The indico server crashes when saml is enabled

Our indico server displays an “Internal Server Error” when saml is enabled. It seems related to the xmlsec library.

$ cat /etc/redhat-release

AlmaLinux release 9.4 (Seafoam Ocelot)

$ python -V

Python 3.12.5

$ pip freeze | grep indico

indico==3.3.3
indico-fonts==1.2
indico-plugin-citadel==3.3
indico-plugin-cloud-captchas==3.3
indico-plugin-livesync==3.3
indico-plugin-owncloud==3.3
indico-plugin-payment-manual==3.3
indico-plugin-payment-paypal==3.3
indico-plugin-payment-sixpay==3.3
indico-plugin-piwik==3.3
indico-plugin-previewer-code==3.3
indico-plugin-previewer-jupyter==3.3
indico-plugin-prometheus==3.3
indico-plugin-storage-s3==3.3
indico-plugin-ursh==3.3
indico-plugin-vc-zoom==3.3
indico-plugins==3.3

In Authentication — Indico 3.3.3 documentation indicates that it is necessary to install the xmlsec1-devel package for RPM-based systems.

However, without the package installed it is possible to run pip install python3-saml without error.
$ pip install python3-saml

Requirement already satisfied: python3-saml in ./.venv/lib/python3.12/site-packages (1.16.0)
Requirement already satisfied: lxml!=4.7.0,>=4.6.5 in ./.venv/lib/python3.12/site-packages (from python3-saml) (5.2.1)
Requirement already satisfied: isodate>=0.6.1 in ./.venv/lib/python3.12/site-packages (from python3-saml) (0.6.1)
Requirement already satisfied: xmlsec>=1.3.9 in ./.venv/lib/python3.12/site-packages (from python3-saml) (1.3.14)
Requirement already satisfied: six in ./.venv/lib/python3.12/site-packages (from isodate>=0.6.1->python3-saml) (1.16.0)

Even after install xmlsec1-devel, the error remains
dnf install xmlsec1-devel
(xmlsec1-devel-1.2.29-9.el9.x86_64.rpm)

Error message:

 Traceback (most recent call last):
   File "/opt/indico/web/indico.wsgi", line 9, in <module>
     application = make_app()
                   ^^^^^^^^^^
   File "/opt/indico/.venv/lib/python3.12/site-packages/indico/web/flask/app.py", line 420, in make_app
     multipass.init_app(app)
   File "/opt/indico/.venv/lib/python3.12/site-packages/indico/core/auth.py", line 80, in init_app
     super().init_app(app)
   File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/core.py", line 73, in init_app
     state.auth_providers = ImmutableDict(self._create_providers('AUTH', AuthProvider))
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/core.py", line 461, in _create_providers
     cls = resolve_provider_type(base, settings.pop('type'), registry)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/util.py", line 158, in resolve_provider_type
     cls = entry_point.load()
           ^^^^^^^^^^^^^^^^^^
   File "/opt/indico/.venv/lib/python3.12/site-packages/importlib_metadata/__init__.py", line 184, in load
     module = import_module(match.group('module'))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/opt/indico/.pyenv/versions/3.12.5/lib/python3.12/importlib/__init__.py", line 90, in import_module
     return _bootstrap._gcd_import(name[level:], package, level)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
   File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
   File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
   File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
   File "<frozen importlib._bootstrap_external>", line 995, in exec_module
   File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
   File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/providers/saml.py", line 10, in <module>
     from onelogin.saml2.auth import OneLogin_Saml2_Auth
   File "/opt/indico/.venv/lib/python3.12/site-packages/onelogin/saml2/auth.py", line 12, in <module>
     import xmlsec
 xmlsec.InternalError: (-1, 'lxml & xmlsec libxml2 library version mismatch')
 unable to load app 0 (mountpoint='') (callable not found or import error)

Is there any way to resolve this?
Thanks in advance

lxml & xmlsec libxml2 library version mismatch

I hope it’s not because xmlsec uses an older libxml than what Indico uses… would be nice if they actually included version numbers in that error message.

I don’t know if it helps, but these are the installed versions.

$ pip freeze | grep saml
python3-saml==1.16.0

$ pip freeze | grep xml

defusedxml==0.7.1
lxml==5.2.1
xmlsec==1.3.14

I just tried it both a python:3.12 docker container and in a almalinux:9.4 container (with python3.12 added and in a venv). No problems to import saml there. And no need to add any system libxml packages.

My guess is that you somehow have an old libxml2 lying around somewhere.

What libxml versions are installed in your systems?

rpm -qa | grep libxml

libxml2-2.9.13-6.el9_4.x86_64
libxmlb-0.3.10-1.el9.x86_64
libxml2-devel-2.9.13-6.el9_4.x86_64