Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • 07:53
    IncoFB commented #419
  • Dec 03 10:54
    IncoFB commented #419
  • Dec 03 08:58
    IncoFB opened #1325
  • Dec 02 21:21
    AndersAbel closed #1317
  • Dec 02 21:21
    AndersAbel labeled #1317
  • Dec 02 21:20
    AndersAbel closed #1265
  • Dec 02 21:20
    AndersAbel commented #1265
  • Dec 02 21:19
    AndersAbel labeled #1265
  • Dec 02 21:16
    AndersAbel labeled #1324
  • Dec 02 21:16
    AndersAbel closed #1324
  • Dec 02 21:16
    AndersAbel commented #1324
  • Dec 02 21:15
    AndersAbel commented #1311
  • Dec 02 19:21
    AlexAlexGoTO edited #1324
  • Dec 02 18:10
    AlexAlexGoTO commented #1311
  • Dec 02 17:49
    AlexAlexGoTO commented #1323
  • Dec 02 17:48
    AlexAlexGoTO edited #1324
  • Dec 02 17:47
    AlexAlexGoTO edited #1324
  • Dec 02 17:47
    AlexAlexGoTO edited #1324
  • Dec 02 17:46
    AlexAlexGoTO edited #1324
  • Dec 02 17:46
    AlexAlexGoTO opened #1324
Mike Lindegarde
@mlindegarde
Unfortunately I cannot remember exactly which value was improperly configured.
If you've recently changed configuration values, make sure that you clear all related cookies (the cookie for the IDP, your site, your identity server, etc...). If you have a cookie holding an old value that no longer matches up with what your IDP expects, that could also cause this problem.
Md. Arshad Alam
@anarshadali

Thanks @mlindegarde for your kind response. yes i have changed the configuration, but also i am sure i have cleaned all cookies and session even history as well. but no success.

i asked for adfs log as well from server team.
in the mean while if by chance you get remember the configuration part then please let me know.

thanks once again

Mike Lindegarde
@mlindegarde
@anarshadali Reading through my notes, I believe my problem ended up being that I had an old cookie using the wrong entity id after making changes to the IDP. I'll be curious to see what you find in the ADFS log. In my case I didn't realize the problem until I decided to try using Edge (a browser I don't normally use) instead of Chrome. That's how I narrowed my problem down to a cookie issue.
Md. Arshad Alam
@anarshadali

Hi everyone i am getting below error, please suggest i am using correct certificate files.

The signature verified correctly with the key contained in the signature, but that key is not trusted.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.

//
even after using correct certificate file (private and public key i am getting this above error.
is there any way to resolve this or stop validating this part.
Md. Arshad Alam
@anarshadali

Hi @AndersAbel , Regarding above certificate validation issue.

I am getting response successfully from ADFS server (as i checked in one of the chrome extension) but due to certificate validation method called i am not getting response in thread principle claims.

please suggest me that how can i resolve this.
Can i stop certificate validation part by changing in some configuration.

using latest stable version of SAML.HttpModule.

I will be grateful if you will revert me on my issue.

Anders Abel
@AndersAbel
@anarshadali No, you're not using the correct certificate. If you check in the chrome extension you'll see that the certificate that is embedded in the signature in the incoming response/assertion is not the one you have configured for the Idp.
Md. Arshad Alam
@anarshadali
Annotation 2020-07-20 182651.png
Md. Arshad Alam
@anarshadali

Hello @AndersAbel ,

First of all, it's a very kind of you that you given time to reply me.

But as I have matched again both the public certificate and the token signing certificate The IDP Certificate which is coming in response from ADFS are identical to what i have configured in my application as an idp certificate as you can see in the image above.

The only things new i have found is my ADFS contains 2 token signing certificate 1 is newer which i am using and other is older one which is not in use anymore.

Please help me if there is any suggestion or guidance.
(i am using chrome 3rd party extension named "SAML message decoder")

Rob King
@robert_p_king_twitter
Hi, am I correct in my assumption that a new claim is added to the claims identity for each additional attribute in the saml response?
And so, if the IdP adds an attribute named "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", that will create a claim with the same name and ,in turn, map to User.Identity.Name?
It certainly looks that way from my testing, but I want to confirm because our app will possibly be integrating with numerous customer IdPs and I want to make sure I have standard setup instructions that we can give out.
Md. Arshad Alam
@anarshadali
Hi @AndersAbel ,
Md. Arshad Alam
@anarshadali

Is there not any way to control manually or to redirect to some custom page of alternate login if due to any reason user will not able to logged in on runtime.
I want my user will able to become login using manual login form, in case any issue occurred during authentication from either ADFS side or from Application side (instead of throwing YELLOW error page).

Brief:
on application 1st hit i want to redirect my user to ADFS, Whether ADFS do not responded OR ADFS do respond but SAML response was not able to parse from Sustainsys SAML httpmodule OR SAML response Status code is something other than success then in any such scenario i want user get auto redirect on to some other existing login page.

i am using
SAML2.HTTPModules
Asp.Net, C#, and 4.6 framework of dot net

Md. Arshad Alam
@anarshadali
anyone can help me please
it would be my pleasure if someone will asisst me on this query
Md. Arshad Alam
@anarshadali
I am still awaiting for response, PLEASE
Kyle Senkevich
@ksenkevich_gitlab
Hi, I have an Idp that wants to use Idp Initiated Sign on and pass in a relaystate for a redirect url after login. From my understanding this Saml2 handler does not support that, is that correct?
AhmedAssaf
@AhmedAssaf
How to fix browser back button to (SAML2/ACS) issue after SAML SSO success
Anders Abel
@AndersAbel

Hi, I have an Idp that wants to use Idp Initiated Sign on and pass in a relaystate for a redirect url after login. From my understanding this Saml2 handler does not support that, is that correct?

The handler does support that. But it needs to be enabled in the settings.

How to fix browser back button to (SAML2/ACS) issue after SAML SSO success

There is no fix for that currently. There is an open issue, please see discussion in there.

Aftab Gani Mulani
@gani_mulani_twitter
I want to implement SAML2 in our existing ASP.NET MVC (framework 4.6.2) application with ADFS 2016. As the Sustainsys.Saml2.MVC is not supporting 4.6.2 framework. So I tried to implement it with Sustainsys.Saml2.Owin package but it is not redirecting to ADFS login page. Is any one has working example which uses Sustainsys.Saml2.Owin with ADFS?
AlexOliinyk1
@AlexOliinyk1

@AndersAbel

Sure, I can point you in the right direction...

Hi Guys, I used this code as a sample for my project. It works for old IDP and after I add new, it also works. But when I want to delete it we getting Idp as null from the GetProvider method, as result in the method ValidateSignature, we getting a null reference error. Prety same as here Sustainsys/Saml2#1046
Any advice, how to resolve it?

builder.AddSaml2(
    saml2Options =>
    {
        saml2Options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        saml2Options.SPOptions.EntityId = new EntityId(config.Saml2.ServiceProviderEntityId);
        saml2Options.SPOptions.ServiceCertificates.Add(certificate);

        saml2Options.Notifications.SelectIdentityProvider =
            (id, data) => GetProvider(identityProviderStore, id, data, saml2Options, logger);

        saml2Options.Notifications.GetIdentityProvider =
            (id, data, options) => GetProvider(identityProviderStore, id, data, options, logger);

        saml2Options.Notifications.AcsCommandResultCreated =
            (commandResult, response) =>
            {
                if (commandResult.Principal.Identity is ClaimsIdentity identity)
                    identity.AddClaim(new Claim("in_response_to", response.InResponseTo.Value));
            };
    });
this one code
@mlindegarde
Rob King
@robert_p_king_twitter

In the docs, it says about service certificates, "Specifies the certificate(s) that the service provider uses for encrypted assertions (and for signed requests, once that feature is added). If neither of those features are used, this element can be omitted."

What does it mean by "once that feature is added"?

Also, does anyone have an example of how to add a certificate in code (not using .config)?

Anders Abel
@AndersAbel
@robert_p_king_twitter That looks like stale docs. Signed requests are supported. See https://stackoverflow.com/questions/67230532/cannot-create-sustainsys-certificateelement-from-x509certificate2-object-to-upda
Rob King
@robert_p_king_twitter
@AndersAbel yeah I actually found that exact post a bit earlier. It helped me get further along. I think my issue is largely around the actual certs I'm using.
Rob King
@robert_p_king_twitter

Can I get a brief explanation of how multiple SP or IdP certificates are used once loaded?

Scenario: we want to load up a certificate and at a later date, its successor to make a seamless transation with no downtime or synchronisation with the IdP. I can load these easily into the ServiceCertificateCollection and they are both emitted through the SP metadata fine.

Question: given I have two certificates loaded, when signing the request, which certificate will Sustainsys use?

Likewise, when an ACS is returned from the IdP and we have two certificates of theirs loaded, does the middleware just look a matching cert?

Anders Abel
@AndersAbel
Q1: The one that is marked as current. If multiple have status current, one of them is picked.
Q2: The signature validation loops the certificates/keys of the Idp until one is found that validates the signature.
Nuno Cruz
@nmocruz
Hi, Quick question, there's any way to resolve/get services from notifications? I was trying to access a service from AcsCommandResultCreated but without success
on others authentication middlewares we can access the request httpcontext and then get service from there
Nuno Cruz
@nmocruz
ok, I think I have the awnser,
  services.AddOptions<Saml2Options>(Saml2Defaults.Scheme)
                .Configure<IHttpContextAccessor, ...
`
Murad
@muradgaribzada
Hi, i'm getting
An unhandled exception occurred while processing the request.
UnexpectedInResponseToException: Received message _82c677e7a5d90abca945562c19e4f868bbd8be7999 contains unexpected InResponseTo "id72b826e83a75492f95940df6de82c7b3". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.
after login click. How can i resolve the problem?
1 reply
Rob King
@robert_p_king_twitter
We're seeing an issue with one customer of ours where despite us specifying HTTP-POST bindings for login requests and responses, when their users sign in or out, it reverts to using HTTP-Redirect. Their IdP metadata emits Redirect, Post and SOAP options for login/logout. If we load their metadata from a URL then specify "Binding = Saml2BindingType.HttpPost," it seems to be ignored. Is HTTP-Redirect the default binding used?
2 replies
microalps
@microalps
@AndersAbel I am getting a different issue with the same cause as #1298 (accessing PrivateKey instead of GetRsaPrivateKey()) when using X509KeyStorageFlags.EphemeralKeySet - I see you are managing the v1 branch - is there a shot of a PR being accepted and pushed to nuget?
7 replies
bertmckay79
@bertmckay79:matrix.org
[m]

Hi, i'm getting
An unhandled exception occurred while processing the request.
UnexpectedInResponseToException: Received message _82c677e7a5d90abca945562c19e4f868bbd8be7999 contains unexpected InResponseTo "id72b826e83a75492f95940df6de82c7b3". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.
after login click. How can i resolve the problem?

I'm getting the same issue after the idp change the account creation process, it now allow the user to log in after the account creation process which can take some time. is it possible to increase the expiration time on the cookie?

1 reply
microalps
@microalps
@AndersAbel how do we proceed with #1307 ? It needs approval (again) to run workflow and I'm not even sure next steps to get this merged into v2 itself. Can you point me to contribution guidelines or another active member that can assist?
2 replies
Alan Macdonald
@alan.macdonald_gitlab

Hello. I am a bit confused on the difference between loading metadata via a URL vs a file with regards to certificates on the local file system. If I configure an IDP with a metadata url then it works fine without having to install certificates. If I download the metadata to a file from that same url and instead load using a metadata location to that relative file path then I get "The signature verified correctly with the key contained in the signature, but that key is not trusted." after authenticating and being redirected back.

The metadata is the same, it's just loaded from a file instead of a URL. Why would I have to install the certificate separately for this case?

1 reply
Jake Aitchison
@milkshakeuk
does anyone know when this Sustainsys/Saml2#1313 will get merged, its preventing a .net6 upgrade.
loicnoramsoft
@loicnoramsoft

Hello, I try to add multiple Identity Providers. but I receive an error during login. I don't know if I code the right way. Did you succeed to login with 1 saml option and 2 identity providers? I modified SampleIdentityServer4AspNetIdentity sample.

.AddSaml2(options =>
                {
                    options.SPOptions.EntityId = new EntityId("https://localhost:44342/Saml2");
                    options.IdentityProviders.Add(
                        new IdentityProvider(
                            new EntityId("https://sts.windows.net/a4063b47-a5d6-439****4edea677d/"), options.SPOptions)
                        {
                        LoadMetadata = true,
                        MetadataLocation = "https://login.microsoftonline.com/a4063b47-a5d6-4391-9***ea677d/federationmetadata/2007-06/federationmetadata.xml?appid=487fc7e9-22****61bb78e6924d",
                            AllowUnsolicitedAuthnResponse = true
                        });

                    options.IdentityProviders.Add(new IdentityProvider(
                                new EntityId("https://sts.windows.net/d4017a0a-1b19-4045-****9105deb9/"), options.SPOptions)
                    {
                        LoadMetadata = true,
                        MetadataLocation = "https://login.microsoftonline.com/d4017a0a-1b19-4045-*****5deb9/federationmetadata/2007-06/federationmetadata.xml?appid=12ac1f71-564b-4e5****610328f55",
                        AllowUnsolicitedAuthnResponse = true
                    });

                    options.SPOptions.ServiceCertificates.Add(new X509Certificate2("Sustainsys.Saml2.Tests.pfx"));
                    //options.SPOptions.ServiceCertificates.Add(new X509Certificate2(
                    //    HostingEnvironment.ContentRootPath + "\\App_Data\\Sustainsys.Saml2.SampleIdentityServer4AspNetIdentity.pfx"));
                })

I received this error after login in microsoft azure ad :

Microsoft
Pick an account
Selected user account does not exist in tenant 'sss' and cannot access the application 'https://localhost:44342/Saml2' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

loicnoramsoft
@loicnoramsoft
when I try with a user present in the first identity provider, it works.
the problem is only when I use a user in the second identity provider
loicnoramsoft
@loicnoramsoft

I received this error after login on azure ad :

Sign in
Sorry, but we’re having trouble signing you in.

AADSTS50020: User account 'bob@*.onmicrosoft.com' from identity provider 'https://sts.windows.net/d4017a0a-1****b309105deb9/' does not exist in tenant 'simetsdev' and cannot access the application 'https://localhost:44342/Saml2'(Ma*) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

4 replies
Anders Abel
@AndersAbel

does anyone know when this Sustainsys/Saml2#1313 will get merged, its preventing a .net6 upgrade.

Finally found some time to handle this. I'm merging it to develop and v2right now.

I will make a 2.9.0 release with #1313 and #1321. If anyone has anything more that is urgent to get out in a release version, please comment.
microalps
@microalps
@AndersAbel you said you would merge #1255 for .net support as it removes the hack completely. I created #1307 to address a bug with ephemeral keys and incorporated parts of #1255. A v2 branch is also available if interested. We forked the project internally so we aren't waiting for this but others may be. Happy Thanksgiving
Anders Abel
@AndersAbel

@AndersAbel you said you would merge #1255 for .net support as it removes the hack completely. I created #1307 to address a bug with ephemeral keys and incorporated parts of #1255. A v2 branch is also available if interested. We forked the project internally so we aren't waiting for this but others may be. Happy Thanksgiving

You're right - too much to do and to bad memory from my side. I'll look at it again.

microalps
@microalps
Rebased my PR to resolve conflicts. Please approve CI @AndersAbel