SSO Error: Login failed: No valid data received

Hello everyone,

I have followed the installation guide to configure shibboleth SP. When I try to login to my Indico instance with SSO, I get this error after providing the credentials of the IDP:

Login failed: No valid data received

my indico.conf file:

# SSO
AUTH_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'SSO',
        'attrs_prefix': ' ',
        'callback_uri': '/login/shib-sso/shibboleth',
        # 'logout_uri': 'https://login.yourcompany.tld/logout'
    }
}
IDENTITY_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'SSO',
        'identifier_field': 'mail',
        'mapping': {
            'login': 'eppn',
            'personId': 'persistent-id',
            'email': 'mail'
        },
        'trusted_email': True
    }
}

Here is my shibboleth2.xml:

Note: I have changed the URL of the IDP on purpose.
NB: Removed some lines for brevity

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://mysite.example.so/shibboleth"
                         REMOTE_USER="mail eppn persistent-id targeted-id">

            <SSO discoveryProtocol="SAMLDS" discoveryURL="https://idp.example.com/ds/WAYF">
              SAML2 SAML1
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

        <!-- Example of remotely supplied batch of signed metadata. -->
        <MetadataProvider type="XML"
            url="http://idp.example.com/metadata/idp.xml"
            backingFilePath="idp.xml" reloadInterval="7200">
            <MetadataFilter type="Signature" certificate="/etc/shibboleth/idp.pem"/>
        </MetadataProvider>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" use="signing"
            key="sp-key.pem" certificate="sp-cert.pem"/>
        <CredentialResolver type="File" use="encryption"
            key="sp-key.pem" certificate="sp-cert.pem"/>

    </ApplicationDefaults>

</SPConfig>

In the attribute-map.xml, I have not changed anything.

I have searched in the forums and could not find any post that solves my issue.

Your help is highly appreciated.

In the attribute-map.xml, I have not changed anything

That may be the problem: You probably get some attributes, but there’s a good chance that those aren’t matching the names expected by Indico.

For testing purposes all you really need is to get a unique identifier. Since you are setting identifier_field to mail and have no attr_prefix, this means that your attribute-map.xml should be mapping the email address to a field named mail.

Thank you @ThiefMaster for the prompt reply,

The user base of the IDP I am trying to connect is OpenLDAP, and in the attribute-map.xml file the LDAP section is not commented out; that is why I did not change anything in that file.

Here is the LDAP section I was thinking would do the job for me:

<Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
<Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
<Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
<Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
<Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
<Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
<Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
<Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
<Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
<Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
<Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
<Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
<Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
<Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
<Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
<Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
<Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
<Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
<Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
<Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
<Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
<Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
<Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>

<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
**<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>**
<Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
<Attribute name="urn:oid:2.5.4.12" id="title"/>
<Attribute name="urn:oid:2.5.4.43" id="initials"/>
<Attribute name="urn:oid:2.5.4.13" id="description"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
<Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
<Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
<Attribute name="urn:oid:2.5.4.9" id="street"/>
<Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
<Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
<Attribute name="urn:oid:2.5.4.8" id="st"/>
<Attribute name="urn:oid:2.5.4.7" id="l"/>
<Attribute name="urn:oid:2.5.4.10" id="o"/>
<Attribute name="urn:oid:2.5.4.11" id="ou"/>
<Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
<Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/> 

I am really new to IDP and SP:

Is this line mapping the email address to the field mail?

<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>

If it is not mapping it, can you please give me a hint on how I can do that in the attribute-map.xml file?

I do really appreciate your help.

The id attribute there specifies the name that gets passed to the application, so it will be called mail.

You could edit /opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/providers/shibboleth.py and change the following line to dump all the data received during login in the error message:

raise AuthenticationFailed("No valid data received", provider=self)

replace with:

raise AuthenticationFailed("No valid data received; {}".format(', '.join(sorted(mapping))), provider=self)

then reload uwsgi and try logging in again… and have a look at the data keys you get in the error message.

Oh, actually I see the likely reason for your problem: Get rid of that space there. The prefix needs to be empty if there is no prefix.

Now, I am getting a new error:

Login failed: Identifier missing in shibboleth response

You are mapping mail to email, so you need to use email in the identifier_field as well.

PS: Can the email of a user ever change? If yes, that’s not suitable for the identifier_field. Pick something there that never changes for any given user.
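The two points raised above, what name an attribute-map.xml entry gives an attribute on its way to the application, and why the `attrs_prefix` and `identifier_field` settings produce the two different "Login failed" messages, as an added example written for this page. It is not flask-multipass's or the Shibboleth SP's own code but a simplified model of the behaviour described in the thread; the function names, the exception classes, the trimmed attribute-map excerpt and the sample request environment (modelled on the dump posted later in the thread) are all constructed for the example, and the assumption that the identifier is looked up among the attributes the SP delivered, with `mapping` only renaming them for the profile, is spelled out in the code.

```python
# Added example for this thread (not flask-multipass's or the Shibboleth SP's
# own code): a simplified model of the three things that went wrong above.
# Function names, exception classes and the sample data are assumptions.
import xml.etree.ElementTree as ET

ATTRIBUTE_MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"

# Constructed excerpt in the shape of the stock attribute-map.xml (the NameID
# decoder child of persistent-id is left out to keep it short).
ATTRIBUTE_MAP_XML = f"""<Attributes xmlns="{ATTRIBUTE_MAP_NS}">
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id"/>
</Attributes>"""

# Constructed request environment modelled on the dump in this thread: the SP
# delivered persistent-id, but no mail attribute at all.
SAMPLE_ENVIRON = {
    "persistent-id": "https://idp.example.com/idp/shibboleth!"
                     "https://mysite.example.so/shibboleth!9ZBCDrySYgmB35dgLdsaOJvjN+M=",
    "remote_user": "https://idp.example.com/idp/shibboleth!"
                   "https://mysite.example.so/shibboleth!9ZBCDrySYgmB35dgLdsaOJvjN+M=",
    "shib-identity-provider": "https://idp.example.com/idp/shibboleth",
    "shib-session-id": "_3df9d99724ed7045b77293c1b6050e7e",
    "request_method": "GET",
}


class AuthenticationFailed(Exception):
    pass


class IdentityRetrievalFailed(Exception):
    pass


def load_attribute_map(xml_text):
    """Map SAML attribute name -> id. The id is the key the SP exports to the app."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get("id") for el in root.iter(f"{{{ATTRIBUTE_MAP_NS}}}Attribute")}


def app_field_for(attribute_map, saml_name):
    """What does the application see this SAML attribute as? None if it is not mapped."""
    return attribute_map.get(saml_name)


def shibboleth_login(environ, attrs_prefix, mapping, identifier_field):
    """Simplified model of the two checks whose messages appear in this thread.

    Assumption for this example: the identifier is looked up among the
    attributes the SP delivered, and `mapping` only renames them for the profile.
    """
    # 1. Collect attributes: keys carrying the prefix, with the prefix stripped.
    #    A prefix of ' ' matches nothing, because no environ key starts with a space.
    data = {k[len(attrs_prefix):]: v for k, v in environ.items() if k.startswith(attrs_prefix)}
    if not data:
        raise AuthenticationFailed("No valid data received")
    # 2. The identifier must be present and non-empty.
    identifier = data.get(identifier_field)
    if not identifier:
        raise IdentityRetrievalFailed("Identifier missing in shibboleth response")
    # 3. Rename to application fields; attributes the IdP did not release are
    #    simply absent, so no 'mail' means no prefilled e-mail on the profile.
    profile = {field: data[key] for field, key in mapping.items() if key in data}
    return identifier, profile


MAPPING = {"login": "eppn", "personId": "persistent-id", "email": "mail"}


def outcome(attrs_prefix, identifier_field, environ=SAMPLE_ENVIRON):
    """Run one configuration and report what the user would see on the login page."""
    try:
        identifier, profile = shibboleth_login(environ, attrs_prefix, MAPPING, identifier_field)
    except (AuthenticationFailed, IdentityRetrievalFailed) as exc:
        return f"Login failed: {exc}"
    return f"ok: identifier={identifier!r} email_prefilled={'email' in profile}"


if __name__ == "__main__":
    amap = load_attribute_map(ATTRIBUTE_MAP_XML)
    print("urn:oid:0.9.2342.19200300.100.1.3 ->", app_field_for(amap, "urn:oid:0.9.2342.19200300.100.1.3"))
    for prefix, ident in [(" ", "mail"), ("", "mail"), ("", "persistent-id")]:
        print(f"attrs_prefix={prefix!r} identifier_field={ident!r}: {outcome(prefix, ident)}")
```

Running it walks through the thread's three configurations in order: the space prefix yields "No valid data received", the empty prefix with `identifier_field: 'mail'` yields "Identifier missing" because the SP never delivered a `mail` key, and `persistent-id` logs in but leaves the e-mail unprefilled. Whether a given attribute actually reaches the application is decided upstream of all this by what the IdP releases; the SP's own `/Shibboleth.sso/Session` handler lists the attributes it received for the current session and is the quickest place to check that before touching any Indico configuration.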

How can I check the data keys I get in the error message by looking at the logs? Here is the Indico log:

2021-01-20 20:24:28,580  INFO     22f44bb74aea436c  -       indico.rh                 GET /login/ [IP=154.73.27.2] [PID=17445]
2021-01-20 20:25:24,922  INFO     ad7b9ef33ba24c16  -       indico.rh                 GET /login/ [IP=154.73.27.2] [PID=17563]
2021-01-20 20:25:27,398  INFO     3a79a1b6697d43ab  -       indico.rh                 GET /login/shib-sso/ [IP=154.73.27.2] [PID=17566]
2021-01-20 20:25:29,501  INFO     0b7305d514ff4724  -       indico.rh                 GET /login/shib-sso/shibboleth [IP=154.73.27.2] [PID=17563]
2021-01-20 20:25:29,503  ERROR    0b7305d514ff4724  -       indico.auth               Authentication via shib-sso failed: Identifier missing in shibboleth response (None)
2021-01-20 20:25:32,171  INFO     e6468d0366294b5c  -       indico.rh                 GET /login/ [IP=154.73.27.2] [PID=17565]
2021-01-20 20:28:45,048  INFO     20a34af881de4b25  -       indico.rh                 GET /login/shib-sso/ [IP=154.73.27.2] [PID=17805]
2021-01-20 20:28:47,336  INFO     365bf8ff46fa43e5  -       indico.rh                 GET /login/shib-sso/shibboleth [IP=154.73.27.2] [PID=17805]
2021-01-20 20:28:47,338  ERROR    365bf8ff46fa43e5  -       indico.auth               Authentication via shib-sso failed: Identifier missing in shibboleth response (None)
2021-01-20 20:28:50,319  INFO     470f8183a49949ca  -       indico.rh                 GET /login/ [IP=154.73.27.2] [PID=17805]

I meant in the error message during login. But this suggestion is already obsolete since you fixed the problem with the attribute prefix so it no longer shows up.

I did all your recommendations but I have no luck here. What else do you think I am missing?
I am very grateful for your help.

I am still getting the same error: Login failed: Identifier missing in shibboleth response

raise IdentityRetrievalFailed('Identifier missing in shibboleth response', provider=self)

replace that with this in order to see what data is available:

raise IdentityRetrievalFailed('Identifier missing in shibboleth response; {}'.format(auth_info.data), provider=self)

@ThiefMaster Now, I think the data available is persistent-id:

These are the data keys I get in the error message:

Login failed: Identifier missing in shibboleth response; {'auth_type': u'shibboleth', 'wsgi.version': (1, 0), 'http_user_agent': u'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36', 'shib-authncontext-class': u'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', 'persistent-id': u'https://idp.example.com/idp/shibboleth!https://mysite.example.so/shibboleth!9ZBCDrySYgmB35dgLdsaOJvjN+M=', 'script_filename': u'proxy:uwsgi://127.0.0.1:8008/login/shib-sso/shibboleth', 'request_scheme': u'https', 'script_name': u'', 'http_sec_fetch_mode': u'navigate', 'server_protocol': u'HTTP/1.1', 'http_sec_fetch_site': u'same-origin', 'http_accept': u'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'remote_user': u'https://idp.example.com/idp/shibboleth!https://mysite.example.so/shibboleth!9ZBCDrySYgmB35dgLdsaOJvjN+M=', 'http_sec_fetch_dest': u'document', 'http_referer': u'https://mysite.example.so/login/', 'remote_addr': u'154.73.27.2', 'context_document_root': u'/var/empty/apache', 'http_accept_language': u'en-US,en;q=0.9', 'server_admin': u'[no address given]', 'wsgi.url_scheme': u'https', 'request_method': u'GET', 'server_port': u'443', 'http_upgrade_insecure_requests': u'1', 'uwsgi.node': u'events', 'server_addr': u'154.73.25.87', 'uwsgi_scheme': u'https', 'https': u'on', 'http_cookie': u'_ga=GA1.3.760536155.1611068492; indico_session=2bede05c-5d38-4d33-8d75-b60dc0fba679; _shibsession_64656661756c7468747470733a2f2f6576656e74732e736f6d616c6972656e2e6f72672e736f2f73686962626f6c657468=_3df9d99724ed7045b77293c1b6050e7e', 'werkzeug.request': <IndicoRequest 'https://mysite.example.so/login/shib-sso/shibboleth' [GET]>, 'server_name': u'mysite.example.so', 'server_software': u'Apache/2.4.18 (Ubuntu)', 'query_string': u'', 'shib-identity-provider': u'https://idp.example.com/idp/shibboleth', 'wsgi.input': <uwsgi._Input object at 0x7f7309b3e108>, 'shib-authentication-method': u'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', 'http_host': u'mysite.example.so', 'path_info': u'/login/shib-sso/shibboleth', 'wsgi.multithread': False, 'path': u'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'request_uri': u'/login/shib-sso/shibboleth', 'http_connection': u'keep-alive', 'shib-application-id': u'default', 'shib-authentication-instant': u'2021-01-20T17:10:45.178Z', 'gateway_interface': u'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <open file 'wsgi_errors', mode 'w' at 0x7f7309bcb930>, 'wsgi.multiprocess': True, 'context_prefix': u'', 'http_accept_encoding': u'gzip, deflate, br', 'uwsgi.version': u'2.0.12-debian', 'server_signature': u'', 'http_sec_fetch_user': u'?1', 'ssl_tls_sni': u'mysite.example.so', 'remote_port': u'59498', 'shib-session-id': u'_3df9d99724ed7045b77293c1b6050e7e', 'wsgi.file_wrapper': <built-in function uwsgi_sendfile>, 'document_root': u'/var/empty/apache', 'shib-session-index': u'_59da847e8b962a43c094465fbe776d46'}

I have changed the identifier_field to persistent-id and now I can log in with the SSO, though it is forcing me to create a new profile with Indico and confirm it. I am guessing that is the normal behaviour.

It seems that everything is working now. Thank you so much for your patience. I do appreciate your help. You’re a gem.

Did it prefill the email address? If yes, it will also try to link based on the email address - if it matches you can add the shibboleth login method to the account, otherwise it will ask you to create a new one.

Honestly, I am not sure, but given the fact that it is asking me to create a new profile, I think it did not prefill the email address.

How can I configure that? It would have been easier if one could simply log in to Indico with Shibboleth credentials without further steps to create a profile.

Then the mapping for the email address isn’t correct. Actually in the debug info we added to the error message there isn’t an email address at all…

You are absolutely right @ThiefMaster . Thank you so much again for helping me out.