Rakesh Kumar

Reputation: 91

djangosaml2idp logout throwing ServiceError exception: 'str' object has no attribute 'destination'

I am trying to implement SAML in Django and I have two servers example.com and idp.example.com. On the IDP server, I am using djangosaml2idp. I have been able to implement the login functionality successfully, but the logout is failing on the IDP server.

Checking logs on idp.example.com reveals the following issue:

ServiceError: 'str' object has no attribute 'destination'
{'status': 400}
Traceback (most recent call last):
  File "/home/user/env/lib/python3.9/site-packages/djangosaml2idp/views.py", line 394, in get
    hinfo = idp_server.apply_binding(binding, resp.__str__(), resp.destination, relay_state, response=True)
AttributeError: 'str' object has no attribute 'destination'

The logout response is as follows:

<?xml version="1.0"?>
<ns0:LogoutResponse xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-ut92BEZeWf4Bymt5n" InResponseTo="id-Jw2GziOSEBcu0T0xF" Version="2.0" IssueInstant="2023-05-01T06:17:12Z" Destination="https://example.com/saml2/ls/post/"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/idp/metadata/</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference URI="#id-ut92BEZeWf4Bymt5n"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>9FfKP4MG0dA+5qyvrQlImjVjTSo=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>nJcmrDFNtsp/ngbHxxltj7A+KFfuDj4iM7myN9ZO0QmfkX1iwIu+i6+0JZ3j58m8
XJuMk3da2+DMiV9hnTTIyz/aMNWZmPvsxL7gUoSSyqtC6QDUcQcqubRjuA5pwJNW
b/kG5WxpAwWp5IF/suLCrbP00F+to633bGij/WHvz5EnO93YBcjNcLGJIw3lD+Uw
v6uKsT/dh/qV08b84VnBXZYJN7qOz9/YZ4cA4DeApgEn1Yl7PC/sSSoiwXt7mr3Y
xVqsJjbxVNBHES+AQUd6/paO6cc6qgoQIsmHOnz9//tyPMgU3xOZ1P5nYvcOjX0K
5baIISRe0IGcQfoib7FJWg==</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status></ns0:LogoutResponse>

The logout request is:

<ns0:LogoutRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-zbR5HVY133M5pBlKh" Version="2.0" IssueInstant="2023-08-30T10:52:22Z" Destination="https://idp.example.com/idp/slo/post/" Reason=""><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://example.com/saml2/metadata/</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ns2:Reference URI="#id-zbR5HVY133M5pBlKh"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ns2:DigestValue>ofpQOkMZCD11c6gU/tiM1PLVS4qZeYpD22vFKlMWkUA=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>kZJgB1ukq56NFI47qUIYsV1zfP+yJcGGa3609kvL9pWor+li2x4mkk2H5EKRwF+E
9AfI4OtYFCNwOWWATNeG9C7waQbJQnhxgJaucBukizL0UGTQtNlKbAy+U5u484a5
NGOM3j4TTisUk0+h2HUJmcUa35mpKPbZeds+PAJvSLKbt+um3jYkO8tj4jr6wDMq
CszmV3a+aKIKg80WACdXr3pNcTrGF/PDYkR4p0IvgBOulY3FmNbuUuIais/9ATZx
Wdbb3MJW29ZxuahBwRm6o4BB1NfsLbgkDlP8Fr2TM498bGYzcuKsBPjebXzqVgq+
qFGLJCUATKxWnJ+ZfPSJ2g==</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIIDEzCCAfugAwIBAgIUTIpS3aqjeeTcqjFO+jzZWgX+wlIwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UEAwwOcmVnZXhwbG9yZS5jb20wHhcNMjMwNDIwMDUyNTIzWhcNMzMwNDE3MDUyNTIzWjAZMRcwFQYDVQQDDA5yZWdleHBsb3JlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALUdoZu1vncPkqu0ZYleKxZDlvICyV5PlriIwUUO6hO2yx52c/LBRGzZcSYjgNCe9meS1yZTKRpUtGSgFWBAAu9ynJ8FiEstAtP3I5CNiwokcmnioXBpqSon75pA2+AIRVAlTch9V3hEsx2+2uXuNEkyWPFA/STHL5JBynXnia3g7TaNpVc3lyrbTdjiA0C0BTAC7UgYJxcHkr5y8FRGw1hcI0+DtAmq0uNDOYn557dKFIYQjzZz/7rzM84XtiZoqa9eNQDTJYftfFuKIXmzcXdrREDCbv1p4feblvDel6XevsgpJZhcO8Q1yiq0To+AijHY9nrJxr8g8s4chqkUBqcCAwEAAaNTMFEwHQYDVR0OBBYEFHHzmnOiGf9Txy5nbeKPrW/YJWBBMB8GA1UdIwQYMBaAFHHzmnOiGf9Txy5nbeKPrW/YJWBBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAH2kJVCGo8cf+KhwmUTrZGqs5i1Wv7OdDS5qcpbVHSbMUUZfSoSTBQShoU/BgSYYW7bIBtSn9ElfvQJ6PwgRRSbw1RU8rqscaCa7eqSsQygLoz7diwMieBdcLjKVLKoBwfh1GZgzUIEmSzGV8GjLpdhw4qTLKNOttIA0sfNNYxZjSO1wJYa5fW6ZynHaX2hU34SFmEeMmuNl4UdQ4xFkZXKo+Ev2jp28zr85DVZK7oULCSniqIPgCTIhggTjk0s8zo4SOGzb2W0+BJOmUn0AL86a++VEsH+p0pmaEHDgH2ujG0Rg0tpqgtEjL6CmixgbwKgUuyVcJR3K6g+aeb5RoGM=</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:NameID SPNameQualifier="https://example.com/saml2/metadata/" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</ns1:NameID><ns0:SessionIndex>id-XgRiGXMCTBEbnEIWN</ns0:SessionIndex></ns0:LogoutRequest>

I tried checking both the logout request and response on https://samltool.io/ and found that the logout request signature is invalid. Below is the response displayed on the SAML tool:

XMLJS0013: Cryptographic error: Invalid digest for uri '#id-zbR5HVY133M5pBlKh'. Calculated digest is ClG8RdIiatfXvaWlfclZRbsqo+cxcjBcoymF5g/j0R0= but the xml to validate supplies digest ofpQOkMZCD11c6gU/tiM1PLVS4qZeYpD22vFKlMWkUA=

Upvotes: 1

Views: 89
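
An added diagnostic example, not part of the original question and not djangosaml2idp's own code: the traceback shows `resp` is already a `str` when `.destination` is read, so this helper reads `Destination` from either a message object or serialized XML, and lists the signature and digest algorithms the message declares so the SHA-1 ones in the LogoutResponse above stand out. The function names and the trimmed `SAMPLE` (signature value, digest value and certificate left out) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Algorithm URIs built on SHA-1, as declared in the LogoutResponse above.
WEAK = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# Constructed sample: the question's LogoutResponse, trimmed to the
# attributes and algorithm declarations this example inspects.
SAMPLE = """<ns0:LogoutResponse xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-ut92BEZeWf4Bymt5n"
    Version="2.0" Destination="https://example.com/saml2/ls/post/">
  <ns2:Signature><ns2:SignedInfo>
    <ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ns2:Reference URI="#id-ut92BEZeWf4Bymt5n">
      <ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ns2:Reference>
  </ns2:SignedInfo></ns2:Signature>
</ns0:LogoutResponse>"""

def parse_saml(msg):
    """Parse serialized SAML (str or bytes); refuse any DTD up front."""
    text = msg.decode("utf-8") if isinstance(msg, bytes) else msg
    if "<!DOCTYPE" in text:
        raise ValueError("DTD not allowed in a SAML message")
    return ET.fromstring(text)

def destination_of(resp):
    """Return Destination whether resp is a message object or XML text."""
    if isinstance(resp, (str, bytes)):
        return parse_saml(resp).get("Destination")
    return resp.destination

def signature_algorithms(msg):
    """SignatureMethod URIs first, then DigestMethod URIs, in document order."""
    root = parse_saml(msg)
    return [el.get("Algorithm")
            for tag in ("SignatureMethod", "DigestMethod")
            for el in root.iter(DS + tag)]

def weak_algorithms(msg):
    return [alg for alg in signature_algorithms(msg) if alg in WEAK]

if __name__ == "__main__":
    print(destination_of(SAMPLE), weak_algorithms(SAMPLE))
```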

Answers (0)
