joaorsfonseca
@joaorsfonseca
But now I'm getting the error Unsolicited responses are not allowed for idp when using the shortcut in Google Workspace applications.
Anders Abel
@AndersAbel
You need to set Idp.AllowUnsolicitedAuthnResponse
joaorsfonseca
@joaorsfonseca
I've already added it and the issue remains:
authenticationBuilder.AddSaml2("googlesuite", "Google Suite", options =>
{
    options.SPOptions.EntityId = new EntityId(Configuration["Authentication:GoogleSuite:Issuer"]);

    var identityProvider = new IdentityProvider(
        new EntityId("https://accounts.google.com/o/saml2?idpid=ID"), options.SPOptions)
    {
        AllowUnsolicitedAuthnResponse = true,
        SingleSignOnServiceUrl = new Uri("https://accounts.google.com/o/saml2/idp?idpid=ID"),
        Binding = Saml2BindingType.HttpRedirect,
    };

    identityProvider.SigningKeys.AddConfiguredKey(new X509Certificate2("GoogleSuite.pem"));
    options.IdentityProviders.Add(identityProvider);
});
Anders Abel
@AndersAbel
Sorry, I cannot see what's immediately wrong here, would need to see the flow and/or some logs - this is as far as I can help for free.
Anders Abel
@AndersAbel
For development, I've done some more work. The develop branch is now reorganized with the new Metadata library and corresponding tests. All existing code from previous versions has been moved to the legacy folder. The idea forward is to add back functionality incrementally in a new design. Code and tests can of course be copied from the existing code base where suitable, but when doing so it needs to be reviewed that it follows the new standards.
joaorsfonseca
@joaorsfonseca

Hi. I'm trying to debug locally (using ngrok) some mappings made on my Google Suite SAML mappings.
But I'm getting this error:

Saml2 Status Message: Invalid request, ACS Url in request https://localhost:44307/Saml2/Acs doesn't match configured ACS Url https://xxx.ngrok.io/Saml2/Acs.
Saml2 Second Level Status: urn:oasis:names:tc:SAML:2.0:status:RequestDenied

Is there a way to force this localhost request to be the ngrok tunnel?

Anders Abel
@AndersAbel
@joaorsfonseca Ideally you would add a custom middleware that changes the Request.Host. But to just affect Saml2 you can use the PublicOrigin setting
joaorsfonseca
@joaorsfonseca
@AndersAbel Great! It worked.
One more thing. I'm trying to use the flag AllowUnsolicitedAuthnResponse. I've already specified the ReturnUrl as my application homepage. From the IdP apps menu, I'm now being redirected to my application, but without login.
Anders Abel
@AndersAbel
What URL did you set your Idp to send the response to?
joaorsfonseca
@joaorsfonseca
But now. I've created a new method in my AccountController called IdpLoginCallback that will return a Challenge to my Idp
[image attached: image.png]
I don't know if this is the right way to do it
Anders Abel
@AndersAbel
The Idp should post the response to /Saml2/Acs. That's an internal endpoint handled by the Saml2 handler. Then configure the ReturnUrl in SPOptions to be the start page of the application
Rob King
@robert_p_king_twitter
When initiating a single logout, where are the LogoutNameIdentifier and SessionIndex being pulled from to make the logout request? We have a login app which handles the sign in to the SAML IDP and then redirects the user to another app. When they sign out of that app, they are redirected back to the login app where their OWIN context user has lost the claims from the sign in. This should be ok because I persist the LogoutNameIdentifier and SessionIndex so they can be re-attached when the user returns. But whether I add them as claims or add them to the AuthenticationProperties, neither triggers the sign out.
Anders Abel
@AndersAbel
@robert_p_king_twitter They are read from the current user Claims. There is a log entry that lists all the requirements to do a federated logout, check if you can get that information, it should show what's happening.
Scott Ladd
@h5aaimtron
@AndersAbel Hello Anders. I'm working on a university implementation with Shibboleth as a PoC. I was working off the following sample I found online: (https://github.com/hmacat/Saml2WebAPIAndAngularSpaExample). As I worked on this, I started wondering what the ModuleName was used for (defaults to root/Saml2). I thought maybe the SP metadata was stored here or something, so naturally I tried to access the URL that way, but got a 404 of course. With that knowledge I'm trying to expose the SP Metadata in the event I need to, given the sample I mentioned above. If you feel this sample is not a good sample to work from, please let me know. Additionally, if it is an OK sample to work from, do you believe I would need to expose the Metadata via the controller? As of now, I've gotten the sample to redirect to our Shibboleth IdP sign-on screen; however, it indicates it is having trouble communicating with the application (still registering with the IdP). I'm doing my best to make sure I'm not missing anything before moving forward. Thank you for your time.
Anders Abel
@AndersAbel
I'm not familiar with that sample, so I cannot tell how it works. The ModulePath indeed should be the path of the Metadata. Accessing the Metadata is a good and simple way to see that the Saml2 SP module is correctly enabled. If you get a 404 on /Saml2 (and haven't changed the ModulePath) it indicates that the module/handler/middleware is not correctly configured.
Scott Ladd
@h5aaimtron
Yeah, definitely getting a 404 on that path. I'll see if there is some additional configuration as compared to your MVC samples. Are there any newer samples available in the sustainsys repo?
Scott Ladd
@h5aaimtron
Simple mistake, added app.UseAuthorization() before app.UseAuthentication() in error. Swapping them to the correct order made the endpoint appear :)
Scott Ladd
@h5aaimtron
@AndersAbel I got pretty much everything up and running locally, just hit a snag deploying into a container. The SP metadata keeps setting everything to http instead of https, but keeps https locally. Is there a way to override which it uses?
Scott Ladd
@h5aaimtron
Nevermind, PublicOrigin..... :) All working now.
Rob King
@robert_p_king_twitter
I'm setting up our app behind a reverse proxy and I've noticed that the host part of AssertionConsumerServiceURL being sent out on the AuthnRequest is that of the actual web service and not the host of the reverse proxy. E.g. the app runs on localhost:44300 but the URL the user is seeing is localhost:7106. I can add both URLs in my test IDP, but I can't guarantee our customers can so is there any way to explicitly configure the whole ACS url?
pranith12345
@pranith12345
Hi, I am facing an issue with SustainSys (v2.2). In CommandResultHttpExtensions.ApplyCookies, Set-Cookie headers are getting duplicated. If I already set asp.net_sessionid, ApplyCookies is duplicating the SessionCookie also. Can anyone please help me resolve this issue?
Anders Abel
@AndersAbel

> Nevermind, PublicOrigin..... :) All working now.

Good :)

> Hi, I am facing an issue with SustainSys (v2.2). In CommandResultHttpExtensions.ApplyCookies, Set-Cookie headers are getting duplicated. If I already set asp.net_sessionid, ApplyCookies is duplicating the SessionCookie also. Can anyone please help me resolve this issue?

You asked the same question on Stack Overflow, didn't you? Well, are you using the Kentor.OwinCookieSaver package in your application?

kktun
@kktun
BadFormatSamlResponseException: The SAML response contains incorrect XML
It happens when the federation logout succeeds and is redirected to https://localhost:5000/Saml2/Acs, which is the Azure AD logout URL.
I would like to know whether Sustainsys can handle the SAML2 logout response and then redirect to my application controller action with the result.
Anders Abel
@AndersAbel
Yes it can handle logout, but the endpoint for the logout is /Saml2/Logout
Zach Graceffa
@ZachGraceffa
Hi Anders, this package is hindering our project's upgrade to .NET Core. Are there any efforts to port this library over?
Scott Ladd
@h5aaimtron
@ZachGraceffa we're using it with a .NET 6 project which is core, so you shouldn't be experiencing any issues with it.
Zach Graceffa
@ZachGraceffa
@h5aaimtron That's good to hear. Are you using it via NuGet? While I don't see any restrictions on framework version in the dependencies, we used the .NET Upgrade Assistant to upgrade our project to .NET 6 and now get the following: warning NU1701: Package 'Sustainsys.Saml2.Owin 2.9.0' was restored using '.NETFramework,Version=v4.6.1, .NETFramework,Version=v4.6.2, .NETFramework,Version=v4.7, .NETFramework,Version=v4.7.1, .NETFramework,Version=v4.7.2, .NETFramework,Version=v4.8, .NETFramework,Version=v4.8.1' instead of the project target framework 'net6.0'. This package may not be fully compatible with your project.
Anders Abel
@AndersAbel
The Owin authentication system isn't compatible with Asp.Net Core at all. For Asp.Net Core you need to use the Sustainsys.Saml2.AspNetCore2 package (name was chosen back when Asp.Net Core 1.x and 2.x had different authentication architecture, it should be named 2+ since it works all the way up to 7)
Zach Graceffa
@ZachGraceffa
Thanks @AndersAbel, I'll look into that package. I think it would be worth an updated readme on the https://github.com/Sustainsys/Saml2 page
Just to help others in the same position as me
Zach Graceffa
@ZachGraceffa

Is there a repo for Sustainsys.Saml2.AspNetCore2? I see one referenced in one of your old comments @AndersAbel

https://stackoverflow.com/a/54233191

But I cannot find the actual repo

Anders Abel
@AndersAbel
@ZachGraceffa Look in the v2 branch.
Zach Graceffa
@ZachGraceffa
Thanks
Dale Francis
@dalefrancis88
I'm trying to learn about setting up SAML2 and I feel like I'm really close. I've just got it logging in, but now when it goes to the '/Saml2/Acs' route I'm getting an Object Reference Exception, which is quite unhelpful:
System.NullReferenceException: Object reference not set to an instance of an object.
   at System.Security.Cryptography.Xml.SignedXml.IsKeyTheCorrectAlgorithm(AsymmetricAlgorithm key, Type expectedType)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
   at Sustainsys.Saml2.XmlHelpers.VerifySignature(IEnumerable`1 signingKeys, SignedXml signedXml, XmlElement signatureElement, Boolean validateCertificate)
   at Sustainsys.Saml2.XmlHelpers.IsSignedByAny(XmlElement xmlElement, IEnumerable`1 signingKeys, Boolean validateCertificate, String minimumSigningAlgorithm)
   at Sustainsys.Saml2.Saml2P.Saml2Response.<>c__DisplayClass60_0.<ValidateSignature>b__0(XmlElement a)
   at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
   at Sustainsys.Saml2.Saml2P.Saml2Response.ValidateSignature(IOptions options, IdentityProvider idp)
   at Sustainsys.Saml2.Saml2P.Saml2Response.CreateClaims(IOptions options, IdentityProvider idp)+MoveNext()
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData)
   at Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState, IdentityProvider identityProvider, String relayState)
   at Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)
   at Sustainsys.Saml2.AspNetCore2.Saml2Handler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
Has anyone seen anything like this? It strikes me as something that'd be common.
Dale Francis
@dalefrancis88
I think it may be down to not using the SigningKeys property on the IdentityProvider, but I don't see any examples where this is used.
Anders Abel
@AndersAbel
Did you set any SigningKeys on the IdentityProvider? Or did you use Metadata from the IdP?
Dale Francis
@dalefrancis88
So this actually turned out to be something silly/crazy. Because I was referencing this off of another project, https://blog.redbaronofazure.com/?p=7720, I was using code from there, and it added in two algorithms. It's implemented with the type name only on the KeyAlgorithm property and not the full type name, resulting in the Type.GetType call in IsKeyTheCorrectAlgorithm returning null.
Dale Francis
@dalefrancis88
Removing those two lines got it working, but sadly that was the end of my journey. I'm trying to implement this in Blazor, but while I can get the application to auth and I can see the auth cookie chilling out in the browser, there is no way that I can find with Blazor to add in RemoteAPIAuthorization for it.
Anders Abel
@AndersAbel
The algorithms being a global registry is really a pain. There should be a way for a library to only affect the library's code and not the entire application, nor other libraries.