ComponentSpace

Forums



The SAML response destination ... doesn't match the expected destination ...


The SAML response destination ... doesn't match the expected...

Author
Message
aheho
aheho
New Member
New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)

Group: Forum Members
Posts: 17, Visits: 74
After upgrading to version 2. 6.0.19


ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML response destination https://domain.com/saml/acs2 doesn't match the expected destination https://domain.com/SAML/acs1
   at ComponentSpace.SAML2.AbstractSAMLProvider.CheckDestination(StatusResponseType samlResponse, String destinationUrl)
   at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& userName, SAMLAttribute[]& attributes)
   at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState)
   at SAML.AdminACS.ProcessRequest(HttpContext context)


Note: In the service providers saml.config the AssertionConsumerServiceUrl attribute references acs1, however I have use an alternate acs endpoint for this specific Identity provider (acs2).

It seems prior to this upgrade there was no SP side checking to see if the destination match the setting in the saml.config, but that has now changed. Is there a way to disable this check? Or a different way to address this issue? Note: I have control of both sides of this exchange, so if there is a change I can make on the IdP end, I can go that route.



ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
You can disable the check by specifying DisableDestinationCheck="true" for the <PartnerIdentityProvider> entry in your service provider's saml.config.
<PartnerIdentityProvider
    Name="XXXX"
    DisableDestinationCheck="true"

Regards
ComponentSpace Development
aheho
aheho
New Member
New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)

Group: Forum Members
Posts: 17, Visits: 74
ComponentSpace - 3/7/2017
You can disable the check by specifying DisableDestinationCheck="true" for the <PartnerIdentityProvider> entry in your service provider's saml.config.
<PartnerIdentityProvider
    Name="XXXX"
    DisableDestinationCheck="true"

It didn't work. I have version v2.6.0.19

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Please enable SAML trace and send the generated log file as an email attachment to [email protected], mentioning this forum post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Also include your saml.config with any passwords removed.
Thanks.

Regards
ComponentSpace Development
aheho
aheho
New Member
New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)New Member (22 reputation)

Group: Forum Members
Posts: 17, Visits: 74
ComponentSpace - 3/7/2017
Please enable SAML trace and send the generated log file as an email attachment to [email protected], mentioning this forum post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Also include your saml.config with any passwords removed.
Thanks.

Done

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
You need to disable the recipient check also.
<PartnerIdentityProvider
    Name="XXXX"
    DisableDestinationCheck="true" 
    DisableRecipientCheck="true"

Regards
ComponentSpace Development
satya_saml_idp
satya_saml_idp
New Member
New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)New Member (1 reputation)

Group: Awaiting Activation
Posts: 1, Visits: 3
Hello, 

I have similar issue:

ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML response destination https://domain.com/api/saml/AssertionConsumerService doesn't match the expected destination http://domain.com/api/SAML/AssertionConsumerService.  at ComponentSpace.SAML2.AbstractSAMLProvider.CheckDestination(StatusResponseType samlResponse, String destinationUrl)  at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)  at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)  at ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, IDictionary`2& attributes, String& relayState)

Any thoughts on this?  Application is running in container.


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
As part of the various security checks we make, we check the destination in the SAML response against the assertion consumer service URL configured in your saml.config.

The expectation is that HTTPS rather than HTTP will be used for all SSO flows.

I recommend switching to HTTPS to resolve this issue and to avoid other issues related to the SAML protocol and the secure cookie we use to support it.

This check can be disabled by setting DisableDestinationCheck="true" for the <PartnerIdentityProvider> in your saml.config. However, my recommendation is to not disable the check but instead switch to HTTPS.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search