Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jan 14 11:09
    AndersAbel commented #1334
  • Jan 13 22:54
    IhaleCMN commented #1334
  • Jan 13 22:53
    IhaleCMN commented #1334
  • Jan 13 22:51
    IhaleCMN commented #1334
  • Jan 13 17:57
    IhaleCMN commented #1334
  • Jan 13 09:36
    AndersAbel closed #1334
  • Jan 13 09:36
    AndersAbel commented #1334
  • Jan 13 09:34
    AndersAbel labeled #1333
  • Jan 13 09:34
    AndersAbel closed #1333
  • Jan 13 09:34
    AndersAbel commented #1333
  • Jan 12 23:49
    IhaleCMN commented #1334
  • Jan 12 23:47
    IhaleCMN commented #1334
  • Jan 12 23:47
    IhaleCMN commented #1334
  • Jan 12 21:51
    IhaleCMN edited #1334
  • Jan 12 20:02
    IhaleCMN labeled #1334
  • Jan 12 20:02
    IhaleCMN opened #1334
  • Jan 12 16:07
    briandesarmo edited #1333
  • Jan 12 16:06
    briandesarmo opened #1333
  • Dec 30 2021 21:08
    AndersAbel closed #1035
  • Dec 30 2021 21:08
    AndersAbel labeled #1035
PhilipWynn2
@PhilipWynn2
I am also finding that the IDP is still active when the ValidUntil date is passed.
Mike Lindegarde
@mlindegarde
@RoLYroLLs I'm glad I was able to help.
Mike Lindegarde
@mlindegarde
@AndersAbel I'm having a problem with HTTPS vs HTTP. When I run my identity server in a container locally I get the following:
[16:05:57 Debug] Sustainsys.Saml2.AspNetCore2.Saml2Handler
Expanded Saml2Url
  AssertionConsumerServiceUrl: https://localhost:5001/Saml2/Acs
  SignInUrl: https://localhost:5001/Saml2/SignIn
  LogoutUrl: https://localhost:5001/Saml2/Logout
  ApplicationUrl: https://localhost:5001/
The AssertionConsumerServiceUrl is properly using https.
When I run the container in Azure the AssertionConsumerServiceUrl is http://auth.my-company/Saml2/Acs. It's using http instead of https. I'm not sure why that is.
Mike Lindegarde
@mlindegarde
I found it... saml2Options.SPOptions.PublicOrigin = new Uri(config.Settings.BaseUrl);
mjcastillo
@mjcastillo
I am trying to use the MVC integration in my MVC app and read all the docs and looked at everything I can think of but for some reason the Saml2Controller does not seem to be loaded or responding to anything I get a 404 not found when accessing anything off that controller (e.g. https://localhost:44301/Saml2/Acs. This must be something simple that I am missing. My routing is just default MVC routing. No filters, just default. Added the sustainsys.saml.mvc package and set the configuration as in the docs, but just doesn
1 reply
doesn't seem to load or use the Saml2Controller. Any help would be appreciated!
Md. Arshad Alam
@anarshadali

Hi @AndersAbel , I am using HTTPModules with Asp.Net 4.6 framework, I have implemented everything but getting the below Error after redirecting from ADFS on Saml2/ACS page.

Server Error in '/' Application.
The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Sustainsys.Saml2.Exceptions.UnsuccessfulSamlOperationException: The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Its been months and not able to find out solution.

Any gentleman can give their suggestion as well, please!

Md. Arshad Alam
@anarshadali

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Md. Arshad Alam
@anarshadali
Is there any one who can help me out
Please
I am still waiting for this

@AndersAbel PLEASE

whenever i am hitting my url https://test.xyz.com it redirects me to ADFS, and there after putting credential SAML2 HTTpModule again redirecting multiple times with different saml request and finally it is giving error as i have written above

Md. Arshad Alam
@anarshadali
Exception Details: Sustainsys.Saml2.Exceptions.UnsuccessfulSamlOperationException: The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:
Mike Lindegarde
@mlindegarde
@anarshadali I recently had to deal with this problem. Whenever you get back the status code Responder that means that the identity provider you are using did not like the SAML2 request it received. This is almost always because of a configuration issue.
Unfortunately I cannot remember exactly which value was improperly configured.
If you've recently changed configuration values, make sure that you clear all related cookies (the cookie for the IDP, your site, your identity server, etc...). If you have a cookie holding an old value that no longer matches up with what your IDP expects, that could also cause this problem.
Md. Arshad Alam
@anarshadali

Thanks @mlindegarde for your kind response. yes i have changed the configuration, but also i am sure i have cleaned all cookies and session even history as well. but no success.

i asked for adfs log as well from server team.
in the mean while if by chance you get remember the configuration part then please let me know.

thanks once again

Mike Lindegarde
@mlindegarde
@anarshadali Reading through my notes, I believe my problem ended up being that I had an old cookie using the wrong entity id after making changes to the IDP. I'll be curious to see what you find in the ADFS log. In my case I didn't realize the problem until I decided to try using Edge (a browser I don't normally use) instead of Chrome. That's how I narrowed my problem down to a cookie issue.
Md. Arshad Alam
@anarshadali

Hi everyone i am getting below error, please suggest i am using correct certificate files.

The signature verified correctly with the key contained in the signature, but that key is not trusted.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.

//
even after using correct certificate file (private and public key i am getting this above error.
is there any way to resolve this or stop validating this part.
Md. Arshad Alam
@anarshadali

Hi @AndersAbel , Regarding above certificate validation issue.

I am getting response successfully from ADFS server (as i checked in one of the chrome extension) but due to certificate validation method called i am not getting response in thread principle claims.

please suggest me that how can i resolve this.
Can i stop certificate validation part by changing in some configuration.

using latest stable version of SAML.HttpModule.

I will be grateful if you will revert me on my issue.

Anders Abel
@AndersAbel
@anarshadali No, you're not using the correct certificate. If you check in the chrome extension you'll see that the certificate that is embedded in the signature in the incoming response/assertion is not the one you have configured for the Idp.
Md. Arshad Alam
@anarshadali
Annotation 2020-07-20 182651.png
Md. Arshad Alam
@anarshadali

Hello @AndersAbel ,

First of all, it's a very kind of you that you given time to reply me.

But as I have matched again both the public certificate and the token signing certificate The IDP Certificate which is coming in response from ADFS are identical to what i have configured in my application as an idp certificate as you can see in the image above.

The only things new i have found is my ADFS contains 2 token signing certificate 1 is newer which i am using and other is older one which is not in use anymore.

Please help me if there is any suggestion or guidance.
(i am using chrome 3rd party extension named "SAML message decoder")

Rob King
@robert_p_king_twitter
Hi, am I correct in my assumption that a new claim is added to the claims identity for each additional attribute in the saml response?
And so, if the IdP adds an attribute named "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", that will create a claim with the same name and ,in turn, map to User.Identity.Name?
It certainly looks that way from my testing, but I want to confirm because our app will possibly be integrating with numerous customer IdPs and I want to make sure I have standard setup instructions that we can give out.
Md. Arshad Alam
@anarshadali
Hi @AndersAbel ,
Md. Arshad Alam
@anarshadali

Is there not any way to control manually or to redirect to some custom page of alternate login if due to any reason user will not able to logged in on runtime.
I want my user will able to become login using manual login form, in case any issue occurred during authentication from either ADFS side or from Application side (instead of throwing YELLOW error page).

Brief:
on application 1st hit i want to redirect my user to ADFS, Whether ADFS do not responded OR ADFS do respond but SAML response was not able to parse from Sustainsys SAML httpmodule OR SAML response Status code is something other than success then in any such scenario i want user get auto redirect on to some other existing login page.

i am using
SAML2.HTTPModules
Asp.Net, C#, and 4.6 framework of dot net

Md. Arshad Alam
@anarshadali
anyone can help me please
it would be my pleasure if someone will asisst me on this query
Md. Arshad Alam
@anarshadali
I am still awaiting for response, PLEASE
Kyle Senkevich
@ksenkevich_gitlab
Hi, I have an Idp that wants to use Idp Initiated Sign on and pass in a relaystate for a redirect url after login. From my understanding this Saml2 handler does not support that, is that correct?
AhmedAssaf
@AhmedAssaf
How to fix browser back button to (SAML2/ACS) issue after SAML SSO success
Anders Abel
@AndersAbel

Hi, I have an Idp that wants to use Idp Initiated Sign on and pass in a relaystate for a redirect url after login. From my understanding this Saml2 handler does not support that, is that correct?

The handler does support that. But it needs to be enabled in the settings.

How to fix browser back button to (SAML2/ACS) issue after SAML SSO success

There is no fix for that currently. There is an open issue, please see discussion in there.

Aftab Gani Mulani
@gani_mulani_twitter
I want to implement SAML2 in our existing ASP.NET MVC (framework 4.6.2) application with ADFS 2016. As the Sustainsys.Saml2.MVC is not supporting 4.6.2 framework. So I tried to implement it with Sustainsys.Saml2.Owin package but it is not redirecting to ADFS login page. Is any one has working example which uses Sustainsys.Saml2.Owin with ADFS?
AlexOliinyk1
@AlexOliinyk1

@AndersAbel

Sure, I can point you in the right direction...

Hi Guys, I used this code as a sample for my project. It works for old IDP and after I add new, it also works. But when I want to delete it we getting Idp as null from the GetProvider method, as result in the method ValidateSignature, we getting a null reference error. Prety same as here Sustainsys/Saml2#1046
Any advice, how to resolve it?

builder.AddSaml2(
    saml2Options =>
    {
        saml2Options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        saml2Options.SPOptions.EntityId = new EntityId(config.Saml2.ServiceProviderEntityId);
        saml2Options.SPOptions.ServiceCertificates.Add(certificate);

        saml2Options.Notifications.SelectIdentityProvider =
            (id, data) => GetProvider(identityProviderStore, id, data, saml2Options, logger);

        saml2Options.Notifications.GetIdentityProvider =
            (id, data, options) => GetProvider(identityProviderStore, id, data, options, logger);

        saml2Options.Notifications.AcsCommandResultCreated =
            (commandResult, response) =>
            {
                if (commandResult.Principal.Identity is ClaimsIdentity identity)
                    identity.AddClaim(new Claim("in_response_to", response.InResponseTo.Value));
            };
    });
this one code
@mlindegarde
Rob King
@robert_p_king_twitter

In the docs, it says about service certificates, "Specifies the certificate(s) that the service provider uses for encrypted assertions (and for signed requests, once that feature is added). If neither of those features are used, this element can be omitted."

What does it mean by "once that feature is added"?

Also, does anyone have an example of how to add a certificate in code (not using .config)?

Anders Abel
@AndersAbel
@robert_p_king_twitter That looks like stale docs. Signed requests are supported. See https://stackoverflow.com/questions/67230532/cannot-create-sustainsys-certificateelement-from-x509certificate2-object-to-upda
Rob King
@robert_p_king_twitter
@AndersAbel yeah I actually found that exact post a bit earlier. It helped me get further along. I think my issue is largely around the actual certs I'm using.
Rob King
@robert_p_king_twitter

Can I get a brief explanation of how multiple SP or IdP certificates are used once loaded?

Scenario: we want to load up a certificate and at a later date, its successor to make a seamless transation with no downtime or synchronisation with the IdP. I can load these easily into the ServiceCertificateCollection and they are both emitted through the SP metadata fine.

Question: given I have two certificates loaded, when signing the request, which certificate will Sustainsys use?

Likewise, when an ACS is returned from the IdP and we have two certificates of theirs loaded, does the middleware just look a matching cert?

Anders Abel
@AndersAbel
Q1: The one that is marked as current. If multiple have status current, one of them is picked.
Q2: The signature validation loops the certificates/keys of the Idp until one is found that validates the signature.
Nuno Cruz
@nmocruz
Hi, Quick question, there's any way to resolve/get services from notifications? I was trying to access a service from AcsCommandResultCreated but without success
on others authentication middlewares we can access the request httpcontext and then get service from there