Okta PySAML2 Example App: IdP-Initiated Works but SP-Initiated Fails

I followed Okta's Setting up a SAML Application in Okta document, including the adjustments for the FirstName and LastName attributes discussed in , and followed Okta's "PySAML2" page (not enough reputation for a third link) to run a Flask application that authenticates with Okta.

When running the connected Flask application (with the appropriate settings change for the 'example-okta-com' URL), the IdP-initiated flow works, so I can reach the example app from Okta, but if I try to click the 'example-okta-com' link in the app, which points to http://localhost:5000/saml/login/example-okta-com, I am redirected to an error page on the oktapreview.com subdomain for my test application containing the following stack trace:

Error: user_exception

Error parsing XML in SAML request
 com.saasure.application.factory.AppUserException: Error parsing XML in SAML request
    at com.saasure.application.generic.services.impl.OutboundSAMLServiceImpl.isForceAuthn(OutboundSAMLServiceImpl.java:351)
    at com.saasure.application.generic.ui.controller.sso.SAMLForceAuthnController.requiresForceAuthn(SAMLForceAuthnController.java:137)
    at com.saasure.application.generic.ui.controller.sso.DefaultSAMLController.handleSAML20AuthnRequestForSpecificInstance(DefaultSAMLController.java:97)
    at com.saasure.application.generic.ui.controller.sso.DefaultSAMLController.handleSAML20AuthnRequestForSpecificInstance(DefaultSAMLController.java:91)
    at sun.reflect.GeneratedMethodAccessor1246.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:745)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:685)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:919)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:851)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:844)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.saasure.framework.web.filter.ServletExceptionFilter.doFilterInternal(ServletExceptionFilter.java:30)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.saasure.framework.web.filter.GzipFilter.doFilterInternal(GzipFilter.java:26)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.saasure.framework.web.filter.HeadToGetFilter.doFilterInternal(HeadToGetFilter.java:31)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at nl.remcojansen.tomcatlogging.JuliAccessLogValve.invoke(JuliAccessLogValve.java:355)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:889)
    at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:744)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:2274)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.xml.parse.XMLParserException: Invalid XML
    at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:218)
    at com.saasure.framework.security.saml.impl.BaseSAMLBuilder.unmarshallXml(BaseSAMLBuilder.java:269)
    at com.saasure.framework.security.saml.impl.BaseSAMLBuilder.unmarshallXml(BaseSAMLBuilder.java:277)
    at com.saasure.framework.security.saml.impl.SAML20IdentityProviderImpl.unmarshallRequest(SAML20IdentityProviderImpl.java:337)
    at com.saasure.framework.security.saml.impl.SAML20IdentityProviderImpl.isForceAuthn(SAML20IdentityProviderImpl.java:320)
    at com.saasure.application.generic.services.impl.OutboundSAMLServiceImpl.isForceAuthn(OutboundSAMLServiceImpl.java:347)
    ... 53 more
Caused by: org.xml.sax.SAXParseException: Content is not allowed in prolog.
    at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
    at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.XMLScanner.reportFatalError(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentScannerImpl$PrologDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
    at org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy.parse(BasicParserPool.java:671)
    at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:215)
    ... 58 more

The only change I made to the example app was to change the metadata_url_for dictionary so that it has an 'example-okta-com' key whose value is the metadata URL from step 10 of the Okta document.

The application in Okta needs to be configured to accept compressed SAML AuthN requests.

Sorry, I should have put this in the documentation. I will do so shortly.

In the meantime, you need to set "Request Compression" to "Compressed" in the Okta application you set up. Here is what it looks like:
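To see why the mismatch produces exactly an XML parse error rather than, say, a signature failure, here is an added example (not code from the question, from PySAML2, or from Okta) that models both sides of the SAML 2.0 HTTP-Redirect binding in plain Python. The SP side DEFLATE-compresses the AuthnRequest, base64-encodes it and puts it in the SAMLRequest query parameter; the IdP side base64-decodes, inflates only if its app is configured for compressed requests, and then parses XML. When the SP compresses but the IdP does not inflate, the XML parser is handed raw deflate bytes, which is the "Content is not allowed in prolog" symptom in the trace above. The AuthnRequest, IDs and URLs below are constructed placeholders, and the `expect_compressed` flag is my stand-in for Okta's "Request Compression" setting.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest; nothing here was captured from a real
# Okta tenant. IDs, timestamps and URLs are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z" '
    'Destination="https://example.oktapreview.com/app/example/sso/saml" '
    'AssertionConsumerServiceURL="http://localhost:5000/saml/sso/example-okta-com" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'ForceAuthn="false">'
    '<saml:Issuer>http://localhost:5000/saml/metadata/example-okta-com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Placeholder IdP single-sign-on URL (not a real endpoint).
IDP_SSO_URL = "https://example.oktapreview.com/app/example/sso/saml"


def encode_saml_request(xml_text, compress=True):
    """SP side of the HTTP-Redirect binding: raw DEFLATE (no zlib header,
    hence wbits=-15), then base64. With compress=False the request is sent
    as plain base64-encoded XML, which is what an IdP configured for
    'uncompressed' requests expects."""
    raw = xml_text.encode("utf-8")
    if compress:
        compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = compressor.compress(raw) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def build_redirect_url(idp_sso_url, saml_request_b64, relay_state=None):
    """Put the encoded request in the SAMLRequest query parameter."""
    params = {"SAMLRequest": saml_request_b64}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def extract_saml_request(url):
    """IdP side: pull the SAMLRequest parameter back out of the redirect URL."""
    return parse_qs(urlparse(url).query)["SAMLRequest"][0]


def idp_decode(saml_request_b64, expect_compressed):
    """IdP side: base64-decode, inflate only if the application is configured
    for compressed requests, then parse XML. Returns (ok, detail), where
    detail is the root element tag on success or the failure reason."""
    data = base64.b64decode(saml_request_b64)
    if expect_compressed:
        try:
            data = zlib.decompress(data, -15)
        except zlib.error as exc:
            return False, f"inflate failed: {exc}"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Raw deflate bytes (or a half-inflated stream) never start with '<',
        # so the parser rejects them before reaching the root element. This
        # is the Python-side analogue of Xerces' "Content is not allowed in
        # prolog" seen in the Okta stack trace.
        return False, f"XML parse failed: {exc}"
    return True, root.tag


def simulate(sp_compresses, idp_expects_compressed):
    """Run one SP/IdP combination end to end and report the IdP's verdict."""
    encoded = encode_saml_request(SAMPLE_AUTHN_REQUEST, compress=sp_compresses)
    url = build_redirect_url(IDP_SSO_URL, encoded, relay_state="constructed-state")
    return idp_decode(extract_saml_request(url), idp_expects_compressed)


if __name__ == "__main__":
    for sp_c, idp_c in [(True, True), (False, False), (True, False), (False, True)]:
        ok, detail = simulate(sp_c, idp_c)
        print(f"SP compresses={sp_c!s:5} IdP expects compressed={idp_c!s:5} -> "
              f"{'OK' if ok else 'FAIL'}: {detail}")
```

The matching pair (PySAML2 compressing, Okta set to "Compressed") parses cleanly and yields the AuthnRequest root element; the mismatch the question hit (SP compresses, IdP expects uncompressed) fails inside the XML parser, not earlier, which is why the failure surfaces as an XML error in `isForceAuthn`, the first place Okta unmarshals the request.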