Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Aug 07 03:57
    github-actions[bot] labeled #1356
  • Aug 05 10:05
    shnal commented #1357
  • Aug 04 12:32
    AndersAbel commented #1357
  • Aug 04 12:30
    shnal commented #1357
  • Aug 04 12:22
    AndersAbel labeled #1357
  • Aug 04 12:22
    AndersAbel unlabeled #1357
  • Aug 04 12:22
    AndersAbel labeled #1357
  • Aug 04 12:22
    AndersAbel unlabeled #1357
  • Aug 04 12:22
    AndersAbel closed #1357
  • Aug 04 12:22
    AndersAbel commented #1357
  • Aug 04 08:25
    shnal commented #1357
  • Aug 04 08:22
    shnal commented #1357
  • Aug 04 08:21
    shnal labeled #1357
  • Aug 04 08:21
    shnal opened #1357
  • Aug 04 08:21
    shnal labeled #1357
  • Aug 02 04:17

    dependabot[bot] on nuget

    (compare)

  • Aug 02 04:17

    dependabot[bot] on nuget

    (compare)

  • Aug 02 04:17
    dependabot[bot] commented #1354
  • Aug 02 04:17
    dependabot[bot] commented #1355
  • Aug 02 04:17
    github-actions[bot] closed #1354
Anders Abel
@AndersAbel
As some of you might have seen - I've done a bit of end-of-year-work on the issue list and I also (finally, sorry for the delay) pushed 2.9.0 to Nuget. I'll try to work through the rest of the issue list too after the Holidays. And then I've set a side some time to work on the develop branch and get long over due architectural work done. For anyone with opinions - now is the right time to come up with them.
My intention is to drop support for everything except .NET 6 and Asp.NET Core in the develop branch. The multi-targeting (both frameworks and web platforms) costs a lot to maintain. I think that the existing v1 and v2 versions will work for anyone still on those platforms.
IrvanWijaya
@IrvanWijaya_gitlab

Hi everyone,
just wondering if there are anybody ever try to use dynamics 365 channel integration framework (D365 CIF) and do an SSO with the Sustainsys/Saml2?
D365 CIF : https://docs.microsoft.com/en-us/dynamics365/customer-service/channel-integration-framework/authenticate-channel-users

I'm new to SAML workflow and integration so I follow this tutorial for implementin SAML with Azure AD with asp net core 3.1 webapp.
https://matthijs.hoekstraonline.net/2020/04/14/authenticate-an-azure-ad-user-with-saml-for-asp-net-core/

I tested it locally and everything working fine. After that I try deploy it to azure app service and everything still working.
Last I try to add the app to D365 CIF but its not working because there are an infinite loop of authenticating process and keep adding cookie until the header is too long.

As you can see in the screen shot below it will send SAMLRequest (success) then it is redirected to /Saml2/Acs (I guss this is from the sustainsys?) then redirected back to my app homepage but then the SAML request is send again and repeat.

*note
I guess D365 CIF is using an Iframe to displaying the app that implementing SSO.

I've been looking around for 2 days but didn't get any solution.

Thanks in advance
IrvanWijaya
@IrvanWijaya_gitlab
image.png
Anders Abel
@AndersAbel
@IrvanWijaya_gitlab Since the .AspNetCore.Cookies cookie is set, the Saml2 response was successfully processed and a user session established. Looks like your application has some authorization rules that makes the user session not being valied - which creates a renewed authentication
Rob King
@robert_p_king_twitter
We are starting to migrate our single-tenant applications into a multi-tenant architecture. Currently each SAML site has its own config loaded on startup. We obviously can't do this with multi-tenant. How would I go about using Sustainsys Saml in a mult-tenant web app where I would dynamically need to load/configure the SAML settings on-the-fly instead of in Startup.cs?
Anders Abel
@AndersAbel
@robert_p_king_twitter Use the SelectIdentityProvider and GetIdentityProvider notifications to override the internal lookup logic for what IdentityProvider to use. If you override both of those, you can leave the IdentityProviders collection empty.
Anders Abel
@AndersAbel
I finally got around to do some more development on v3. After looking through the code and how much has change in .NET and C# over nearly a decade I made a spike starting from scratch with a new architecture - but of course copying both test cases and code where relevant. So far I've done work on the basic XML handling and navigation including signature validation. It's all in the BasicMetadataReading branch in the repo now.
For the XML processing I am exploring a solution where we use XmlDocument+SignedXml and have a light weight traverser instead of the XmlNodeReader. The reason is that the XmlNodeReader do not allow access back to the document in an easy way, which is needed to use SignedXml. Back when I started the project I thought that linq-to-xml was "the way forward" and tried to use that as much as possible - until I found out that SignedXml requires the XmlDocument-based API. So the new effort is completely based on the XmlDocument/SignedXml concept. With good helper methods it's ok to work on that API too.
Anders Abel
@AndersAbel
I'm also designing the new XML processing to not throw exceptions and abort directly on error, but rather report and if possible continue the processing. The default behaviour is to throw exceptions if there are any errors after processing, but this leaves it open to add hooks to supress errors if needed. The general impression I have after the years with this library is that there is a huge need for flexibility to handle different scenarios.
joaorsfonseca
@joaorsfonseca
Hi all.. I'm trying to implement this with Google Suite Applications but no luck yet. I'm always getting the error No Idp with entity id "https://accounts.google.com/o/saml2?idpid=xxxx" found
I was able to configure it for Okta.
Any sample on how to configure Google and AddSaml2 on my site?
Anders Abel
@AndersAbel
Why would you use Saml2 with Google and not a built in Google provider? Anyways, looks like you've got the EntityId of the Google Idp wrong in the config.
joaorsfonseca
@joaorsfonseca
Client Requirements.
I've also removed Okta configuration since it was in conflit with Google's identityproviders.
joaorsfonseca
@joaorsfonseca
I think i did it
I was able to Register the account on my web site
but now i'm getting the error Unsolicited responses are not allowed for idp
when using the shortcut in google workspace applications
Anders Abel
@AndersAbel
You need to set Idp.AllowUnsolicitedAuthnResponse
joaorsfonseca
@joaorsfonseca
i've already added it and the issue remains
authenticationBuilder.AddSaml2("googlesuite", "Google Suite", options => { options.SPOptions.EntityId = new EntityId(Configuration["Authentication:GoogleSuite:Issuer"]); var identityProvider = new IdentityProvider(new EntityId("https://accounts.google.com/o/saml2?idpid=ID"), options.SPOptions) { AllowUnsolicitedAuthnResponse = true, SingleSignOnServiceUrl = new Uri("https://accounts.google.com/o/saml2/idp?idpid=ID"), Binding = Saml2BindingType.HttpRedirect, }; identityProvider.SigningKeys.AddConfiguredKey(new X509Certificate2("GoogleSuite.pem")); options.IdentityProviders.Add(identityProvider); });
Anders Abel
@AndersAbel
Sorry, I cannot see what's immediately wrong here, would need to see the flow and/or some logs - this is as far as I can help for free.
Anders Abel
@AndersAbel
For development, I've done some more work. The develop branch is now reorganized with the new Metadata library and corresponding tests. All existing code from previous versions has been moved to the legacy folder. The idea forward is to add back functionality incrementally in a new design. Code and tests can of course be copied from the existing code base where suitable, but when doing so it needs to be reviewed that it follows the new standards.
joaorsfonseca
@joaorsfonseca

Hi. I'm trying to debug locally (using ngrok) some mappings made on my Google Suite saml mappings.
But i'm getting this error:

Saml2 Status Message: Invalid request, ACS Url in request https://localhost:44307/Saml2/Acs doesn't match configured ACS Url https://xxx.ngrok.io/Saml2/Acs.
Saml2 Second Level Status: urn:oasis:names:tc:SAML:2.0:status:RequestDenied

Is there a way to force this localhos request to be the ngrok tunnel?

Anders Abel
@AndersAbel
@joaorsfonseca Ideally you would add a custom middleware that changes the Request.Host. But to just affect Saml2 you can use the PublicOrigin setting
joaorsfonseca
@joaorsfonseca
@AndersAbel great! it worked
One more thing. I'm trying to use the flag AllowUnsolicitedAuthnResponse.. I've already specified the ReturnUrl being my application homepage. From idp apps menu, I'm now being redirected to my application, but without login
Anders Abel
@AndersAbel
What URL did you set your Idp to send the response to?
joaorsfonseca
@joaorsfonseca
https://localhost:44307/
But now. I've created a new method in my AccountController called IdpLoginCallback that will return a Challenge to my Idp
image.png
I don't know if this is the right way to do it
Anders Abel
@AndersAbel
The Idp should post the response to /Saml2/Acs. That's an internal endpoint handled by the Saml2 handler. Then configure the ReturnUrl in SPOptions to be the start page of the application
Rob King
@robert_p_king_twitter
When initiating a single logout, where are the LogoutNameIdentifier and SessionIndex being pulled from to make the logout request? We have a login app which handles the sign in to the SAML IDP and then redirects the user to another app. When they sign out of that app, they are redirected back to the login app where their OWIN context user has lost the claims from the sign in. This should be ok because I persist the LogoutNameIdentifier and SessionIndex so they can be re-attached when the user returns. But whether I add them as claims or add them to the AuthenticationProperties, neither triggers the sign out.
Anders Abel
@AndersAbel
@robert_p_king_twitter They are read from the current user Claims. There is a log entry that lists all the requirements to do a federated logout, check if you can get that information, it should show what's happening.
Scott Ladd
@h5aaimtron
@AndersAbel Hello Anders. I'm working on an university implementation with Shibboleth as a PoC. I was working off the following sample I found online: (https://github.com/hmacat/Saml2WebAPIAndAngularSpaExample). As I worked on this, I started wondering what the ModuleName was used for (defaults to root/Saml2). I thought maybe the SP metadata was stored here or something so naturally I tried to access the url that way, but 404 of course. With that knowledge I'm trying to expose the SP Metadata in the event I need to given the sample I mentioned above. If you feel this sample is not a good sample to work from, please let me know. Additionally, if it is an ok sample to work from, do you believe I would need to expose the Metadata via the controller? As of now, I've gotten the sample to redirect to our Shibboleth IDP sign on screen, however; it indicates it is having trouble communicating with the application (still registering with the idp). I'm doing my best to make sure I'm not missing anything before moving forward. Thank you for your time.
Anders Abel
@AndersAbel
I'm not familiar with that sample, so cannot tell how it works. The ModulePath indded should be the path of the Metadata. Accessing the Metadata is a good and simple way to see that the Saml2 SP module is correctly enabled. If you get a 404 on /Saml2 (and haven't changed the ModulePath) it indicates that the module/handler/middleware is not correctly configured.
Scott Ladd
@h5aaimtron
Yeah, definitely getting a 404 on that path. I'll see if there is some additional configuration as compared to your MVC samples. Are there any newer samples available in the sustainsys repo?
Scott Ladd
@h5aaimtron
Simple mistake, added app.UseAuthorization() before app.UseAuthentication() in error. Swapping them to the correct order made the endpoint appear :)
Scott Ladd
@h5aaimtron
@AndersAbel I got pretty much everything up and running locally, just hit a snag deploying into a container. The SP metadata keeps setting everything to http instead of https, but keeps https locally. Is there a way to override which it uses?
Scott Ladd
@h5aaimtron
Nevermind, PublicOrigin..... :) All working now.
Rob King
@robert_p_king_twitter
I'm setting up our app behind a reverse proxy and I've noticed that the host part of AssertionConsumerServiceURL being sent out on the AuthnRequest is that of the actual web service and not the host of the reverse proxy. E.g. the app runs on localhost:44300 but the URL the user is seeing is localhost:7106. I can add both URLs in my test IDP, but I can't guarantee our customers can so is there any way to explicitly configure the whole ACS url?
1 reply
pranith12345
@pranith12345
Hi , I am facing an Issue with SustainSys(v2.2) . In CommandResultHttpExtensions, ApplyCookies , Set-Cookie are getting duplicated . If i already set asp.net_sessionid , ApplyCookies is duplicating the SessionCookie also . Can anyone please help me in resolve this issue
Anders Abel
@AndersAbel

Nevermind, PublicOrigin..... :) All working now.

Good :)

Hi , I am facing an Issue with SustainSys(v2.2) . In CommandResultHttpExtensions, ApplyCookies , Set-Cookie are getting duplicated . If i already set asp.net_sessionid , ApplyCookies is duplicating the SessionCookie also . Can anyone please help me in resolve this issue

You asked the same question on Stack Overflow, didn't you? Well, are you using the Kentor.OwinCookieSaver package i your application?