Anders Abel
@AndersAbel

How to fix browser back button to (SAML2/ACS) issue after SAML SSO success

There is no fix for that currently. There is an open issue, please see discussion in there.

Aftab Gani Mulani
@gani_mulani_twitter
I want to implement SAML2 in our existing ASP.NET MVC (framework 4.6.2) application with ADFS 2016. As Sustainsys.Saml2.MVC does not support the 4.6.2 framework, I tried to implement it with the Sustainsys.Saml2.Owin package, but it is not redirecting to the ADFS login page. Does anyone have a working example which uses Sustainsys.Saml2.Owin with ADFS?
AlexOliinyk1
@AlexOliinyk1

@AndersAbel

Sure, I can point you in the right direction...

Hi Guys, I used this code as a sample for my project. It works for the old IDP, and after I add a new one, it also works. But when I want to delete it, we get Idp as null from the GetProvider method; as a result, in the method ValidateSignature, we get a null reference error. Pretty much the same as here: Sustainsys/Saml2#1046
Any advice on how to resolve it?

```csharp
builder.AddSaml2(
    saml2Options =>
    {
        saml2Options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        saml2Options.SPOptions.EntityId = new EntityId(config.Saml2.ServiceProviderEntityId);
        saml2Options.SPOptions.ServiceCertificates.Add(certificate);

        // Both notifications resolve the IdP dynamically from a store
        // instead of the static IdentityProviders collection.
        saml2Options.Notifications.SelectIdentityProvider =
            (id, data) => GetProvider(identityProviderStore, id, data, saml2Options, logger);

        saml2Options.Notifications.GetIdentityProvider =
            (id, data, options) => GetProvider(identityProviderStore, id, data, options, logger);

        saml2Options.Notifications.AcsCommandResultCreated =
            (commandResult, response) =>
            {
                // Record the InResponseTo of the processed response as a claim on the signed-in identity.
                if (commandResult.Principal.Identity is ClaimsIdentity identity)
                    identity.AddClaim(new Claim("in_response_to", response.InResponseTo.Value));
            };
    });
```
this one code
@mlindegarde
Rob King
@robert_p_king_twitter

In the docs, it says about service certificates, "Specifies the certificate(s) that the service provider uses for encrypted assertions (and for signed requests, once that feature is added). If neither of those features are used, this element can be omitted."

What does it mean by "once that feature is added"?

Also, does anyone have an example of how to add a certificate in code (not using .config)?

Anders Abel
@AndersAbel
@robert_p_king_twitter That looks like stale docs. Signed requests are supported. See https://stackoverflow.com/questions/67230532/cannot-create-sustainsys-certificateelement-from-x509certificate2-object-to-upda
Rob King
@robert_p_king_twitter
@AndersAbel yeah I actually found that exact post a bit earlier. It helped me get further along. I think my issue is largely around the actual certs I'm using.
Rob King
@robert_p_king_twitter

Can I get a brief explanation of how multiple SP or IdP certificates are used once loaded?

Scenario: we want to load up a certificate and, at a later date, its successor, to make a seamless transition with no downtime or synchronisation with the IdP. I can load these easily into the ServiceCertificateCollection and they are both emitted through the SP metadata fine.

Question: given I have two certificates loaded, when signing the request, which certificate will Sustainsys use?

Likewise, when an ACS is returned from the IdP and we have two certificates of theirs loaded, does the middleware just look for a matching cert?

Anders Abel
@AndersAbel
Q1: The one that is marked as current. If multiple have status current, one of them is picked.
Q2: The signature validation loops the certificates/keys of the Idp until one is found that validates the signature.
Nuno Cruz
@nmocruz
Hi, quick question: is there any way to resolve/get services from notifications? I was trying to access a service from AcsCommandResultCreated but without success.
In other authentication middlewares we can access the request HttpContext and then get the service from there.
Nuno Cruz
@nmocruz
ok, I think I have the answer,
```csharp
services.AddOptions<Saml2Options>(Saml2Defaults.Scheme)
    .Configure<IHttpContextAccessor, ...
```
Murad
@muradgaribzada
Hi, I'm getting
An unhandled exception occurred while processing the request.
UnexpectedInResponseToException: Received message _82c677e7a5d90abca945562c19e4f868bbd8be7999 contains unexpected InResponseTo "id72b826e83a75492f95940df6de82c7b3". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.
after the login click. How can I resolve the problem?
Rob King
@robert_p_king_twitter
We're seeing an issue with one customer of ours where despite us specifying HTTP-POST bindings for login requests and responses, when their users sign in or out, it reverts to using HTTP-Redirect. Their IdP metadata emits Redirect, Post and SOAP options for login/logout. If we load their metadata from a URL then specify "Binding = Saml2BindingType.HttpPost," it seems to be ignored. Is HTTP-Redirect the default binding used?
microalps
@microalps
@AndersAbel I am getting a different issue with the same cause as #1298 (accessing PrivateKey instead of GetRsaPrivateKey()) when using X509KeyStorageFlags.EphemeralKeySet - I see you are managing the v1 branch - is there a shot of a PR being accepted and pushed to nuget?
bertmckay79
@bertmckay79:matrix.org [m]

Hi, I'm getting
An unhandled exception occurred while processing the request.
UnexpectedInResponseToException: Received message _82c677e7a5d90abca945562c19e4f868bbd8be7999 contains unexpected InResponseTo "id72b826e83a75492f95940df6de82c7b3". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.
after the login click. How can I resolve the problem?

I'm getting the same issue after the IdP changed the account creation process; it now allows the user to log in after the account creation process, which can take some time. Is it possible to increase the expiration time on the cookie?

microalps
@microalps
@AndersAbel how do we proceed with #1307? It needs approval (again) to run the workflow and I'm not even sure of the next steps to get this merged into v2 itself. Can you point me to contribution guidelines or another active member that can assist?
Alan Macdonald
@alan.macdonald_gitlab

Hello. I am a bit confused on the difference between loading metadata via a URL vs a file with regards to certificates on the local file system. If I configure an IDP with a metadata url then it works fine without having to install certificates. If I download the metadata to a file from that same url and instead load using a metadata location to that relative file path then I get "The signature verified correctly with the key contained in the signature, but that key is not trusted." after authenticating and being redirected back.

The metadata is the same, it's just loaded from a file instead of a URL. Why would I have to install the certificate separately for this case?

Jake Aitchison
@milkshakeuk
Does anyone know when Sustainsys/Saml2#1313 will get merged? It's preventing a .NET 6 upgrade.
loicnoramsoft
@loicnoramsoft

Hello, I am trying to add multiple Identity Providers, but I receive an error during login. I don't know if I coded it the right way. Did you succeed in logging in with 1 SAML option and 2 identity providers? I modified the SampleIdentityServer4AspNetIdentity sample.

```csharp
.AddSaml2(options =>
{
    options.SPOptions.EntityId = new EntityId("https://localhost:44342/Saml2");

    // First identity provider (Azure AD tenant), metadata loaded from the federation metadata URL
    options.IdentityProviders.Add(
        new IdentityProvider(
            new EntityId("https://sts.windows.net/a4063b47-a5d6-439****4edea677d/"), options.SPOptions)
        {
            LoadMetadata = true,
            MetadataLocation = "https://login.microsoftonline.com/a4063b47-a5d6-4391-9***ea677d/federationmetadata/2007-06/federationmetadata.xml?appid=487fc7e9-22****61bb78e6924d",
            AllowUnsolicitedAuthnResponse = true
        });

    // Second identity provider (another Azure AD tenant), sharing the same SPOptions
    options.IdentityProviders.Add(
        new IdentityProvider(
            new EntityId("https://sts.windows.net/d4017a0a-1b19-4045-****9105deb9/"), options.SPOptions)
        {
            LoadMetadata = true,
            MetadataLocation = "https://login.microsoftonline.com/d4017a0a-1b19-4045-*****5deb9/federationmetadata/2007-06/federationmetadata.xml?appid=12ac1f71-564b-4e5****610328f55",
            AllowUnsolicitedAuthnResponse = true
        });

    options.SPOptions.ServiceCertificates.Add(new X509Certificate2("Sustainsys.Saml2.Tests.pfx"));
    //options.SPOptions.ServiceCertificates.Add(new X509Certificate2(
    //    HostingEnvironment.ContentRootPath + "\\App_Data\\Sustainsys.Saml2.SampleIdentityServer4AspNetIdentity.pfx"));
})
```

I received this error after logging in to Microsoft Azure AD:

Microsoft
Pick an account
Selected user account does not exist in tenant 'sss' and cannot access the application 'https://localhost:44342/Saml2' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

loicnoramsoft
@loicnoramsoft
When I try with a user present in the first identity provider, it works.
The problem only occurs when I use a user from the second identity provider.
loicnoramsoft
@loicnoramsoft

I received this error after logging in on Azure AD:

Sign in
Sorry, but we’re having trouble signing you in.

AADSTS50020: User account 'bob@*.onmicrosoft.com' from identity provider 'https://sts.windows.net/d4017a0a-1****b309105deb9/' does not exist in tenant 'simetsdev' and cannot access the application 'https://localhost:44342/Saml2'(Ma*) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Anders Abel
@AndersAbel

Does anyone know when Sustainsys/Saml2#1313 will get merged? It's preventing a .NET 6 upgrade.

Finally found some time to handle this. I'm merging it to develop and v2 right now.

I will make a 2.9.0 release with #1313 and #1321. If anyone has anything more that is urgent to get out in a release version, please comment.
microalps
@microalps
@AndersAbel you said you would merge #1255 for .net support as it removes the hack completely. I created #1307 to address a bug with ephemeral keys and incorporated parts of #1255. A v2 branch is also available if interested. We forked the project internally so we aren't waiting for this but others may be. Happy Thanksgiving
Anders Abel
@AndersAbel

@AndersAbel you said you would merge #1255 for .net support as it removes the hack completely. I created #1307 to address a bug with ephemeral keys and incorporated parts of #1255. A v2 branch is also available if interested. We forked the project internally so we aren't waiting for this but others may be. Happy Thanksgiving

You're right - too much to do and too bad a memory on my side. I'll look at it again.

microalps
@microalps
Rebased my PR to resolve conflicts. Please approve CI @AndersAbel
microalps
@microalps
@AndersAbel what's the next steps here?
Anders Abel
@AndersAbel
That I do the merge and the release.
I'm sorry but time for OSS work has been limited, I'll really try within the next few days to get it done.
Is it an option to only merge your PR to develop and not to v2? Develop would mean a lot less review work as that is a non-supported version.
^^^ @microalps
microalps
@microalps
I don't care personally, but other people have complained of related issues
We are using v1 in our production and have created a fork with this change for v1. Let's start with develop and see what the community requests on a separate PR for v2 (they are slightly different code)
Anders Abel
@AndersAbel
I'll see what I can do. Generally I would like to keep v2 work to a minimum and take the time I have to develop
Oh, so you got stuck on that even in v1. Well that is on kind of life-support. I would really prefer to not do anything but security fixes on that.
microalps
@microalps
That's what I said, we are fine no matter which way you go. But others may not be. For their sake it might make sense to do v2 - but first let's get it into develop then discuss next steps (if there is interest)
We initially did an entire upgrade to v2 just to get this feature, but when it wasn't merged we rolled back and fixed v1 itself.
Md. Arshad Alam
@anarshadali

Hi,
I need help implementing SAML in organisation apps. I am able to use SAML in individual, separate applications having their own separate DNS.

But I am stuck at the point where I have to implement SAML in all applications hosted under the "Default website" of the IIS server, which are accessible with one DNS.

Can someone guide me on how I can implement SAML in all those applications which are hosted under the "Default website" in IIS Manager and have the same URL (e.g. https://xyz.com/app1, https://xyz.com/app2, https://xyz.com/app3 and so on)?

all are mapped under https://xyz.com
@AndersAbel can you please guide me
Md. Arshad Alam
@anarshadali
I am using ASP.NET WebForms (.NET Framework 4.0, 4.5 and 4.6)
Anders Abel
@AndersAbel
As some of you might have seen, I've done a bit of end-of-year work on the issue list and I also (finally, sorry for the delay) pushed 2.9.0 to NuGet. I'll try to work through the rest of the issue list too after the holidays. And then I've set aside some time to work on the develop branch and get long overdue architectural work done. For anyone with opinions - now is the right time to come up with them.
My intention is to drop support for everything except .NET 6 and ASP.NET Core in the develop branch. The multi-targeting (both frameworks and web platforms) costs a lot to maintain. I think that the existing v1 and v2 versions will work for anyone still on those platforms.
IrvanWijaya
@IrvanWijaya_gitlab

Hi everyone,
just wondering if anybody has ever tried to use the Dynamics 365 Channel Integration Framework (D365 CIF) and do SSO with Sustainsys/Saml2?
D365 CIF: https://docs.microsoft.com/en-us/dynamics365/customer-service/channel-integration-framework/authenticate-channel-users

I'm new to the SAML workflow and integration, so I followed this tutorial for implementing SAML with Azure AD in an ASP.NET Core 3.1 web app.
https://matthijs.hoekstraonline.net/2020/04/14/authenticate-an-azure-ad-user-with-saml-for-asp-net-core/

I tested it locally and everything works fine. After that I tried deploying it to Azure App Service and everything still works.
Lastly I tried to add the app to D365 CIF, but it is not working because there is an infinite loop of the authentication process, and it keeps adding cookies until the header is too long.

As you can see in the screenshot below, it sends the SAMLRequest (success), then it is redirected to /Saml2/Acs (I guess this is from Sustainsys?), then redirected back to my app homepage, but then the SAML request is sent again and it repeats.

*note
I guess D365 CIF is using an iframe to display the app that implements SSO.

I've been looking around for 2 days but didn't get any solution.

Thanks in advance
Anders Abel
@AndersAbel
@IrvanWijaya_gitlab Since the .AspNetCore.Cookies cookie is set, the Saml2 response was successfully processed and a user session established. It looks like your application has some authorization rules that make the user session not valid - which creates a renewed authentication