Signature verification failed - invalid document format -- QName-awareness of attribute values and lxml #921
It seems that the problem is how pysaml2 creates the Response class from an XML string. This is the XML from the IdP, and it validates well with the same command used in saml2:

And here is the Response created by saml2.response_from_string(xml):

It raises XMLSchemaError:

It seems the problem is that this:
is converted to this:
so
Correct. This is due to the namespace prefix being embedded within the string value of the We could set up a mechanism to process namespaces with specified prefix names, but what do you do when one instance returns

Ideally, the solution here should be independent of the exact prefix names used. The parser should be aware that I don't know enough about the underlying implementation, but I think it should support the above. Hmm, wondering whether it would help if the environment doing the processing (parsing + serialising) loaded the schema definitions (XSD files) for the namespaces it's dealing with (so have the definition of the
The XSD files are there and loaded; and they include the
The original XML snippet is

```xml
<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>
```

When parsed it returns

```python
import xml.etree.ElementTree as et

xmlstr = """<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>"""
el = et.fromstring(xmlstr)
# ElementTree assigns its own prefixes on output and only declares namespaces
# that element or attribute names use, so the tn: prefix referenced inside the
# xsi:type value is not carried over
print(et.tostring(el).decode())
```

```xml
<ns1:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:AttributeValue>
```

You can see that

Doing the same with

```python
import lxml.etree as let

xmlstr = """<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>"""
el = let.fromstring(xmlstr)
# lxml keeps the original prefixes and namespace declarations on output
print(let.tostring(el).decode())
```

```xml
<AttributeValue xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance" b:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>
```

So it looks like an issue with the xml library implementation - not being aware that xsi:type values are QNames. I get the same result when I just shorten this to the canonicalize call:

However, I do get the correct result when I explicitly list

I still could not find how to configure a parser the same way, and I'd expect
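An added check, not part of this thread or of pysaml2, that makes the QName problem above concrete with the standard library only: it round-trips a constructed copy of the snippet through ElementTree and reports any xsi:type value whose prefix is no longer declared in scope, which is the condition that later surfaces as the schema error and the failed signature verification. The function and sample names are my own.

```python
import io
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample mirroring the snippet from the thread: the xsi:type value
# is the QName "tn:PersonIdentifierType", whose prefix is declared on the element.
SAMPLE = (
    '<AttributeValue b:type="tn:PersonIdentifierType" '
    'xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" '
    'xmlns:b="http://www.w3.org/2001/XMLSchema-instance">'
    'CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>'
)

def dangling_xsi_types(xml_text):
    """Return xsi:type values whose prefix is not declared in scope.

    Declarations come from start-ns events and are scoped to the element that
    carries them; unprefixed values (default namespace) are not checked.
    """
    problems = []
    active = {"xml": 1}  # prefix -> number of in-scope declarations
    pending = []         # prefixes declared on the element about to start
    scope = []           # one list per open element: the prefixes it declared
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            pending.append(payload[0])
        elif event == "start":
            for prefix in pending:
                active[prefix] = active.get(prefix, 0) + 1
            scope.append(pending)
            pending = []
            value = payload.get(XSI_TYPE)
            if value and ":" in value and not active.get(value.split(":", 1)[0]):
                problems.append(value)
        else:  # "end": the element's declarations go out of scope
            for prefix in scope.pop():
                active[prefix] -= 1
    return problems

def roundtrip_with_elementtree(xml_text):
    """Parse and re-serialise with ElementTree, which rewrites prefixes and
    drops declarations that no element or attribute name uses."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")

if __name__ == "__main__":
    print(dangling_xsi_types(SAMPLE))                               # []
    print(dangling_xsi_types(roundtrip_with_elementtree(SAMPLE)))  # ['tn:PersonIdentifierType']
```

Running the check on a Response after it has been re-serialised, and before handing it to the signature verifier, tells you whether the document you are about to verify is still the one the IdP signed.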
@c00kiemon5ter Hi, is there any progress on this? It is blocking us from using SATOSA for eIDAS.

@melanger I do not see a way to configure the built-in XML parser
The only solution would be to switch to lxml, which is not trivial.

I did some work to hack the code and use lxml with pysaml2. Have a look at #940 This of course needs a lot more work; not all tests pass, the code needs to be reorganized, etc. But it is a sketch of how things would look if we go in that direction.

@c00kiemon5ter, I understand, it's a bit unfortunate, but we will pick up the PR and try to finish it.
Give it a try first, to ensure it can work for you. I had a minimal test case there just to get things started. Ideally this can become a configurable choice. |
Hi,
I am getting an error in AuthnResponse validation:
Code Version
pysaml2-7.4.2
Expected Behavior
Validation should succeed.
Current Behavior
Validation fails, so the user cannot log in.
Possible Solution
As a temporary solution I have set
self.do_not_verify = True
in the StatusResponse class.
Steps to Reproduce
Try to verify this response:
It is the Microsoft implementation of the Identity Provider.
Does anyone have some hints about this error?
Thanks