadata of an entity.
# Default:
ckanext.saml2auth.sp.name_id_policy_format = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

# Entity ID (also known as Issuer)
# Define the entity ID. Default is urn:mace:umu.se:saml:ckan:sp
ckanext.saml2auth.entity_id = urn:gov:gsa:SAML:2.0.profiles:sp:sso:gsa:catalog-dev

# Signed responses and assertions
ckanext.saml2auth.want_response_signed = True
ckanext.saml2auth.want_assertions_signed = False
ckanext.saml2auth.want_assertions_or_response_signed = False

# Cert & key files
####ckanext.saml2auth.key_file_path = /path/to/mykey.pem
####ckanext.saml2auth.cert_file_path = /path/to/mycert.pem

# Attribute map directory
####ckanext.saml2auth.attribute_map_dir = /path/to/dir/attributemaps

# Authentication context request before redirect to login
# e.g. to ask for a PIV card with login.gov provider (https://developers.login.gov/oidc/#aal-values) use:
####ckanext.saml2auth.requested_authn_context = http://idmanagement.gov/ns/assurance/aal/3?hspd12=true
ckanext.saml2auth.requested_authn_context = https://dev-33rd3qjmd1757pd7.us.auth0.com/samlp/NMnoJCAIzfeARNrECDxYLRPbkguPnDI3
# it would have something like value: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
# You can use multiple contexts separated by spaces
####ckanext.saml2auth.requested_authn_context = req1 req2

# Define the comparison value for RequestedAuthnContext
# Comparison could be one of these: exact, minimum, maximum or better
ckanext.saml2auth.requested_authn_context_comparison = exact

# Indicates if this entity will sign the Logout Requests originated from it
ckanext.saml2auth.logout_requests_signed = False

# Saml logout request preferred binding settings variable
# Default: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
ckanext.saml2auth.logout_expected_binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

# Default fallback endpoint to redirect to if no RelayState provided in the SAML Response
# Default: user.me (ie /dashboard)
# e.g. to redirect to the home page
####ckanext.saml2auth.default_fallback_endpoint = home.index
ckanext.saml2auth.default_fallback_endpoint = /dataset
```
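The traceback above is pysaml2 failing to load the document configured as `ckanext.saml2auth.idp_metadata.remote_url`, which must serve SAML IdP metadata (an `md:EntityDescriptor`). The following pre-flight check is an added example, not code from ckanext-saml2auth, pysaml2 or the reporter: it validates a fetched response the way an SP's metadata store needs it, so that a URL which "opens fine in a browser" but returns a login page or a non-200 status is rejected with a reason. Both sample documents are constructed.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def check_idp_metadata(status_code: int, body: bytes) -> dict:
    """Validate a fetched metadata response the way an SP's metadata store
    needs it; raise ValueError with the reason when it is unusable."""
    if status_code != 200:
        raise ValueError(f"metadata fetch returned HTTP {status_code}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"response is not well-formed XML: {exc}") from None
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, not md:EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    return {
        "entity_id": root.get("entityID"),
        "sso_bindings": [e.get("Binding")
                         for e in idp.findall(f"{{{MD_NS}}}SingleSignOnService")],
        "signing_certs": len(idp.findall(f".//{{{DS_NS}}}X509Certificate")),
    }


# Constructed sample of a minimal IdP metadata document (not a real IdP).
GOOD_METADATA = b"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of a login page: opens fine in a browser, but is not metadata.
LOGIN_PAGE = b"<!DOCTYPE html><html><body><form>Log in to continue</form></body></html>"

if __name__ == "__main__":
    print(check_idp_metadata(200, GOOD_METADATA))
    for status, body in [(404, GOOD_METADATA), (200, LOGIN_PAGE)]:
        try:
            check_idp_metadata(status, body)
        except ValueError as err:
            print("rejected:", err)
```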
