saml2 plugin needs to handle IdP server failure in a more friendly way

Bug #1820285 reported by Colleen Murphy on 2019-03-15
Affects: keystoneauth
Importance: Low
Assigned to: Unassigned

Bug Description

A common mistake I make when using the saml2 auth plugin is using an auth_url that doesn't match with the urn:oasis:names:tc:SAML:2.0:bindings:PAOS binding provided in the SP metadata to the IdP. For instance, if the metadata used the hostname but I tried to use the IP address, the request fails on the IdP because it can't find a matching binding. This can cause a 500 error, or the server might respond with a 500 error for some other reason.

When keystoneauth encounters this, it gives a strange message about being unable to parse the XML:

Starting new HTTPS connection (1): samltest.id:443
https://samltest.id:443 "POST /idp/profile/SAML2/SOAP/ECP HTTP/1.1" 500 1126
SAML2: Error parsing XML returned from Identity Provider: Opening and ending tag mismatch: link line 8 and head, line 9, column 12 (line 9)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 394, in run_subcommand
    self.prepare_to_run_command(cmd)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 197, in prepare_to_run_command
    return super(OpenStackShell, self).prepare_to_run_command(cmd)
  File "/usr/local/lib/python2.7/dist-packages/osc_lib/shell.py", line 492, in prepare_to_run_command
    self.client_manager.auth_ref
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/clientmanager.py", line 99, in auth_ref
    return super(ClientManager, self).auth_ref
  File "/usr/local/lib/python2.7/dist-packages/osc_lib/clientmanager.py", line 202, in auth_ref
    self._auth_ref = self.auth.get_auth_ref(self.session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/v3/federation.py", line 65, in get_auth_ref
    auth_ref = self.get_unscoped_auth_ref(session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/extras/_saml2/v3/saml2.py", line 241, in get_unscoped_auth_ref
    raise exceptions.AuthorizationFailure(str(e))
AuthorizationFailure: SAML2: Error parsing XML returned from Identity Provider: Opening and ending tag mismatch: link line 8 and head, line 9, column 12 (line 9)

We should fix this to catch the exception and return a normal message about the error state of the server, not an obscure message about XML parsing.
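An added example, not keystoneauth's own code, of the check the report asks for: look at the IdP's HTTP status (and reply type) before handing the body to the XML parser, so a server error yields a message about the server instead of a tag-mismatch parse error. The Response stand-in and both sample replies are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}Envelope"
# Constructed stand-in for the requests.Response a keystoneauth session returns.
Response = namedtuple("Response", "status_code text headers")


class IdPAuthorizationFailure(Exception):
    """Raised when the IdP reply cannot be used for ECP authentication."""


def parse_ecp_response(resp):
    """Return the parsed SOAP envelope, or raise IdPAuthorizationFailure
    with a message that names the real problem instead of a parser error."""
    # Check the status first: an IdP error page is HTML, and feeding it to
    # the XML parser is what produced the "tag mismatch" message in the report.
    if resp.status_code >= 400:
        raise IdPAuthorizationFailure(
            "SAML2: Identity Provider returned HTTP %d instead of an ECP "
            "response; check that auth_url matches the PAOS binding in the "
            "SP metadata registered with the IdP" % resp.status_code)
    ctype = resp.headers.get("Content-Type", "")
    if ctype and "xml" not in ctype.lower():
        raise IdPAuthorizationFailure(
            "SAML2: Identity Provider answered with %s, not XML" % ctype)
    try:
        root = ET.fromstring(resp.text)
    except ET.ParseError as exc:
        raise IdPAuthorizationFailure(
            "SAML2: Error parsing XML returned from Identity Provider: %s" % exc)
    if root.tag != SOAP_ENV:
        raise IdPAuthorizationFailure(
            "SAML2: expected a SOAP Envelope, got %s" % root.tag)
    return root


def explain_failure(resp):
    """Return the user-facing message for a bad reply, or None if it parsed."""
    try:
        parse_ecp_response(resp)
    except IdPAuthorizationFailure as exc:
        return str(exc)
    return None


# Constructed samples: an HTML error page with an unclosed <link>, and a
# minimal SOAP envelope of the kind an ECP exchange returns on success.
IDP_ERROR_PAGE = Response(500, '<html><head><link href="e.css"></head>'
                          '<body>Error</body></html>', {"Content-Type": "text/html"})
IDP_ECP_OK = Response(200, '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/'
                      'envelope/"><s:Body/></s:Envelope>', {"Content-Type": "text/xml"})
```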

Colleen Murphy (krinkle) on 2019-03-15
tags: added: federation
tags: added: low-hanging-fruit
Changed in keystoneauth:
status: New → Triaged
importance: Undecided → Low