ComponentSpace

Forums



InitiateSSO call contains null


InitiateSSO call contains null

Author
Message
paulkeefe
paulkeefe
New Member
New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)

Group: Forum Members
Posts: 16, Visits: 49
ComponentSpace - 9/25/2021
I suggest checking the network traffic first just in case the issue is at your end.

The issue is that they expect to get the request as a POST with params in the body, but it is being sent as a GET with params in the query string. I don't see any way to change SAMLServiceProvider.InitiateSSO to accommodate this. Is there a setting to send as a POST?
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)

Group: Administrators
Posts: 2.9K, Visits: 9.4K
By default, we send the SAML authn request using the HTTP-Redirect binding (transport) which results in an HTTP Get to the identity provider.

There is also the option to send it using the HTTP-Post binding. To do so, specify SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" in your SAML configuration.

For example:


<PartnerIdentityProvider
  Name="https://ExampleIdentityProvider"
  Description="Example Identity Provider"
  SignAuthnRequest="true"
  SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  SingleSignOnServiceUrl="https://localhost:44390/SAML/SSOService.aspx"
  SingleLogoutServiceUrl="https://localhost:44390/SAML/SLOService.aspx">
  <PartnerCertificates>
   <Certificate FileName="Certificates\idp.cer"/>
  </PartnerCertificates>
</PartnerIdentityProvider>




Regards
ComponentSpace Development
paulkeefe
paulkeefe
New Member
New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)

Group: Forum Members
Posts: 16, Visits: 49
ComponentSpace - 9/26/2021
By default, we send the SAML authn request using the HTTP-Redirect binding (transport) which results in an HTTP Get to the identity provider.

There is also the option to send it using the HTTP-Post binding. To do so, specify SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" in your SAML configuration.

For example:


<PartnerIdentityProvider
  Name="https://ExampleIdentityProvider"
  Description="Example Identity Provider"
  SignAuthnRequest="true"
  SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  SingleSignOnServiceUrl="https://localhost:44390/SAML/SSOService.aspx"
  SingleLogoutServiceUrl="https://localhost:44390/SAML/SLOService.aspx">
  <PartnerCertificates>
   <Certificate FileName="Certificates\idp.cer"/>
  </PartnerCertificates>
</PartnerIdentityProvider>



Thanks for the POST config, but I now get a different error. I noted in your example you also have the partner's cert, is that needed? They have my key and I have my cert, but nothing of theirs.
Here's the exception I am getting:
[CryptographicException: Cannot find the requested object.
]
 IdpName.Applications.OurName.Portal.Authentication.SAML2IDP.SingleSignonService.ProcessRequest(HttpContext context) +441
 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +790
 System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +195
 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +88


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)

Group: Administrators
Posts: 2.9K, Visits: 9.4K
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue. 

Regards
ComponentSpace Development
paulkeefe
paulkeefe
New Member
New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)

Group: Forum Members
Posts: 16, Visits: 49
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue. 

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. 
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
paulkeefe
paulkeefe
New Member
New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)

Group: Forum Members
Posts: 16, Visits: 49
paulkeefe - 9/28/2021
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue. 

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. 
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?

Also, the IdP has their certificate exposed in their metadata endpoint like so:
<md:KeyDescriptor>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>base64String</X509Certificate>
</X509Data>
</KeyInfo>
</md:KeyDescriptor>
Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?
paulkeefe
paulkeefe
New Member
New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)New Member (17 reputation)

Group: Forum Members
Posts: 16, Visits: 49
paulkeefe - 9/28/2021
paulkeefe - 9/28/2021
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue. 

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. 
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?

Also, the IdP has their certificate exposed in their metadata endpoint like so:
<md:KeyDescriptor>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>base64String</X509Certificate>
</X509Data>
</KeyInfo>
</md:KeyDescriptor>
Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?

Hi again!
We worked out the first issue, as I thought, they needed my cert not just my key as they had asked. Now I am able to initiate the flow and get an exception that I think might point to my not having a copy of their cert (available from their metadata as stated earlier).
I get this in the log file: Initiation of SSO to the partner identity provider https://globalsignin.cobalttest.net has completed successfully.
But on the web page, I get an exception saying the "The partner identity provider xxx is not configured" which they obviously are. Does this point to my not having their cert? Would you like me to send you the log file?
Thanks again for all your help!


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)

Group: Administrators
Posts: 2.9K, Visits: 9.4K
paulkeefe - 9/28/2021
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue. 

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. 
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?

An HTML form is returned in the HTTP response to the browser. Some JavaScript automatically submits the form which results in an HTTP Post to the identity provider. This is perfectly normal and how the SAML HTTP-Post binding is supposed to work. The identity provider won't see the HTML form. They'll receive an HTTP Post with the SAML response as post data. If you use the browser developer tools to take a look at the network traffic you'll see what I mean. 

Regards
ComponentSpace Development
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)

Group: Administrators
Posts: 2.9K, Visits: 9.4K
paulkeefe - 9/28/2021
paulkeefe - 9/28/2021
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue. 

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. 
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?

Also, the IdP has their certificate exposed in their metadata endpoint like so:
<md:KeyDescriptor>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>base64String</X509Certificate>
</X509Data>
</KeyInfo>
</md:KeyDescriptor>
Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?

The base-64 encoded X.509 certificate string can be copied to a .CER text file and this file specified as the partner identity provider's certificate.

Regards
ComponentSpace Development
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)

Group: Administrators
Posts: 2.9K, Visits: 9.4K
paulkeefe - 9/28/2021
paulkeefe - 9/28/2021
paulkeefe - 9/28/2021
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue. 

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. 
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?

Also, the IdP has their certificate exposed in their metadata endpoint like so:
<md:KeyDescriptor>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>base64String</X509Certificate>
</X509Data>
</KeyInfo>
</md:KeyDescriptor>
Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?

Hi again!
We worked out the first issue, as I thought, they needed my cert not just my key as they had asked. Now I am able to initiate the flow and get an exception that I think might point to my not having a copy of their cert (available from their metadata as stated earlier).
I get this in the log file: Initiation of SSO to the partner identity provider https://globalsignin.cobalttest.net has completed successfully.
But on the web page, I get an exception saying the "The partner identity provider xxx is not configured" which they obviously are. Does this point to my not having their cert? Would you like me to send you the log file?
Thanks again for all your help!


That sounds like a configuration issue rather than a certificate issue. You should have a <PartnerIdentityProvider> entry with a Name of "xxx".

You're welcome to send the SAML log file as an email attachment to [email protected] if you'd like us to take a look.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









Forums, Documentation & Knowledge Base - ComponentSpace


Search