Google App Engine and SAML (Okta)

by ModMed SysAdmin   Last Updated July 12, 2019 00:00 AM

We're trying to set up a web app (Django) in Google App Engine connected via SAML to our IdP, Okta. It has to be done as a Custom Flexible App because of a binary requirement, making it basically a container deployment. Running it locally with gunicorn (including SSL configuration) works flawlessly, but deploying it to Google, not so much.

The problem is that the IdP to SP redirection fails with

    AttributeError at /saml_path/ 'NoneType' object has no attribute 'require_signature'

With part of the exception info being

    /env/lib/python3.6/site-packages/django_saml2_auth/ in acs
        resp = r.POST.get('SAMLResponse', None)
        next_url = r.session.get('login_next_url', settings.SAML2_AUTH.get('DEFAULT_NEXT_URL', get_reverse('admin:index')))
        if not resp:
            return HttpResponseRedirect(get_reverse([denied, 'denied', 'django_saml2_auth:denied']))
        authn_response = saml_client.parse_authn_request_response(
            resp, entity.BINDING_HTTP_POST) …
        if authn_response is None:
            return HttpResponseRedirect(get_reverse([denied, 'denied', 'django_saml2_auth:denied']))
        user_identity = authn_response.get_identity()
        if user_identity is None:
            return HttpResponseRedirect(get_reverse([denied, 'denied', 'django_saml2_auth:denied']))

    /env/lib/python3.6/site-packages/saml2/ in parse_authn_request_response
                self.config.allow_unknown_attributes,
            'conv_info': conv_info
        }
        try:
            resp = self._parse_response(xmlstr, AuthnResponse,
                                        "assertion_consumer_service",
                                        binding, **kwargs) …
        except StatusError as err:
            logger.error("SAML status error: %s", err)
            raise
        except UnravelError:
            return None
        except Exception as err:

    /env/lib/python3.6/site-packages/saml2/ in _parse_response
                    raise
                else:
                    response.require_signature = require_signature
                    response = response.verify(keys)
            else:
                assertions_are_signed = True
        finally:
            response.require_signature = require_signature …
        # If so configured enforce that either the response is signed
        # or the assertions within it are signed.
        if response.require_signature_or_response_signature:
            if not response_is_signed and not assertions_are_signed:
                msg = "Neither the response nor the assertions are signed"

The current theory is that the Nginx proxy in front of the app is somehow messing with the POST request and breaking the SAML assertion, but such settings or their documentation are yet to be found.

Some fresh ideas would be greatly appreciated.
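An added diagnostic to narrow this down (example code written for this page; it is not from the question, from django_saml2_auth or from pysaml2). In the quoted `_parse_response` frame, `response = response.verify(keys)` is followed by a `finally:` block that sets `response.require_signature`, so the AttributeError is consistent with `verify()` having returned `None`, i.e. the message was received but rejected rather than lost. The snippet below decodes the `SAMLResponse` form field with the standard library only and reports the fields that most often cause that rejection behind a reverse proxy: the `Destination` the IdP stamped on the response versus the ACS URL the app believes it is serving (which depends on `X-Forwarded-Proto` and `Host` arriving intact), plus whether the Response and Assertion actually carry `ds:Signature` elements. The hostname `app.example.com`, the ACS path `/saml_path/acs/`, the issuer URL and the embedded message are all constructed placeholders; the signature value is a dummy and is not verified here.

```python
import base64
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 protocol/assertion messages and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def build_acs_url(headers, path):
    """Reconstruct the external ACS URL as the app will see it, honouring the
    X-Forwarded-* headers a reverse proxy (e.g. Nginx) is expected to set.
    `headers` is a plain dict; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", "http").split(",")[0].strip()
    host = h.get("x-forwarded-host", h.get("host", "localhost")).split(",")[0].strip()
    return f"{scheme}://{host}{path}"


def inspect_saml_response(saml_response_b64, expected_acs_url):
    """Decode a base64 SAMLResponse (HTTP-POST binding) and return a report of
    the fields that commonly explain a rejected assertion. This is read-only
    inspection for troubleshooting; it performs no signature verification."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return {"error": f"unexpected root element {root.tag}"}
    assertion = root.find("saml:Assertion", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    destination = root.get("Destination")
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "status": status.get("Value") if status is not None else None,
        "destination": destination,
        "destination_matches_acs": destination == expected_acs_url,
        "in_response_to": root.get("InResponseTo"),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_present": assertion is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
    }


# Constructed sample message: signed Assertion, unsigned Response, dummy signature.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" Version="2.0" IssueInstant="2019-07-12T00:00:00Z"
  Destination="https://app.example.com/saml_path/acs/" InResponseTo="_req1">
  <saml:Issuer>http://idp.example.com/constructed</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-07-12T00:00:00Z">
    <saml:Issuer>http://idp.example.com/constructed</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder-not-a-real-signature</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML).decode("ascii")

ACS_PATH = "/saml_path/acs/"  # constructed; use your own ACS path


def demo():
    """Compare the ACS URL seen with and without the proxy's forwarded headers
    against the Destination inside the sample response."""
    with_proxy_headers = build_acs_url(
        {"Host": "app.example.com", "X-Forwarded-Proto": "https"}, ACS_PATH)
    without_proxy_headers = build_acs_url({"Host": "app.example.com"}, ACS_PATH)
    return {
        "acs_with_forwarded_proto": inspect_saml_response(SAMPLE_RESPONSE_B64, with_proxy_headers),
        "acs_without_forwarded_proto": inspect_saml_response(SAMPLE_RESPONSE_B64, without_proxy_headers),
    }


if __name__ == "__main__":
    for label, report in demo().items():
        print(label)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

Run it against a real `SAMLResponse` captured from the browser's form POST (for example from the developer tools network tab) and the headers the container actually receives. A `Destination` that says `https://...` while the app reconstructs `http://...` means the proxy is not passing `X-Forwarded-Proto` (or the app is not configured to trust it); a missing `ds:Signature` on both elements means the assertion cannot satisfy the "either the response or the assertions are signed" check shown in the traceback.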
