[SRU] liblasso3 on Bionic fails to process the ECP authn response
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lasso (Ubuntu) | Fix Released | High | Unassigned |
Focal | Fix Released | High | Unassigned |
Groovy | Fix Released | High | Unassigned |
Bug Description
[Impact]
* liblasso3 fails when processing an ECP authn response
* ECP authn responses are required to make Keystone <-> Keystone federation work
[Test Case]
Follow setup guide at
https:/
[Regression Potential]
Minimal. There are very few other packages that depend on it, and the change is trivial. There are fixes in handling SAML responses in which only the assertions are signed, in addition to a couple of fixes around handling assertion hints unexpectedly aborting.
-------
The liblasso3 package (dependency of libapache2-
Error message given by the Apache2 Mellon auth module:
[auth_mellon:error] Error processing ECP authn response. Lasso error: [101] Signature element not found.
This issue can be reproduced in an OpenStack environment with Keystone to Keystone federation, using the Apache2 Mellon module for the SP (service provider).
I managed to reproduce this on:
* Ubuntu 18.04 (Bionic) with liblasso3 2.5.1-0ubuntu1.1
* Ubuntu 20.04 (Focal) with liblasso3 2.6.0-7ubuntu1
This was fixed in the upstream Lasso project (https:/
I tested liblasso3 2.6.1 on both Bionic and Focal and it fixes the problem.
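A triage aid for the "Signature element not found" error, added here as an example (not code from Lasso, Mellon or this bug report): it reports whether a captured SAML response carries its `ds:Signature` on the Response or only on the Assertions, the case the [Regression Potential] note mentions. The function names and the sample XML are constructed for illustration; the code only locates signatures and does not verify them.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def sample(resp_sig=False, assert_sig=False):
    """Constructed SOAP-wrapped Response with empty placeholder signatures."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Body>' % NS["soap"]
        + '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">'
        % (NS["samlp"], NS["saml"])
        + (sig if resp_sig else "")
        + '<saml:Assertion ID="_a1">' + (sig if assert_sig else "")
        + "</saml:Assertion></samlp:Response></soap:Body></soap:Envelope>"
    )

def signature_layout(xml_text):
    """Report where ds:Signature elements sit in a SAML 2.0 Response."""
    root = ET.fromstring(xml_text)
    # Accept a bare Response as well as one wrapped in a SOAP Body.
    if root.tag == "{%s}Response" % NS["samlp"]:
        response = root
    else:
        response = root.find("soap:Body/samlp:Response", NS)
    if response is None:
        raise ValueError("no samlp:Response found")
    assertions = response.findall("saml:Assertion", NS)
    # Direct children only: a signature nested deeper does not cover the parent.
    signed = [a for a in assertions if a.find("ds:Signature", NS) is not None]
    return {
        "response_signed": response.find("ds:Signature", NS) is not None,
        "assertions": len(assertions),
        "assertions_signed": len(signed),
    }

def classify(layout):
    """Name the signing layout so captures can be compared across versions."""
    if layout["response_signed"]:
        return "response-signed"
    if layout["assertions"] and layout["assertions_signed"] == layout["assertions"]:
        return "assertion-only"
    return "unsigned-or-partial"
```

Encrypted assertions (`saml:EncryptedAssertion`) are not inspected and are counted as absent.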
Changed in lasso (Ubuntu Groovy):
status: New → Triaged
importance: Undecided → High
Changed in lasso (Ubuntu Focal):
status: New → Triaged
importance: Undecided → High
description: updated
summary:
- liblasso3 on Bionic fails to process the ECP authn response
+ [SRU] liblasso3 on Bionic fails to process the ECP authn response
description: updated
Changed in lasso (Ubuntu Focal):
status: Incomplete → New
tags:
added: verification-done
removed: verification-needed
Thanks to Chris Macnaughton who has provided debdiffs for this for groovy and focal. New package versions are now uploaded to groovy and the focal unapproved queue.
Chris, can you add the required SRU fields and subscribe ubuntu-sru when done?