[Bug 1897117] Re: [SRU] liblasso3 on Bionic fails to process the ECP authn response

Launchpad Bug Tracker 1897117 at bugs.launchpad.net
Tue Oct 20 13:20:52 UTC 2020 

This bug was fixed in the package lasso - 2.6.0-7ubuntu1.1

---------------
lasso (2.6.0-7ubuntu1.1) focal; urgency=medium

  * d/p/Fix-ECP-signature-not-found-error-when-only-assertion.patch:
    Cherry-picked from upstream bugfix for handling authn responses correctly
    (LP: #1897117).

 -- Chris MacNaughton <chris.macnaughton at canonical.com>  Fri, 25 Sep
2020 14:29:11 +0000

** Changed in: lasso (Ubuntu Focal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to lasso in Ubuntu.
https://bugs.launchpad.net/bugs/1897117

Title:
  [SRU] liblasso3 on Bionic fails to process the ECP authn response

Status in lasso package in Ubuntu:
  Fix Released
Status in lasso source package in Focal:
  Fix Released
Status in lasso source package in Groovy:
  Fix Released

Bug description:
  [Impact]

   * liblasso3 fails when processing an ECP authn response

   * ECP authn responses are required to make Keystone <-> Keystone
  federation work

  [Test Case]

  Follow setup guide at
  https://github.com/ionutbalutoiu/juju-keystone-federation to validate that the Keystone <-> Keystone federattion works after this update.

  [Regression Potential]

  Minimal. There are very few other packages that depend on it, and the
  change is trivial. There are fixes in handling SAML responses in which
  only the assertions are signed, in addition to a couple of fixes
  around handling assertion hints unexpectedly aborting.

  -------------------------------------------------------------------

  The liblasso3 package (dependency of libapache2-mod-auth-mellon) fails
  when processing a ECP authn response.

  Error message given by the Apache2 Mellon auth module:
  [auth_mellon:error] Error processing ECP authn response. Lasso error: [101] Signature element not found.

  This issue can be reproduced into an OpenStack environment with
  Keystone to Keystone federation, using Apache2 Mellon module for the
  SP (service provider).

  I managed to reproduce this on:
  * Ubuntu 18.04 (Bionic) with liblasso3 2.5.1-0ubuntu1.1
  * Ubuntu 20.04 (Focal) with liblasso3 2.6.0-7ubuntu1

  This was fixed in the upstream Lasso project
  (https://dev.entrouvert.org/issues/26828), and it is shipped with
  versions 2.6.1 or newer.

  I tested liblasso3 2.6.1 on both Bionic and Focal and it fixes the
  problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lasso/+bug/1897117/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list