Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jan 28 18:48
    ethan-agencyQ labeled #1336
  • Jan 28 18:48
    ethan-agencyQ opened #1336
  • Jan 25 20:06
    AndersAbel closed #1335
  • Jan 25 20:06
    AndersAbel commented #1335
  • Jan 25 14:51
    AlexAlexGoTO commented #1335
  • Jan 25 14:19
    AlexAlexGoTO commented #1335
  • Jan 25 13:16
    AndersAbel commented #1335
  • Jan 25 12:35
    AlexAlexGoTO commented #1335
  • Jan 25 12:29
    AlexAlexGoTO commented #1335
  • Jan 25 12:12
    AlexAlexGoTO commented #1335
  • Jan 25 12:11
    AlexAlexGoTO commented #1335
  • Jan 25 10:53
    AlexAlexGoTO commented #1335
  • Jan 25 10:37
    AlexAlexGoTO commented #1335
  • Jan 25 10:37
    AlexAlexGoTO commented #1335
  • Jan 24 21:40
    snypenet commented #1097
  • Jan 24 21:40
    snypenet commented #1097
  • Jan 24 20:49
    AlexAlexGoTO commented #1335
  • Jan 24 20:38
    AndersAbel commented #1335
  • Jan 24 15:50
    AlexAlexGoTO edited #1335
  • Jan 24 15:49
    AlexAlexGoTO edited #1335
mjcastillo
@mjcastillo
I am trying to use the MVC integration in my MVC app and read all the docs and looked at everything I can think of but for some reason the Saml2Controller does not seem to be loaded or responding to anything I get a 404 not found when accessing anything off that controller (e.g. https://localhost:44301/Saml2/Acs. This must be something simple that I am missing. My routing is just default MVC routing. No filters, just default. Added the sustainsys.saml.mvc package and set the configuration as in the docs, but just doesn
1 reply
doesn't seem to load or use the Saml2Controller. Any help would be appreciated!
Md. Arshad Alam
@anarshadali

Hi @AndersAbel , I am using HTTPModules with Asp.Net 4.6 framework, I have implemented everything but getting the below Error after redirecting from ADFS on Saml2/ACS page.

Server Error in '/' Application.
The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Sustainsys.Saml2.Exceptions.UnsuccessfulSamlOperationException: The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Its been months and not able to find out solution.

Any gentleman can give their suggestion as well, please!

Md. Arshad Alam
@anarshadali

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Md. Arshad Alam
@anarshadali
Is there any one who can help me out
Please
I am still waiting for this

@AndersAbel PLEASE

whenever i am hitting my url https://test.xyz.com it redirects me to ADFS, and there after putting credential SAML2 HTTpModule again redirecting multiple times with different saml request and finally it is giving error as i have written above

Md. Arshad Alam
@anarshadali
Exception Details: Sustainsys.Saml2.Exceptions.UnsuccessfulSamlOperationException: The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:
Mike Lindegarde
@mlindegarde
@anarshadali I recently had to deal with this problem. Whenever you get back the status code Responder that means that the identity provider you are using did not like the SAML2 request it received. This is almost always because of a configuration issue.
Unfortunately I cannot remember exactly which value was improperly configured.
If you've recently changed configuration values, make sure that you clear all related cookies (the cookie for the IDP, your site, your identity server, etc...). If you have a cookie holding an old value that no longer matches up with what your IDP expects, that could also cause this problem.
Md. Arshad Alam
@anarshadali

Thanks @mlindegarde for your kind response. yes i have changed the configuration, but also i am sure i have cleaned all cookies and session even history as well. but no success.

i asked for adfs log as well from server team.
in the mean while if by chance you get remember the configuration part then please let me know.

thanks once again

Mike Lindegarde
@mlindegarde
@anarshadali Reading through my notes, I believe my problem ended up being that I had an old cookie using the wrong entity id after making changes to the IDP. I'll be curious to see what you find in the ADFS log. In my case I didn't realize the problem until I decided to try using Edge (a browser I don't normally use) instead of Chrome. That's how I narrowed my problem down to a cookie issue.
Md. Arshad Alam
@anarshadali

Hi everyone i am getting below error, please suggest i am using correct certificate files.

The signature verified correctly with the key contained in the signature, but that key is not trusted.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.

//
even after using correct certificate file (private and public key i am getting this above error.
is there any way to resolve this or stop validating this part.
Md. Arshad Alam
@anarshadali

Hi @AndersAbel , Regarding above certificate validation issue.

I am getting response successfully from ADFS server (as i checked in one of the chrome extension) but due to certificate validation method called i am not getting response in thread principle claims.

please suggest me that how can i resolve this.
Can i stop certificate validation part by changing in some configuration.

using latest stable version of SAML.HttpModule.

I will be grateful if you will revert me on my issue.

Anders Abel
@AndersAbel
@anarshadali No, you're not using the correct certificate. If you check in the chrome extension you'll see that the certificate that is embedded in the signature in the incoming response/assertion is not the one you have configured for the Idp.
Md. Arshad Alam
@anarshadali
Annotation 2020-07-20 182651.png
Md. Arshad Alam
@anarshadali

Hello @AndersAbel ,

First of all, it's a very kind of you that you given time to reply me.

But as I have matched again both the public certificate and the token signing certificate The IDP Certificate which is coming in response from ADFS are identical to what i have configured in my application as an idp certificate as you can see in the image above.

The only things new i have found is my ADFS contains 2 token signing certificate 1 is newer which i am using and other is older one which is not in use anymore.

Please help me if there is any suggestion or guidance.
(i am using chrome 3rd party extension named "SAML message decoder")

Rob King
@robert_p_king_twitter
Hi, am I correct in my assumption that a new claim is added to the claims identity for each additional attribute in the saml response?
And so, if the IdP adds an attribute named "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", that will create a claim with the same name and ,in turn, map to User.Identity.Name?
It certainly looks that way from my testing, but I want to confirm because our app will possibly be integrating with numerous customer IdPs and I want to make sure I have standard setup instructions that we can give out.
Md. Arshad Alam
@anarshadali
Hi @AndersAbel ,
Md. Arshad Alam
@anarshadali

Is there not any way to control manually or to redirect to some custom page of alternate login if due to any reason user will not able to logged in on runtime.
I want my user will able to become login using manual login form, in case any issue occurred during authentication from either ADFS side or from Application side (instead of throwing YELLOW error page).

Brief:
on application 1st hit i want to redirect my user to ADFS, Whether ADFS do not responded OR ADFS do respond but SAML response was not able to parse from Sustainsys SAML httpmodule OR SAML response Status code is something other than success then in any such scenario i want user get auto redirect on to some other existing login page.

i am using
SAML2.HTTPModules
Asp.Net, C#, and 4.6 framework of dot net

Md. Arshad Alam
@anarshadali
anyone can help me please
it would be my pleasure if someone will asisst me on this query
Md. Arshad Alam
@anarshadali
I am still awaiting for response, PLEASE
Kyle Senkevich
@ksenkevich_gitlab
Hi, I have an Idp that wants to use Idp Initiated Sign on and pass in a relaystate for a redirect url after login. From my understanding this Saml2 handler does not support that, is that correct?
AhmedAssaf
@AhmedAssaf
How to fix browser back button to (SAML2/ACS) issue after SAML SSO success
Anders Abel
@AndersAbel

Hi, I have an Idp that wants to use Idp Initiated Sign on and pass in a relaystate for a redirect url after login. From my understanding this Saml2 handler does not support that, is that correct?

The handler does support that. But it needs to be enabled in the settings.

How to fix browser back button to (SAML2/ACS) issue after SAML SSO success

There is no fix for that currently. There is an open issue, please see discussion in there.

Aftab Gani Mulani
@gani_mulani_twitter
I want to implement SAML2 in our existing ASP.NET MVC (framework 4.6.2) application with ADFS 2016. As the Sustainsys.Saml2.MVC is not supporting 4.6.2 framework. So I tried to implement it with Sustainsys.Saml2.Owin package but it is not redirecting to ADFS login page. Is any one has working example which uses Sustainsys.Saml2.Owin with ADFS?
AlexOliinyk1
@AlexOliinyk1

@AndersAbel

Sure, I can point you in the right direction...

Hi Guys, I used this code as a sample for my project. It works for old IDP and after I add new, it also works. But when I want to delete it we getting Idp as null from the GetProvider method, as result in the method ValidateSignature, we getting a null reference error. Prety same as here Sustainsys/Saml2#1046
Any advice, how to resolve it?

builder.AddSaml2(
    saml2Options =>
    {
        saml2Options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        saml2Options.SPOptions.EntityId = new EntityId(config.Saml2.ServiceProviderEntityId);
        saml2Options.SPOptions.ServiceCertificates.Add(certificate);

        saml2Options.Notifications.SelectIdentityProvider =
            (id, data) => GetProvider(identityProviderStore, id, data, saml2Options, logger);

        saml2Options.Notifications.GetIdentityProvider =
            (id, data, options) => GetProvider(identityProviderStore, id, data, options, logger);

        saml2Options.Notifications.AcsCommandResultCreated =
            (commandResult, response) =>
            {
                if (commandResult.Principal.Identity is ClaimsIdentity identity)
                    identity.AddClaim(new Claim("in_response_to", response.InResponseTo.Value));
            };
    });
this one code
@mlindegarde
Rob King
@robert_p_king_twitter

In the docs, it says about service certificates, "Specifies the certificate(s) that the service provider uses for encrypted assertions (and for signed requests, once that feature is added). If neither of those features are used, this element can be omitted."

What does it mean by "once that feature is added"?

Also, does anyone have an example of how to add a certificate in code (not using .config)?

Anders Abel
@AndersAbel
@robert_p_king_twitter That looks like stale docs. Signed requests are supported. See https://stackoverflow.com/questions/67230532/cannot-create-sustainsys-certificateelement-from-x509certificate2-object-to-upda
Rob King
@robert_p_king_twitter
@AndersAbel yeah I actually found that exact post a bit earlier. It helped me get further along. I think my issue is largely around the actual certs I'm using.
Rob King
@robert_p_king_twitter

Can I get a brief explanation of how multiple SP or IdP certificates are used once loaded?

Scenario: we want to load up a certificate and at a later date, its successor to make a seamless transation with no downtime or synchronisation with the IdP. I can load these easily into the ServiceCertificateCollection and they are both emitted through the SP metadata fine.

Question: given I have two certificates loaded, when signing the request, which certificate will Sustainsys use?

Likewise, when an ACS is returned from the IdP and we have two certificates of theirs loaded, does the middleware just look a matching cert?

Anders Abel
@AndersAbel
Q1: The one that is marked as current. If multiple have status current, one of them is picked.
Q2: The signature validation loops the certificates/keys of the Idp until one is found that validates the signature.
Nuno Cruz
@nmocruz
Hi, Quick question, there's any way to resolve/get services from notifications? I was trying to access a service from AcsCommandResultCreated but without success
on others authentication middlewares we can access the request httpcontext and then get service from there
Nuno Cruz
@nmocruz
ok, I think I have the awnser,
  services.AddOptions<Saml2Options>(Saml2Defaults.Scheme)
                .Configure<IHttpContextAccessor, ...
`
Murad
@muradgaribzada
Hi, i'm getting
An unhandled exception occurred while processing the request.
UnexpectedInResponseToException: Received message _82c677e7a5d90abca945562c19e4f868bbd8be7999 contains unexpected InResponseTo "id72b826e83a75492f95940df6de82c7b3". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.
after login click. How can i resolve the problem?
1 reply
Rob King
@robert_p_king_twitter
We're seeing an issue with one customer of ours where despite us specifying HTTP-POST bindings for login requests and responses, when their users sign in or out, it reverts to using HTTP-Redirect. Their IdP metadata emits Redirect, Post and SOAP options for login/logout. If we load their metadata from a URL then specify "Binding = Saml2BindingType.HttpPost," it seems to be ignored. Is HTTP-Redirect the default binding used?
2 replies
microalps
@microalps
@AndersAbel I am getting a different issue with the same cause as #1298 (accessing PrivateKey instead of GetRsaPrivateKey()) when using X509KeyStorageFlags.EphemeralKeySet - I see you are managing the v1 branch - is there a shot of a PR being accepted and pushed to nuget?
7 replies
bertmckay79
@bertmckay79:matrix.org
[m]

Hi, i'm getting
An unhandled exception occurred while processing the request.
UnexpectedInResponseToException: Received message _82c677e7a5d90abca945562c19e4f868bbd8be7999 contains unexpected InResponseTo "id72b826e83a75492f95940df6de82c7b3". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.
after login click. How can i resolve the problem?

I'm getting the same issue after the idp change the account creation process, it now allow the user to log in after the account creation process which can take some time. is it possible to increase the expiration time on the cookie?

1 reply
microalps
@microalps
@AndersAbel how do we proceed with #1307 ? It needs approval (again) to run workflow and I'm not even sure next steps to get this merged into v2 itself. Can you point me to contribution guidelines or another active member that can assist?
2 replies