Authentication failed: SAML login failed: ['invalid_response'] #83

Closed
MrJeric0 opened this issue Jan 8, 2018 · 14 comments
@MrJeric0

MrJeric0 commented Jan 8, 2018

The response URL is adding a port number to the URL.

(The response was received at https://www.site.com:80/complete/saml/ instead of https://www.site.com/complete/saml/)

I am connecting to an ADFS server. Is this an SP issue or an IdP setting issue?

@pitbulk
Contributor

pitbulk commented Jan 8, 2018

Review how you build the request and be sure that the ACS endpoint you registered at the IdP matches the URL of the view that processes the SAMLResponse (the ACS endpoint), which uses the request object to calculate it.

@coler-j

coler-j commented Sep 8, 2018

I am experiencing this issue as well.
For reference I am using ngrok.exe as a tunnel, which is tunnelling localhost port 8000 to an ngrok public URL. I am also calling this library through the Django python-social-auth library's SAML backend.

I have narrowed this issue down to where saml2 validates the response from the SAML IdP. It appears to be coming from onelogin/saml2/response.py, specifically the function to obtain the "current" URL:

saml2.auth.process_response calls response.is_valid(self.__request_data, request_id).

response.is_valid tries to get the 'current' URL, which is the URL where the script is running. It returns HTTP instead of HTTPS, and also adds a port while there shouldn't actually be one.

onelogin.saml2.util.get_self_url_no_query is where this happens.

@coler-j

coler-j commented Sep 8, 2018

I probably spent about 6 hours debugging this, but the issue came down to the request data (generated from the python-social-auth SAML backend) using my localhost port of '8000' instead of the https port '443'. It is odd, because the metadata generation (part of this onelogin library) generates the correct reply URL. But apparently it uses a different function to construct the reply URL when making a request.

from django.conf import settings
from onelogin.saml2.auth import OneLogin_Saml2_Auth

def _create_saml_auth(self, idp):
    """Get an instance of OneLogin_Saml2_Auth"""
    config = self.generate_saml_config(idp)

    # This is where we override the server port setting to the https default port,
    # because the strategy reports the local port (8000) that ngrok tunnels, not 443.
    if settings.USING_NGROK and settings.ON_DEVELOPMENT:
        server_port = '443'
    else:
        server_port = self.strategy.request_port()

    request_info = {
        'https': 'on' if self.strategy.request_is_secure() else 'off',
        'http_host': self.strategy.request_host(),
        'script_name': self.strategy.request_path(),
        'server_port': server_port,
        'get_data': self.strategy.request_get(),
        'post_data': self.strategy.request_post(),
    }
    return OneLogin_Saml2_Auth(request_info, config)

@milutinke-kortechs

Guys, do you have a solution for this?
I have the same problem. I put Single Sign On URL: {url}/api/socialisme/auth/saml/finalize/
But I got this error:
{url}:80/api/socialisme/auth/saml/finalize/ instead of {url}/api/socialisme/auth/saml/finalize/

Also when I included the port in the Single Sign On URL I got this error:
This site can’t provide a secure connection test.balkan.skypicker.com sent an invalid response.

Solution?

Thanks

@alexander-jacob

alexander-jacob commented Feb 8, 2019

I am having the same issue with django/social-auth

Authentication failed: SAML login failed: ['invalid_response'] (The response was received at http://localhost:8000/social/complete/saml/ instead of http://localhost:8011/social/complete/saml/)
django is running in a docker container on port 8000 but 8011 is exposed.

UPDATE

Okay, if the actual port is different than the port in the browser then the problem occurs.
This may be when django is running in a docker container or behind an NGINX.
To fix this set USE_X_FORWARDED_PORT=True in Django settings and configure HTTP_X_FORWARDED_PORT in NGINX.
See

    def get_port(self):
        """Return the port number for the request as a string."""
        if settings.USE_X_FORWARDED_PORT and 'HTTP_X_FORWARDED_PORT' in self.META:
            port = self.META['HTTP_X_FORWARDED_PORT']
        else:
            port = self.META['SERVER_PORT']
        return str(port)

okay
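An added example (not code from this thread, python3-saml or python-social-auth) that ties coler-j's server_port observation and the X-Forwarded-Port fix above together: it builds the request dict both ways from a constructed WSGI META and recomputes the URL that gets compared with the configured ACS URL. META_BEHIND_PROXY, CONFIGURED_ACS and the function names are assumptions, and the URL rule is modelled on the error messages quoted in this thread rather than copied from the library.

```python
# Constructed sample WSGI environ/META: the app listens on localhost:8000 behind a
# TLS-terminating proxy (nginx or a load balancer) that sets X-Forwarded-* headers.
META_BEHIND_PROXY = {
    'wsgi.url_scheme': 'http', 'HTTP_HOST': 'localhost:8000', 'SERVER_PORT': '8000',
    'PATH_INFO': '/complete/saml/',
    'HTTP_X_FORWARDED_PROTO': 'https', 'HTTP_X_FORWARDED_HOST': 'www.site.com',
    'HTTP_X_FORWARDED_PORT': '443',
}
CONFIGURED_ACS = 'https://www.site.com/complete/saml/'  # ACS URL registered at the IdP

def build_request_data(meta, trust_forwarded=False):
    """Build the request dict OneLogin_Saml2_Auth expects (assumed helper name).
    trust_forwarded=False reproduces the naive construction from the thread (internal
    scheme, host and port); True takes them from the X-Forwarded-* headers, which is
    only correct when every request reaches the app through a proxy that sets them."""
    if trust_forwarded and 'HTTP_X_FORWARDED_HOST' in meta:
        scheme = meta.get('HTTP_X_FORWARDED_PROTO', meta['wsgi.url_scheme'])
        host = meta['HTTP_X_FORWARDED_HOST']
        port = meta.get('HTTP_X_FORWARDED_PORT', '443' if scheme == 'https' else '80')
    else:
        scheme, host, port = meta['wsgi.url_scheme'], meta['HTTP_HOST'], meta['SERVER_PORT']
    return {
        'https': 'on' if scheme == 'https' else 'off',
        'http_host': host,
        'server_port': str(port),
        'script_name': meta['PATH_INFO'],
        'get_data': {},
        'post_data': {},
    }

def self_url_no_query(request_data):
    """Recompute the URL the library compares with the configured ACS URL.
    Modelled on the error messages in this thread: a numeric port inside http_host
    is dropped, then server_port is appended unless it is the scheme's default port.
    Any difference between the two is what surfaces as 'invalid_response'."""
    scheme = 'https' if request_data['https'] == 'on' else 'http'
    host, _, maybe_port = request_data['http_host'].rpartition(':')
    if not maybe_port.isdigit():
        host = request_data['http_host']  # no port in http_host
    port = request_data['server_port']
    netloc = host if port == ('443' if scheme == 'https' else '80') else f'{host}:{port}'
    return f'{scheme}://{netloc}{request_data["script_name"]}'

def acs_matches(meta, trust_forwarded):
    """True when the recomputed URL equals the configured ACS URL."""
    return self_url_no_query(build_request_data(meta, trust_forwarded)) == CONFIGURED_ACS

if __name__ == '__main__':
    for trust in (False, True):
        rd = build_request_data(META_BEHIND_PROXY, trust)
        print(trust, self_url_no_query(rd), acs_matches(META_BEHIND_PROXY, trust))
```

Correcting the request data this way keeps the destination comparison intact; deleting the comparison from the library also makes the error disappear, but it drops the check that ties a response to the endpoint it was issued for.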

@omardlhz

I'm having a similar issue, but in my case it's https:// being added twice. The error I get is the following: The response was received at https://https://<myurl>/saml/acs instead of https://<myurl>/saml/acs

@vinothkumar1097

Hey Guys,

I'm also facing the same issue as stated earlier by coler-j. I'm using my company login as IdP.
It's working fine with localhost http://127.0.0.1:5000

But when I replace it with my company entity ID (https://xxx.yyy.net/metadata) and ACS URL (https://xxx.yyy.net/saml/acs/), it's not working.
After successful login, the post URL is hitting the assertion endpoint for SAML response validation. I got SAMLResponse and RelayState in the SAML response.

But after that, I'm getting an invalid user error. Am I missing any attributes?
Please help me guys to fix this.

@aashayamballi

aashayamballi commented Jan 29, 2020

Even I'm facing the same issue.

When I do

errors = []

auth.process_response()

errors = auth.get_errors()
if not errors:
    ...  # rest of the code

I get the invalid response from auth.get_errors()

I'm using Django 3.0+ Nginx + Gunicorn.

Is there any fix for this?

Thanks

UPDATE:

Since I was using Nginx and Gunicorn, Gunicorn was running locally so the request object's http_host was getting the value localhost.

So I hardcoded the http_host key's value to our URL. (example: xyz.com) and this worked.

result = {
    'https': 'on' if request.is_secure() else 'off',
    # 'http_host': request.META['HTTP_HOST'],
    # Hardcoded public hostname, because Gunicorn behind Nginx sees HTTP_HOST as localhost.
    'http_host': 'xyz.com',
    'script_name': request.META['PATH_INFO'],
    'server_port': request.META['SERVER_PORT'],
    'get_data': request.GET.copy(),
    # Uncomment if using ADFS as IdP,
    # https://github.com/onelogin/python-saml/pull/144
    'lowercase_urlencoding': True,
    'post_data': request.POST.copy()
}

@onkartibe

I am still facing this issue
Seems my request info is correct,

from urllib.parse import urlparse
from django.conf import settings

def build_request_info(request):  # wrapper name assumed; the comment shows only the body
    # Take scheme, host and port from the configured redirect URI instead of the request.
    redirect_uri = settings.REALME_AUTH_REDIRECT_URI
    parsed_url = urlparse(redirect_uri)

    server_port = parsed_url.port
    if server_port is None:
        server_port = '443' if parsed_url.scheme == 'https' else '80'

    return {
        'http_host': parsed_url.hostname,
        'script_name': request.META['PATH_INFO'],
        'server_port': server_port,
        'get_data': request.GET.copy(),
        'post_data': request.POST.copy(),
        'https': 'on' if parsed_url.scheme == 'https' else 'off',
    }

any solution around this?

@daveisagit

daveisagit commented Dec 24, 2020

> I am having the same issue with django/social-auth
>
> Authentication failed: SAML login failed: ['invalid_response'] (The response was received at http://localhost:8000/social/complete/saml/ instead of http://localhost:8011/social/complete/saml/)
> django is running in a docker container on port 8000 but 8011 is exposed.
>
> UPDATE
>
> Okay, if the actual port is different than the port in the browser then the problem occurs.
> This may be when django is running in a docker container or behind an NGINX.
> To fix this set USE_X_FORWARDED_PORT=True in Django settings and configure HTTP_X_FORWARDED_PORT in NGINX.
> See
>
>     def get_port(self):
>         """Return the port number for the request as a string."""
>         if settings.USE_X_FORWARDED_PORT and 'HTTP_X_FORWARDED_PORT' in self.META:
>             port = self.META['HTTP_X_FORWARDED_PORT']
>         else:
>             port = self.META['SERVER_PORT']
>         return str(port)
>
> okay

I am having the same issue with django in a kubernetes cluster. I have raised an issue here as your suggestion for using USE_X_FORWARDED_PORT = True did not work for me.

UPDATE

It works after adding X-Forwarded-Port = 443 as a custom header within the Google load balancer (https://cloud.google.com/load-balancing/docs/custom-headers) and setting SOCIAL_AUTH_REDIRECT_IS_HTTPS = True in settings.py

@rubenanapu

Using the settings below worked for me:

USE_X_FORWARDED_HOST = True
USE_X_FORWARDED_PORT = True

More info: https://docs.djangoproject.com/en/3.2/ref/settings/#use-x-forwarded-host

@sheppe

sheppe commented Aug 11, 2021

I got it fixed by modifying the code in the onelogin/saml2/utils.py file. Comment out Lines 292-299:

'''
if ':' in current_host:
    current_host_data = current_host.split(':')
    possible_port = current_host_data[-1]
    try:
        int(possible_port)
        current_host = current_host_data[0]
    except ValueError:
        current_host = ':'.join(current_host_data)
'''

I don't know why they have code to specifically remove port information when matching the ACS path to the configured ACS value, but it was breaking a valid configuration.

EDIT: At the time of this writing, they've updated the repo to no longer remove the port info, but the updated code is not released in a tagged version yet. If you're using v1.11.0, the fix above still applies.

@diatoz

diatoz commented Apr 5, 2022

Dear Team,
I have got the same error ['invalid_response'] on a freshly installed zulip server on ubuntu 20.x. I am trying to achieve SSO with gsuite.
The server is behind a load balancer and an nginx proxy.
ZULIP_VERSION = "5.1"
Can someone please help me with exact changes with file location? I have already tried adding custom headers without success.
Server log for reference:
2022-04-04 18:42:44.864 INFO [zulip.auth.saml] AuthFailed: Authentication failed: SAML login failed: ['invalid_response'] (The response was received at https://chat.example.com:80/complete/saml/ instead of https://chat.example.com/complete/saml/)

@AmanBhangre

I am facing this error -
AuthFailed("SAML login failed: ['invalid_response'] (The status code of the Response was not Success, was Requester -> Invalid request, ACS Url in request http://application:8000/v1/social/complete/saml/ doesn't match configured ACS Url https://example.com/v1/social/complete/saml/.)")
I am using docker, which is running django on application:8000, and nginx, which is proxy passing all the requests made on port 80 to this docker container. I also have a load balancer which is connected to the domain and connected to the autoscaling group.
