Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jan 25 20:06
    AndersAbel closed #1335
  • Jan 25 20:06
    AndersAbel commented #1335
  • Jan 25 14:51
    AlexAlexGoTO commented #1335
  • Jan 25 14:19
    AlexAlexGoTO commented #1335
  • Jan 25 13:16
    AndersAbel commented #1335
  • Jan 25 12:35
    AlexAlexGoTO commented #1335
  • Jan 25 12:29
    AlexAlexGoTO commented #1335
  • Jan 25 12:12
    AlexAlexGoTO commented #1335
  • Jan 25 12:11
    AlexAlexGoTO commented #1335
  • Jan 25 10:53
    AlexAlexGoTO commented #1335
  • Jan 25 10:37
    AlexAlexGoTO commented #1335
  • Jan 25 10:37
    AlexAlexGoTO commented #1335
  • Jan 24 21:40
    snypenet commented #1097
  • Jan 24 21:40
    snypenet commented #1097
  • Jan 24 20:49
    AlexAlexGoTO commented #1335
  • Jan 24 20:38
    AndersAbel commented #1335
  • Jan 24 15:50
    AlexAlexGoTO edited #1335
  • Jan 24 15:49
    AlexAlexGoTO edited #1335
  • Jan 24 15:49
    AlexAlexGoTO edited #1335
  • Jan 24 15:48
    AlexAlexGoTO labeled #1335
Md. Arshad Alam
@anarshadali
Hi @AndersAbel ,
Md. Arshad Alam
@anarshadali

Is there not any way to control manually or to redirect to some custom page of alternate login if due to any reason user will not able to logged in on runtime.
I want my user will able to become login using manual login form, in case any issue occurred during authentication from either ADFS side or from Application side (instead of throwing YELLOW error page).

Brief:
on application 1st hit i want to redirect my user to ADFS, Whether ADFS do not responded OR ADFS do respond but SAML response was not able to parse from Sustainsys SAML httpmodule OR SAML response Status code is something other than success then in any such scenario i want user get auto redirect on to some other existing login page.

i am using
SAML2.HTTPModules
Asp.Net, C#, and 4.6 framework of dot net

Md. Arshad Alam
@anarshadali
anyone can help me please
it would be my pleasure if someone will asisst me on this query
Md. Arshad Alam
@anarshadali
I am still awaiting for response, PLEASE
Kyle Senkevich
@ksenkevich_gitlab
Hi, I have an Idp that wants to use Idp Initiated Sign on and pass in a relaystate for a redirect url after login. From my understanding this Saml2 handler does not support that, is that correct?
AhmedAssaf
@AhmedAssaf
How to fix browser back button to (SAML2/ACS) issue after SAML SSO success
Anders Abel
@AndersAbel

Hi, I have an Idp that wants to use Idp Initiated Sign on and pass in a relaystate for a redirect url after login. From my understanding this Saml2 handler does not support that, is that correct?

The handler does support that. But it needs to be enabled in the settings.

How to fix browser back button to (SAML2/ACS) issue after SAML SSO success

There is no fix for that currently. There is an open issue, please see discussion in there.

Aftab Gani Mulani
@gani_mulani_twitter
I want to implement SAML2 in our existing ASP.NET MVC (framework 4.6.2) application with ADFS 2016. As the Sustainsys.Saml2.MVC is not supporting 4.6.2 framework. So I tried to implement it with Sustainsys.Saml2.Owin package but it is not redirecting to ADFS login page. Is any one has working example which uses Sustainsys.Saml2.Owin with ADFS?
AlexOliinyk1
@AlexOliinyk1

@AndersAbel

Sure, I can point you in the right direction...

Hi Guys, I used this code as a sample for my project. It works for old IDP and after I add new, it also works. But when I want to delete it we getting Idp as null from the GetProvider method, as result in the method ValidateSignature, we getting a null reference error. Prety same as here Sustainsys/Saml2#1046
Any advice, how to resolve it?

builder.AddSaml2(
    saml2Options =>
    {
        saml2Options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        saml2Options.SPOptions.EntityId = new EntityId(config.Saml2.ServiceProviderEntityId);
        saml2Options.SPOptions.ServiceCertificates.Add(certificate);

        saml2Options.Notifications.SelectIdentityProvider =
            (id, data) => GetProvider(identityProviderStore, id, data, saml2Options, logger);

        saml2Options.Notifications.GetIdentityProvider =
            (id, data, options) => GetProvider(identityProviderStore, id, data, options, logger);

        saml2Options.Notifications.AcsCommandResultCreated =
            (commandResult, response) =>
            {
                if (commandResult.Principal.Identity is ClaimsIdentity identity)
                    identity.AddClaim(new Claim("in_response_to", response.InResponseTo.Value));
            };
    });
this one code
@mlindegarde
Rob King
@robert_p_king_twitter

In the docs, it says about service certificates, "Specifies the certificate(s) that the service provider uses for encrypted assertions (and for signed requests, once that feature is added). If neither of those features are used, this element can be omitted."

What does it mean by "once that feature is added"?

Also, does anyone have an example of how to add a certificate in code (not using .config)?

Anders Abel
@AndersAbel
@robert_p_king_twitter That looks like stale docs. Signed requests are supported. See https://stackoverflow.com/questions/67230532/cannot-create-sustainsys-certificateelement-from-x509certificate2-object-to-upda
Rob King
@robert_p_king_twitter
@AndersAbel yeah I actually found that exact post a bit earlier. It helped me get further along. I think my issue is largely around the actual certs I'm using.
Rob King
@robert_p_king_twitter

Can I get a brief explanation of how multiple SP or IdP certificates are used once loaded?

Scenario: we want to load up a certificate and at a later date, its successor to make a seamless transation with no downtime or synchronisation with the IdP. I can load these easily into the ServiceCertificateCollection and they are both emitted through the SP metadata fine.

Question: given I have two certificates loaded, when signing the request, which certificate will Sustainsys use?

Likewise, when an ACS is returned from the IdP and we have two certificates of theirs loaded, does the middleware just look a matching cert?

Anders Abel
@AndersAbel
Q1: The one that is marked as current. If multiple have status current, one of them is picked.
Q2: The signature validation loops the certificates/keys of the Idp until one is found that validates the signature.
Nuno Cruz
@nmocruz
Hi, Quick question, there's any way to resolve/get services from notifications? I was trying to access a service from AcsCommandResultCreated but without success
on others authentication middlewares we can access the request httpcontext and then get service from there
Nuno Cruz
@nmocruz
ok, I think I have the awnser,
  services.AddOptions<Saml2Options>(Saml2Defaults.Scheme)
                .Configure<IHttpContextAccessor, ...
`
Murad
@muradgaribzada
Hi, i'm getting
An unhandled exception occurred while processing the request.
UnexpectedInResponseToException: Received message _82c677e7a5d90abca945562c19e4f868bbd8be7999 contains unexpected InResponseTo "id72b826e83a75492f95940df6de82c7b3". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.
after login click. How can i resolve the problem?
1 reply
Rob King
@robert_p_king_twitter
We're seeing an issue with one customer of ours where despite us specifying HTTP-POST bindings for login requests and responses, when their users sign in or out, it reverts to using HTTP-Redirect. Their IdP metadata emits Redirect, Post and SOAP options for login/logout. If we load their metadata from a URL then specify "Binding = Saml2BindingType.HttpPost," it seems to be ignored. Is HTTP-Redirect the default binding used?
2 replies
microalps
@microalps
@AndersAbel I am getting a different issue with the same cause as #1298 (accessing PrivateKey instead of GetRsaPrivateKey()) when using X509KeyStorageFlags.EphemeralKeySet - I see you are managing the v1 branch - is there a shot of a PR being accepted and pushed to nuget?
7 replies
bertmckay79
@bertmckay79:matrix.org
[m]

Hi, i'm getting
An unhandled exception occurred while processing the request.
UnexpectedInResponseToException: Received message _82c677e7a5d90abca945562c19e4f868bbd8be7999 contains unexpected InResponseTo "id72b826e83a75492f95940df6de82c7b3". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.
after login click. How can i resolve the problem?

I'm getting the same issue after the idp change the account creation process, it now allow the user to log in after the account creation process which can take some time. is it possible to increase the expiration time on the cookie?

1 reply
microalps
@microalps
@AndersAbel how do we proceed with #1307 ? It needs approval (again) to run workflow and I'm not even sure next steps to get this merged into v2 itself. Can you point me to contribution guidelines or another active member that can assist?
2 replies
Alan Macdonald
@alan.macdonald_gitlab

Hello. I am a bit confused on the difference between loading metadata via a URL vs a file with regards to certificates on the local file system. If I configure an IDP with a metadata url then it works fine without having to install certificates. If I download the metadata to a file from that same url and instead load using a metadata location to that relative file path then I get "The signature verified correctly with the key contained in the signature, but that key is not trusted." after authenticating and being redirected back.

The metadata is the same, it's just loaded from a file instead of a URL. Why would I have to install the certificate separately for this case?

1 reply
Jake Aitchison
@milkshakeuk
does anyone know when this Sustainsys/Saml2#1313 will get merged, its preventing a .net6 upgrade.
loicnoramsoft
@loicnoramsoft

Hello, I try to add multiple Identity Providers. but I receive an error during login. I don't know if I code the right way. Did you succeed to login with 1 saml option and 2 identity providers? I modified SampleIdentityServer4AspNetIdentity sample.

.AddSaml2(options =>
                {
                    options.SPOptions.EntityId = new EntityId("https://localhost:44342/Saml2");
                    options.IdentityProviders.Add(
                        new IdentityProvider(
                            new EntityId("https://sts.windows.net/a4063b47-a5d6-439****4edea677d/"), options.SPOptions)
                        {
                        LoadMetadata = true,
                        MetadataLocation = "https://login.microsoftonline.com/a4063b47-a5d6-4391-9***ea677d/federationmetadata/2007-06/federationmetadata.xml?appid=487fc7e9-22****61bb78e6924d",
                            AllowUnsolicitedAuthnResponse = true
                        });

                    options.IdentityProviders.Add(new IdentityProvider(
                                new EntityId("https://sts.windows.net/d4017a0a-1b19-4045-****9105deb9/"), options.SPOptions)
                    {
                        LoadMetadata = true,
                        MetadataLocation = "https://login.microsoftonline.com/d4017a0a-1b19-4045-*****5deb9/federationmetadata/2007-06/federationmetadata.xml?appid=12ac1f71-564b-4e5****610328f55",
                        AllowUnsolicitedAuthnResponse = true
                    });

                    options.SPOptions.ServiceCertificates.Add(new X509Certificate2("Sustainsys.Saml2.Tests.pfx"));
                    //options.SPOptions.ServiceCertificates.Add(new X509Certificate2(
                    //    HostingEnvironment.ContentRootPath + "\\App_Data\\Sustainsys.Saml2.SampleIdentityServer4AspNetIdentity.pfx"));
                })

I received this error after login in microsoft azure ad :

Microsoft
Pick an account
Selected user account does not exist in tenant 'sss' and cannot access the application 'https://localhost:44342/Saml2' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

loicnoramsoft
@loicnoramsoft
when I try with a user present in the first identity provider, it works.
the problem is only when I use a user in the second identity provider
loicnoramsoft
@loicnoramsoft

I received this error after login on azure ad :

Sign in
Sorry, but we’re having trouble signing you in.

AADSTS50020: User account 'bob@*.onmicrosoft.com' from identity provider 'https://sts.windows.net/d4017a0a-1****b309105deb9/' does not exist in tenant 'simetsdev' and cannot access the application 'https://localhost:44342/Saml2'(Ma*) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

4 replies
Anders Abel
@AndersAbel

does anyone know when this Sustainsys/Saml2#1313 will get merged, its preventing a .net6 upgrade.

Finally found some time to handle this. I'm merging it to develop and v2right now.

I will make a 2.9.0 release with #1313 and #1321. If anyone has anything more that is urgent to get out in a release version, please comment.
microalps
@microalps
@AndersAbel you said you would merge #1255 for .net support as it removes the hack completely. I created #1307 to address a bug with ephemeral keys and incorporated parts of #1255. A v2 branch is also available if interested. We forked the project internally so we aren't waiting for this but others may be. Happy Thanksgiving
Anders Abel
@AndersAbel

@AndersAbel you said you would merge #1255 for .net support as it removes the hack completely. I created #1307 to address a bug with ephemeral keys and incorporated parts of #1255. A v2 branch is also available if interested. We forked the project internally so we aren't waiting for this but others may be. Happy Thanksgiving

You're right - too much to do and to bad memory from my side. I'll look at it again.

microalps
@microalps
Rebased my PR to resolve conflicts. Please approve CI @AndersAbel
microalps
@microalps
@AndersAbel what's the next steps here?
Anders Abel
@AndersAbel
That I do the merge and the release.
I'm sorry but time for OSS work has been limited, I'll really try within the next few days to get it done.
Is it an option to only merge your PR to develop and not to v2? Develop would mean a lot less review work as that is a non-supported version.
^^^ @microalps
microalps
@microalps
I don't care personally, but other people have complained of related issues
We are using v1 in our production and have created a fork with this change for v1. Let's start with develop and see what the community requests on a separate PR for v2 (they are slightly different code)
Anders Abel
@AndersAbel
I'll see what I can do. Generally I would like to keep v2 work to a minimum and take the time I have to develop
Oh, so you got stuck on that even in v1. Well that is on kind of life-support. I would really prefer to not do anything but security fixes on that.
microalps
@microalps
That's what I said, we are fine no matter which way you go. But others may not be. For their sake it might make sense to do v2 - but first let's get it into develop then discuss next steps (if there is interest)
We initially did an entire upgrade to v2 just to get this feature, but when it wasn't merged we rolled back and fixed v1 itself.
Md. Arshad Alam
@anarshadali

Hi
Need help in implementing SAML in organisation apps. I am able to use SAML in Individual and separate application having their own separate DNS.

but stuck at the point, where i have to implement SAML in all application hosted under "Default website" of IIS Server, which are getting accessible with one DNS.

Can someone guide me how can I implement SAML in all those applications which is hosted under "default website" of IIS manager and having same URL (e.g. https://xyz.com/app1 , https://xyz.com/app2 and https://xyz.com/app3 and so on.0

image.png
all are mapped under https://xyz.com