Updated my Local Certificate that is expiring; my website is now using the new certificate successfully, but the old certificate is still active and in place for our SSO partners.
Following the rollover steps suggested in:
https://www.componentspace.com/documentation/saml-for-asp-net/ComponentSpace%20SAML%20for%20ASP.NET%20Certificate%20Guide.pdf
My previous working saml.config references the following under
<ServiceProvider
LocalCertificateSerialNumber="0ecbb074f6b12e8c920232b15eb61816"/> so I updated the serial to the new serial number.
Under my Partner section, I updated this to use the old one.
<PartnerIdentityProvider
LocalCertificateSerialNumber="09dcd423cd27de888c08a228c3e2677b"/>
----The above config works---
When I have my PartnerIDP update their side with my new local pub cert AND I update the PartnerIDP local cert serial number to match the new cert serial number, SSO fails and I don't hit their IDP sign-in page.
The idp.log shows the below exception error, but it's not clear.
I've tried cycling the IIS, but don't think I have to, as we can revert the changes and SSO resumes working.
I have to rely on the PartnerIDP resource to update their side with my new pub cert, but I think they're doing it correctly because it's working when they roll it back and install the old one.
Any suggestions are appreciated -
Exception Error:
ComponentSpace.SAML2 Verbose: 0 : 2812/60: 10/21/2021 7:22:53 PM: Verifying the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 2812/60: 10/21/2021 7:22:53 PM: XML signature verification was successful.
ComponentSpace.SAML2 Verbose: 0 : 2812/60: 10/21/2021 7:22:53 PM: The SAML response signature verified.
ComponentSpace.SAML2 Verbose: 0 : 2812/60: 10/21/2021 7:22:53 PM: Exception: ComponentSpace.SAML2.Exceptions.SAMLErrorStatusException: An error SAML response status was received. urn:oasis:names:tc:SAML:2.0:status:Responder
ComponentSpace.SAML2 Verbose: 0 : 2812/60: 10/21/2021 7:22:53 PM: at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
at SAML.AssertionConsumerService.Page_Load(Object sender, EventArgs e) in ..\SAML\AssertionConsumerService.aspx.cs:line 22
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
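The status code in the logged exception, urn:oasis:names:tc:SAML:2.0:status:Responder, is the SAML 2.0 top-level code meaning the IdP could not process the request for a reason on its side; the SAML 2.0 core spec lets the IdP add a nested second-level StatusCode and a StatusMessage with the detail, and those are the fields worth pulling out of the failed response before going back to the partner. The script below is an added example for decoding a captured SAMLResponse POST value and summarizing its Status block with the Python standard library; it is not code from the original post or from ComponentSpace. The embedded response, its issuer URL, InResponseTo value, nested RequestDenied code and StatusMessage text are all constructed for illustration.

```python
"""Summarize the Status block of a SAML 2.0 Response.

A top-level StatusCode of urn:oasis:names:tc:SAML:2.0:status:Responder
only says the IdP failed the request; the IdP may add a nested StatusCode
and a StatusMessage that explain why. This pulls those out of a decoded
Response so the SP operator has something concrete to send to the IdP team.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: an IdP error response with a nested code and a
# message. Issuer, IDs and message text are made up for this example.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-response" Version="2.0"
    IssueInstant="2021-10-21T19:22:53Z"
    InResponseTo="_example-request"
    Destination="https://sp.example.com/SAML/AssertionConsumerService.aspx">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Constructed example message from the IdP</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# The same response as it would appear in the SAMLResponse form field of an
# HTTP-POST binding (base64 of the XML).
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse form field back to XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def summarize_status(response_xml: str) -> dict:
    """Return issuer, InResponseTo, the StatusCode chain, the message and
    whether an assertion is present, for a samlp:Response document."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response has no Status element")

    # Walk the nested StatusCode elements: top-level first, then any
    # second-level code the IdP added.
    codes = []
    node = status.find("samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)

    msg = status.find("samlp:StatusMessage", NS)
    issuer = root.find("saml:Issuer", NS)
    has_assertion = (
        root.find("saml:Assertion", NS) is not None
        or root.find("saml:EncryptedAssertion", NS) is not None
    )
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "in_response_to": root.get("InResponseTo"),
        "status_codes": codes,
        "status_message": msg.text.strip() if msg is not None and msg.text else None,
        "success": codes[:1] == [SUCCESS],
        "has_assertion": has_assertion,
    }


if __name__ == "__main__":
    summary = summarize_status(decode_saml_response(SAMPLE_RESPONSE_B64))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

To use it on a real failure, capture the SAMLResponse form field posted to AssertionConsumerService.aspx (browser developer tools or a SAML tracer extension will show it), pass it to decode_saml_response, and send the resulting status codes and message to the IdP administrator; an error response that carries only the Responder code and no message means the detail exists only in the IdP's own logs.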