This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

SAML metadata request returns error in docker #5669

Closed
vojeroen opened this issue Jul 11, 2019 · 3 comments
Comments

@vojeroen
Contributor

vojeroen commented Jul 11, 2019

Description

After configuring SAML in the docker image, when accessing https://server:port/_matrix/saml2/metadata.xml the following error is thrown:

web.Server Traceback (most recent call last):
builtins.SystemError: func=xmlSecCryptoDLLibraryCreate:file=dl.c:line=130:obj=unknown:subj=lt_dlopenext:error=7:io function failed:name="libxmlsec1-openssl"; errno=2 func=xmlSecCryptoDLGetLibraryFunctions:file=dl.c:line=436:obj=unknown:subj=xmlSecCryptoDLLibraryCreate:error=1:xmlsec library function failed:crypto=openssl func=xmlSecCryptoDLLoadLibrary:file=dl.c:line=393:obj=unknown:subj=xmlSecCryptoDLGetLibraryFunctions:error=1:xmlsec library function failed: Error: unable to load xmlsec-openssl library. Make sure that you have this it installed, check shared libraries path (LD_LIBRARY_PATH) envornment variable or use "--crypto" option to specify different crypto engine. Error: initialization failed func=xmlSecCryptoShutdown:file=app.c:line=65:obj=unknown:subj=unknown:error=9:feature is not implemented:details=cryptoShutdown Error: xmlSecCryptoShutdown failed Error: xmlsec crypto shutdown failed.

There is no metadata file generated. The expected behaviour is to receive this metadata file.

The log contains the following:

2019-07-11 18:30:11,075 - synapse.access.http.8008 - 233 - INFO - GET-5- 10.217.0.103 - 8008 - Received request: GET /_matrix/saml2/metadata.xml
2019-07-11 18:30:11,093 - twisted - 253 - CRITICAL - - 
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/twisted/web/server.py", line 199, in process
    self.render(resrc)
  File "/usr/local/lib/python3.7/site-packages/synapse/http/site.py", line 132, in render
    Request.render(self, resrc)
  File "/usr/local/lib/python3.7/site-packages/twisted/web/server.py", line 259, in render
    body = resrc.render(self)
  File "/usr/local/lib/python3.7/site-packages/twisted/web/resource.py", line 250, in render
    return m(request)
  File "/usr/local/lib/python3.7/site-packages/synapse/rest/saml2/metadata_resource.py", line 33, in render_GET
    configfile=None, config=self.sp_config
  File "/usr/local/lib/python3.7/site-packages/saml2/metadata.py", line 93, in create_metadata_string
    eds.append(entity_descriptor(config))
  File "/usr/local/lib/python3.7/site-packages/saml2/metadata.py", line 737, in entity_descriptor
    for item in algorithm_support_in_metadata(confd.xmlsec_binary):
  File "/usr/local/lib/python3.7/site-packages/saml2/algsupport.py", line 63, in algorithm_support_in_metadata
    support = get_algorithm_support(xmlsec)
  File "/usr/local/lib/python3.7/site-packages/saml2/algsupport.py", line 56, in get_algorithm_support
    raise SystemError(p_err)
SystemError: func=xmlSecCryptoDLLibraryCreate:file=dl.c:line=130:obj=unknown:subj=lt_dlopenext:error=7:io function failed:name="libxmlsec1-openssl"; errno=2
func=xmlSecCryptoDLGetLibraryFunctions:file=dl.c:line=436:obj=unknown:subj=xmlSecCryptoDLLibraryCreate:error=1:xmlsec library function failed:crypto=openssl
func=xmlSecCryptoDLLoadLibrary:file=dl.c:line=393:obj=unknown:subj=xmlSecCryptoDLGetLibraryFunctions:error=1:xmlsec library function failed: 
Error: unable to load xmlsec-openssl library. Make sure that you have
this it installed, check shared libraries path (LD_LIBRARY_PATH)
envornment variable or use "--crypto" option to specify different
crypto engine.
Error: initialization failed
func=xmlSecCryptoShutdown:file=app.c:line=65:obj=unknown:subj=unknown:error=9:feature is not implemented:details=cryptoShutdown
Error: xmlSecCryptoShutdown failed
Error: xmlsec crypto shutdown failed. 

I'm not familiar with Alpine Linux, but at first sight it seems that the package libxmlsec1-openssl is not available for Alpine. There is a package for xmlsec1-nss but according to the docs it seems that pysaml2 doesn't let you set the crypto engine in the configuration.

Steps to reproduce

Version information

Kubernetes with image matrixdotorg/synapse:v1.1.0
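The traceback in the report comes from pysaml2 shelling out to the `xmlsec1` binary (`confd.xmlsec_binary`) and raising `SystemError` when that binary prints errors but no transform list. The following is an added example, not Synapse or pysaml2 code, that turns the same rule into a preflight check an operator can run in the container (or wire into a health check) before the metadata endpoint is ever hit. The function names, the `XmlsecStatus` type and the exit-code handling are assumptions; the constructed `SAMPLE_STDERR` is copied from the report's own output.

```python
"""Preflight check for the xmlsec1 crypto backend that pysaml2 relies on.

Added example (not Synapse or pysaml2 code). pysaml2's metadata builder runs
``xmlsec1 --list-transforms`` and treats "stderr but no stdout" as fatal; this
module classifies that output so the failure shows up at deploy time rather
than as a 500 on /_matrix/saml2/metadata.xml.
"""
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import List

# Fragment xmlsec1 prints when it cannot dlopen() its crypto engine
# (taken verbatim from the report above).
_LOAD_FAILURE_MARKER = "unable to load xmlsec-openssl library"

# Constructed sample: the stderr from the report, trimmed to the relevant lines.
SAMPLE_STDERR = (
    'func=xmlSecCryptoDLLibraryCreate:file=dl.c:line=130:obj=unknown:'
    'subj=lt_dlopenext:error=7:io function failed:name="libxmlsec1-openssl"; errno=2\n'
    "Error: unable to load xmlsec-openssl library. Make sure that you have\n"
    "this it installed, check shared libraries path (LD_LIBRARY_PATH)\n"
    "Error: initialization failed\n"
)


@dataclass
class XmlsecStatus:
    ok: bool                     # True when xmlsec1 produced a transform list
    crypto_backend_missing: bool  # True for the specific dlopen failure above
    output_lines: List[str] = field(default_factory=list)
    detail: str = ""


def classify_xmlsec_output(stdout: str, stderr: str) -> XmlsecStatus:
    """Interpret the stdout/stderr of ``xmlsec1 --list-transforms``.

    Mirrors pysaml2's rule (empty stdout plus non-empty stderr is a hard
    failure) and additionally flags the "crypto backend not loadable" case,
    which is a packaging problem rather than a Synapse configuration one.
    """
    lines = [ln.strip() for ln in stdout.splitlines() if ln.strip()]
    if not lines and stderr:
        return XmlsecStatus(
            ok=False,
            crypto_backend_missing=_LOAD_FAILURE_MARKER in stderr,
            detail=stderr.strip(),
        )
    if not lines:
        return XmlsecStatus(ok=False, crypto_backend_missing=False,
                            detail="xmlsec1 produced no output at all")
    return XmlsecStatus(ok=True, crypto_backend_missing=False, output_lines=lines)


def check_xmlsec(binary: str = "xmlsec1") -> XmlsecStatus:
    """Run the real binary (assumed to be on PATH, or given as a full path)
    and classify the result. Returns a failure status instead of raising when
    the binary is absent, so callers can log and exit non-zero uniformly."""
    path = shutil.which(binary)
    if path is None:
        return XmlsecStatus(ok=False, crypto_backend_missing=False,
                            detail=f"{binary} not found on PATH")
    proc = subprocess.run([path, "--list-transforms"],
                          capture_output=True, text=True)
    return classify_xmlsec_output(proc.stdout, proc.stderr)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then a live check.
    sample = classify_xmlsec_output("", SAMPLE_STDERR)
    print("sample: ok=%s backend_missing=%s" % (sample.ok, sample.crypto_backend_missing))
    live = check_xmlsec()
    print("live:   ok=%s detail=%s" % (live.ok, live.detail[:80]))
```

Run it inside the Synapse image; a `crypto_backend_missing=True` result means the image's xmlsec packaging is broken and no amount of `saml2_config` tuning will help, which is the distinction the report's traceback obscures.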

@richvdh
Member

richvdh commented Jul 12, 2019

I spent a while poking at this; it appears to be a problem with xmlsec in alpine linux (on which our docker images are based): https://bugs.alpinelinux.org/issues/9110, specifically.

It also appears to be fixed in alpine linux 3.10, so #5619 should fix it for the next release.

@richvdh richvdh closed this as completed Jul 12, 2019
@richvdh
Member

richvdh commented Jul 12, 2019

For the record, I'm not sure that everything in https://edenmal.moe/post/2019/Matrix-Synapse-SAML2-Login/ is correct. For example:

  • enabled:true and idp_redirect_url are ignored in saml2_config, so there is no point in specifying them
  • I would recommend putting the SP configuration inline in homeserver.yaml under the sp_config key rather than using a separate file
  • Most of the stuff in sp_conf.py is the default, so there is no need to specify it.
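As an added example (not Synapse code, and not from the linked blog post), a small lint of a parsed `saml2_config` mapping that encodes the three points above: it flags the ignored `enabled` and `idp_redirect_url` keys and a separate-file SP configuration without an inline `sp_config`. It assumes the caller has already loaded `homeserver.yaml` into a dict (for instance with PyYAML); the in-memory samples are constructed, `config_path` is assumed to be the Synapse key naming the separate pysaml2 file, and the check that `sp_config` carries a `metadata` entry (how pysaml2 finds the IdP) goes beyond what the comment states.

```python
"""Lint a parsed ``saml2_config`` block against the advice in the comment above.

Added example, not Synapse code. Input is the already-parsed mapping under the
``saml2_config`` key of homeserver.yaml.
"""
from typing import Any, Dict, List

# Keys the comment says Synapse ignores inside saml2_config.
IGNORED_KEYS = ("enabled", "idp_redirect_url")
# Assumed Synapse key pointing at a separate pysaml2 config file; the comment
# recommends an inline sp_config instead.
SEPARATE_FILE_KEY = "config_path"

# Constructed sample resembling the blog-post style the comment criticises.
SAMPLE_BAD: Dict[str, Any] = {
    "enabled": True,
    "idp_redirect_url": "https://idp.example.org/sso",   # placeholder
    "config_path": "/data/sp_conf.py",                   # placeholder
}

# Constructed sample following the recommendation: inline sp_config with
# the IdP metadata location (standard pysaml2 ``metadata`` layout, assumed).
SAMPLE_GOOD: Dict[str, Any] = {
    "sp_config": {
        "metadata": {
            "remote": [{"url": "https://idp.example.org/metadata.xml"}]  # placeholder
        }
    }
}


def lint_saml2_config(saml2_config: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means nothing to fix."""
    findings: List[str] = []
    for key in IGNORED_KEYS:
        if key in saml2_config:
            findings.append(f"'{key}' is ignored by Synapse; remove it")
    if SEPARATE_FILE_KEY in saml2_config and "sp_config" not in saml2_config:
        findings.append(
            f"SP configuration lives in '{saml2_config[SEPARATE_FILE_KEY]}'; "
            "prefer an inline 'sp_config' block"
        )
    sp = saml2_config.get("sp_config")
    if isinstance(sp, dict) and "metadata" not in sp:
        findings.append("'sp_config' has no 'metadata' entry, so pysaml2 cannot locate the IdP")
    return findings


if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, lint_saml2_config(cfg) or "OK")
```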

@vojeroen
Contributor Author

Thanks for the additional precisions, I'll have a look when the next release is out.
