saml2 plugin needs to handle IdP server failure in a more friendly way

Bug #1820285 reported by Colleen Murphy
Affects: keystoneauth | Status: Triaged | Importance: Low | Assigned to: Unassigned | Milestone: none

Bug Description

A common mistake I make when using the saml2 auth plugin is using an auth_url that doesn't match with the urn:oasis:names:tc:SAML:2.0:bindings:PAOS binding provided in the SP metadata to the IdP. For instance, if the metadata used the hostname but I tried to use the IP address, the request fails on the IdP because it can't find a matching binding. This can cause a 500 error, or the server might respond with a 500 error for some other reason.

When keystoneauth encounters this, it gives a strange message about being unable to parse the XML:

Starting new HTTPS connection (1): samltest.id:443
https://samltest.id:443 "POST /idp/profile/SAML2/SOAP/ECP HTTP/1.1" 500 1126
SAML2: Error parsing XML returned from Identity Provider: Opening and ending tag mismatch: link line 8 and head, line 9, column 12 (line 9)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 394, in run_subcommand
    self.prepare_to_run_command(cmd)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 197, in prepare_to_run_command
    return super(OpenStackShell, self).prepare_to_run_command(cmd)
  File "/usr/local/lib/python2.7/dist-packages/osc_lib/shell.py", line 492, in prepare_to_run_command
    self.client_manager.auth_ref
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/clientmanager.py", line 99, in auth_ref
    return super(ClientManager, self).auth_ref
  File "/usr/local/lib/python2.7/dist-packages/osc_lib/clientmanager.py", line 202, in auth_ref
    self._auth_ref = self.auth.get_auth_ref(self.session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/v3/federation.py", line 65, in get_auth_ref
    auth_ref = self.get_unscoped_auth_ref(session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/extras/_saml2/v3/saml2.py", line 241, in get_unscoped_auth_ref
    raise exceptions.AuthorizationFailure(str(e))
AuthorizationFailure: SAML2: Error parsing XML returned from Identity Provider: Opening and ending tag mismatch: link line 8 and head, line 9, column 12 (line 9)

We should fix this to catch the exception and return a normal message about the error state of the server, not an obscure message about XML parsing.
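As an added illustration of the fix the report asks for (example code written for this page, not keystoneauth's own implementation), the helper below checks the HTTP status of the IdP reply before handing the body to the XML parser, so a 500 rendered as an HTML error page surfaces as a server-state error rather than a tag-mismatch message. The exception class, function names and sample responses are constructed for the example.

```python
import xml.etree.ElementTree as ET


class IdPError(Exception):
    """Hypothetical error type for this example: signals a failure reported by
    (or while talking to) the Identity Provider in plain language."""


def parse_ecp_response(status_code, reason, body):
    """Return the parsed root element of an ECP/SOAP reply from the IdP.

    The status check runs first: a non-2xx reply (typically an HTML error
    page) is not a SAML response, so it is reported as a server error instead
    of being fed to the XML parser.
    """
    if not 200 <= status_code < 300:
        raise IdPError(
            "Identity Provider returned HTTP %d %s; check that the auth_url "
            "matches the PAOS binding in the SP metadata" % (status_code, reason))
    try:
        return ET.fromstring(body)
    except ET.ParseError as e:
        # Genuine XML problems in a 2xx reply keep the existing wording.
        raise IdPError(
            "Error parsing XML returned from Identity Provider: %s" % e)


def describe_response(status_code, reason, body):
    """Demo helper: 'ok:<root tag>' on success, 'error:<message>' otherwise."""
    try:
        return "ok:" + parse_ecp_response(status_code, reason, body).tag
    except IdPError as e:
        return "error:" + str(e)


# Constructed sample: the kind of HTML error page a 500 produces; the unclosed
# <link> is what triggers the "tag mismatch" message seen in the report.
HTML_500 = b'<html><head><link rel="stylesheet" href="/x.css"></head>' \
           b'<body>Internal Server Error</body></html>'

# Constructed sample: a minimal successful SOAP envelope.
SOAP_OK = (b'<?xml version="1.0"?>'
           b'<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<S:Body><Response>ok</Response></S:Body></S:Envelope>')

if __name__ == "__main__":
    print(describe_response(500, "Internal Server Error", HTML_500))
    print(describe_response(200, "OK", SOAP_OK))
```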

Colleen Murphy (krinkle)
tags: added: federation
tags: added: low-hanging-fruit
Changed in keystoneauth:
status: New → Triaged
importance: Undecided → Low
veera venkata durga prasad (veera83372) wrote :

I would like to fix it. I am new to OpenStack, but I have worked on Python earlier. So can I pick this one?

Colleen Murphy (krinkle) wrote :

Veera, yes, if this is something that is interesting to you, please go ahead and assign it to yourself.

Also see the OpenStack contributor guide for getting help with the development tooling:

https://docs.openstack.org/contributors/code-and-documentation/index.html

And the keystone project contributor guide:

https://docs.openstack.org/keystone/latest/contributor/

You may be able to address this bug without fully reproducing it in a live environment, but if you do want to try to do that you can check our federation guide:

https://docs.openstack.org/keystone/latest/admin/federation/federated_identity.html

veera venkata durga prasad (veera83372) wrote :

Thanks, Colleen. Will fix this soon.
