Description
I have set up a Django application with SSO via SAML with Azure AD on my Windows PC.
But when trying to access the URL saml2/login/ in the browser, I get the issue below:
System check identified no issues (0 silenced).
February 25, 2025 - 13:28:59
Django version 5.1.6, using settings 'myproject.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CTRL-BREAK.
[25/Feb/2025 13:29:01] "GET /saml2/login/ HTTP/1.1" 200 1261
check_sig: [WinError 5] Access is denied
EXCEPTION: [WinError 5] Access is denied
Traceback (most recent call last):
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\response.py", line 360, in _loads
self.response = self.signature_check(
^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 1667, in correctly_signed_response
self._check_signature(decoded_xml, response, class_name(response), origdoc)
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 1507, in _check_signature
if self.verify_signature(
^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 1357, in verify_signature
return self.crypto.validate_signature(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 840, in validate_signature
(_stdout, stderr, _output) = self._run_xmlsec(com_list, [tmp.name])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 856, in _run_xmlsec
if self.version_nums >= (1, 3):
^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 610, in version_nums
vns = tuple(int(t) for t in self.version.split("."))
^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 656, in version
pof = Popen(com_list, stderr=PIPE, stdout=PIPE)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\subprocess.py", line 1026, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\subprocess.py", line 1538, in _execute_child
hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [WinError 5] Access is denied
XML parse error: [WinError 5] Access is denied
Forbidden: /saml2/acs/
and below is the SAML_CONFIG in settings.py:
SAML_CONFIG = {
    'attribute_mapping': {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": ("first_name",),
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": ("last_name",),
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ("email",),
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ("username",),
    },
    'SAML_VALIDATE_SIGNATURE': False,
    # Use Python xmlsec instead of external xmlsec1
    'xmlsec_binary': r"C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\xmlsec",
    # Entity ID (SP Metadata URL)
    'entityid': 'http://localhost:8000/saml2/metadata/',
    # Metadata Configuration (Local SP & IdP metadata)
    'metadata': {
        #'local': [os.path.join(BASE_DIR, 'remote_metadata.xml')],  # SP Metadata file
        'remote': [
            {
                'url': 'https://login.microsoftonline.com/1c774691-8804-46e3-b382-0763151699e0/federationmetadata/2007-06/federationmetadata.xml?appid=55700b85-4678-47e5-b55b-c8ce799dcd3d',
                #'cert': BASE_DIR / 'certs' / 'AzureAD.pem',
                'certs': r"C:\Learning\Django\saml2\Test\djangotutorial\myproject\certs\AzureAD.pem"
            }
        ],  # Azure AD IdP Metadata URL
    },
    # Service Provider (SP) Settings
    'service': {
        'sp': {
            #'authn_requests_signed': False,  # No signing required for AuthnRequest
            'want_assertions_signed': False,  # Do not require signed assertions
            'want_response_signed': False,  # Do not require signed SAML Response
            "want_assertions_or_response_signed": True,
            'allow_unsolicited': True,  # Allow IdP-initiated login
            'name_id_format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
            #'private_key': os.path.join(BASE_DIR, 'private.key'),
            #'certificate': os.path.join(BASE_DIR, 'private.key'),
            'endpoints': {
                'assertion_consumer_service': [
                    ('http://localhost:8000/saml2/acs/', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'),
                ],
                'single_logout_service': [
                    ('http://localhost:8000/saml2/ls/', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
                ],
            },
            'required_attributes': ['emailAddress'],
        },
    },
    # Identity Provider (IdP) Settings (Azure AD Example)
    'service': {
        'idp': {
            'entity_id': 'https://sts.windows.net/1c774691-8804-46e3-b382-0763151699e0/',  # Azure AD Entity ID
            'single_sign_on_service': {
                'url': 'https://login.microsoftonline.com/1c774691-8804-46e3-b382-0763151699e0/saml2',
                'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            },
            # 'single_logout_service': {
            #     'url': 'https://login.microsoftonline.com/1c774691-8804-46e3-b382-0763151699e0/saml2/logout',
            #     'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            # },
            'x509cert': r"C:\Learning\Django\saml2\Test\djangotutorial\myproject\certs\AzureAD.pem",  # Optional if Azure AD does not require signed responses
        }
    },
    # Security Settings (No Signing)
    'security': {
        'signMetadata': False,  # Do not sign SP metadata
        #'digest_algorithm': 'http://www.w3.org/2001/04/xmlenc#sha256',
        'signature_algorithm': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    },
    # Debugging Mode
    'debug': True,
    "user_mapping": {"username": "email"},
    # No Signing Keys
    'key_file': '',  # No private key needed
    'cert_file': "",  # No public certificate needed
}
Can anyone please guide me here? Thanks.
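Added here as an illustration (not code from the post or from pysaml2): a pre-flight check that repeats the `xmlsec1 --version` probe the traceback shows pysaml2's `sigver` module running, so an `xmlsec_binary` that is a directory rather than an executable is caught before any login, and that flags the signature-related SP settings a reviewer would look at. The sample config, paths and function names are constructed for the example.

```python
import os
import shutil
import subprocess


def probe_xmlsec_binary(path):
    """Return None if `path` is a runnable xmlsec1, else a reason string.

    pysaml2 spawns `<xmlsec_binary> --version` via subprocess.Popen to learn the
    xmlsec1 version before each signature check. Pointing the setting at a
    directory (e.g. the Python `xmlsec` package folder) makes CreateProcess fail
    on Windows with "[WinError 5] Access is denied", as in the traceback above.
    """
    if not path:
        return "xmlsec_binary is empty"
    if os.path.isdir(path):
        return f"xmlsec_binary points to a directory, not an executable: {path}"
    resolved = path if os.path.isfile(path) else shutil.which(path)
    if resolved is None or not os.access(resolved, os.X_OK):
        return f"xmlsec_binary is not an executable file: {path}"
    try:
        out = subprocess.run([resolved, "--version"], capture_output=True,
                             text=True, timeout=10)
    except OSError as exc:  # PermissionError, FileNotFoundError, ...
        return f"could not run xmlsec_binary: {exc}"
    if "xmlsec" not in (out.stdout + out.stderr).lower():
        return "xmlsec_binary ran but did not identify itself as xmlsec1"
    return None


def audit_saml_config(config):
    """Return a list of findings for a pysaml2-style SAML_CONFIG dict."""
    findings = []
    reason = probe_xmlsec_binary(config.get("xmlsec_binary"))
    if reason:
        findings.append(reason)
    # A second 'service' key in the dict literal silently replaces the first,
    # so the whole 'sp' block can vanish: check that it actually survived.
    sp = config.get("service", {}).get("sp")
    if sp is None:
        findings.append("service.sp is missing (a later 'service' key may have replaced it)")
        return findings
    if not (sp.get("want_assertions_signed") or sp.get("want_response_signed")
            or sp.get("want_assertions_or_response_signed")):
        findings.append("SP would accept a response with no signature at all")
    if sp.get("allow_unsolicited"):
        findings.append("allow_unsolicited=True: IdP-initiated responses accepted")
    return findings


# Constructed stand-in for the posted config: xmlsec_binary is a package
# directory (here: the stdlib folder) and only the second 'service' key survives.
POSTED_STYLE_CONFIG = {
    "xmlsec_binary": os.path.dirname(os.__file__),
    "service": {"idp": {"entity_id": "https://sts.windows.net/EXAMPLE-TENANT/"}},
}
```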