New Contributor
Posts: 4
Registered: ‎10-03-2017
Accepted Solution

Error while configuring HUE with SAML

Hi

  I am trying to configure HUE with SAML authentication and am receiving the following error:

 

 [03/Oct/2017 11:13:36 +0000] response DEBUG conditions: <?xml version='1.0' encoding='UTF-8'?>
<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2017-10-03T18:08:35.668Z" NotOnOrAfter="2017-10-03T18:18:35.668Z"><saml:AudienceRestriction><saml:Audience>http://xxxxx.us-east-1.elb.amazonaws.com/saml2/metadata/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
[03/Oct/2017 11:13:36 +0000] response DEBUG --- Getting Identity ---
[03/Oct/2017 11:13:36 +0000] response DEBUG Attribute Statement: <?xml version='1.0' encoding='UTF-8'?>
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:string">svasiraju</saml:AttributeValue></saml:Attribute><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:string">abc@yahoo.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
[03/Oct/2017 11:13:36 +0000] response DEBUG Converts name format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
[03/Oct/2017 11:13:36 +0000] response DEBUG --- AVA: {'uid': ['svasiraju'], 'email': ['abc@yahoo.com']}
[03/Oct/2017 11:13:36 +0000] response INFO Subject NameID: <?xml version='1.0' encoding='UTF-8'?>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">abc@yahoo.com</saml:NameID>
[03/Oct/2017 11:13:36 +0000] client_base INFO --- ADDED person info ----
[03/Oct/2017 11:13:36 +0000] backends ERROR Session info or attribute mapping are None
[03/Oct/2017 11:13:36 +0000] views ERROR The user is None

Here is my configuration in HUE:

 

# Xmlsec1 binary path. This program should be executable by the user running Hue.
xmlsec_binary=/usr/bin/xmlsec1
assertion_consumer_service_uri="http://xxx.us-east-1.elb.amazonaws.com/saml2/acs/"
entity_id="http://xxx.us-east-1.elb.amazonaws.com/saml2/metadata/"
create_users_on_login=true
required_attributes=uid
metadata_file=/opt/hue/desktop/conf/metadata2.xml
key_file=/opt/hue/desktop/conf/mattermost-x509.pem
cert_file=/opt/hue/desktop/conf/cert2.pem
user_attribute_mapping={'uid': ('username', ), 'email': ('email', )},
logout_requests_signed=true
username_source=attributes

TIA

 

New Contributor
Posts: 4
Registered: ‎10-03-2017

Re: Error while configuring HUE with SAML

Surprisingly, commenting out “user_attribute_mapping={'uid': ('username',)}” in the config file (it uses the same thing, which is the default) does the magic. It looks like the following code in libsaml/conf.py is creating the problem.

def dict_list_map(value):
  if isinstance(value, str):
    d = {}
    for k, v in json.loads(value).iteritems():
      d[k] = (v,)
    return d
  elif isinstance(value, dict):
    return value
  return None

USER_ATTRIBUTE_MAPPING = Config(
  key="user_attribute_mapping",
  default={'uid': ('username', )},
  type=dict_list_map,
  help=_t("A mapping from attributes in the response from the IdP to django user attributes."))

Posts: 455
Topics: 1
Kudos: 106
Solutions: 59
Registered: ‎04-22-2014

Re: Error while configuring HUE with SAML

@sudhakarv,

 

I have used the following with success previously:

user_attribute_mapping='{"uid":"username"}'

 

It does appear that the IDP --> Django mapping is not occurring.  Currently we only use map to "username".

 

New Contributor
Posts: 4
Registered: ‎10-03-2017

Re: Error while configuring HUE with SAML

Thank you for your response. It is working with user_attribute_mapping='{"uid":"username"}'. I was following the given example user_attribute_mapping={'uid': ('username', )} which was failing. 

 

Thank you once again.
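
Added example, not part of the thread or of Hue's own code: a Python 3 port of the dict_list_map converter quoted above, run over the mapping values that appear in the thread to show that only the JSON string form is accepted. The names check_mapping, run_samples and SAMPLES are constructed here, and the example assumes the converter receives the configured value as a string with its outer quotes already removed.

```python
import json


def dict_list_map(value):
    """Python 3 port (items() for iteritems()) of the quoted converter."""
    if isinstance(value, str):
        return {k: (v,) for k, v in json.loads(value).items()}
    if isinstance(value, dict):
        return value
    return None


def check_mapping(raw):
    """Return (mapping, error) for one user_attribute_mapping value."""
    try:
        mapping = dict_list_map(raw)
    except (ValueError, AttributeError) as exc:
        # ValueError: the text is not JSON.
        # AttributeError: valid JSON, but not an object with key/value pairs.
        return None, f"{type(exc).__name__}: {exc}"
    if not mapping:
        return None, "mapping is empty or None"
    return mapping, None


# Constructed samples: the three forms of the value quoted in the thread.
SAMPLES = {
    "json_string": '{"uid":"username"}',
    "python_literal": "{'uid': ('username', )}",
    "python_literal_trailing_comma":
        "{'uid': ('username', ), 'email': ('email', )},",
}


def run_samples():
    return {name: check_mapping(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (mapping, error) in run_samples().items():
        print(f"{name:30} -> {mapping if error is None else error}")
```

Running a candidate value through the same check before restarting Hue catches a mapping the converter cannot parse, rather than finding out from a failed SAML login.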
