11-19-2018 01:16 AM
Hi, does anybody have a similar experience with python errors when using HUE with SAML?
My error after switching to saml authentication is :
[root@ip-10-85-150-28 env]# pwd
/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env
./bin/pip list
pysaml2 (4.4.0)
-> HUE ERROR log:
[07/Nov/2018 00:19:47 -0800] access INFO 10.85.239.102 -anon- - "POST / HTTP/1.1" -- login redirection
[07/Nov/2018 00:19:47 -0800] access INFO 10.85.239.102 -anon- - "POST / HTTP/1.1" returned in 0ms
[07/Nov/2018 00:19:47 -0800] client INFO destination to provider: https://10.85.150.28:8888
[07/Nov/2018 00:19:47 -0800] entity INFO REQUEST: <?xml version='1.0' encoding='UTF-8'?> <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://10.85.150.28:8888/saml2/acs/" Destination="https://10.85.150.28:8888" ID="id-nLFNl6R57kIYXjA0m" IssueInstant="2018-11-07T08:19:47Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://10.85.150.28:8888/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>
[07/Nov/2018 00:19:47 -0800] client INFO AuthNReq: <?xml version='1.0' encoding='UTF-8'?> <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://10.85.150.28:8888/saml2/acs/" Destination="https://10.85.150.28:8888" ID="id-nLFNl6R57kIYXjA0m" IssueInstant="2018-11-07T08:19:47Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://10.85.150.28:8888/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>
[07/Nov/2018 00:19:47 -0800] entity INFO HTTP REDIRECT
[07/Nov/2018 00:19:47 -0800] middleware INFO Processing exception: 'NoneType' object has no attribute 'get_signer': Traceback (most recent call last):
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/core/handlers/base.py", line 112, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/db/transaction.py", line 371, in inner
    return func(*args, **kwargs)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/djangosaml2-0.16.4-py2.7.egg/djangosaml2/views.py", line 175, in login
    binding=binding, sign=False, sigalg=sigalg)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/client.py", line 76, in prepare_for_authenticate
    **kwargs)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/client.py", line 129, in prepare_for_negotiated_authenticate
    relay_state, **args)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/entity.py", line 231, in apply_binding
    signer = self.sec.sec_backend.get_signer(kwargs['sigalg'])
AttributeError: 'NoneType' object has no attribute 'get_signer'
I tried to upgrade pysaml, but it broke the whole setup.
Followed the recommendation from the docs and installed additional packages (running on CentOS 7.5):
install git gcc python-devel swig openssl
sudo vi /usr/java/jdk1.8.0_191-amd64/jre/lib/security/java.security
  /jdk.certpath.disabledAlgorithms=MD2, MD5, RC4, DH, SHA1 jdkCA & usage TLSServer,..../
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-6.noarch.rpm
rpm -ivh epel-release-7-6.noarch.rpm
yum install xmlsec1 xmlsec1-openssl
Thanks
11-19-2018 09:32 AM
Can you clarify what steps you took and what your Hue configuration looks like when you receive the exception?
What documentation steps did you follow that mentioned you should upgrade your pysaml2 package?
What brand of IDP are you using?
At quick glance, it appears that your SAML response is using HTTP_REDIRECT binding and there is some problem parsing it perhaps. We see the request uses HTTP_POST for ProtocolBinding. Let's see if we can view the SAML response in the Hue log by enabling DEBUG. This may give us some clues.
11-20-2018 02:48 AM
Hi @bgooley,
I have installed the HUE service via CM, then in advance I prepared the following:
- installed xmlsec1 and xmlsec1-openssl packages on Centos 7.5
- exported the certificate for SAML signing (Azure AD SSO) in base64 format
- created the idp.xml file - /tmp/idp.xml
- stored the certificate in base64 format as a pem file, /tmp/idp.pem
Set on the IDP the URL for login (https://<hue-fqdn>:8888)
Set on advanced properties the following:
[[auth]]
backend=libsaml.backend.SAML2Backend
[libsaml]
xmlsec_binary=/usr/bin/xmlsec1
metadata_file=/tmp/idp.xml
cert_file=/tmp/idp.pem
Restarted the HUE service.
Then I try to initiate the login process and get this:
[20/Nov/2018 02:36:31 -0800] middleware INFO Redirecting to login page: /
[20/Nov/2018 02:36:31 -0800] access INFO 10.85.239.134 -anon- - "POST / HTTP/1.1" -- login redirection
[20/Nov/2018 02:36:31 -0800] access INFO 10.85.239.134 -anon- - "POST / HTTP/1.1" returned in 0ms
[20/Nov/2018 02:36:32 -0800] client INFO destination to provider: https://login.microsoftonline.com/<AZURE_CLIENT_ID>/saml2
[20/Nov/2018 02:36:32 -0800] entity INFO REQUEST: <?xml version='1.0' encoding='UTF-8'?> <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://<HUE_HOST>:8888/saml2/acs/" Destination="https://login.microsoftonline.com/<AZURE_CLIENT_ID>/saml2" ID="xxxxxxxxxxxxxxxx" IssueInstant="2018-11-20T10:36:32Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://<HUE_HOST>:8888/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>
[20/Nov/2018 02:36:32 -0800] client INFO AuthNReq: <?xml version='1.0' encoding='UTF-8'?> <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://<HUE_HOST>:8888/saml2/acs/" Destination="https://login.microsoftonline.com/<AZURE_CLIENT_ID>/saml2" ID="xxxxxxxxxxxxxxxx" IssueInstant="2018-11-20T10:36:32Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://<HUE_HOST>:8888/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>
[20/Nov/2018 02:36:32 -0800] entity INFO HTTP REDIRECT
[20/Nov/2018 02:36:32 -0800] middleware INFO Processing exception: 'NoneType' object has no attribute 'get_signer': Traceback (most recent call last):
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/core/handlers/base.py", line 112, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/db/transaction.py", line 371, in inner
    return func(*args, **kwargs)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/djangosaml2-0.16.4-py2.7.egg/djangosaml2/views.py", line 175, in login
    binding=binding, sign=False, sigalg=sigalg)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/client.py", line 76, in prepare_for_authenticate
    **kwargs)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/client.py", line 129, in prepare_for_negotiated_authenticate
    relay_state, **args)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/entity.py", line 231, in apply_binding
    signer = self.sec.sec_backend.get_signer(kwargs['sigalg'])
AttributeError: 'NoneType' object has no attribute 'get_signer'
Please let me know how to set the HUE logs to DEBUG level; I have not found any setting in CM for this, nor any advanced snippet.
Thanks
11-20-2018 03:47 AM
I have set it to debug level, but there was no more information in the log.
But then I changed the Reply URL (Assertion Consumer Service URL) to
https://<HUE_HOST>:8888/saml2/acs
and the log indicates a missing key:
[20/Nov/2018 03:38:14 -0800] response DEBUG response: <?xml version='1.0' encoding='UTF-8'?> <samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="<HUE_HOST>:8888/saml2/acs/" .....
[20/Nov/2018 03:38:14 -0800] entity DEBUG XMLSTR: <samlp:Response ID="_826d97f2-9226-4d27-b550-f4e53829ac75" Version="2.0" IssueInstant="2018-11-20T11:38:13.783Z" Destination="<HUE_HOST>:8888/saml2/acs/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">....
[20/Nov/2018 03:38:14 -0800] response INFO status: <?xml version='1.0' encoding='UTF-8'?> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
[20/Nov/2018 03:38:14 -0800] response DEBUG ***Unencrypted assertion***
[20/Nov/2018 03:38:14 -0800] response DEBUG signed
[20/Nov/2018 03:38:14 -0800] sigver DEBUG ==== Certs from metadata ==== None: [] ====
[20/Nov/2018 03:38:14 -0800] response ERROR correctly_signed_response: None
[20/Nov/2018 03:38:14 -0800] client_base ERROR XML parse error: None
[20/Nov/2018 03:38:14 -0800] views ERROR SAML Identity Provider is not configured correctly: certificate key is missing!
Traceback (most recent call last): File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/djangosaml2-0.16.4-py2.7.egg/djangosaml2/views.py", line 254, in assertion_consumer_service response = client.parse_authn_request_response(xmlstr, BINDING_HTTP_POST, outstanding_queries) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/client_base.py", line 597, in parse_authn_request_response binding, **kwargs) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/entity.py", line 1172, in _parse_response response = response.verify(keys) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/response.py", line 1017, in verify if self.parse_assertion(keys): File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/response.py", line 929, in parse_assertion if not self._assertion(assertion, False): File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/response.py", line 787, in _assertion self.xmlstr) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/sigver.py", line 1674, in check_signature id_attr=id_attr, must=must, issuer=issuer) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/sigver.py", line 1614, in _check_signature raise MissingKey("%s" % issuer) MissingKey: None [20/Nov/2018 03:38:14 -0800] middleware INFO Processing exception: : Traceback (most recent call last): File 
"/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/core/handlers/base.py", line 112, in get_response response = wrapped_callback(request, *callback_args, **callback_kwargs) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/db/transaction.py", line 371, in inner return func(*args, **kwargs) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/views/decorators/http.py", line 41, in inner return func(request, *args, **kwargs) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/views/decorators/csrf.py", line 57, in wrapped_view return view_func(*args, **kwargs) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/djangosaml2-0.16.4-py2.7.egg/djangosaml2/views.py", line 272, in assertion_consumer_service return fail_acs_response(request) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/djangosaml2-0.16.4-py2.7.egg/djangosaml2/utils.py", line 85, in fail_acs_response return failure_function(request, *args, **kwargs) File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/djangosaml2-0.16.4-py2.7.egg/djangosaml2/acs_failures.py", line 22, in exception_failure raise exc_class PermissionDenied
But for Azure AD there is no option to download a key.
11-20-2018 08:51 AM
It appears that you manually truncated the XML response, so we cannot see the key information that helps us understand why the failure is occurring.
Based on the code path, the SAML response is returned and there is an attempt to parse it so that the response can be validated and the needed information extracted.
Along those steps, there is a check to see if the assertion is signed. If it is signed (which Azure SSO should be based on the documentation) then a check is done to verify the signature.
That is failing, as it appears either your IDP metadata or the response does not include a valid signature. I suggest looking at the IDP metadata and the response assertion to help understand what might be causing the problem.
11-20-2018 08:58 AM
11-20-2018 09:34 AM
@bgooley I think using the IDP metadata file from AAD helped a bit. It still fails, but I see more information there about the signed-in person; I just redacted the keys, certificates, name of the user, AD login name, etc.
[20/Nov/2018 09:24:35 -0800] response DEBUG response: <?xml version='1.0' encoding='UTF-8'?> <samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://hue.redacted.fqd:8888/saml2/acs/" ID="_578d4cb5-1494-4087-9835-3755369d1c7d" IssueInstant="2018-11-20T17:24:34.576Z" Version="2.0"><saml:Issuer>https://sts.windows.net/f0ba4e-redacted-client-id-4kha/</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><saml:Assertion ID="_c1e08c03-ccf6-4f32-9a96-5e00cc4233e4" IssueInstant="2018-11-20T17:24:34.576Z" Version="2.0"><saml:Issuer>https://sts.windows.net/f0ba4e-redacted-client-id-4kha/</saml:Issuer><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_c1e08c03-ccf6-4f32-9a96-5e00cc4233e4"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" 
/><ds:DigestValue>sWH/9QDUVYTke2KTf8jB9xPYy+z9vGkUf1kpq2NUxik=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>XXXXXRDInP1nr78HQlVbgemS5sZrebvd7BH/ERb1aFhIV1Z9ZucIUjf1evoQY9LNM/V8UBzKc7lp748TGSuAZlGwlAbrvfwUDYHONUbZ3h2j3DVMb2LBjeDTyo3e8qU/4rtyvv3QapChKuECTyizF6OHJClgYKrCyzOkPb9jHsGDFNHnQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate><REDACTED>wMc7dfqQmlUnRbxRmBiPmyXJD6BAGphj9R/LdWC3OsNfehDnpPSsJ8+jHO3MeSMR2qTkBpeFp4naYv2lLfRgUV/0Tt4ncVPyCwTf6yoTmAHsbvzDf2jSFr6YtsnVU4VY1RswIvt9jUXjd4wcOyK/Mjs8Lfcub1oWL8jeujuSq0DJPxJiCWGWs4HSPtAoKIYnPTg9ysYHyWu/91DCTP7cnfQw37Lu+7X7nm6XO1xWmpSVhGqc2tT8PL</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">REDACTED-MY-USER-NAME</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2018-11-20T17:29:34.576Z" Recipient="https://hue.redacted.fqd:8888/saml2/acs/" /></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2018-11-20T17:19:34.576Z" NotOnOrAfter="2018-11-20T18:19:34.576Z"><saml:AudienceRestriction><saml:Audience>hue-dev</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2018-11-07T07:43:32.657Z" SessionIndex="_c1e08c03-ccf6-4f32-9a96-5e00cc4233e4"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">f0ba4e-redacted-client-id-4kha</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">abd66e79-6e17-43fc-9a51-9eed558cd902</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">RedactedFirstName RedactedLastName</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">https://sts.windows.net/f0ba4e-redacted-client-id-4kha/</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">RedactedFirstName</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">RedactedLastName</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xsi:type="xs:string">REDACTED-MY-USER-NAME</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">REDACTED-MY-USER-NAME</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response> [20/Nov/2018 09:24:35 -0800] entity DEBUG XMLSTR: <samlp:Response ID="_578d4cb5-1494-4087-9835-3755369d1c7d" Version="2.0" IssueInstant="2018-11-20T17:24:34.576Z" Destination="https://hue.redacted.fqd:8888/saml2/acs/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/f0ba4e-redacted-client-id-4kha/</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_c1e08c03-ccf6-4f32-9a96-5e00cc4233e4" IssueInstant="2018-11-20T17:24:34.576Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://sts.windows.net/f0ba4e-redacted-client-id-4kha/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_c1e08c03-ccf6-4f32-9a96-5e00cc4233e4"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>sWH/9QDUVYTke2KTf8jB9xPYy+z9vGkUf1kpq2NUxik=</DigestValue></Reference></SignedInfo><SignatureValue>XXXXXRDInP1nr78HQlVbgemS5sZrebvd7BH/ERb1aFhIV1Z9ZucIUjf1evoQY9LNM/V8UBzKc7lp748TGSuAZlGwlAbrvfwUDYHONUbZ3h2j3DVMb2LBjeDTyo3e8qU/4rtyvv3QapChKuECTyizF6OHJClgYKrCyzOkPb9jHsGDFNHnQ==</SignatureValue><KeyInfo><X509Data><X509Certificate><REDACTED>wMc7dfqQmlUnRbxRmBiPmyXJD6BAGphj9R/LdWC3OsNfehDnpPSsJ8+jHO3MeSMR2qTkBpeFp4naYv2lLfRgUV/0Tt4ncVPyCwTf6yoTmAHsbvzDf2jSFr6YtsnVU4VY1RswIvt9jUXjd4wcOyK/Mjs8Lfcub1oWL8jeujuSq0DJPxJiCWGWs4HSPtAoKIYnPTg9ysYHyWu/91DCTP7cnfQw37Lu+7X7nm6XO1xWmpSVhGqc2tT8PL</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">REDACTED-MY-USER-NAME</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData NotOnOrAfter="2018-11-20T17:29:34.576Z" Recipient="https://hue.redacted.fqd:8888/saml2/acs/"/></SubjectConfirmation></Subject><Conditions NotBefore="2018-11-20T17:19:34.576Z" NotOnOrAfter="2018-11-20T18:19:34.576Z"><AudienceRestriction><Audience>hue-dev</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>f0ba4e-redacted-client-id-4kha</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>abd66e79-6e17-43fc-9a51-9eed558cd902</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>RedactedFirstName RedactedLastName</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/f0ba4e-redacted-client-id-4kha/</AttributeValue></Attribute><Attribute 
Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>RedactedFirstName</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>RedactedLastName</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>REDACTED-MY-USER-NAME</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>REDACTED-MY-USER-NAME</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2018-11-07T07:43:32.657Z" SessionIndex="_c1e08c03-ccf6-4f32-9a96-5e00cc4233e4"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response> [20/Nov/2018 09:24:35 -0800] response INFO status: <?xml version='1.0' encoding='UTF-8'?> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status> [20/Nov/2018 09:24:35 -0800] response DEBUG ***Unencrypted assertion*** [20/Nov/2018 09:24:35 -0800] response DEBUG signed [20/Nov/2018 09:24:35 -0800] sigver DEBUG ==== Certs from metadata ==== None: [(<open file '<fdopen>', mode 'w+b' at 0x7f6f5805a0c0>, '/tmp/tmpJ4XqjT.pem')] ==== [20/Nov/2018 09:24:35 -0800] sigver DEBUG xmlsec command: /usr/bin/xmlsec1 --verify --pubkey-cert-pem /tmp/tmpJ4XqjT.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --store-signatures --node-id _c1e08c03-ccf6-4f32-9a96-5e00cc4233e4 --output /tmp/tmpdOFzb_.xml /tmp/tmprHzcov.xml [20/Nov/2018 09:24:35 -0800] response DEBUG assertion context: AuthnReq [20/Nov/2018 09:24:35 -0800] response 
DEBUG assertion keys: ['authn_statement', 'attribute_statement', 'subject', 'issue_instant', 'version', 'signature', 'conditions', 'id', 'issuer'] [20/Nov/2018 09:24:35 -0800] response DEBUG outstanding_queries: {} [20/Nov/2018 09:24:35 -0800] response DEBUG conditions: <?xml version='1.0' encoding='UTF-8'?> <saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2018-11-20T17:19:34.576Z" NotOnOrAfter="2018-11-20T18:19:34.576Z"><saml:AudienceRestriction><saml:Audience>hue-dev</saml:Audience></saml:AudienceRestriction></saml:Conditions> [20/Nov/2018 09:24:35 -0800] response DEBUG --- Getting Identity --- [20/Nov/2018 09:24:35 -0800] response INFO Subject NameID: <?xml version='1.0' encoding='UTF-8'?> <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">REDACTED-MY-USER-NAME</saml:NameID> [20/Nov/2018 09:24:35 -0800] response DEBUG Attribute Statement: <?xml version='1.0' encoding='UTF-8'?> <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">f0ba4e-redacted-client-id-4kha</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">abd66e79-6e17-43fc-9a51-9eed558cd902</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">RedactedFirstName 
RedactedLastName</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">https://sts.windows.net/f0ba4e-redacted-client-id-4kha/</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">RedactedFirstName</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">RedactedLastName</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">REDACTED-MY-USER-NAME</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">REDACTED-MY-USER-NAME</saml:AttributeValue></saml:Attribute></saml:AttributeStatement> [20/Nov/2018 09:24:35 -0800] attribute_converter INFO Unknown attribute name: 
<?xml version='1.0' encoding='UTF-8'?> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="http://schemas.microsoft.com/identity/claims/tenantid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">f0ba4e-redacted-client-id-4kha</saml:AttributeValue></saml:Attribute>
[20/Nov/2018 09:24:35 -0800] attribute_converter INFO Unknown attribute name: <?xml version='1.0' encoding='UTF-8'?> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="http://schemas.microsoft.com/identity/claims/objectidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">abd66e79-6e17-43fc-9a51-9eed558cd902</saml:AttributeValue></saml:Attribute>
[20/Nov/2018 09:24:35 -0800] attribute_converter INFO Unknown attribute name: <?xml version='1.0' encoding='UTF-8'?> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="http://schemas.microsoft.com/identity/claims/displayname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">RedactedFirstName RedactedLastName</saml:AttributeValue></saml:Attribute>
[20/Nov/2018 09:24:35 -0800] attribute_converter INFO Unknown attribute name: <?xml version='1.0' encoding='UTF-8'?> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="http://schemas.microsoft.com/identity/claims/identityprovider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">https://sts.windows.net/f0ba4e-redacted-client-id-4kha/</saml:AttributeValue></saml:Attribute>
[20/Nov/2018 09:24:35 -0800] attribute_converter INFO Unknown attribute name: <?xml version='1.0' encoding='UTF-8'?> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="http://schemas.microsoft.com/claims/authnmethodsreferences" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</saml:AttributeValue></saml:Attribute>
[20/Nov/2018 09:24:35 -0800] attribute_converter INFO Unknown attribute name: <?xml version='1.0' encoding='UTF-8'?> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">RedactedFirstName</saml:AttributeValue></saml:Attribute>
[20/Nov/2018 09:24:35 -0800] attribute_converter INFO Unknown attribute name: <?xml version='1.0' encoding='UTF-8'?> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">RedactedLastName</saml:AttributeValue></saml:Attribute>
[20/Nov/2018 09:24:35 -0800] attribute_converter INFO Unknown attribute name: <?xml version='1.0' encoding='UTF-8'?> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">REDACTED-MY-USER-NAME</saml:AttributeValue></saml:Attribute>
[20/Nov/2018 09:24:35 -0800] attribute_converter INFO Unknown attribute name: <?xml version='1.0' encoding='UTF-8'?> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">REDACTED-MY-USER-NAME</saml:AttributeValue></saml:Attribute>
[20/Nov/2018 09:24:35 -0800] response ERROR Missing Attribute Statement
[20/Nov/2018 09:24:35 -0800] response DEBUG --- AVA: {}
[20/Nov/2018 09:24:35 -0800] client_base INFO --- ADDED person info ----
[20/Nov/2018 09:24:35 -0800] backends ERROR The attributes dictionary is empty
[20/Nov/2018 09:24:35 -0800] backends ERROR Could not find saml_user value
[20/Nov/2018 09:24:35 -0800] views WARNING Could not authenticate user received in SAML Assertion. Session info: {'authn_info': [('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', [], '2018-11-07T07:43:32.657Z')], 'name_id': <saml2.saml.NameID object at 0x7f6f1a93c690>, 'not_on_or_after': 1542737974, 'session_index': '_c1e08c03-ccf6-4f32-9a96-5e00cc4233e4', 'came_from': None, 'ava': {}, 'issuer': 'https://sts.windows.net/f0ba4e-redacted-client-id-4kha/'}
[20/Nov/2018 09:24:35 -0800] middleware INFO Processing exception: : Traceback (most recent call last):
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/core/handlers/base.py", line 112, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/db/transaction.py", line 371, in inner
    return func(*args, **kwargs)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/views/decorators/http.py", line 41, in inner
    return func(request, *args, **kwargs)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/views/decorators/csrf.py", line 57, in wrapped_view
    return view_func(*args, **kwargs)
  File "/opt/cloudera/parcels/CDH-5.15.1-1.cdh5.15.1.p0.4/lib/hue/build/env/lib/python2.7/site-packages/djangosaml2-0.16.4-py2.7.egg/djangosaml2/views.py", line 296, in assertion_consumer_service
    raise PermissionDenied
PermissionDenied
[20/Nov/2018 09:24:35 -0800] access WARNING 10.85.239.134 -anon- - "POST /saml2/acs/ HTTP/1.1" -- 403 access forbidden
11-20-2018 10:01 AM
That sounds a bit sketchy. IdPs need to provide their metadata in order for the Service Provider to be configured properly. Having to create your own metadata is error-prone and too much to ask.
This page seems to imply that there is a link that you can use to download the metadata for your entity:
https://developers.exlibrisgroup.com/blog/SAML-with-Azure
I think you should see it in your Azure Portal Single Sign on for your app. I think it might be called SAML XML Metadata.
11-20-2018 10:03 AM
11-20-2018 10:31 AM
Sorry about that; I started writing a response and got pulled away, so I didn't see that you had already moved on!
Great job; now we are at a point where Hue can parse the response and is happy with it. The problem now is that it cannot map a user from the response data to a Hue user.
We see:
[20/Nov/2018 09:24:35 -0800] response ERROR Missing Attribute Statement
[20/Nov/2018 09:24:35 -0800] response DEBUG --- AVA: {}
[20/Nov/2018 09:24:35 -0800] client_base INFO --- ADDED person info ----
[20/Nov/2018 09:24:35 -0800] backends ERROR The attributes dictionary is empty
[20/Nov/2018 09:24:35 -0800] backends ERROR Could not find saml_user value
[20/Nov/2018 09:24:35 -0800] views WARNING Could not authenticate user received in SAML Assertion. Session info: {'authn_info': [('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', [], '2018-11-07T07:43:32.657Z')], 'name_id': <saml2.saml.NameID object at 0x7f6f1a93c690>, 'not_on_or_after': 1542737974, 'session_index': '_c1e08c03-ccf6-4f32-9a96-5e00cc4233e4', 'came_from': None, 'ava': {}, 'issuer': 'https://sts.windows.net/f0ba4e-redacted-client-id-4kha/'}
By default, Hue will use the following configuration for [libsaml]:
username_source=attributes
user_attribute_mapping={'uid': ('username', )}
The problem is that you do not have any SAML attribute "uid" in your SAML response so nothing is found to map to the Hue "username".
Another problem is that if you were trying to use attributes (not SAML response nameid) for the Hue username, then the user_attribute_mapping is not correct by default.
The following is the format I use with success:
user_attribute_mapping='{"uid":"username"}'
Since you do not use "uid" in your response, what attribute do you want to use or do you want to use nameId? If you use NameId, that will map to an email address format in Hue which may not be compatible with other hadoop configuration. The best thing to do is decide what attribute will have a "logon" user name in Azure SSO and make sure that is included in the response.
For testing, though, you can just test to see if this works with NameId by adding this to your [libsaml] section in your Hue safety valve:
username_source=nameid
name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
Restart Hue after that. I am going based on this in your response XML:
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">REDACTED-MY-USER-NAME</saml:NameID>
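The username mapping the reply above describes, as an added example that is not part of the original thread and not Hue's or pysaml2's own code: a small, self-contained model of how the Service Provider turns the assertion's AttributeStatement into the attribute-value dict (the "AVA" in the log) and then picks a username under the two [libsaml] modes, username_source=attributes (with user_attribute_mapping) and username_source=nameid (with name_id_format). The assertion below is constructed, using the Azure AD claim URIs and the emailAddress NameID format seen in the thread; KNOWN_ATTRIBUTES and the allow_unknown switch are stand-ins (assumptions) for the real attribute map and configuration, and the names EMAIL_CLAIM, extract_ava, extract_name_id and resolve_username are chosen here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not the poster's redacted response). The attribute
# names are the URI-style Azure AD claims from the thread's log; the NameID uses the
# emailAddress format the reply points at.
SAMPLE_ASSERTION = """<?xml version='1.0' encoding='UTF-8'?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:xs="http://www.w3.org/2001/XMLSchema" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Stand-in for the SP's attribute map (assumption: the real maps are OID-based and
# much larger). Any Name absent from it is "unknown" to the converter.
KNOWN_ATTRIBUTES = {
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}


def extract_ava(assertion_xml, known=KNOWN_ATTRIBUTES, allow_unknown=False):
    """Build the AVA dict {local_name: [values]} from an assertion.

    Attributes whose Name is not in the map are dropped unless allow_unknown is
    set; when every claim is URI-named and unmapped this yields an empty AVA,
    which is the state the thread's log shows. Returns (ava, unknown_names).
    """
    root = ET.fromstring(assertion_xml)
    ava, unknown = {}, []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        local_name = known.get(name)
        if local_name is None:
            unknown.append(name)
            if not allow_unknown:
                continue
            local_name = name  # keep the raw URI as the key
        ava.setdefault(local_name, []).extend(values)
    return ava, unknown


def extract_name_id(assertion_xml):
    """Return (Format, value) of the Subject's NameID, or (None, None)."""
    root = ET.fromstring(assertion_xml)
    nid = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if nid is None:
        return None, None
    return nid.get("Format"), (nid.text or "").strip()


def resolve_username(ava, name_id, username_source="attributes",
                     user_attribute_mapping=None, name_id_format=None):
    """Pick the SP-side username the way the two [libsaml] modes do.

    "attributes": find a mapping entry whose target is "username" and return that
    attribute's first value; the default mapping is {'uid': ('username',)}.
    "nameid": use the NameID value, optionally requiring a specific Format.
    None means no user could be mapped from the assertion.
    """
    if username_source == "nameid":
        fmt, value = name_id
        if value and (name_id_format is None or fmt == name_id_format):
            return value
        return None
    mapping = user_attribute_mapping or {"uid": ("username",)}
    for saml_attr, targets in mapping.items():
        if isinstance(targets, str):
            targets = (targets,)
        if "username" in targets and ava.get(saml_attr):
            return ava[saml_attr][0]
    return None


if __name__ == "__main__":
    nid = extract_name_id(SAMPLE_ASSERTION)
    ava, unknown = extract_ava(SAMPLE_ASSERTION)
    print("unknown claims:", unknown)
    print("default mapping ->", resolve_username(ava, nid))
    ava, _ = extract_ava(SAMPLE_ASSERTION, allow_unknown=True)
    print("email claim -> username ->",
          resolve_username(ava, nid, "attributes", {EMAIL_CLAIM: "username"}))
    print("nameid ->", resolve_username({}, nid, "nameid", name_id_format=EMAIL_NAMEID_FORMAT))
```

The first call reproduces the failure in the log: every claim is reported unknown, the AVA is empty, and the default uid mapping finds nothing, so no username comes back. The second shows what a working user_attribute_mapping looks like once the chosen claim is actually present in the AVA, and the third the nameid path with the emailAddress format pinned. Whichever source you settle on, the value it yields is compared against existing Hue usernames as-is, so pick a claim whose format matches what Hue and the rest of the Hadoop configuration expect for a logon name.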