For the XML processing I am exploring a solution where we use XmlDocument+SignedXml and have a light weight traverser instead of the XmlNodeReader. The reason is that the XmlNodeReader do not allow access back to the document in an easy way, which is needed to use SignedXml. Back when I started the project I thought that linq-to-xml was "the way forward" and tried to use that as much as possible - until I found out that SignedXml requires the XmlDocument-based API. So the new effort is completely based on the XmlDocument/SignedXml concept. With good helper methods it's ok to work on that API too.
I'm also designing the new XML processing to not throw exceptions and abort directly on error, but rather report and if possible continue the processing. The default behaviour is to throw exceptions if there are any errors after processing, but this leaves it open to add hooks to supress errors if needed. The general impression I have after the years with this library is that there is a huge need for flexibility to handle different scenarios.
Hi all.. I'm trying to implement this with Google Suite Applications but no luck yet. I'm always getting the error No Idp with entity id "https://accounts.google.com/o/saml2?idpid=xxxx" found
I was able to configure it for Okta.
Any sample on how to configure Google and AddSaml2 on my site?
I was able to configure it for Okta.
Any sample on how to configure Google and AddSaml2 on my site?
I was able to Register the account on my web site
but now i'm getting the error Unsolicited responses are not allowed for idp
when using the shortcut in google workspace applications
authenticationBuilder.AddSaml2("googlesuite", "Google Suite", options =>
{
options.SPOptions.EntityId = new EntityId(Configuration["Authentication:GoogleSuite:Issuer"]);
var identityProvider = new IdentityProvider(new EntityId("https://accounts.google.com/o/saml2?idpid=ID"),
options.SPOptions)
{
AllowUnsolicitedAuthnResponse = true,
SingleSignOnServiceUrl = new Uri("https://accounts.google.com/o/saml2/idp?idpid=ID"),
Binding = Saml2BindingType.HttpRedirect,
};
identityProvider.SigningKeys.AddConfiguredKey(new X509Certificate2("GoogleSuite.pem"));
options.IdentityProviders.Add(identityProvider);
});
For development, I've done some more work. The
develop branch is now reorganized with the new Metadata library and corresponding tests. All existing code from previous versions has been moved to the legacy folder. The idea forward is to add back functionality incrementally in a new design. Code and tests can of course be copied from the existing code base where suitable, but when doing so it needs to be reviewed that it follows the new standards.
Hi. I'm trying to debug locally (using ngrok) some mappings made on my Google Suite saml mappings.
But i'm getting this error:
Saml2 Status Message: Invalid request, ACS Url in request https://localhost:44307/Saml2/Acs doesn't match configured ACS Url https://xxx.ngrok.io/Saml2/Acs.
Saml2 Second Level Status: urn:oasis:names:tc:SAML:2.0:status:RequestDenied
Is there a way to force this localhos request to be the ngrok tunnel?
One more thing. I'm trying to use the flag AllowUnsolicitedAuthnResponse.. I've already specified the ReturnUrl being my application homepage. From idp apps menu, I'm now being redirected to my application, but without login
But now. I've created a new method in my AccountController called IdpLoginCallback that will return a Challenge to my Idp
I don't know if this is the right way to do it
When initiating a single logout, where are the LogoutNameIdentifier and SessionIndex being pulled from to make the logout request? We have a login app which handles the sign in to the SAML IDP and then redirects the user to another app. When they sign out of that app, they are redirected back to the login app where their OWIN context user has lost the claims from the sign in. This should be ok because I persist the LogoutNameIdentifier and SessionIndex so they can be re-attached when the user returns. But whether I add them as claims or add them to the AuthenticationProperties, neither triggers the sign out.
@AndersAbel Hello Anders. I'm working on an university implementation with Shibboleth as a PoC. I was working off the following sample I found online: (https://github.com/hmacat/Saml2WebAPIAndAngularSpaExample). As I worked on this, I started wondering what the ModuleName was used for (defaults to root/Saml2). I thought maybe the SP metadata was stored here or something so naturally I tried to access the url that way, but 404 of course. With that knowledge I'm trying to expose the SP Metadata in the event I need to given the sample I mentioned above. If you feel this sample is not a good sample to work from, please let me know. Additionally, if it is an ok sample to work from, do you believe I would need to expose the Metadata via the controller? As of now, I've gotten the sample to redirect to our Shibboleth IDP sign on screen, however; it indicates it is having trouble communicating with the application (still registering with the idp). I'm doing my best to make sure I'm not missing anything before moving forward. Thank you for your time.
I'm not familiar with that sample, so cannot tell how it works. The ModulePath indded should be the path of the Metadata. Accessing the Metadata is a good and simple way to see that the Saml2 SP module is correctly enabled. If you get a 404 on /Saml2 (and haven't changed the ModulePath) it indicates that the module/handler/middleware is not correctly configured.
I'm setting up our app behind a reverse proxy and I've noticed that the host part of AssertionConsumerServiceURL being sent out on the AuthnRequest is that of the actual web service and not the host of the reverse proxy. E.g. the app runs on localhost:44300 but the URL the user is seeing is localhost:7106. I can add both URLs in my test IDP, but I can't guarantee our customers can so is there any way to explicitly configure the whole ACS url?
1 reply
Hi , I am facing an Issue with SustainSys(v2.2) . In CommandResultHttpExtensions, ApplyCookies , Set-Cookie are getting duplicated . If i already set asp.net_sessionid , ApplyCookies is duplicating the SessionCookie also . Can anyone please help me in resolve this issue
You asked the same question on Stack Overflow, didn't you? Well, are you using the Kentor.OwinCookieSaver package i your application?