SAML Authentication with JupyterHub on EKS not working correctly #49

VXJ7137 opened this issue Apr 8, 2020 · 1 comment

VXJ7137 commented Apr 8, 2020

I tried the following steps for a JupyterHub deployment with SAML authentication on EKS.

1) Changes in the Docker image for JupyterHub + SAML authenticator + metadata.xml copied.
Source:
https://github.com/jupyterhub/zero-to-jupyterhub-k8s/tree/0.8.2/images/hub
The following line was added in the Docker image:

```
ADD qa_metadata.xml /etc/jupyterhub/qa_metadata.xml
```

The following line was added in requirements.txt:

```
jupyterhub-samlauthenticator==0.0.7
```

2) Once this Docker image was built and pushed to ECR, I downloaded the Helm deployment for JupyterHub on EKS. Steps to download:

```
helm fetch jupyterhub/jupyterhub
tar -xvf jupyterhub-0.8.2.tgz
cd jupyterhub
```

3) Next, I made the following change in values.yaml in the above jupyterhub folder:

```
image:
  name: jupyterhub/k8s-hub
  tag: '0.8.2'
```

Changed it to:

```
image:
  name: <ECR path created in point 1>
  tag: <Tag of image created in point 1>
```

4) Next, I created a config.yaml file with the following configuration for SAML authentication:

```
hub:
  cookieSecret: 5dc84d73c19dd1621a03e2bbb791e17caf06d34c0595e5ae8d3a406b324bb252
  extraConfig:
    myConfig.py: |
      c.JupyterHub.authenticator_class = 'samlauthenticator.SAMLAuthenticator'
      c.SAMLAuthenticator.metadata_filepath = '/etc/jupyterhub/qa_metadata.xml'
      c.JupyterHub.log_level = 'DEBUG'
      c.LocalProcessSpawner.debug = True
      c.Spawner.debug = True
```

5) The next step is to do the deployment using Helm. The following command was used:

```
helm upgrade jhub-saml1 -f values.yaml . --values ../config.yaml --namespace jhub-saml1
```
After following all the steps above, when I try to log in to JupyterHub using the ELB link and put in user/password, I get the following information in the JupyterHub logs:

[I 2020-04-08 10:40:49.159 JupyterHub app:1673] Using Authenticator: samlauthenticator.samlauthenticator.SAMLAuthenticator
[I 2020-04-08 10:40:49.159 JupyterHub app:1673] Using Spawner: kubespawner.spawner.KubeSpawner
[I 2020-04-08 10:40:49.159 JupyterHub app:1012] Loading cookie_secret from env[JPY_COOKIE_SECRET]
[D 2020-04-08 10:40:49.160 JupyterHub app:1071] Connecting to db: sqlite:///jupyterhub.sqlite
[D 2020-04-08 10:40:49.173 JupyterHub orm:685] database schema version found: 896818069c98
[D 2020-04-08 10:40:49.180 JupyterHub orm:685] database schema version found: 896818069c98
[W 2020-04-08 10:40:49.182 JupyterHub app:1131] JupyterHub.hub_connect_port is deprecated as of 0.9. Use JupyterHub.hub_connect_url to fully specify the URL for connecting to the Hub.
[W 2020-04-08 10:40:49.185 JupyterHub app:1173] No admin users, admin interface will be unavailable.
[W 2020-04-08 10:40:49.185 JupyterHub app:1174] Add any administrative users to c.Authenticator.admin_users in config.
[I 2020-04-08 10:40:49.185 JupyterHub app:1201] Not using whitelist. Any authenticated user will be allowed.
[D 2020-04-08 10:40:49.213 JupyterHub app:1489] Loaded users:

[I 2020-04-08 10:40:49.220 JupyterHub app:1855] Hub API listening on http://0.0.0.0:8081/hub/
[I 2020-04-08 10:40:49.220 JupyterHub app:1857] Private Hub API connect url http://10.0.1.4:8081/hub/
[I 2020-04-08 10:40:49.220 JupyterHub app:1870] Not starting proxy
[D 2020-04-08 10:40:49.220 JupyterHub proxy:296] Fetching routes to check
[D 2020-04-08 10:40:49.221 JupyterHub proxy:686] Proxy: Fetching GET http://172.20.149.211:8001/api/routes
[I 2020-04-08 10:40:49.222 JupyterHub proxy:301] Checking routes
[W 2020-04-08 10:40:49.222 JupyterHub proxy:314] Updating default route http://172.20.187.1:8081http://10.0.1.4:8081
[I 2020-04-08 10:40:49.222 JupyterHub proxy:370] Adding default route for Hub: / => http://10.0.1.4:8081
[D 2020-04-08 10:40:49.223 JupyterHub proxy:686] Proxy: Fetching POST http://172.20.149.211:8001/api/routes/
[I 2020-04-08 10:40:49.224 JupyterHub app:1912] JupyterHub is now running at http://172.20.24.188:80/
[D 2020-04-08 10:41:49.224 JupyterHub proxy:686] Proxy: Fetching GET http://172.20.149.211:8001/api/routes
[I 2020-04-08 10:41:49.225 JupyterHub proxy:301] Checking routes
[D 2020-04-08 10:42:49.224 JupyterHub proxy:686] Proxy: Fetching GET http://172.20.149.211:8001/api/routes
[I 2020-04-08 10:42:49.226 JupyterHub proxy:301] Checking routes
[I 2020-04-08 10:43:39.844 JupyterHub log:158] 302 GET / -> /hub (@10.16.40.165) 0.73ms
[D 2020-04-08 10:43:49.224 JupyterHub proxy:686] Proxy: Fetching GET http://172.20.149.211:8001/api/routes
[I 2020-04-08 10:43:49.226 JupyterHub proxy:301] Checking routes
[I 2020-04-08 10:44:00.389 JupyterHub log:158] 302 GET / -> /hub (@10.16.40.165) 0.86ms
[I 2020-04-08 10:44:00.689 JupyterHub log:158] 302 GET /hub -> /hub/ (@10.16.40.165) 0.60ms
[I 2020-04-08 10:44:01.000 JupyterHub log:158] 302 GET /hub/ -> /hub/login (@10.16.40.165) 0.70ms
[I 2020-04-08 10:44:01.634 JupyterHub samlauthenticator:711] Starting SP-initiated SAML Login
[D 2020-04-08 10:44:01.635 JupyterHub samlauthenticator:616] Got metadata etree
[D 2020-04-08 10:44:01.635 JupyterHub samlauthenticator:622] Got valid metadata etree
[D 2020-04-08 10:44:01.635 JupyterHub samlauthenticator:628] Final xpath is: //md:SingleSignOnService[@binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']/@location
[I 2020-04-08 10:44:01.636 JupyterHub log:158] 302 GET /hub/login -> https://qafedsso.yum.com/idp/SSO.saml2 (@10.16.40.165) 1.44ms
There is no error in the JupyterHub logs. But the issue is that I don't see any SAMLRequest with the URL.
Using SAML tracer for Chrome, I got to understand that the SAMLRequest is not passed along as HTTP parameters with the SSO request, and that's why I am getting a 500 error.

Not sure what needs to be done to get a fix for this. Our service provider says that they need a SAMLRequest along with the SSO request. Something like the following (copied from the wiki https://en.wikipedia.org/wiki/SAML_2.0) also needs to be sent.

```
<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="aaf23196-1773-2113-474a-fe114412ab72"
  Version="2.0"
  IssueInstant="2004-12-05T09:21:59Z"
  AssertionConsumerServiceIndex="0"
  AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy
    AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
```

Any help will be greatly appreciated. Thanks


VXJ7137 commented Apr 8, 2020

In the link https://github.com/bluedatainc/jupyterhub-samlauthenticator:
I am assuming this might have something to do with the proxy. There is a statement mentioned in the above link:

"If the JupyterHub instance is sitting behind a proxy or if the entity_id provided above is not a url that refers to where the JupyterHub instance is listening, the acs_endpoint_url MUST be set. This is where a user should POST data to complete a SAML Login procedure."

Not sure what config I need to be putting in to make that work.
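Added example, not part of the original issue and not code from jupyterhub-samlauthenticator: a standard-library diagnostic for the two points raised above. It checks whether a 302 `Location` sent to the IdP carries a `SAMLRequest` (HTTP-Redirect binding: raw DEFLATE, base64, URL-encoded) and, if it does, reports which Issuer and ACS URL the request advertises. The sample AuthnRequest, its ACS URL and the `RelayState` value are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MAX_XML = 64 * 1024  # cap on inflated size, guards against oversized input


def encode_redirect_request(authn_xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (URL-encoded later)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(authn_xml.encode()) + comp.flush()).decode()


def inspect_sso_redirect(location: str) -> dict:
    """Say whether a 302 Location aimed at the IdP carries an AuthnRequest."""
    query = parse_qs(urlsplit(location).query)
    if "SAMLRequest" not in query:
        return {"has_request": False}
    raw = base64.b64decode(query["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond MAX_XML")
    root = ET.fromstring(xml)  # parse only requests produced by your own SP
    return {
        "has_request": True,
        "issuer": root.findtext(SAML_NS + "Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
    }


# Location header taken from the Hub log above: no query string at all.
LOGGED_LOCATION = "https://qafedsso.yum.com/idp/SSO.saml2"

# Constructed AuthnRequest; the ACS URL is a placeholder, not the project's path.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2020-04-08T10:44:01Z" '
    'AssertionConsumerServiceURL="https://hub.example.org/acs-placeholder">'
    "<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer></samlp:AuthnRequest>"
)
SAMPLE_LOCATION = LOGGED_LOCATION + "?" + urlencode(
    {"SAMLRequest": encode_redirect_request(SAMPLE_XML), "RelayState": "/hub/home"}
)

if __name__ == "__main__":
    print(inspect_sso_redirect(LOGGED_LOCATION))
    print(inspect_sso_redirect(SAMPLE_LOCATION))
```

Comparing the reported `acs_url` against the URL users actually reach through the load balancer shows whether the request points the IdP at an internal address.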
