Sustainsys/Saml2

Jake Aitchison

@milkshakeuk

does anyone know when this Sustainsys/Saml2#1313 will get merged, its preventing a .net6 upgrade.

loicnoramsoft

@loicnoramsoft

Hello, I try to add multiple Identity Providers. but I receive an error during login. I don't know if I code the right way. Did you succeed to login with 1 saml option and 2 identity providers? I modified SampleIdentityServer4AspNetIdentity sample.

.AddSaml2(options =>
                {
                    options.SPOptions.EntityId = new EntityId("https://localhost:44342/Saml2");
                    options.IdentityProviders.Add(
                        new IdentityProvider(
                            new EntityId("https://sts.windows.net/a4063b47-a5d6-439****4edea677d/"), options.SPOptions)
                        {
                        LoadMetadata = true,
                        MetadataLocation = "https://login.microsoftonline.com/a4063b47-a5d6-4391-9***ea677d/federationmetadata/2007-06/federationmetadata.xml?appid=487fc7e9-22****61bb78e6924d",
                            AllowUnsolicitedAuthnResponse = true
                        });

                    options.IdentityProviders.Add(new IdentityProvider(
                                new EntityId("https://sts.windows.net/d4017a0a-1b19-4045-****9105deb9/"), options.SPOptions)
                    {
                        LoadMetadata = true,
                        MetadataLocation = "https://login.microsoftonline.com/d4017a0a-1b19-4045-*****5deb9/federationmetadata/2007-06/federationmetadata.xml?appid=12ac1f71-564b-4e5****610328f55",
                        AllowUnsolicitedAuthnResponse = true
                    });

                    options.SPOptions.ServiceCertificates.Add(new X509Certificate2("Sustainsys.Saml2.Tests.pfx"));
                    //options.SPOptions.ServiceCertificates.Add(new X509Certificate2(
                    //    HostingEnvironment.ContentRootPath + "\\App_Data\\Sustainsys.Saml2.SampleIdentityServer4AspNetIdentity.pfx"));
                })

I received this error after login in microsoft azure ad :

Microsoft
Pick an account
Selected user account does not exist in tenant 'sss' and cannot access the application 'https://localhost:44342/Saml2' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

loicnoramsoft

@loicnoramsoft

when I try with a user present in the first identity provider, it works.
the problem is only when I use a user in the second identity provider

loicnoramsoft

@loicnoramsoft

I received this error after login on azure ad :

Sign in
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'bob@*.onmicrosoft.com' from identity provider 'https://sts.windows.net/d4017a0a-1****b309105deb9/' does not exist in tenant 'simetsdev' and cannot access the application 'https://localhost:44342/Saml2'(Ma*) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

4 replies

Anders Abel

@AndersAbel

does anyone know when this Sustainsys/Saml2#1313 will get merged, its preventing a .net6 upgrade.

Finally found some time to handle this. I'm merging it to develop and v2right now.

I will make a 2.9.0 release with #1313 and #1321. If anyone has anything more that is urgent to get out in a release version, please comment.

microalps

@microalps

@AndersAbel you said you would merge #1255 for .net support as it removes the hack completely. I created #1307 to address a bug with ephemeral keys and incorporated parts of #1255. A v2 branch is also available if interested. We forked the project internally so we aren't waiting for this but others may be. Happy Thanksgiving

Anders Abel

@AndersAbel

@AndersAbel you said you would merge #1255 for .net support as it removes the hack completely. I created #1307 to address a bug with ephemeral keys and incorporated parts of #1255. A v2 branch is also available if interested. We forked the project internally so we aren't waiting for this but others may be. Happy Thanksgiving

You're right - too much to do and to bad memory from my side. I'll look at it again.

microalps

@microalps

Rebased my PR to resolve conflicts. Please approve CI @AndersAbel

microalps

@microalps

@AndersAbel what's the next steps here?

Anders Abel

@AndersAbel

That I do the merge and the release.

I'm sorry but time for OSS work has been limited, I'll really try within the next few days to get it done.

Is it an option to only merge your PR to develop and not to v2? Develop would mean a lot less review work as that is a non-supported version.

^^^ @microalps

microalps

@microalps

I don't care personally, but other people have complained of related issues

We are using v1 in our production and have created a fork with this change for v1. Let's start with develop and see what the community requests on a separate PR for v2 (they are slightly different code)

Anders Abel

@AndersAbel

I'll see what I can do. Generally I would like to keep v2 work to a minimum and take the time I have to develop

Oh, so you got stuck on that even in v1. Well that is on kind of life-support. I would really prefer to not do anything but security fixes on that.

microalps

@microalps

That's what I said, we are fine no matter which way you go. But others may not be. For their sake it might make sense to do v2 - but first let's get it into develop then discuss next steps (if there is interest)

We initially did an entire upgrade to v2 just to get this feature, but when it wasn't merged we rolled back and fixed v1 itself.

Md. Arshad Alam

@anarshadali

Hi
Need help in implementing SAML in organisation apps. I am able to use SAML in Individual and separate application having their own separate DNS.

but stuck at the point, where i have to implement SAML in all application hosted under "Default website" of IIS Server, which are getting accessible with one DNS.

Can someone guide me how can I implement SAML in all those applications which is hosted under "default website" of IIS manager and having same URL (e.g. https://xyz.com/app1 , https://xyz.com/app2 and https://xyz.com/app3 and so on.0

all are mapped under https://xyz.com

@AndersAbel can you please guide me

Md. Arshad Alam

@anarshadali

i am using asp.net webform (dotnet framework 4.0, 4.5 and 4.6)

Anders Abel

@AndersAbel

As some of you might have seen - I've done a bit of end-of-year-work on the issue list and I also (finally, sorry for the delay) pushed 2.9.0 to Nuget. I'll try to work through the rest of the issue list too after the Holidays. And then I've set a side some time to work on the develop branch and get long over due architectural work done. For anyone with opinions - now is the right time to come up with them.

My intention is to drop support for everything except .NET 6 and Asp.NET Core in the develop branch. The multi-targeting (both frameworks and web platforms) costs a lot to maintain. I think that the existing v1 and v2 versions will work for anyone still on those platforms.

IrvanWijaya

@IrvanWijaya_gitlab

Hi everyone,
just wondering if there are anybody ever try to use dynamics 365 channel integration framework (D365 CIF) and do an SSO with the Sustainsys/Saml2?
D365 CIF : https://docs.microsoft.com/en-us/dynamics365/customer-service/channel-integration-framework/authenticate-channel-users

I'm new to SAML workflow and integration so I follow this tutorial for implementin SAML with Azure AD with asp net core 3.1 webapp.
https://matthijs.hoekstraonline.net/2020/04/14/authenticate-an-azure-ad-user-with-saml-for-asp-net-core/

I tested it locally and everything working fine. After that I try deploy it to azure app service and everything still working.
Last I try to add the app to D365 CIF but its not working because there are an infinite loop of authenticating process and keep adding cookie until the header is too long.

As you can see in the screen shot below it will send SAMLRequest (success) then it is redirected to /Saml2/Acs (I guss this is from the sustainsys?) then redirected back to my app homepage but then the SAML request is send again and repeat.

*note
I guess D365 CIF is using an Iframe to displaying the app that implementing SSO.

I've been looking around for 2 days but didn't get any solution.

Thanks in advance

IrvanWijaya

@IrvanWijaya_gitlab

Anders Abel

@AndersAbel

@IrvanWijaya_gitlab Since the .AspNetCore.Cookies cookie is set, the Saml2 response was successfully processed and a user session established. Looks like your application has some authorization rules that makes the user session not being valied - which creates a renewed authentication

Rob King

@robert_p_king_twitter

We are starting to migrate our single-tenant applications into a multi-tenant architecture. Currently each SAML site has its own config loaded on startup. We obviously can't do this with multi-tenant. How would I go about using Sustainsys Saml in a mult-tenant web app where I would dynamically need to load/configure the SAML settings on-the-fly instead of in Startup.cs?

Anders Abel

@AndersAbel

@robert_p_king_twitter Use the SelectIdentityProvider and GetIdentityProvider notifications to override the internal lookup logic for what IdentityProvider to use. If you override both of those, you can leave the IdentityProviders collection empty.

Anders Abel

@AndersAbel

I finally got around to do some more development on v3. After looking through the code and how much has change in .NET and C# over nearly a decade I made a spike starting from scratch with a new architecture - but of course copying both test cases and code where relevant. So far I've done work on the basic XML handling and navigation including signature validation. It's all in the BasicMetadataReading branch in the repo now.

For the XML processing I am exploring a solution where we use XmlDocument+SignedXml and have a light weight traverser instead of the XmlNodeReader. The reason is that the XmlNodeReader do not allow access back to the document in an easy way, which is needed to use SignedXml. Back when I started the project I thought that linq-to-xml was "the way forward" and tried to use that as much as possible - until I found out that SignedXml requires the XmlDocument-based API. So the new effort is completely based on the XmlDocument/SignedXml concept. With good helper methods it's ok to work on that API too.

Anders Abel

@AndersAbel

I'm also designing the new XML processing to not throw exceptions and abort directly on error, but rather report and if possible continue the processing. The default behaviour is to throw exceptions if there are any errors after processing, but this leaves it open to add hooks to supress errors if needed. The general impression I have after the years with this library is that there is a huge need for flexibility to handle different scenarios.

joaorsfonseca

@joaorsfonseca

Hi all.. I'm trying to implement this with Google Suite Applications but no luck yet. I'm always getting the error No Idp with entity id "https://accounts.google.com/o/saml2?idpid=xxxx" found
I was able to configure it for Okta.
Any sample on how to configure Google and AddSaml2 on my site?

Anders Abel

@AndersAbel

Why would you use Saml2 with Google and not a built in Google provider? Anyways, looks like you've got the EntityId of the Google Idp wrong in the config.

joaorsfonseca

@joaorsfonseca

Client Requirements.
I've also removed Okta configuration since it was in conflit with Google's identityproviders.

joaorsfonseca

@joaorsfonseca

I think i did it

I was able to Register the account on my web site

but now i'm getting the error Unsolicited responses are not allowed for idp

when using the shortcut in google workspace applications

Anders Abel

@AndersAbel

You need to set Idp.AllowUnsolicitedAuthnResponse

joaorsfonseca

@joaorsfonseca

i've already added it and the issue remains

authenticationBuilder.AddSaml2("googlesuite", "Google Suite", options =>
            {
                options.SPOptions.EntityId = new EntityId(Configuration["Authentication:GoogleSuite:Issuer"]);
                var identityProvider = new IdentityProvider(new EntityId("https://accounts.google.com/o/saml2?idpid=ID"),
                    options.SPOptions)
                {
                    AllowUnsolicitedAuthnResponse = true,
                    SingleSignOnServiceUrl = new Uri("https://accounts.google.com/o/saml2/idp?idpid=ID"),
                    Binding = Saml2BindingType.HttpRedirect,
                };
                identityProvider.SigningKeys.AddConfiguredKey(new X509Certificate2("GoogleSuite.pem"));
                options.IdentityProviders.Add(identityProvider);
            });

Anders Abel

@AndersAbel

Sorry, I cannot see what's immediately wrong here, would need to see the flow and/or some logs - this is as far as I can help for free.

Anders Abel

@AndersAbel

For development, I've done some more work. The develop branch is now reorganized with the new Metadata library and corresponding tests. All existing code from previous versions has been moved to the legacy folder. The idea forward is to add back functionality incrementally in a new design. Code and tests can of course be copied from the existing code base where suitable, but when doing so it needs to be reviewed that it follows the new standards.

joaorsfonseca

@joaorsfonseca

Hi. I'm trying to debug locally (using ngrok) some mappings made on my Google Suite saml mappings.
But i'm getting this error:

Saml2 Status Message: Invalid request, ACS Url in request https://localhost:44307/Saml2/Acs doesn't match configured ACS Url https://xxx.ngrok.io/Saml2/Acs.
Saml2 Second Level Status: urn:oasis:names:tc:SAML:2.0:status:RequestDenied

Is there a way to force this localhos request to be the ngrok tunnel?

Anders Abel

@AndersAbel

@joaorsfonseca Ideally you would add a custom middleware that changes the Request.Host. But to just affect Saml2 you can use the PublicOrigin setting

Where communities thrive

People

Repo info

Activity