ComponentSpace

Forums



IdP initiated SSO not working


IdP initiated SSO not working

Author
Message
idpInitiatedSSOUser
idpInitiatedSSOUser
New Member
New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)

Group: Forum Members
Posts: 22, Visits: 101
Hi 
I was exploring your product and was creating one PoC on SAML 2 SSO for my application.  I have create a new SamlController in my existing Web API (built on ASPNET core) which has AssertionConsumer, SingleLogoutService and ArtifcatResolutionService methods. I have created a test IdP project outside of the my WEB API (serving as SP) and was not able to invoke the SSO. Can you please help to resolve the issue>
I have verified the config (appsettings.json on test IdP and SP ) and certificates, all are in place but still not able to hit SP with AssertionConsumer for SSO. I am getting site, can't be reach (Err_Connection_Refused) error.

Thanks

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Please note that SAML is a browser-based protocol.
SAML messages are sent via HTTP posts and redirects rather than as web API calls.
I suggest running the ExampleIdentityProvider and ExampleServiceProvider projects in Visual Studio to confirm SSO is working in your environment.
You could then modify the ExampleIdentityProvider's appsettings.json to include your service provider and use this to test SSO.
Once you have your service provider working, you can switch to your own identity provider for testing if you wish.
Regarding the connection refused error, please try browsing to each of the URLs you've configured in the appsettings.json to check that the URLs are correct.
You might get 500 internal errors but I wouldn't expect you to receive connection refused.
If there's still an issue, please enable SAML trace at both your IdP and SP and send the generated log files as email attachments to [email protected].
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace


Regards
ComponentSpace Development
idpInitiatedSSOUser
idpInitiatedSSOUser
New Member
New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)

Group: Forum Members
Posts: 22, Visits: 101
ComponentSpace - 9/27/2018
Please note that SAML is a browser-based protocol.
SAML messages are sent via HTTP posts and redirects rather than as web API calls.
I suggest running the ExampleIdentityProvider and ExampleServiceProvider projects in Visual Studio to confirm SSO is working in your environment.
You could then modify the ExampleIdentityProvider's appsettings.json to include your service provider and use this to test SSO.
Once you have your service provider working, you can switch to your own identity provider for testing if you wish.
Regarding the connection refused error, please try browsing to each of the URLs you've configured in the appsettings.json to check that the URLs are correct.
You might get 500 internal errors but I wouldn't expect you to receive connection refused.
If there's still an issue, please enable SAML trace at both your IdP and SP and send the generated log files as email attachments to [email protected].
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

I changed my Service provider similar to your Example service provider but still its not hitting the SP when initiated SSO from IdP sample. But when I changed my IdP sample to hit your example Service Provider it was hitting the break point. I tried with logging too but not much details about why its not hitting the SP break point (the call is not reaching the SP).  The log says it initiated SSO successfully from IdP. Any further guidance what's is missing from my side.
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
So, just to confirm, when using your IdP and the ExampleServiceProvider, the breakpoint in the assertion consumer service endpoint is hit but when using your SP it doesn't.
What does the browser display?
What's the URL in the address bar? Is it still at your IdP or at your SP application?

Regards
ComponentSpace Development
idpInitiatedSSOUser
idpInitiatedSSOUser
New Member
New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)

Group: Forum Members
Posts: 22, Visits: 101
ComponentSpace - 9/28/2018
So, just to confirm, when using your IdP and the ExampleServiceProvider, the breakpoint in the assertion consumer service endpoint is hit but when using your SP it doesn't.
What does the browser display?
What's the URL in the address bar? Is it still at your IdP or at your SP application?

It was hitting the SP and SP has authorized it correctly and was return the response correctly but it was not redirecting to the correct page.

await _samlIdp.InitiateSsoAsync(partnerName, userName, attributes, relaystate);
return new EmptyResult();

should I pass something valid value in relayState? and how should I open different page from IdP?
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
InitiateSsoAsync will send the SAML response to the SP's configured assertion consumer service endpoint.
Control is now at the SP site. Control is not returned to the IdP.
For IdP-initiated SSO, the optional relay state specifies the target URL the SP should redirect to once SSO completes.
So, after receiving the SAML response at its assertion consumer service endpoint, the SP will redirect to the URL specified by the relay state.
If relay state isn't included, the SP typically redirects to whatever page it presents to a logged in user.

Regards
ComponentSpace Development
idpInitiatedSSOUser
idpInitiatedSSOUser
New Member
New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)

Group: Forum Members
Posts: 22, Visits: 101
ComponentSpace - 10/1/2018
InitiateSsoAsync will send the SAML response to the SP's configured assertion consumer service endpoint.
Control is now at the SP site. Control is not returned to the IdP.
For IdP-initiated SSO, the optional relay state specifies the target URL the SP should redirect to once SSO completes.
So, after receiving the SAML response at its assertion consumer service endpoint, the SP will redirect to the URL specified by the relay state.
If relay state isn't included, the SP typically redirects to whatever page it presents to a logged in user.

Thank you for the quick reply, I was able to redirect but not able to pass few details as response headers to the page SP wants to redirect the IdP to. How can I pass the details to the redirect page (i don't want them to be sent as Query String)?
Also I want Metadata XML of client and pem files related to each individual IdP to be stored in DB and read those details from DB when they initiate the SSO (initiateSsoAsync)? How to achieve this?
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
When the IdP sends a SAML response to the SP the following occurs.
1. IdP returns to the browser an HTTP response containing an HTML form and some JavaScript to automatically submit the form to the SP.
2. Browser executes the JavaScript and sends an HTTP Post with the SAML response as the post data to the SP.
3. SP receives the HTTP Post request containing the SAML response.
Did you want to include additional headers in the HTTP request to the SP?
If so, what type of information do you wish to include?
The standard way for sending information to the SP is to include SAML attributes in the SAML assertion.
Could the information be sent as SAML attributes rather than as HTTP headers?
You can store the SAML configuration including the certificates in a custom database rather than in the appsettings.json.
Please refer to our Configuration Guide which describes either specifying configuration programmatically or implementing the ISamlConfigurationResolver interface.
https://www.componentspace.com/Forums/8234/Configuration-Guide



Regards
ComponentSpace Development
idpInitiatedSSOUser
idpInitiatedSSOUser
New Member
New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)New Member (24 reputation)

Group: Forum Members
Posts: 22, Visits: 101
I am not referring to information sent to SP (we can send data from IdP to SP through SAML attributes), I am referring to the information sent to the redirected page after SAML authentication is done (after Redirect from SP after SSO).
Also how can I do negative tests, if some one is sending crooked SAML request acting as IdP? I want to check how your SAML components behaves in such vulnerability scenarios. 
Thanks


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
The only direct way to send information to the page redirected to after SAML SSO completes is as query string parameters.
The optional relay state parameter to the InitiateSsoAsync specifies the URL the SP should redirect to once SSO completes.
You could include query string parameters in this URL.
The only other option is to use SAML attributes. Your assertion consumer service page could then make these attributes available to the page you redirect to through session variables etc.
As far as negative testing, you can use Fiddler to capture the network traffic and replay it after making whatever modifications you wish to make.
https://www.telerik.com/fiddler
There's a SAML Burp extension for more comprehensive testing.
https://github.com/SAMLRaider/SAMLRaider
There are also SAML browser extensions for Chrome and Firefox that might prove useful.
For example:
https://addons.mozilla.org/es/firefox/addon/saml-tracer/



Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search