ComponentSpace Forums

Rolling Over Local Certificate Getting an error when Partner updates / fails SSO
boyd98
New Member (45 reputation)

Group: Forum Members
Posts: 31, Visits: 164
Updated my Local Certificate that is expiring; my website is now using the new certificate successfully, but the old certificate is still active and in place for our SSO partners.
Following the rollover steps suggested in: https://www.componentspace.com/documentation/saml-for-asp-net/ComponentSpace%20SAML%20for%20ASP.NET%20Certificate%20Guide.pdf

My previous working saml.config references the following under
<ServiceProvider
LocalCertificateSerialNumber="0ecbb074f6b12e8c920232b15eb61816"/>
so I updated the serial to the new serial number.

Under my Partner section, I updated this to use the old one.
<PartnerIdentityProvider
LocalCertificateSerialNumber="09dcd423cd27de888c08a228c3e2677b"/>

----The above config works---

When I have my PartnerIDP update their side with my new local public cert AND I update the PartnerIDP local cert serial number to match the new cert serial number, SSO fails and I don't hit their IDP sign-in page.

The idp.log shows the below exception error, but it's not clear.
I've tried cycling the IIS, but don't think I have to, as we can revert the changes and SSO resumes working.

I have to rely on the PartnerIDP resource to update their side with my new public cert, but I think they're doing it correctly because it's working when they roll it back and install the old one.

Any suggestions are appreciated -

Exception Error:
ComponentSpace.SAML2 Verbose: 0 : 2812/60: 10/21/2021 7:22:53 PM: Verifying the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 2812/60: 10/21/2021 7:22:53 PM: XML signature verification was successful.
ComponentSpace.SAML2 Verbose: 0 : 2812/60: 10/21/2021 7:22:53 PM: The SAML response signature verified.
ComponentSpace.SAML2 Verbose: 0 : 2812/60: 10/21/2021 7:22:53 PM: Exception: ComponentSpace.SAML2.Exceptions.SAMLErrorStatusException: An error SAML response status was received. urn:oasis:names:tc:SAML:2.0:status:Responder
ComponentSpace.SAML2 Verbose: 0 : 2812/60: 10/21/2021 7:22:53 PM:  at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
 at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
 at SAML.AssertionConsumerService.Page_Load(Object sender, EventArgs e) in ..\SAML\AssertionConsumerService.aspx.cs:line 22
 at System.Web.UI.Control.OnLoad(EventArgs e)
 at System.Web.UI.Control.LoadRecursive()
 at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 at System.Web.UI.Page.ProcessRequest()
 at System.Web.UI.Page.ProcessRequest(HttpContext context)
 at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
 at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
 at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
 at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
 at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)

ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
You're receiving an error status SAML response from the identity provider.

If the only thing that has changed is the certificate, it sounds like the SAML authn request failed to verify at the IdP and therefore it returned an error response.

If the IdP is ADFS, please ask the ADFS admin to check the Windows event log on the ADFS server. There'll be one or more error events associated with the failed SSO providing more details.

Also ask them to double check that the new certificate is configured for your relying party.

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.
Regards
ComponentSpace Development
boyd98
New Member (45 reputation)

Group: Forum Members
Posts: 31, Visits: 164
Thanks for your response.
I found the resolution to my issue.

https://www.componentspace.com/Forums/29/Troubleshooting-Loading-X.509-Certificates

My private key on the new cert didn't have the proper privileges for IIS.
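As an added example that is not part of this thread or of ComponentSpace's own tooling, the following PowerShell script checks the condition the post above resolved: it locates the local signing certificate by the serial number from saml.config and verifies (or, with -Fix, grants) read access to its private key for the IIS application pool identity. The pool name, the LocalMachine\My store and the use of the serial from the first post as a placeholder are assumptions.

```powershell
# Added example (not from the thread or ComponentSpace): find the local signing
# certificate by the serial number used in saml.config and check that the IIS
# application pool identity can read its private key. Run from an elevated
# PowerShell prompt on the web server.
param(
    [string]$SerialNumber = "0ecbb074f6b12e8c920232b15eb61816",  # placeholder: serial from the post
    [string]$AppPoolName  = "DefaultAppPool",                      # assumed pool name
    [switch]$Fix
)
$identity = "IIS AppPool\$AppPoolName"

# Keep only hex digits: serials pasted from the certificate dialog often carry
# spaces or invisible characters that make the store lookup fail.
$clean = $SerialNumber -replace '[^0-9A-Fa-f]', ''

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $clean }
if (-not $cert) { throw "No certificate with serial $clean in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# Resolve the on-disk key file: CNG keys live under Crypto\Keys, legacy CAPI (CSP)
# keys under Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate does not carry an RSA private key" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

# Does an Allow ACE for the app pool identity include the Read bits?
$readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
$hasRead = (Get-Acl $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readMask) -ne 0)
}
if ($hasRead) {
    Write-Host "OK: $identity can read the private key of $($cert.Subject)"
} elseif ($Fix) {
    # Read is all the SP needs in order to sign; never grant modify or full control here.
    icacls $keyFile /grant "$($identity):R" | Out-Null
    Write-Host "Granted read access on $keyFile to $identity"
} else {
    Write-Warning "$identity cannot read $keyFile; re-run with -Fix to grant read access"
}
```

Run it once for the serial in the ServiceProvider element and once for each PartnerIdentityProvider serial so that both the old and the new key are checked during the rollover.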
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Thanks for the update. I'm glad you were able to resolve the issue.

Regards
ComponentSpace Development