InitiateSSO call contains null

paulkeefe
New Member

Group: Forum Members
Posts: 16, Visits: 49
ComponentSpace - 9/28/2021
paulkeefe - 9/28/2021
paulkeefe - 9/28/2021
paulkeefe - 9/28/2021
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue. 

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. 
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?

Also, the IdP has their certificate exposed in their metadata endpoint like so:
<md:KeyDescriptor>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>base64String</X509Certificate>
</X509Data>
</KeyInfo>
</md:KeyDescriptor>
Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?

Hi again!
We worked out the first issue: as I thought, they needed my cert, not just my key as they had asked. Now I am able to initiate the flow and get an exception that I think might point to my not having a copy of their cert (available from their metadata as stated earlier).
I get this in the log file: Initiation of SSO to the partner identity provider https://globalsignin.cobalttest.net has completed successfully.
But on the web page, I get an exception saying "The partner identity provider xxx is not configured", which they obviously are. Does this point to my not having their cert? Would you like me to send you the log file?
Thanks again for all your help!


That sounds like a configuration issue rather than a certificate issue. You should have a <PartnerIdentityProvider> entry with a Name of "xxx".

You're welcome to send the SAML log file as an email attachment to [email protected] if you'd like us to take a look.

I do have that; I don't think I could connect to them at all otherwise. Here it is with their name changed:
<PartnerIdentityProviders>
  <PartnerIdentityProvider
    Name="https://my-idp.net"
    Description="Global Sign In IdP"
    SignAuthnRequest="true"
    SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    SingleSignOnServiceUrl="https://my-idp.net/Authentication/SAML2IDP/CertificationPortal/SingleSignonService.ashx"
    SingleLogoutServiceUrl="https://my-idp.net/Authentication/SAML2IDP/CertificationPortal/SingleLogoutService.ashx">
  </PartnerIdentityProvider>
</PartnerIdentityProviders>

paulkeefe
New Member
Group: Forum Members
Posts: 16, Visits: 49
paulkeefe - 9/28/2021

Here is the stack trace if helpful:
[SAMLConfigurationException: The partner identity provider https://my-idp.net/ is not configured.]

 ComponentSpace.SAML2.Configuration.Resolver.SAMLConfigurationResolver.GetPartnerIdentityProviderConfiguration(String configurationID, String partnerName) +457
 ComponentSpace.SAML2.InternalSAMLServiceProvider.GetPartnerIdentityProviderConfiguration(String partnerName) +29
 ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState) +102
 CertificationPortal.Controllers.SamlController.AssertionConsumerService() in C:\Users\paul.keefe\Source\Repos\CertificationPortal\CertificationPortal\Controllers\SamlController.cs:61
 lambda_method(Closure , ControllerBase , Object[] ) +62
 System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
 System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +169
 System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
 System.Web.Mvc.Async.<>c.<BeginInvokeSynchronousActionMethod>b__9_0(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +22
 System.Web.Mvc.Async.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) +29
 System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
 System.Web.Mvc.Async.<>c__DisplayClass11_0.<InvokeActionMethodFilterAsynchronouslyRecursive>b__0() +58
 System.Web.Mvc.Async.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2() +228
 System.Web.Mvc.Async.<>c__DisplayClass7_0.<BeginInvokeActionMethodWithFilters>b__1(IAsyncResult asyncResult) +10
 System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
 System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
 System.Web.Mvc.Async.<>c__DisplayClass3_6.<BeginInvokeAction>b__4() +35
 System.Web.Mvc.Async.<>c__DisplayClass3_1.<BeginInvokeAction>b__1(IAsyncResult asyncResult) +100
 System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
 System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
 System.Web.Mvc.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState) +11
 System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
 System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
 System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +45
 System.Web.Mvc.<>c.<BeginExecute>b__151_2(IAsyncResult asyncResult, Controller controller) +13
 System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +22
 System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
 System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
 System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
 System.Web.Mvc.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) +28
 System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
 System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
 System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
 System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +577
 System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +132
 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +163

ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 2.9K, Visits: 9.4K
The configured name is "https://my-idp.net". The issuer field in the SAML response is "https://my-idp.net/".

Update your saml.config so the name includes the trailing slash.

<PartnerIdentityProvider
    Name="https://my-idp.net/"


Regards
ComponentSpace Development
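To make the exact-match rule in the answer above concrete, here is an added Python example. It is not ComponentSpace code (the product itself is .NET); it parses a saml.config fragment built from the values posted in this thread and a constructed SAML Response stub that carries only the Issuer, then looks the Issuer up the way the error message implies: a byte-for-byte comparison with the configured Name, with no trailing-slash or case normalisation.

```python
"""Exact-match lookup of a SAML Response Issuer against partner IdP names.

Added example, not ComponentSpace code. The saml.config fragment reuses the
values posted in this thread; the SAML Response is a constructed stub that
carries only the Issuer element.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed saml.config fragment: Name has no trailing slash, as originally posted.
SAML_CONFIG = """<PartnerIdentityProviders>
  <PartnerIdentityProvider
    Name="https://my-idp.net"
    Description="Global Sign In IdP"
    SignAuthnRequest="true"
    SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    SingleSignOnServiceUrl="https://my-idp.net/Authentication/SAML2IDP/CertificationPortal/SingleSignonService.ashx"
    SingleLogoutServiceUrl="https://my-idp.net/Authentication/SAML2IDP/CertificationPortal/SingleLogoutService.ashx">
  </PartnerIdentityProvider>
</PartnerIdentityProviders>"""

# Constructed SAML Response stub: only the Issuer is relevant to this check.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2021-09-28T00:00:00Z">
  <saml:Issuer>https://my-idp.net/</saml:Issuer>
</samlp:Response>"""


def configured_partner_names(config_xml: str) -> set[str]:
    """Collect every PartnerIdentityProvider Name from a saml.config document."""
    root = ET.fromstring(config_xml)
    return {el.get("Name") for el in root.iter("PartnerIdentityProvider") if el.get("Name")}


def response_issuer(response_xml: str) -> str:
    """Return the Issuer exactly as sent; only surrounding whitespace is dropped."""
    root = ET.fromstring(response_xml)
    issuer = root.find("saml:Issuer", NS)
    text = (issuer.text or "").strip() if issuer is not None else ""
    if not text:
        raise ValueError("SAML Response carries no Issuer")
    return text


def find_partner(issuer: str, names: set[str]) -> str | None:
    """Exact, case-sensitive match; no trailing-slash or case normalisation."""
    return issuer if issuer in names else None


def diagnose(issuer: str, names: set[str]) -> str:
    """Explain a 'partner identity provider ... is not configured' failure."""
    if issuer in names:
        return "ok"
    for name in names:
        if name.rstrip("/") == issuer.rstrip("/"):
            return (f"near miss: configured Name {name!r} and Issuer {issuer!r} differ only "
                    "by a trailing slash; change the config, do not relax the match")
        if name.lower() == issuer.lower():
            return f"near miss: configured Name {name!r} differs from Issuer {issuer!r} only in case"
    return f"no PartnerIdentityProvider named {issuer!r}"


if __name__ == "__main__":
    names = configured_partner_names(SAML_CONFIG)
    issuer = response_issuer(SAML_RESPONSE)
    print(find_partner(issuer, names), "|", diagnose(issuer, names))
```

The tempting fix when this error appears is to loosen the comparison (strip slashes, ignore case). That is the wrong fix: the Issuer is the key under which the SP selects which certificate may sign assertions, and a lookup that collapses distinct strings lets two differently named partners share trust. Keep the match exact and correct the configured Name instead, as the answer above says; the `diagnose` helper only reports the near miss so an operator can find it quickly.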
paulkeefe
New Member

Group: Forum Members
Posts: 16, Visits: 49
ComponentSpace - 9/28/2021

Fantastic! I just sent you the log file, but this sounds like the first step. I'll give it a try now and let you know how it goes.
Thanks, Paul
paulkeefe
New Member
Group: Forum Members
Posts: 16, Visits: 49
paulkeefe - 9/28/2021

That worked! The issue now is the reading of the X509.

An X.509 signature certificate for the partner identity provider https://my-idp.net/ hasn't been configured.

This is a question I asked earlier, but now it is back to the front. Can I configure the product to read the certificate from their metadata (<X509Data>)? Or do I need to get their actual certificate and put it in my Certificates folder? Could I simply take their base64 from their metadata and use that somehow?



ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 2.9K, Visits: 9.4K
Thanks for the log file. This confirms that the issue is the missing trailing slash in the <PartnerIdentityProvider> Name. This name must match exactly with the name used at the identity provider site.

Regards
ComponentSpace Development
ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 2.9K, Visits: 9.4K
paulkeefe - 9/28/2021

Simply copy the base-64 string to a text file with a .CER extension. Configure this file as the partner identity provider's certificate file. 

For example:

<PartnerIdentityProvider
  Name="https://my-idp.net/">
  <PartnerCertificates>
    <Certificate FileName="my-idp.cer"/>
  </PartnerCertificates>
</PartnerIdentityProvider>



Regards
ComponentSpace Development
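The answer above (copy the base-64 string out of the IdP's metadata into a .CER file and reference it from the partner entry) done as a script, as an added Python example rather than ComponentSpace's own code. The metadata document is constructed with the same `<md:KeyDescriptor>` shape the question quoted, and its `<X509Certificate>` content is a placeholder DER SEQUENCE, not a real certificate, so the script checks only that the decoded bytes have DER structure; it also emits the matching `<PartnerIdentityProvider>` fragment with the Name taken verbatim from the metadata `entityID`, which is how the trailing-slash mismatch from earlier in this thread is avoided.

```python
"""Turn the <X509Certificate> from IdP metadata into a .cer file and a config entry.

Added example, not ComponentSpace code. The metadata document is constructed
for illustration and its certificate is a placeholder DER SEQUENCE, not a real
X.509 certificate, so this script checks structure, not certificate validity.
"""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder standing in for DER certificate bytes: SEQUENCE { INTEGER 1 }.
PLACEHOLDER_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")

# Constructed metadata with the KeyDescriptor shape quoted in the thread; the
# base64 is deliberately indented and line-wrapped, as real metadata often is.
METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://my-idp.net/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            {PLACEHOLDER_B64}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs(metadata_xml: str):
    """Return (entityID, [DER cert bytes, ...]) for KeyDescriptors usable for signing."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # use="encryption" keys never verify signatures; an absent 'use' means both.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop indentation and line wraps
            der = base64.b64decode(b64, validate=True)
            if not der or der[0] != 0x30:  # every DER certificate starts with SEQUENCE
                raise ValueError("X509Certificate content is not a DER SEQUENCE")
            certs.append(der)
    if not certs:
        raise ValueError("metadata has no signing certificate")
    return entity_id, certs


def to_cer(der: bytes) -> str:
    """PEM-armoured text (BEGIN/END CERTIFICATE), which every certificate loader accepts."""
    return ssl.DER_cert_to_PEM_cert(der)


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint to confirm with the IdP out of band before trusting the file."""
    return hashlib.sha256(der).hexdigest()


def config_entry(entity_id: str, cer_filename: str) -> str:
    """saml.config fragment; Name is the entityID verbatim, trailing slash included."""
    return (f"<PartnerIdentityProvider\n  Name={quoteattr(entity_id)}>\n"
            f"  <PartnerCertificates>\n    <Certificate FileName={quoteattr(cer_filename)}/>\n"
            f"  </PartnerCertificates>\n</PartnerIdentityProvider>")


if __name__ == "__main__":
    entity_id, certs = signing_certs(METADATA)
    with open("my-idp.cer", "w", encoding="ascii") as fh:
        fh.write(to_cer(certs[0]))
    print(config_entry(entity_id, "my-idp.cer"))
    print("sha256:", sha256_fingerprint(certs[0]))
```

Two practitioner notes. The answer above says the bare base-64 string in a .CER file is enough; this script writes the PEM-armoured form instead because every loader accepts it, and either way the file is trusted only as far as the HTTPS fetch of the metadata was, so compare the SHA-256 fingerprint with the IdP out of band before relying on it. Metadata can also list several `KeyDescriptor` elements; keys marked `use="encryption"` are skipped here because they never sign a Response, while a descriptor without a `use` attribute counts for both purposes.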