Debugging ckanext-saml2auth for CKAN

I recently had to set up SAML2 Single-SignOn (SSO) with CKAN. It was a bit of a challenge so I am posting some of the error messages I encountered with fixes below. Hopefully, someone else will find this helpful. 🤞 You can find the excellent ckanext-saml2auth plugin here:

Issue 1: Config in the wrong section of CKAN .ini file

CKAN failed to start with ckanext-saml2auth plugin enabled. When I loaded CKAN in my browser I got an Internal Server error. I used tail -500 /etc/ckan/default/uwsgi.ERR to check the error log after restarting the service and found the following error:

RuntimeError: ckanext.saml2auth.user_email is not configured. Please amend your .ini file.

I verified I had the saml2auth config line in my ckan.ini (in addition to others):

ckanext.saml2auth.user_email = NameID

I moved my saml2auth config items under the [app:main] section of the ckan.ini file and that fixed it.

Issue 2: validUntil date expired in metadata XML from IdP

Now that saml2auth could see its config, I got a new error in my CKAN uwsgi.ERR file:

saml2.client_base.IdpUnspecified: No IdP to send to given the premises

After some searching and debugging I figured out that the “validUntil” field in the metadata XML file I was given by my identity provider was in the past. I edited the file and set a date in the future, restarted and that got me further but ultimately I ended up requesting a new metadata XML file with an updated “validUntil” date.

Issue 3: User not authorized to log into the app in the IdP

I got a little further at this point but hit another error when I attempt to log into CKAN:

Bad login request: unsuccesssful operation: ...
... User is not authoirized to perfrom Federation SSO ...

To fix this issue the identify provider (Oracle) had to be configured to allow users to log into the app. I don’t have visibility into the IdP side so can’t provide more detail than that.

Issue 4: saml2auth can’t verify the signature

We got a bit further along in the process but encountered this error.

Bad login request: Failed to verify signature

To fix it, I obtained a new metadata XML file from the IdP with a future “validUntil” date on it.

Finally, success!