ComponentSpace

Forums



ArtifactResolution configuration in PartnerIdentityProvider


ArtifactResolution configuration in PartnerIdentityProvider

Author
Message
raas
raas
New Member
New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)

Group: Forum Members
Posts: 10, Visits: 45
Hi, 

first time user of this component, first time doing a SAML 2.0 implementiation. 
Platform is DigiD which is supported by the Dutch Government. 

I have received an artifact-resolve url which I need to configure, but can't figure out which parameter to use. 

here's my config:

<PartnerIdentityProvider Name="https://was-preprod1.digid.nl"
          Description="DigiD PreProd"
          AuthnContextComparison="minimum"
          AuthnContext="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
          SignAuthnRequest="true"
          SingleSignOnServiceUrl="https://preprod1.digid.nl/saml/idp/request_authentication"
          SingleLogoutServiceUrl="https://preprod1.digid.nl/saml/idp/request_logout"
          PartnerCertificateFile="Certificates\digid_preprod.cer"
          
          />


tried adding

ArtifactResolutionServiceUrl="https://was-preprod1.digid.nl/saml/idp/resolve_artifact"


but it's telling me that "ArtifactResolutionServiceUrl" attribute is not declared. 

which attribute/property do I need to use to configure my PartnerIdentityProvider correctly?

Thanks!!!


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
We support the HTTP-Artifact binding in the SAML low-level API but I'm afraid it's not supported in the high-level API and through configuration.
The reason for this is that in 99% of use cases HTTP-Post is used to send SAML responses.
Is it possible to use HTTP-Post instead of HTTP-Artifact for receiving SAML responses?
If not, you would need to use the SAML low-level API. The SAML2ServiceProvider project under the Examples\SSO\LowLevelAPI\SP-Initiated folder demonstrates support for all the bindings including HTTP-Artifact. The SAML/AssertionConsumerService.aspx page shows how to receive the artifact and then make a call via the back channel to receive the SAML response.

Regards
ComponentSpace Development
raas
raas
New Member
New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)

Group: Forum Members
Posts: 10, Visits: 45
Hi, 

Thanks for your reply,
In the AuthnRequest I'm able to configure Redirect or Post. 

As I understand, i will have a look at the low level api. 
have talked to a friend working at a different company, already done this, using component space, also low level...

was wondering if it was able in the high-level api. 

Thanks, 

will check back if I have questions. 



ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Thank you.

Regards
ComponentSpace Development
raas
raas
New Member
New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)

Group: Forum Members
Posts: 10, Visits: 45
Ok, so I'm a bit puzzled here.. 

In the high-level api I was able to configure my identity provider as displayed in the 1st post. 

Now in the low-level api I understand it's a bit different. 
I'll do this step by step, so first I changed "idpssoURL" in web.config to the correct url of my IdP.
Just to test to see if it was doing a request a the correct url I tried, worked partially as I didn't provide complete attributes as 'AuthnContextComparison" or "AuthnContext" ... 

But where do I configure these in the low-level api?
I might be missing something, but is there documentation on the low-level specifically?

also right now, without configuring the IdP correctly I noticed that the request was partially different at the beginning..

from high-level: (starts directly with SAMLRequest parameter)
https://preprod1.digid.nl/saml/idp/request_authentication?SAMLRequest=nVNNj9owEP0rke%2F5ImF3.......


from low-level  (has 'binding' parameter in front, do I need to change this?)
https://preprod1.digid.nl/saml/idp/request_authentication?binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-Redirect&SAMLRequest=lZLNTsMwEIRfJbLEMXGaVLRYTVGhQlTiJ6KFAxf



Thanks!




ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
The low-level API doesn't support SAML configuration. You pass into the API such things as the partner provider URLs etc. The example stores some of this information in web.config but this is information accessed by the application rather than the API.

The SAML2ServiceProvider example includes a binding query string parameter but this is something specific to this example and not something you would normally do in a production application. You'll see LoginChoice.aspx includes a CreateSSOServiceURL method that includes the binding parameter.

The RequestLoginAtIdentityProvider method in LoginChoice.aspx demonstrates how to send a SAML authn request using the various SAML bindings including HTTP-Artifact.

The ReceiveSAMLResponse method in SAML/AssertionConsumerService.aspx demonstrates how to receive a SAML response using the various SAML binding methods including HTTP-Artifact. In the example we use the binding query string parameter to identify which binding to use to receive the SAML response but this is only for demonstration purposes. In a production environment you wouldn't use a binding parameter as you would know which binding you support.

SAML/ArtifactResponder.aspx is a separate endpoint that receives and processes artifact resolution messages in support of the HTTP-Artifact binding. For example, if the SAML authn request is sent via HTTP-Artifact, the IdP will send an artifact resolve message to the SP's SAML/ArtifactResponder.aspx. It will send an artifact response with the authn request as its payload.

Regards
ComponentSpace Development
raas
raas
New Member
New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)

Group: Forum Members
Posts: 10, Visits: 45
ComponentSpace - 8/6/2019


Thank you!

doing the artifact resolve in the low level API right now. 

receiving a SSL/TLS error, have searched the forum and in the browser I am able to access the url although it requests me to install a certificate.  https://was-preprod1.digid.nl/saml/idp/resolve_artifact
my server (Azure web app)  is on TLS 1.2 and have tried 1.1 and 1.0 to no avail. 

here's the log:
what do I need to do. 


4544/8: 10-8-2019 20:01:55: Initiation of SSO to the partner identity provider https://was-preprod1.digid.nl has completed successfully.
aspx.page: End Raise PostBackEvent
aspx.page: Begin LoadComplete
aspx.page: End LoadComplete
aspx.page: Begin PreRender
aspx.page: End PreRender
aspx.page: Begin PreRenderComplete
aspx.page: End PreRenderComplete
aspx.page: Begin SaveState
aspx.page: End SaveState
aspx.page: Begin SaveStateComplete
aspx.page: End SaveStateComplete
aspx.page: Begin Render
aspx.page: End Render
aspx.page: Begin PreInit
aspx.page: End PreInit
aspx.page: Begin Init
aspx.page: End Init
aspx.page: Begin InitComplete
aspx.page: End InitComplete
aspx.page: Begin PreLoad
aspx.page: End PreLoad
aspx.page: Begin Load
4544/12: 10-8-2019 20:02:15: Receiving artifact in query string over HTTP Artifact
4544/12: 10-8-2019 20:02:15: HTTP request:
GET /deelnemers/digid/SAML/AssertionConsumerService.aspx?SAMLart=AAQAAM2K4swP9wWZMpSMawzmyp%2B75KEUGYV8hoWXtDsBrhMYRumyttUFjeY%3D&RelayState=%2Fdeelnemers%2Fdigid%2F HTTP/1.1
Cache-Control: max-age=0
Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ASP.NET_SessionId=mnzsurqdaohxindxsicstetk; ARRAffinity=6591cf898a2df97f256faef2b3ccdfd7ce2616b02ae94737cf84d54a31a581db; jsCookieCheck=null; SAML_SessionId=d9a7c9ef-c276-4211-bcac-edfb0be07c6f
Host: www.spx-preprod.nl
Max-Forwards: 10
Referer: https://preprod1.digid.nl/inloggen_basis
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Upgrade-Insecure-Requests: 1
X-WAWS-Unencoded-URL: /deelnemers/digid/SAML/AssertionConsumerService.aspx?SAMLart=AAQAAM2K4swP9wWZMpSMawzmyp%2B75KEUGYV8hoWXtDsBrhMYRumyttUFjeY%3D&RelayState=%2Fdeelnemers%2Fdigid%2F
CLIENT-IP: 31.20.113.75:56896
X-ARR-LOG-ID: 89428828-de34-4f2b-9456-1d2cd4e0550a
DISGUISED-HOST: www.spx-preprod.nl
X-SITE-DEPLOYMENT-ID: xeroxpensioenfondsen__8fc6
WAS-DEFAULT-HOSTNAME: xeroxpensioenfondsen-spx-preprod.azurewebsites.net
X-Original-URL: /deelnemers/digid/SAML/AssertionConsumerService.aspx?SAMLart=AAQAAM2K4swP9wWZMpSMawzmyp%2B75KEUGYV8hoWXtDsBrhMYRumyttUFjeY%3D&RelayState=%2Fdeelnemers%2Fdigid%2F
X-Forwarded-For: 31.20.113.75:56896
X-ARR-SSL: 2048|256|C=NL, O=KPN B.V., OID.2.5.4.97=NTRNL-27124701, CN=KPN BV PKIoverheid Organisatie Server CA - G3|C=NL, S=Limburg, L=Venray, O=Stichting Pensioenfonds Xerox, SERIALNUMBER=00000003120399100000, CN=www.spx-preprod.nl
X-Forwarded-Proto: https
X-AppService-Proto: https

4544/12: 10-8-2019 20:02:15: Query string value: SAMLart=AAQAAM2K4swP9wWZMpSMawzmyp+75KEUGYV8hoWXtDsBrhMYRumyttUFjeY=
4544/12: 10-8-2019 20:02:15: Query string value: RelayState=/deelnemers/digid/
4544/12: 10-8-2019 20:02:15: Received artifact in query string over HTTP Artifact, artifact=AAQAAM2K4swP9wWZMpSMawzmyp+75KEUGYV8hoWXtDsBrhMYRumyttUFjeY=, relayState=/deelnemers/digid/
4544/12: 10-8-2019 20:02:15: Sending request over SOAP, destinationURL=https://was-preprod1.digid.nl/saml/idp/resolve_artifact, samlMessage=<samlp:ArtifactResolve ID="_f9ccaef4-ff62-4759-b632-f90624f9ca04" Version="2.0" IssueInstant="2019-08-10T20:02:15.886Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">www.spx-preprod.nl</saml:Issuer><samlp:Artifact>AAQAAM2K4swP9wWZMpSMawzmyp+75KEUGYV8hoWXtDsBrhMYRumyttUFjeY=</samlp:Artifact></samlp:ArtifactResolve>
4544/12: 10-8-2019 20:02:15: Sending request over SOAP, samlMessage=<samlp:ArtifactResolve ID="_f9ccaef4-ff62-4759-b632-f90624f9ca04" Version="2.0" IssueInstant="2019-08-10T20:02:15.886Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">www.spx-preprod.nl</saml:Issuer><samlp:Artifact>AAQAAM2K4swP9wWZMpSMawzmyp+75KEUGYV8hoWXtDsBrhMYRumyttUFjeY=</samlp:Artifact></samlp:ArtifactResolve>
4544/12: 10-8-2019 20:02:16: Sending SOAP request: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><samlp:ArtifactResolve ID="_f9ccaef4-ff62-4759-b632-f90624f9ca04" Version="2.0" IssueInstant="2019-08-10T20:02:15.886Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">www.spx-preprod.nl</saml:Issuer><samlp:Artifact>AAQAAM2K4swP9wWZMpSMawzmyp+75KEUGYV8hoWXtDsBrhMYRumyttUFjeY=</samlp:Artifact></samlp:ArtifactResolve></SOAP-ENV:Body></SOAP-ENV:Envelope>
4544/12: 10-8-2019 20:02:16: Exception: ComponentSpace.SAML2.Exceptions.SAMLBindingException: Failed to send/receive SAML request/response over SOAP. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
 at System.Net.HttpWebRequest.GetResponse()
 at ComponentSpace.SAML2.Bindings.SOAPBinding.SendRequestReceiveResponse(WebRequest webRequest, XmlElement samlMessage)
 --- End of inner exception stack trace ---
4544/12: 10-8-2019 20:02:16:  at ComponentSpace.SAML2.Bindings.SOAPBinding.SendRequestReceiveResponse(WebRequest webRequest, XmlElement samlMessage)
 at ComponentSpace.SAML2.Bindings.SOAPBinding.SendRequestReceiveResponse(String destinationURL, XmlElement samlMessage)
 at ComponentSpace.SAML2.Profiles.ArtifactResolution.ArtifactResolver.SendRequestReceiveResponse(String destinationURL, XmlElement artifactResolve)
 at ExampleServiceProvider.SAML.AssertionConsumerService.ReceiveSAMLResponse(SAMLResponse& samlResponse, String& relayState) in C:\Users\raas\Documents\************\spx-preprod.nl\SPX-DigiD\SAML\AssertionConsumerService.aspx.cs:line 66
 at ExampleServiceProvider.SAML.AssertionConsumerService.ProcessSAMLResponse() in C:\Users\raas\Documents\***********\spx-preprod.nl\SPX-DigiD\SAML\AssertionConsumerService.aspx.cs:line 147
 at ExampleServiceProvider.SAML.AssertionConsumerService.Page_Load(Object sender, EventArgs e) in C:\Users\raas\Documents\********\spx-preprod.nl\SPX-DigiD\SAML\AssertionConsumerService.aspx.cs:line 170
 at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
 at System.Web.UI.Control.OnLoad(EventArgs e)
 at System.Web.UI.Control.LoadRecursive()
 at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 at System.Web.UI.Page.ProcessRequest()
 at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
 at System.Web.UI.Page.ProcessRequest(HttpContext context)
 at ASP.saml_assertionconsumerservice_aspx.ProcessRequest(HttpContext context) in d:\local\Temporary ASP.NET Files\deelnemers_digid\f40fc632\13dbac8d\App_Web_u4jzbbk1.3.cs:line 0
 at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
 at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
 at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
 at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
 at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)

aspx.page: End Load
aspx.page: Begin LoadComplete
aspx.page: End LoadComplete
aspx.page: Begin PreRender
aspx.page: End PreRender
aspx.page: Begin PreRenderComplete
aspx.page: End PreRenderComplete
aspx.page: Begin SaveState
aspx.page: End SaveState
aspx.page: Begin SaveStateComplete
aspx.page: End SaveStateComplete
aspx.page: Begin Render
aspx.page: End Render




ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
I can't see the full stack trace but I presume the issue is with the SOAP connection and a self-signed certificate. Try adding the following code to your application start-up. It allows self-signed certificates to be trusted. Once working, you can refine the code as required.


using System.Net;

private static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
  return true;
}

ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;




Regards
ComponentSpace Development
raas
raas
New Member
New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)New Member (13 reputation)

Group: Forum Members
Posts: 10, Visits: 45
ComponentSpace - 8/10/2019


Hi! Many thanks for your reply.

Actually, no, these certificates are not self signed. They are obtained at the dutch government and consists of a total of 4 certificates in a chain.
I already found the 'trust certificate' solution in the forum and tried it, but that didn't work immediately.

I have to debug this to see what's going on.
I've created some kind of a 'hybrid' solution consisting of the high-level and low-level api.
Authentication is done with high-level, because that just works perfectly with only configuring.
and I'm doing the artifact resolve with the low-level solution, now running into a tls/ssl configuration issue.

Thanks!

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Let us know what you find. Thanks.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 1 query. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search