Description
Describe the bug
Tried to activate Cloudflare Zero Trust SAML via the provided metadata:
https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/generic-saml/
I'm unsure whether signature verification should actually succeed immediately here or whether I would e.g. have to trust a root of theirs.
In the browser, nothing happens when clicking "Finish".
In the browser console, I can see 405 Method Not Allowed as a result. A notification to the user doesn't appear. (Firefox 127.)
In the logs, I can see that the reason is the signature verification failure, resulting in a Python KeyError.
So this is a combined bug where several things are going wrong.
To Reproduce
Presumably, it would be enough to screw with the signature of a known working metadata, then create a SAML provider from it. If the signature verification is also a bug, any metadata should work.
Expected behavior
Potentially: Signature verifies and provider is created.
Definitely: User is notified about the issue. Status code is corrected (e.g. 422 - I thought I had an error in my LB config or WAF first).
Screenshots
No visible error behavior.
Logs
[2024-06-17 17:32:10] ecs-authentik-server/server/5c21844e55d249b88aa5007bb6c0ef0d
| {
| "auth_via": "session",
| "domain_url": "sso.cloud.acme.com",
| "event": "Failed to verify Metadata signature",
| "host": "sso.cloud.acme.com",
| "level": "warning",
| "logger": "authentik.providers.saml.api.providers",
| "pid": 462629,
| "request_id": "fea366d7dd6f4354a321e027c56b1db3",
| "schema_name": "public",
| "timestamp": "2024-06-17T15:32:10.070626"
| }
|
[2024-06-17 17:32:10] ecs-authentik-server/server/5c21844e55d249b88aa5007bb6c0ef0d
| {
| "auth_via": "session",
| "domain_url": "sso.cloud.acme.com",
| "event": "sending event to sentry",
| "exc": "KeyError('messages')",
| "host": "sso.cloud.acme.com",
| "level": "debug",
| "logger": "authentik.lib.sentry",
| "pid": 462629,
| "request_id": "fea366d7dd6f4354a321e027c56b1db3",
| "schema_name": "public",
| "source_logger": null,
| "timestamp": "2024-06-17T15:32:10.072759"
| }
|
[2024-06-17 17:32:10] ecs-authentik-server/server/5c21844e55d249b88aa5007bb6c0ef0d
| {
| "action": "system_exception",
| "auth_via": "session",
| "client_ip": "123.456.119.32",
| "context": {
| "asn": {
| "as_org": "ACME",
| "asn": 16276,
| "network": "123.456.0.0/14"
| },
| "geo": {
| "city": "",
| "continent": "EU",
| "country": "FR",
| "lat": 48.8582,
| "long": 2.3387
| },
| "http_request": {
| "args": {},
| "method": "POST",
| "path": "/api/v3/providers/saml/import_metadata/",
| "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0"
| },
| "message": "Traceback (most recent call last):
|   File "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", line 518, in thread_handler
|     raise exc_info[1]
|   File "/ak-root/venv/lib/python3.12/site-packages/django/core/handlers/base.py", line 253, in _get_response_async
|     response = await wrapped_callback(
|                ^^^^^^^^^^^^^^^^^^^^^^^
|   File "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", line 468, in __call__
|     ret = await asyncio.shield(exec_coro)
|           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/ak-root/venv/lib/python3.12/site-packages/asgiref/current_thread_executor.py", line 40, in run
|     result = self.fn(*self.args, **self.kwargs)
|              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", line 522, in thread_handler
|     return func(*args, **kwargs)
|            ^^^^^^^^^^^^^^^^^^^^^
|   File "/ak-root/venv/lib/python3.12/site-packages/django/views/decorators/csrf.py", line 65, in _view_wrapper
|     return view_func(request, *args, **kwargs)
|            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/viewsets.py", line 125, in view
|     return self.dispatch(request, *args, **kwargs)
|            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py", line 509, in dispatch
|     response = self.handle_exception(exc)
|                ^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py", line 469, in handle_exception
|     self.raise_uncaught_exception(exc)
|   File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
|     raise exc
|   File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py", line 506, in dispatch
|     response = handler(request, *args, **kwargs)
|                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/authentik/rbac/decorators.py", line 39, in wrapper
|     return func(self, request, *args, **kwargs)
|            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/authentik/providers/saml/api/providers.py", line 271, in import_metadata
|     _("Failed to import Metadata: {messages}".format_map({"message": str(exc)})),
|       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| builtins.KeyError: 'messages'"
| },
| "domain_url": "sso.cloud.acme.com",
| "event": "Created Event",
| "host": "sso.cloud.acme.com",
| "level": "info",
| "logger": "authentik.events.models",
| "pid": 462629,
| "request_id": "fea366d7dd6f4354a321e027c56b1db3",
| "schema_name": "public",
| "timestamp": "2024-06-17T15:32:10.080960",
| "user": {
| "email": "foo.bar@acme.com",
| "pk": 8,
| "username": "foo.bar"
| }
| }
|
[2024-06-17 17:32:10] ecs-authentik-server/server/5c21844e55d249b88aa5007bb6c0ef0d
| {
| "event": "\nSetting ssl_cert_reqs=CERT_NONE when connecting to redis means that celery will not validate the identity of the redis broker when connecting. This leaves you vulnerable to man in the middle attacks.\n",
| "level": "warning",
| "logger": "celery.backends.redis",
| "timestamp": 1718638330.1102958
| }
|
[2024-06-17 17:32:10] ecs-authentik-server/server/5c21844e55d249b88aa5007bb6c0ef0d
| {
| "auth_via": "session",
| "domain_url": "sso.cloud.acme.com",
| "event": "Task published",
| "host": "sso.cloud.acme.com",
| "level": "info",
| "logger": "authentik.root.celery",
| "pid": 462629,
| "request_id": "fea366d7dd6f4354a321e027c56b1db3",
| "schema_name": "public",
| "task_id": "a0a95fd9b3a24f87ac2860ed9eb283ab",
| "task_name": "authentik.events.tasks.event_notification_handler",
| "timestamp": "2024-06-17T15:32:10.208982"
| }
|
[2024-06-17 17:32:10] ecs-authentik-server/server/5c21844e55d249b88aa5007bb6c0ef0d
| {
| "auth_via": "session",
| "domain_url": "sso.cloud.acme.com",
| "event": "/api/v3/providers/saml/import_metadata/",
| "host": "sso.cloud.acme.com",
| "level": "info",
| "logger": "authentik.asgi",
| "method": "POST",
| "pid": 462629,
| "remote": "123.456.119.32",
| "request_id": "fea366d7dd6f4354a321e027c56b1db3",
| "runtime": 177,
| "schema_name": "public",
| "scheme": "https",
| "status": 405,
| "timestamp": "2024-06-17T15:32:10.211422",
| "user": "foo.bar",
| "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0"
| }
Version and Deployment (please complete the following information):
- authentik version: 2024.4.2
- Deployment: ECS
Additional context
Not really sure whether this worked before and broke only recently, we only have one other SAML provider which I think was created manually.
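The traceback above pins the KeyError to a single expression: the template uses the placeholder `{messages}` while the mapping passed to `format_map` only supplies the key `"message"`, so the code that was supposed to turn the signature-verification failure into a user-facing error raises instead. The following Python is an added example, not authentik's own code: it reproduces that exact mismatch, shows the one-character fix, adds a small static check (`missing_keys`) that flags placeholder/key mismatches in any template before they reach an error handler, and shows a hardened variant of the handler that never lets message formatting itself fail. The function names `placeholders`, `missing_keys`, `render_import_error`, `handle_like_authentik` and `robust_import_error` are assumptions for illustration; the templates and the exception text are taken from the log.

```python
"""Added example (not authentik's code): reproduce the KeyError from the
traceback and show a check that catches placeholder/key mismatches before
they become a swallowed error inside an error handler."""
from string import Formatter

# The exact template from the traceback: placeholder {messages}, key "message".
BUGGY_TEMPLATE = "Failed to import Metadata: {messages}"
# The fix is to make the placeholder match the key that is actually supplied.
FIXED_TEMPLATE = "Failed to import Metadata: {message}"


def placeholders(template: str) -> set[str]:
    """Return the named fields a str.format-style template will look up.

    Formatter().parse yields (literal_text, field_name, format_spec, conversion);
    literal-only chunks have field_name None and positional "{}" gives "".
    Attribute/index access ("{a.b}", "{a[0]}") is reduced to its root key.
    """
    return {
        field.split(".")[0].split("[")[0]
        for _, field, _, _ in Formatter().parse(template)
        if field
    }


def missing_keys(template: str, mapping: dict) -> set[str]:
    """Placeholders that template.format_map(mapping) would raise KeyError for."""
    return placeholders(template) - set(mapping)


def render_import_error(template: str, exc: Exception) -> str:
    """Mimic the handler in the traceback: build the user-facing message."""
    return template.format_map({"message": str(exc)})


def handle_like_authentik(template: str, exc: Exception) -> tuple[str, str]:
    """What the page's handler effectively does.

    If formatting the error message itself raises, the user-facing error is
    never produced; the caller sees an uncaught exception instead (which is
    why the reporter saw no notification in the UI, only a log entry).
    Returns ("user_error", text) or ("uncaught", repr-like text).
    """
    try:
        return ("user_error", render_import_error(template, exc))
    except KeyError as key_err:
        return ("uncaught", f"KeyError({key_err.args[0]!r})")


def robust_import_error(template: str, exc: Exception) -> str:
    """Hardened variant: an error-reporting path must not itself raise.

    If the template is broken, fall back to a plain message that still carries
    the original cause, so the user is told what went wrong regardless.
    """
    try:
        return template.format_map({"message": str(exc)})
    except (KeyError, IndexError, ValueError):
        return f"Failed to import Metadata: {exc}"


if __name__ == "__main__":
    # Constructed input: the same failure the log shows, as an exception object.
    cause = ValueError("Failed to verify Metadata signature")
    print("missing in buggy template:", missing_keys(BUGGY_TEMPLATE, {"message": ""}))
    print("buggy handler:", handle_like_authentik(BUGGY_TEMPLATE, cause))
    print("fixed handler:", handle_like_authentik(FIXED_TEMPLATE, cause))
    print("robust handler:", robust_import_error(BUGGY_TEMPLATE, cause))
```

`missing_keys` is cheap enough to run over every user-facing template in a test suite, which is the place a mismatch like `{messages}` versus `"message"` should be caught; `robust_import_error` is the defensive pattern for the handler itself, since an exception raised while reporting an exception is what turned a clear "signature verification failed" into a silent 405 for the reporter.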