django-saml2-auth: Infinite Redirects on Login - django

I'm completely new to django-saml2-auth (and SAML2 with Django in general) and am trying to get it working with Microsoft ADFS.
When I hit my Django app it successfully redirects me to the federated login page, but after providing valid credentials, the app then goes into a loop where it's just flipping back and forth between my ENTITY_ID URL (which is https://myapp/saml2_auth/acs/) and a URL on the ADFS server with continually changing SAMLRequest values as a URL parameter.
The only clue I have to go on at this point is when I check my browser history, eventually one of the page titles for all this activity in the history is "SigVer Error" but after some cursory googling I'm not sure what that might mean. I saw some references to disabling signed responses at the pysaml2 level but didn't want to go too far with that without first trying to figure out if that's even the issue given the behavior I'm seeing.
Any ideas? I can share my settings if that'd be helpful but the only optional setting I'm adding is the ENTITY_ID value since that's required by ADFS.
Debugging is also a bit of a challenge since at this point, even with the Django log level set to DEBUG, it isn't revealing much, so if there are debugging tips for django-saml2-auth people can share, that would be much appreciated.
Since I'm new to getting Django working with SAML2 at all I'm also not married to django-saml2-auth if there's easier/better ways to do this. Thanks for any advice anyone can provide!

In case people come across this in the future, it turned out to be my bad with my django-stronghold configuration.
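To make the mechanics of that loop concrete, here is an added Python simulation (not code from the question, from django-saml2-auth, or from django-stronghold). It models a login-required middleware with a regex allow-list, the way django-stronghold's STRONGHOLD_PUBLIC_URLS setting works, and the SP-initiated SAML flow: unauthenticated request to a protected page, redirect to the local login route, redirect to the IdP, and a POST back to the ACS. The local login route, the IdP URL and the user name are constructed placeholders; the ACS path is the one from the question. If the ACS endpoint itself is protected, the request that should consume the assertion is bounced back to login before a session exists, and the browser cycles between the ACS and the IdP exactly as described above.

```python
import re

# Constructed values for the simulation; only ACS_URL comes from the question.
LOGIN_URL = "/saml2_auth/login/"                 # assumed local SP login route
ACS_URL = "/saml2_auth/acs/"                     # assertion consumer service, from the question
IDP_URL = "https://adfs.example.test/adfs/ls/"   # placeholder IdP endpoint

# Allow-lists in the style of STRONGHOLD_PUBLIC_URLS (tuples of regexes).
MISCONFIGURED_PUBLIC = (r"^/saml2_auth/login/$",)   # login exempt, ACS still protected
FIXED_PUBLIC = (r"^/saml2_auth/",)                  # whole SAML namespace exempt


def is_public(path, public_patterns):
    """True if any allow-list regex matches the request path (anchored at start)."""
    return any(re.match(pattern, path) for pattern in public_patterns)


def login_required_middleware(path, session, public_patterns):
    """Returns ('ok', path) when the request may proceed, otherwise a redirect to login."""
    if session.get("user") or is_public(path, public_patterns):
        return ("ok", path)
    return ("redirect", LOGIN_URL)


def app_view(path, session):
    """What the application does once the middleware lets the request through."""
    if path == LOGIN_URL:
        return ("redirect", IDP_URL)               # SP-initiated login: send to the IdP
    if path == ACS_URL:
        session["user"] = "user@example.test"      # assertion consumed, session established
        return ("redirect", "/")
    return ("ok", path)                            # an ordinary page renders


def simulate(public_patterns, max_hops=10):
    """Follow the browser from a request to '/' and return the list of visited locations.

    The IdP is modelled as always answering with a POST back to the ACS. The trace
    stops when a page renders or when max_hops is exhausted (a loop).
    """
    session = {}
    trace = []
    location = "/"
    for _ in range(max_hops):
        trace.append(location)
        if location == IDP_URL:
            location = ACS_URL                     # IdP response lands on the ACS
            continue
        status, target = login_required_middleware(location, session, public_patterns)
        if status == "ok":
            status, target = app_view(location, session)
        if status == "ok":
            return trace
        location = target
    return trace


def is_loop(trace):
    """A loop is diagnosed when the ACS is hit more than once in one login attempt."""
    return trace.count(ACS_URL) > 1


if __name__ == "__main__":
    print("protected ACS  :", simulate(MISCONFIGURED_PUBLIC))
    print("exempted ACS   :", simulate(FIXED_PUBLIC))
```

The trace for the misconfigured allow-list repeats login, IdP, ACS indefinitely, while the fixed one ends after a single ACS hit with a session in place. The same check, counting how often the ACS URL appears in the browser history of one login attempt, is a quick way to tell a loop of this kind from a genuine signature-verification failure at the IdP.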

Related

Manage session in loopback

I am creating an application using loopback. I am facing a problem managing the session. When the app logs in, a session is created. When I reload the page the session is not present on the client side, but it is on the server side. Please tell me how to manage the session on the client side, and how to send a response from the server to the client. Sorry for my English, but I am in trouble.
Please tell me about it.
Thanks in advance.
You can inject $sessionStorage in angular and use it to preserve the session information that you get back from loopback.
But I believe that loopback already has the ability to store the access token in the browser's localStorage, so it is preserved across page reloads and browser (hybrid mobile app) restarts. So I'm not sure why it gets lost for you ... or maybe that's not what you mean by "page session"? Feel free to clarify.
You can see an example of logging in and then saving the user info to browser here: https://github.com/ShoppinPal/warehouse/blob/f03abc632ac01682e938e58db868290fb6e33083/client/app/scripts/controllers/login.js#L35-L42
If you ever find yourself in a similar situation again, try searching for code on github.com as there is some chance that you might find what you're looking for in an open-source project.
For example, you can get decent hints if you search for user model sessionStorage path:/client/app, where user model sessionStorage are the keywords to look for and path:/client/app represents (more or less) the standardized directory structure for loopback (path:/client/js is another common path to try). It is generally worth limiting your search with it; this helps narrow down thousands of search results to double digits. I do admit, however, that it doesn't always work, because if you didn't know to look for the sessionStorage keyword then the search would have been quite fruitless ;)

Issues with Django authentication

I have a website that is being used by various corporate employees. Just today I have a user saying that every time they log in (even with the correct username and password), they get an error saying they have to log in to view the page. Basically, they type the right username/password and get forwarded to the home page, but that controller has a login required decorator which rejects them and they get sent back to the login screen. The user tried in IE10 and Google Chrome web browsers.
I have not been able to replicate this issue anywhere and unfortunately, I'm in no position to really ask this user for more information for debugging purposes :(. Has anybody seen this before?
I tried googling this, and I'm seeing issues with Django for IE but nothing with Chrome. Is there anything else that could be happening?
I'm using nginx+uwsgi on the server if that makes any difference.
Without more information this is pretty much impossible to solve.
Because no one else is having the problem and you can't reproduce it, I'm inclined to believe it's user error.
Have them clear their cache/cookies (The fact that it's multi-browser is troubling though), see if that helps.
Best guess so far without more information: The user has cookies disabled. I think Django auth relies on cookies.

Django openid authentication issue when I changed the url domain of my site but kept the same database

I should first note that I am a newbie in python/django applications but I am trying hard to learn :)
I am working/experimenting on a django project that supports login through openid providers. So I was able to login through my google account with no problems.
Recently, I decided to change the URL of my site, but at the same time I kept the current database because I don't want to lose my data, users etc. After that point, I am not able to log in to the application. This is the scenario that happens every time:
Try to login to my site
Site doesn't remember me and I am redirected to google server
I fill my credentials in google server
I am redirected to my site that complains that the user already exists
So, I don't know how to deal with this problem. Is there any workaround or a hack that I can do to my database that will solve this problem? When I browse my database I find several tables that may be related:
django_authopenid_association, django_authopenid_nonce, django_authopenid_userassociation, django_authopenid_userpasswordqueu
One of the tables in my database (django_authopenid_association) contains the following data. Do you believe that if I reset anything there it is going to help?
Any good advice/tips are more than welcome.
Thanks
I found a solution/temp hack that worked for me. Of course, this doesn't imply that my solution is optimal nor that I recommend it to anyone else.
What I did was to create a second account in my application using the same Gmail account but with a different user name. Then, I edited the new entry in the django_authopenid_association table, copied the openid_url value and used it for my old user (database entry 1 in the screenshot of my question).
After that, since I was able to log in with my old user, I deleted the new user from the database and everything seems to work smoothly so far.

Problems with sessions and ColdFusion only in IE6

We have a strange problem when implementing sessions with ColdFusion in IE6.
After login and after a refresh on the page all the session variables are lost.
Is it some kind of config in the Administrator? Could you give me some troubleshooting tips for this issue?
Thanks in advance!
I've seen this before, but it's been a long time. I remember creating a test page to dump out the cookies for the site and they'd change on every refresh. I don't remember if we ever found a solution. I want to say that the issue cleared up after another update from Microsoft, but it was so long ago I honestly don't remember.
What's happening is you're getting new values for the CFID and/or CFTOKEN cookies that CF creates and uses to keep track of the browser's state. (The web is by its nature stateless, but that's not very helpful when you need to do transactions.)
Here are some of the possible issues I've seen other people mention:
Inconsistently using www.domain.com and domain.com. The site may work either way, but unless you're using domain cookies the cookies will care
Privacy settings in IE being too restrictive
Special characters in the domain name (underscore is mentioned specifically)
Lack of P3P policy on the web server (back to the privacy settings)
As for solutions, have you tried using J2EE session variables? Some people have had success with those in solving this.
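The first two causes in that list come down to the browser deciding, per request, whether a stored cookie is sent at all. Here is an added Python example (not from the answer or from ColdFusion) that implements the RFC 6265 domain-match rule for a host-only cookie versus one with a Domain attribute, and a small checker for the "dump the cookies on every refresh" test page described above: it takes constructed Set-Cookie headers from consecutive responses and reports whether the CFID/CFTOKEN identifiers churn. Host names and cookie values are constructed samples; CFID and CFTOKEN are the real ColdFusion cookie names named in the answer.

```python
from http.cookies import SimpleCookie

TRACKING_COOKIES = ("CFID", "CFTOKEN")   # ColdFusion client identifiers


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_is_sent(origin_host, request_host, domain_attr=None):
    """Would a browser include a cookie set by origin_host on a request to request_host?

    With no Domain attribute the cookie is host-only and matches only the exact
    host that set it; with a Domain attribute the domain-match rule applies.
    """
    if domain_attr is None:
        return origin_host.lower() == request_host.lower()
    return domain_matches(request_host, domain_attr)


def session_survives(login_host, refresh_host, domain_attr=None):
    """Does the session cookie set at login still reach the server on refresh?"""
    return cookie_is_sent(login_host, refresh_host, domain_attr)


def parse_tracking_ids(set_cookie_headers):
    """Extract CFID/CFTOKEN values from one response's Set-Cookie header values."""
    ids = {}
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name in TRACKING_COOKIES:
            if name in jar:
                ids[name] = jar[name].value
    return ids


def identifiers_churn(responses):
    """True if CFID or CFTOKEN is re-issued with a different value across refreshes.

    responses is a list, one entry per response, of that response's Set-Cookie
    header values. A response that sets no tracking cookie is not a change.
    """
    last_seen = {}
    for headers in responses:
        for name, value in parse_tracking_ids(headers).items():
            if name in last_seen and last_seen[name] != value:
                return True
            last_seen[name] = value
    return False


# Constructed sample responses from two consecutive page refreshes.
STABLE_REFRESHES = [
    ["CFID=1001; Path=/", "CFTOKEN=3f2a9c; Path=/"],
    [],                                          # session recognised, nothing re-issued
]
CHURNING_REFRESHES = [
    ["CFID=1001; Path=/", "CFTOKEN=3f2a9c; Path=/"],
    ["CFID=1002; Path=/", "CFTOKEN=8b7d10; Path=/"],   # new identifiers: session lost
]

if __name__ == "__main__":
    print("www -> bare, host-only :", session_survives("www.example.com", "example.com"))
    print("www -> bare, Domain set:", session_survives("www.example.com", "example.com", "example.com"))
    print("stable refreshes churn :", identifiers_churn(STABLE_REFRESHES))
    print("changing refreshes churn:", identifiers_churn(CHURNING_REFRESHES))
```

A login on www.example.com followed by a link to example.com loses a host-only cookie even though both hosts serve the same site, which is why the answer suggests domain cookies; the churn check turns the manual "watch the cookies change" observation into something that can be run against a captured sequence of responses.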
I think it is because your IE6 is not accepting cookies?

OpenID in django without local site accounts

I'm working on a django site, which I want the authentication part to work exactly like how Stack Overflow works. A new user comes to the site, they click on "create new account", choose their OpenID provider, get validated, then an account is created for them with "openiduser4356" or something as the username. The user can then go into preferences and change the username to whatever they want. I don't want any kind of local account sign-ups at all.
I pretty much spent all day getting django-authopenid working and it seems the only way this plugin works is by adding OpenID identities to already existing accounts. Heck, you can't even run your site when you have django-authopenid installed unless you have django-registration installed as well...
Before I spend another day wrestling with this thing to try getting it to do what I want, I'd rather just know off the bat if this kind of thing is even possible/a good idea. I noticed that there are a few other OpenID plugins for django out there. Are any of them any better at doing what I'm trying to do?
django-openid does not depend on django-registration.
You might also take a look at a fork of django-openid, django-openid-consumer. It works with the most recent python-openid libraries.
If you don't mind using rpxnow.com, check out http://github.com/howthebodyworks/django-rpx/tree/master