
Error handling for an edge case of KeyError encountered during 'global_logout' #972

Open
kmsunmin opened this issue Nov 1, 2024 · 0 comments

kmsunmin commented Nov 1, 2024

Hi pysaml2 team, we've been using the djangosaml2 library, which uses pysaml2 for SAML SSO, for many years.
A few years ago, we started noticing issues in the global_logout method, where pysaml2 tries to find the IdPs/AAs that are associated with the given name_id of a SAML subject. When I follow the stack trace, I see the KeyError occurs in the 'entities' method of saml/cache.py, where it returns the list of the subject's entities.

Code Version

pysaml2: 7.5.0
(djangosaml2 1.9.3)

Expected Behavior

The KeyError is handled, for instance by raising a logout-related exception. This way, the request can be redirected and the SP application can handle the logout situation (e.g. by overriding djangosaml2's handle_unsupported_slo_exception method).

Current Behavior

A KeyError is raised during the global_logout method when pysaml2 cannot find any IdPs/AAs associated with the SAML subject who wants to log out. The KeyError occurs in the 'entities' method of saml/cache.py, where it returns the list of the subject's entities:

def entities(self, name_id):
    """Returns all the entities of assertions for a subject, disregarding
    whether the assertion still is valid or not.

    :param name_id: The subject identifier, a NameID instance
    :return: A possibly empty list of entity identifiers
    """
    cni = code(name_id)
    # KeyError for self._db[cni]
    return list(self._db[cni].keys())

Possible Solution

Error handling of the KeyError, such as raising an exception like LogOutError, so that djangosaml2 can catch the exception and redirect the request to handle the situation (e.g. the SP application overriding djangosaml2's handle_unsupported_slo_exception()).

  • We also wonder what the maintainers think about this KeyError, i.e. whether this error might indicate any serious security implications which we don't want to ignore.

Steps to Reproduce

Unfortunately, we have not been able to reproduce this issue, but we have received reports of this KeyError regularly during the last few years. Although we don't know the exact scenario in which this issue occurs, we think that the user's session on the Django application (SP) might have expired and the user then tries to access the SP application again.

We also have a guess that clearing the browser cache might help resolve this issue, but we are not certain of this as we cannot reproduce the issue.

I searched the "Issues" section and found several posts related to this KeyError, but I haven't been able to find a solution for this issue (most of them are a few years old), so I wanted to reach out here.

Thank you.
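As an added illustration of the failure mode and the proposed handling described in this issue (example code written here, not pysaml2's or djangosaml2's own code): a minimal in-memory subject cache shaped like the `_db[cni]` layout the quoted method reads from, one method that mirrors the reported KeyError, a variant that keeps the docstring's "possibly empty list" contract, and a logout step that turns "no cached IdPs/AAs for this subject" into a logout-specific exception an SP view can catch. `LogoutError`, `NameID`, `code_name_id`, `SubjectCache`, `global_logout` and `sp_logout_view` are all assumed names for this example, and the sample subjects and entity IDs are constructed.

```python
"""Added example, not code from pysaml2 or djangosaml2.

Models the cache-miss path from the issue: a subject whose assertions are
not in the SP-side cache (for instance after the SP session expired) hits
`self._db[cni]` and raises KeyError. The hardened path returns an empty
list and lets the logout step raise a dedicated LogoutError instead.
"""
from dataclasses import dataclass, field


class LogoutError(Exception):
    """Hypothetical logout-specific exception (assumed name)."""


@dataclass(frozen=True)
class NameID:
    """Constructed stand-in for a SAML NameID: only the fields used as the cache key."""
    text: str
    name_format: str = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    sp_name_qualifier: str = ""


def code_name_id(name_id: NameID) -> str:
    """Stand-in for the `code(name_id)` serializer the quoted method calls."""
    return ",".join([name_id.text, name_id.name_format, name_id.sp_name_qualifier])


@dataclass
class SubjectCache:
    # coded subject key -> {entity_id: assertion info}, like `_db[cni]` in the issue
    _db: dict = field(default_factory=dict)

    def set(self, name_id: NameID, entity_id: str, info: dict) -> None:
        self._db.setdefault(code_name_id(name_id), {})[entity_id] = info

    def entities_raises(self, name_id: NameID) -> list:
        """Mirrors the quoted method: an unknown subject raises KeyError."""
        return list(self._db[code_name_id(name_id)].keys())

    def entities(self, name_id: NameID) -> list:
        """Same contract as the docstring ("possibly empty list"): an unknown
        subject yields [] rather than a KeyError."""
        return list(self._db.get(code_name_id(name_id), {}).keys())


def global_logout(cache: SubjectCache, name_id: NameID) -> list:
    """Sketch of the lookup step: no IdPs/AAs cached for the subject -> LogoutError."""
    entity_ids = cache.entities(name_id)
    if not entity_ids:
        raise LogoutError(f"no session entities cached for subject {name_id.text!r}")
    return entity_ids


def sp_logout_view(cache: SubjectCache, name_id: NameID) -> dict:
    """SP-side handler: a missing cache entry means the SP holds no assertion for
    this subject, so tear down the local session only; nothing to send to an IdP."""
    try:
        return {"status": "slo", "entities": global_logout(cache, name_id)}
    except LogoutError as exc:
        return {"status": "local_logout_only", "reason": str(exc)}


def demo() -> dict:
    """Run both paths on constructed data and return the observed outcomes."""
    cache = SubjectCache()
    alice = NameID("alice")          # constructed subject with a cached assertion
    bob = NameID("bob")              # constructed subject with no cache entry
    cache.set(alice, "https://idp.example.test/metadata", {"not_on_or_after": 0})
    try:
        cache.entities_raises(bob)
        raw_outcome = "returned"
    except KeyError:
        raw_outcome = "KeyError"
    return {
        "raw_lookup_unknown_subject": raw_outcome,
        "safe_lookup_unknown_subject": cache.entities(bob),
        "safe_lookup_known_subject": cache.entities(alice),
        "view_unknown_subject": sp_logout_view(cache, bob)["status"],
        "view_known_subject": sp_logout_view(cache, alice)["status"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the cache miss is not itself evidence of an attack: the SP simply has no record of which IdPs/AAs issued assertions for that subject, so there is nothing to send a LogoutRequest to. Logging the miss and ending the local session is the conservative outcome; what should not happen is an unhandled KeyError surfacing as a 500 and leaving the local session intact.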
