
We're trying to set up a web app (Django) in Google App Engine connected via SAML to our IdP, Okta. It has to be done as a Custom Flexible App because of a binary requirement, making it basically a container deployment. Running it locally with gunicorn (including SSL configuration) works flawlessly, but deploying it to Google, not that much.

The problem is that the IdP to SP redirection fails with

Traceback:

File "/env/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
  34.             response = get_response(request)

File "/env/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  115.                 response = self.process_exception_by_middleware(e, request)

File "/env/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  113.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/env/lib/python3.6/site-packages/django/views/decorators/csrf.py" in wrapped_view
  54.         return view_func(*args, **kwargs)

File "/env/lib/python3.6/site-packages/django_saml2_auth/views.py" in acs
  159.         resp, entity.BINDING_HTTP_POST)

File "/env/lib/python3.6/site-packages/saml2/client_base.py" in parse_authn_request_response
  714.                                         binding, **kwargs)

File "/env/lib/python3.6/site-packages/saml2/entity.py" in _parse_response
  1213.             response.require_signature = require_signature

Exception Type: AttributeError at /sso/acs/
Exception Value: 'NoneType' object has no attribute 'require_signature'

The current theory is that the Nginx proxy in front of the app is somehow messing with the POST request and breaking the SAML assertion but such settings or its documentation are yet to be found.

Some fresh ideas would be greatly appreciated.

2 Answers


The problem was simple enough: the reverse proxy configuration changes the HTTP request (HTTPS scheme to HTTP) which makes the Okta plugin (https://github.com/fangli/django-saml2-auth) fail with the obscure error. Adding the ASSERTION_URL entry to the SAML2_AUTH dict in your settings.py Django file does the trick.


As suggested above adding the ASSERTION_URL entry to the SAML2_AUTH dict in your settings.py Django file will solve the Exception Value: 'NoneType' object has no attribute 'require_signature' error.

I would like to add some details that helped me solve it. In my case, using a Dockerized Django running with AWS Fargate integrated with Okta, the config looks like:

# inside the SAML2_AUTH dict in settings.py (requires `import os` at the top of the file)
'ASSERTION_URL': f"https://{os.environ['YOUR_APP_URL']}" if "YOUR_APP_URL" in os.environ else 'http://127.0.0.1:8000',

Using the condition to have it running on localhost for testing too. Also, please note the preceding https protocol placed there for clarity of what we're trying to solve.

Without this setting, besides the error mentioned above, another one from the logs output is probably more helpful to understand why the 'ASSERTION_URL' config is needed:

"https://your-domain/saml2_auth/acs/ not in ['http://your-domain/saml2_auth/acs/']"

Of course, after reading this topic I read the documentation at https://github.com/fangli/django-saml2-auth/ again, where it says:

"By default, django-saml2-auth will validate the SAML response's Service Provider address against the actual HTTP request's host and scheme. If this value is set, it will validate against ASSERTION_URL instead - perfect for when django running behind a reverse proxy."
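To make the failure mode in both answers concrete, here is an added example (not code from django-saml2-auth or pysaml2) that models the SP-side destination check: the expected ACS URL is rebuilt from the scheme and host the Django process actually saw, unless ASSERTION_URL pins it. The env var name YOUR_APP_URL and the ACS path /saml2_auth/acs/ are taken from the answers above; the function names are assumptions.

```python
import os

# Constructed settings helper mirroring the SAML2_AUTH fragment from the answer above.
# YOUR_APP_URL is a hypothetical environment variable name, not a real library setting.
def build_saml2_auth_settings(environ):
    """Return the SAML2_AUTH dict; ASSERTION_URL is set only when YOUR_APP_URL is present."""
    settings = {}
    if "YOUR_APP_URL" in environ:
        settings["ASSERTION_URL"] = f"https://{environ['YOUR_APP_URL']}"
    return settings


def effective_acs_url(settings, request_scheme, request_host, acs_path="/saml2_auth/acs/"):
    """The ACS URL the SP expects the assertion to be addressed to.

    Without ASSERTION_URL the SP reconstructs it from the request it received.
    Behind a TLS-terminating proxy that forwards plain HTTP, the scheme becomes
    http://, so it no longer matches the https:// destination the IdP signed.
    Pinning ASSERTION_URL avoids relying on the proxy's view of the request.
    """
    base = settings.get("ASSERTION_URL") or f"{request_scheme}://{request_host}"
    return base.rstrip("/") + acs_path


def check_destination(assertion_destination, settings, request_scheme, request_host):
    """Model of the SP-side check; returns (ok, message).

    The message on failure has the same shape as the log line quoted in the
    answer above: '<destination> not in [<allowed acs url>]'.
    """
    allowed = [effective_acs_url(settings, request_scheme, request_host)]
    if assertion_destination not in allowed:
        return False, f"{assertion_destination} not in {allowed}"
    return True, "destination accepted"


if __name__ == "__main__":
    dest = "https://your-domain/saml2_auth/acs/"  # constructed destination from the IdP
    # Proxy terminated TLS and forwarded plain HTTP: no ASSERTION_URL -> mismatch.
    print(check_destination(dest, {}, "http", "your-domain"))
    # Same request, ASSERTION_URL pinned to the public https:// origin -> accepted.
    pinned = build_saml2_auth_settings({"YOUR_APP_URL": "your-domain"})
    print(check_destination(dest, pinned, "http", "your-domain"))
```

Note that ASSERTION_URL must be the exact public origin the IdP was configured with; a stale or mistyped value fails the same check, just with a different pair of URLs in the message.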