Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • May 26 13:11
    ilyakanevsky commented #1093
  • May 26 13:09
    ilyakanevsky commented #1093
  • May 26 13:07
    ilyakanevsky commented #1093
  • May 24 17:18
    AndersAbel commented #1349
  • May 23 19:13
    Shumiii commented #1349
  • May 23 18:44
    AndersAbel commented #1349
  • May 23 18:27
    Shumiii commented #1349
  • May 23 18:06
    AndersAbel commented #1349
  • May 18 15:13
    afandre labeled #1350
  • May 18 15:13
    afandre opened #1350
  • May 17 13:29
    Shumiii commented #1349
  • May 17 09:44
    AndersAbel commented #1349
  • May 17 09:41
    AndersAbel labeled #1349
  • May 17 09:41
    AndersAbel labeled #1349
  • May 17 09:00
    Shumiii edited #1349
  • May 17 08:59
    Shumiii edited #1349
  • May 17 08:58
    Shumiii opened #1349
  • May 17 08:49
    Shumiii commented #1302
  • May 17 07:55
    AndersAbel commented #1302
  • May 17 07:40
    Shumiii commented #1302
Huggy56
@Huggy56
Hi, I am looking for an example project (SampleIdentityServer4AspNetIdentity) but in .NET framework 4.6.1. Is it exist ? Thanks a lot.
RoLY roLLs
@RoLYroLLs
Hello all. I'm looking to load Idp's from a DB. I found this issue Sustainsys/Saml2#964 and I'm unsure how to implement the SelectIdentityProvider and GetIdentityProvider notifications. Anyone can guide me in the right direction would be appreciated. Thank you.
Mike Lindegarde
@mlindegarde
Sure, I can point you in the right direction... 
builder.AddSaml2(
    saml2Options =>
    {
        saml2Options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        saml2Options.SPOptions.EntityId = new EntityId(config.Saml2.ServiceProviderEntityId);
        saml2Options.SPOptions.ServiceCertificates.Add(certificate);

        saml2Options.Notifications.SelectIdentityProvider =
            (id, data) => GetProvider(identityProviderStore, id, data, saml2Options, logger);

        saml2Options.Notifications.GetIdentityProvider =
            (id, data, options) => GetProvider(identityProviderStore, id, data, options, logger);

        saml2Options.Notifications.AcsCommandResultCreated =
            (commandResult, response) =>
            {
                if (commandResult.Principal.Identity is ClaimsIdentity identity)
                    identity.AddClaim(new Claim("in_response_to", response.InResponseTo.Value));
            };
    });
The GetProvider method looks something like this... 
private IdentityProvider GetProvider(IEegIdentityProviderStore identityProviderStore, EntityId id, IDictionary<string,string> data, IOptions options, ILogger logger)
{
    Saml2IdentityProvider provider = identityProviderStore.GetSamlProviderByEntityId(id.Id);

    if (provider == null)
        return null;

    idp =
        new IdentityProvider(new EntityId(provider.EntityId), options.SPOptions)
        {
            MetadataLocation = provider.Debug
                ? provider.DebugMetadataLocation
                : provider.MetadataLocation
        };

    logger.Verbose("Adding Identity Provider: {IdpName}", provider.DisplayName);

    if (provider.Debug)
        logger.Warning(
            "Provider {Provider} is in debug mode, using metadata URL: {MetadataUrl}",
            provider.DisplayName,
            provider.DebugMetadataLocation);

    options.IdentityProviders.Add(idp);
    return idp;
}
Mike Lindegarde
@mlindegarde
I hacked out some code that wasn't relevant to your question, I apologize if there are any errors in that code, but it should get you going.
@RoLYroLLs see above.
Anders Abel
@AndersAbel
@mlindegarde Thanks for sharing. Just a note: When using Idp metadata loading you should cache the IdentityProvider objects between the calls. If you don't, a metadata download will take place on every SAML2 operation.
Mike Lindegarde
@mlindegarde
@AndersAbel Thanks for the note. When I mentioned that I "hacked out some code", I was mostly referring to my caching code. You make a very good point. I should have mentioned that @RoLYroLLs will need to do some sort of caching.
I believe the above code would also result in adding the same IDP to the options.IdentityProviders collection multiple times. That would also be a problem.
RoLY roLLs
@RoLYroLLs

@mlindegarde and @AndersAbel thank you for your input. There are a couple methods there that I don't have a great understanding how they work, in either way here's what I've done adjusting your code to mine. FYI: this project is a legacy Asp.Net Web App (non-MVC).

in my Global.asax

    void Application_BeginRequest(object sender, EventArgs e) {
        Saml2Config.Initialize();
    }

In the Sam2Config file:

    public class Saml2Config {
        private static bool _alreadyInitialized;
        private static readonly object Lock = new object();
        private static NLog.Logger _logger = NLog.LogManager.GetCurrentClassLogger();
        public static void Initialize() {
            if (_alreadyInitialized) {
                return;
            }

            lock (Lock) {
                if (_alreadyInitialized) {
                    return;
                }

                spOptions = Options.FromConfiguration.SPOptions;

                // Get list of IdentityProviders
                var saml2IdentityProvidersRepository = new Saml2IdentityProvidersRepository();
                var saml2IdentityProviders = saml2IdentityProvidersRepository.FindByServiceProviderEntityId(spOptions.EntityId.Id, x => x.Saml2BindingType).OrderBy(x => x.OrderPreference);

                Options.FromConfiguration.Notifications.SelectIdentityProvider = (id, data) => GetProvider(saml2IdentityProviders, id, data, Options.FromConfiguration, _logger);
                Options.FromConfiguration.Notifications.GetIdentityProvider = (id, data, options) => GetProvider(saml2IdentityProviders, id, data, options, _logger);

                saml2IdentityProvidersRepository.Dispose();
                _alreadyInitialized = true;
            }
        }

        private static IdentityProvider GetProvider(IQueryable<Saml2IdentityProvider> identityProviderStore, EntityId id, IDictionary<string, string> data, IOptions options, ILogger logger) {
            var identityProvider = identityProviderStore.FirstOrDefault(x => x.IsActive && x.IdentityProviderEntityId.Equals(id.Id));

            if (identityProvider == null) {
                return null;
            }

            var idpEntityId = new EntityId(identityProvider.IdentityProviderEntityId);
            var bindingType = EnumHelper.NumToEnum<Sustainsys.Saml2.WebSso.Saml2BindingType>(identityProvider.Saml2BindingType.Value);

            var idp = new IdentityProvider(idpEntityId, options.SPOptions) {
                MetadataLocation = identityProvider.MetadataLocation,
                LoadMetadata = identityProvider.LoadMetadata,
                AllowUnsolicitedAuthnResponse = identityProvider.AllowUnsolicitedAuthnResponse,
                Binding = bindingType,
            };

            options.IdentityProviders.Add(idp);
            return idp;
        }
I'm not quite sure what else I'd have to do to get it to work. I get no errors, but I don't see a list of IDPs listed on a page I created similar to the Sample page at https://github.com/Sustainsys/Saml2/blob/v2/Samples/SampleHttpModuleApplication/Views/Home/Index.cshtml
RoLY roLLs
@RoLYroLLs
Hi @mlindegarde / @AndersAbel in some testing/logging, I found that the parameter id in GetProvider(...) is blank which returns null every time. How does this work when the only known Idp's are in a DB and the web.config file is empty?
Mike Lindegarde
@mlindegarde
@RoLYroLLs Somewhere your front-end should be generating the link used to initiate the SAML2 login. The URL should look something like /External/Challenge?scheme=${scheme}&idp=${entityId}&returnUrl=${returnUrl}. Your exact route is probably different than mine, but somewhere you should have a route that starts the SAML2 process.
The idp parameter in the query string is where the entity id value comes from.
In my scenario I make sure that the idp value is in the AuthenticationProperties.Items collection:
new AuthenticationProperties
                {
                    RedirectUri = Url.Action(nameof(Callback)),
                    Items =
                    {
                        { "returnUrl", returnUrl },
                        { "scheme", scheme },
                        { "idp", idp }
                    }
                }
As long as you have the idp value in the Items collection you should get that value in your GetProvider method. You can then use that value to look up the data in the database.
RoLY roLLs
@RoLYroLLs
@mlindegarde Thank you. Over the weekend I did test that once I accessed the link the prover was added. Thanks a lot for all your help!
PhilipWynn2
@PhilipWynn2
Hi, I am wondering if there is any way to disable automatic metadata refresh?
I have a situation where a metadata document is held in file storage. Retrieval of this document is relatively expensive. Once the document reaches it's refresh time, the system will continually attempt to re-load it, even though the document will not change. In this instance, I would like to disable the automatic refresh feature. If I release all references to the IDP, the requests still seem to get generated. I am assuming there is no Notification Hook I could use here?
PhilipWynn2
@PhilipWynn2
I am also finding that the IDP is still active when the ValidUntil date is passed.
Mike Lindegarde
@mlindegarde
@RoLYroLLs I'm glad I was able to help.
Mike Lindegarde
@mlindegarde
@AndersAbel I'm having a problem with HTTPS vs HTTP. When I run my identity server in a container locally I get the following:
[16:05:57 Debug] Sustainsys.Saml2.AspNetCore2.Saml2Handler
Expanded Saml2Url
  AssertionConsumerServiceUrl: https://localhost:5001/Saml2/Acs
  SignInUrl: https://localhost:5001/Saml2/SignIn
  LogoutUrl: https://localhost:5001/Saml2/Logout
  ApplicationUrl: https://localhost:5001/
The AssertionConsumerServiceUrl is properly using https.
When I run the container in Azure the AssertionConsumerServiceUrl is http://auth.my-company/Saml2/Acs. It's using http instead of https. I'm not sure why that is.
Mike Lindegarde
@mlindegarde
I found it... saml2Options.SPOptions.PublicOrigin = new Uri(config.Settings.BaseUrl);
mjcastillo
@mjcastillo
I am trying to use the MVC integration in my MVC app and read all the docs and looked at everything I can think of but for some reason the Saml2Controller does not seem to be loaded or responding to anything I get a 404 not found when accessing anything off that controller (e.g. https://localhost:44301/Saml2/Acs. This must be something simple that I am missing. My routing is just default MVC routing. No filters, just default. Added the sustainsys.saml.mvc package and set the configuration as in the docs, but just doesn
1 reply
doesn't seem to load or use the Saml2Controller. Any help would be appreciated!
Md. Arshad Alam
@anarshadali

Hi @AndersAbel , I am using HTTPModules with Asp.Net 4.6 framework, I have implemented everything but getting the below Error after redirecting from ADFS on Saml2/ACS page.

Server Error in '/' Application.
The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Sustainsys.Saml2.Exceptions.UnsuccessfulSamlOperationException: The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Its been months and not able to find out solution.

Any gentleman can give their suggestion as well, please!

Md. Arshad Alam
@anarshadali

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Md. Arshad Alam
@anarshadali
Is there any one who can help me out
Please
I am still waiting for this

@AndersAbel PLEASE

whenever i am hitting my url https://test.xyz.com it redirects me to ADFS, and there after putting credential SAML2 HTTpModule again redirecting multiple times with different saml request and finally it is giving error as i have written above

Md. Arshad Alam
@anarshadali
Exception Details: Sustainsys.Saml2.Exceptions.UnsuccessfulSamlOperationException: The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:
Mike Lindegarde
@mlindegarde
@anarshadali I recently had to deal with this problem. Whenever you get back the status code Responder that means that the identity provider you are using did not like the SAML2 request it received. This is almost always because of a configuration issue.
Unfortunately I cannot remember exactly which value was improperly configured.
If you've recently changed configuration values, make sure that you clear all related cookies (the cookie for the IDP, your site, your identity server, etc...). If you have a cookie holding an old value that no longer matches up with what your IDP expects, that could also cause this problem.
Md. Arshad Alam
@anarshadali

Thanks @mlindegarde for your kind response. yes i have changed the configuration, but also i am sure i have cleaned all cookies and session even history as well. but no success.

i asked for adfs log as well from server team.
in the mean while if by chance you get remember the configuration part then please let me know.

thanks once again

Mike Lindegarde
@mlindegarde
@anarshadali Reading through my notes, I believe my problem ended up being that I had an old cookie using the wrong entity id after making changes to the IDP. I'll be curious to see what you find in the ADFS log. In my case I didn't realize the problem until I decided to try using Edge (a browser I don't normally use) instead of Chrome. That's how I narrowed my problem down to a cookie issue.
Md. Arshad Alam
@anarshadali

Hi everyone i am getting below error, please suggest i am using correct certificate files.

The signature verified correctly with the key contained in the signature, but that key is not trusted.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.

//
even after using correct certificate file (private and public key i am getting this above error.
is there any way to resolve this or stop validating this part.
Md. Arshad Alam
@anarshadali

Hi @AndersAbel , Regarding above certificate validation issue.

I am getting response successfully from ADFS server (as i checked in one of the chrome extension) but due to certificate validation method called i am not getting response in thread principle claims.

please suggest me that how can i resolve this.
Can i stop certificate validation part by changing in some configuration.

using latest stable version of SAML.HttpModule.

I will be grateful if you will revert me on my issue.

Anders Abel
@AndersAbel
@anarshadali No, you're not using the correct certificate. If you check in the chrome extension you'll see that the certificate that is embedded in the signature in the incoming response/assertion is not the one you have configured for the Idp.
Md. Arshad Alam
@anarshadali
Annotation 2020-07-20 182651.png
Md. Arshad Alam
@anarshadali

Hello @AndersAbel ,

First of all, it's a very kind of you that you given time to reply me.

But as I have matched again both the public certificate and the token signing certificate The IDP Certificate which is coming in response from ADFS are identical to what i have configured in my application as an idp certificate as you can see in the image above.

The only things new i have found is my ADFS contains 2 token signing certificate 1 is newer which i am using and other is older one which is not in use anymore.

Please help me if there is any suggestion or guidance.
(i am using chrome 3rd party extension named "SAML message decoder")

Rob King
@robert_p_king_twitter
Hi, am I correct in my assumption that a new claim is added to the claims identity for each additional attribute in the saml response?
And so, if the IdP adds an attribute named "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", that will create a claim with the same name and ,in turn, map to User.Identity.Name?