Debugging ckanext-saml2auth for CKAN

I recently had to set up SAML2 Single Sign-On (SSO) with CKAN. It was a bit of a challenge, so I am posting some of the error messages I encountered, with fixes, below. Hopefully, someone else will find this helpful. 🤞 You can find the excellent ckanext-saml2auth plugin here: https://github.com/keitaroinc/ckanext-saml2auth

Issue 1: Config in the wrong section of CKAN .ini file

CKAN failed to start with the ckanext-saml2auth plugin enabled. When I loaded CKAN in my browser I got an Internal Server Error. I used tail -500 /etc/ckan/default/uwsgi.ERR to check the error log after restarting the service and found the following error:

RuntimeError: ckanext.saml2auth.user_email is not configured. Please amend your .ini file.

I verified I had the saml2auth config line in my ckan.ini (in addition to others):

ckanext.saml2auth.user_email = NameID

I moved my saml2auth config items under the [app:main] section of the ckan.ini file and that fixed it.
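The mistake above is easy to repeat, because CKAN only reads the [app:main] section for plugin settings and silently ignores a section it does not know. The following check is an added example, not code from CKAN or ckanext-saml2auth: it parses a CKAN .ini with the standard library and reports every ckanext.saml2auth.* option that sits outside [app:main]. The two .ini snippets inside it are constructed to reproduce the broken and the fixed layout; the option names are the ones documented by the plugin.

```python
"""Report ckanext.saml2auth.* options that are not under [app:main] in a CKAN .ini.

Added example, not part of CKAN or ckanext-saml2auth. Standard library only.
"""
import configparser

SAML2AUTH_PREFIX = "ckanext.saml2auth."
REQUIRED_KEY = "ckanext.saml2auth.user_email"  # the key named in the RuntimeError
APP_SECTION = "app:main"

# Constructed sample: plugin settings pasted into a section of their own, which is
# exactly the layout that produced "ckanext.saml2auth.user_email is not configured".
BROKEN_INI = """
[DEFAULT]
debug = false

[app:main]
use = egg:ckan
ckan.plugins = stats text_view saml2auth
ckan.site_url = http://localhost:5000

[saml2auth]
ckanext.saml2auth.user_email = NameID
ckanext.saml2auth.idp_metadata.location = local
"""

# Constructed sample: the same settings moved under [app:main].
FIXED_INI = """
[DEFAULT]
debug = false

[app:main]
use = egg:ckan
ckan.plugins = stats text_view saml2auth
ckan.site_url = http://localhost:5000
ckanext.saml2auth.user_email = NameID
ckanext.saml2auth.idp_metadata.location = local
"""


def locate_saml2auth_keys(ini_text):
    """Map each ckanext.saml2auth.* option to the list of sections it appears in."""
    # interpolation=None: CKAN .ini files contain %(here)s, which would otherwise
    # need a value; strict=False tolerates a duplicated key instead of raising.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep option names case-sensitive, as CKAN does
    parser.read_string(ini_text)
    defaults = set(parser.defaults())
    found = {}
    for key in defaults:
        if key.startswith(SAML2AUTH_PREFIX):
            found.setdefault(key, []).append("DEFAULT")
    for section in parser.sections():
        # options() also lists inherited [DEFAULT] keys, so subtract them to see
        # only what is literally written in this section
        for key in set(parser.options(section)) - defaults:
            if key.startswith(SAML2AUTH_PREFIX):
                found.setdefault(key, []).append(section)
    return found


def misplaced_keys(ini_text):
    """Sorted saml2auth options that are not set directly under [app:main]."""
    found = locate_saml2auth_keys(ini_text)
    return sorted(k for k, sections in found.items() if APP_SECTION not in sections)


def check_ini(ini_text):
    """Return human-readable problems; an empty list means the layout is fine."""
    found = locate_saml2auth_keys(ini_text)
    problems = []
    for key in misplaced_keys(ini_text):
        where = ", ".join(found[key])
        problems.append(f"{key} is under [{where}]; move it under [{APP_SECTION}]")
    if REQUIRED_KEY not in found:
        problems.append(f"{REQUIRED_KEY} is not set anywhere")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(f"== {label} ==")
        for line in check_ini(text) or ["saml2auth config layout looks fine"]:
            print(line)
```

To run it against a real file, replace the constructed samples with `check_ini(open("/etc/ckan/default/ckan.ini").read())`. Keys found only in [DEFAULT] are flagged as well, which is deliberately conservative: the point is to keep the plugin's settings where CKAN is guaranteed to read them.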

Issue 2: validUntil date expired in metadata XML from IdP

Now that saml2auth could see its config, I got a new error in my CKAN uwsgi.ERR file:

saml2.client_base.IdpUnspecified: No IdP to send to given the premises

After some searching and debugging I figured out that the “validUntil” field in the metadata XML file I was given by my identity provider was in the past. I edited the file and set a date in the future, restarted and that got me further but ultimately I ended up requesting a new metadata XML file with an updated “validUntil” date.

Issue 3: User not authorized to log into the app in the IdP

I got a little further at this point but hit another error when I attempted to log into CKAN:

Bad login request: unsuccessful operation: ...
... User is not authorized to perform Federation SSO ...

To fix this issue the identity provider (Oracle) had to be configured to allow users to log into the app. I don’t have visibility into the IdP side so can’t provide more detail than that.

Issue 4: saml2auth can’t verify the signature

We got a bit further along in the process but encountered this error:

Bad login request: Failed to verify signature

To fix it, I obtained a new metadata XML file from the IdP with a future “validUntil” date on it.
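Both Issue 2 and Issue 4 were resolved by a fresh metadata file from the IdP, so it is worth ruling out the obvious metadata problems before opening a ticket. The script below is an added example, not code from ckanext-saml2auth or pysaml2: it parses an IdP metadata file with the standard library and reports an expired validUntil (the cause of "No IdP to send to given the premises" in Issue 2) and a file with no signing certificate at all, which leaves nothing to verify a signature against. The metadata document inside it is constructed, and its certificate body is a placeholder rather than a real key. One caveat on hand-editing validUntil, as the post did as a stopgap: if the IdP signed the metadata file itself, any edit invalidates that signature, so a freshly issued file is the only durable fix.

```python
"""Sanity-check IdP SAML metadata before pointing ckanext-saml2auth at it.

Added example, not part of ckanext-saml2auth or pysaml2. Standard library only.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: validUntil already in the past and only an encryption
# certificate, so there is nothing to verify response signatures with.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/fed" validUntil="2020-01-31T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/fed/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed "fresh" variant: future validUntil and the key marked for signing.
FRESH_METADATA = SAMPLE_METADATA.replace(
    'validUntil="2020-01-31T00:00:00Z"', 'validUntil="2030-01-31T00:00:00Z"'
).replace('use="encryption"', 'use="signing"')

# Fixed reference clock so the sample gives the same verdict whenever it is run.
REFERENCE_NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)


def parse_saml_datetime(value):
    """Parse an xs:dateTime such as 2020-01-31T00:00:00Z into an aware datetime."""
    if value.endswith("Z"):  # fromisoformat only accepts 'Z' from Python 3.11 on
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # a naive timestamp is treated as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def check_metadata(xml_text, now=None):
    """Return a list of problems with the IdP metadata; empty means it looks usable."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if local_name(root.tag) != "EntityDescriptor":
        return [f"root element is {local_name(root.tag)}, expected md:EntityDescriptor"]
    problems = []
    # validUntil may be set on the EntityDescriptor or on the IDPSSODescriptor;
    # an expired one makes the whole IdP entry unusable
    for elem in [root] + root.findall("md:IDPSSODescriptor", NS):
        valid_until = elem.get("validUntil")
        if valid_until and parse_saml_datetime(valid_until) < now:
            problems.append(f"{local_name(elem.tag)} validUntil {valid_until} is in the past")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor: this metadata does not describe an IdP")
        return problems
    # A KeyDescriptor with use="signing", or with no use attribute (which means it
    # serves both purposes), holds the certificate used to verify responses.
    signing_certs = [
        cert.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert.text and cert.text.strip()
    ]
    if not signing_certs:
        problems.append("no signing certificate in any md:KeyDescriptor; signatures cannot be verified")
    if not idp.findall("md:SingleSignOnService", NS):
        problems.append("no md:SingleSignOnService endpoint to redirect the login to")
    return problems


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_METADATA), ("fresh", FRESH_METADATA)):
        print(f"== {label} ==")
        for line in check_metadata(doc, now=REFERENCE_NOW) or ["metadata looks usable"]:
            print(line)
```

Point it at a real file with `check_metadata(open("idp-metadata.xml").read())` (no `now` argument, so the real clock is used). The check deliberately stops at "is there a signing certificate", since a certificate that is present but does not match the key the IdP actually signs with can only be diagnosed by comparing against the IdP itself.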

Finally, success!