rocksolidknowledge / samples.saml2p
IdentityServer 4 implementation acting as SAML 2.0 IdP and SP
Home Page: https://www.identityserver.com/products/saml2p
License: Apache License 2.0
It's not an Id4 or RSK SAML plugin issue (most probably an Owin monster issue as per Anders, or a ChallengeResult AuthenticationProperties, SignInManager.ConfigureExternalAuthenticationProperties or AspNetIdentity cookie issue), but since it is reproducible with the id4+rsk GitHub sample, I am mentioning it here.
I am just using the sample repo (no customization) given here with a demo license. Got interesting behavior of the IDP.
Steps:
Following is the log of the IDP: a moment before, it says logged in, and after navigating to/refreshing the IDP page, it's unauthenticated.
@scottbrady91 Any insight on this, please?
Hi, we face a problem when integrating with Google Workspace using SAML.
The Google workspace SSO URL looks like this:
https://accounts.google.com/o/saml2/idp?idpid=xyz
When generating the SAML request, the generated URL looks like this:
https://accounts.google.com/o/saml2/idp?idpid=xyz?SAMLRequest=fJFNb8IwDIb%2FSp
This results in an error from Google. We need to replace the "?" with "&" to make it a valid request:
https://accounts.google.com/o/saml2/idp?idpid=xyz&SAMLRequest=fJFNb8IwDIb%2FSp
Could you fix the issue please?
Hi there
I found this request in the Azure Ad Issues MicrosoftDocs/azure-docs#19654 and this part of the SAML Spec - https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf (See 3.4.1).
It implies that there is a way to tell ADFS via SAML that we would like to login as a particular subject.
Is this possible? What parameter should we set on the request to add this data to the SAML ?
With the latest release on Rsk.IdentityServer4.Saml version 2.2, I'm seeing the below note:
Added full support for redirect and post bindings
Added SP-initiated logout
So shall I assume that the Single Logout SAML response will be posted from the IdP to the service provider with HttpPost binding? If so, can you provide us some sample code on how to achieve that?
I just upgraded the Rsk.IdentityServer4.Saml version from 2.1.2.18 to 2.3.2.55 and I noticed that when single sign on with HttpRedirect binding we are getting an error in signature validation.
Same action was working fine though with my previous version of this library.
Something got changed with latest build?
StackTrace:

```text
System.NullReferenceException: Object reference not set to an instance of an object.
at IdentityServer4.Saml.Validation.Validators.SignatureValidator.Validate() in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Validation\Validators\SignatureValidator.cs:line 78
at IdentityServer4.Saml.Validation.Saml2SingleSignOnRequestValidator.ValidateAsync(NameValueCollection parameters, String bindingType, String rawUrl, String baseUrl, String issuerUri, ClaimsPrincipal subject) in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Validation\Saml2SingleSignOnRequestValidator.cs:line 58
at IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint.ProcessSingleSignOnRequest(HttpContext context, NameValueCollection parameters, String bindingType, String samlRequestUrl, ClaimsPrincipal user) in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Endpoints\Saml2SingleSignOnEndpoint.cs:line 139
at IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint.ProcessSingleSignOn(HttpContext context) in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Endpoints\Saml2SingleSignOnEndpoint.cs:line 100
at IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint.ProcessAsync(HttpContext context) in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Endpoints\Saml2SingleSignOnEndpoint.cs:line 59
at IdentityServer4.Saml.Hosting.IdentityServerSamlMiddleware.Invoke(HttpContext context, ISamlEndpointRouter router, IMemoryCache cache, SamlIdpOptions options) in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Hosting\IdentityServerSamlMiddleware.cs:line 39
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events) in C:\local\identity\server4\IdentityServer4\src\Hosting\IdentityServerMiddleware.cs:line 72
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in C:\local\identity\server4\IdentityServer4\src\Hosting\BaseUrlMiddleware.cs:line 36
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
```
Hi,
I am currently using the trial version to implement IdentityServer as a SAML Service Provider and I often get this error:

```text
Exception: SAMLRequest IssueInstant is in the future. System: 9/19/2018 1:22:48 PM with tolerance of 0 seconds. SAML: 9/19/2018 1:22:48 PM
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+<HandleRequestAsync>d__12.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Rsk.AspNetCore.Authentication.Saml2p.Saml2pAuthenticationHandler+<HandleRequestAsync>d__3.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper+<HandleRequestAsync>d__6.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+<Invoke>d__6.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware+<Invoke>d__7.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
IdentityServer4.Hosting.BaseUrlMiddleware+<Invoke>d__3.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+<Invoke>d__7.MoveNext()
```
I wonder what is the proper way to fix this issue.
Thanks,
SAMLResponse contains incorrect audience restriction.
I am using the Demo RSK Saml component connecting to a corporate secure auth server and receiving an exception (audience restriction.) Is there a way to set require audience restriction to false?
I am still in development and host is localhost.
Hello,
I have the same issue described in issue 6 (#6).

```text
Exception: SAMLRequest IssueInstant is in the future. System: 11/5/2018 9:59:52 AM with tolerance of 0 seconds. SAML:
System.Exception: An error was encountered while handling the remote login. ---> System.Exception: SAMLRequest IssueInstant is in the future. System: 11/5/2018 9:59:52 AM with tolerance of 0 seconds. SAML: 11/5/2018 9:59:52 AM
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Rsk.AspNetCore.Authentication.Saml2p.Saml2pAuthenticationHandler.HandleRequestAsync()
at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
```

How is it possible to set the "TimeComparisonTolerance" property?
Thanks a lot.
I'm testing federation of my Identity Provider with an external SAML Identity Provider. I want to enable decryption of incoming SAML assertions. Everything seems to work fine when the SAML IdP selects PKCS1 as the padding algorithm.
But when OAEP padding is used to encrypt the SAML assertion, an exception is thrown based on the response from the native library Interop.NCrypt with ErrorCode.NTE_INVALID_PARAMETER.
System.Security.Cryptography supports both padding algorithms. On the internet you can find some weaknesses of PKCS1.
BTW, do you provide access to the source code -reporter- once someone obtains a license?
```text
2020-08-17 16:12:17.289 +05:30 [INF] Starting IdentityServer4 version 4.0.4+1b36d1b414f4e0f965af97ab2a7e9dd1b5167bca
2020-08-17 16:12:17.322 +05:30 [INF] You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch to a different store implementation.
2020-08-17 16:12:17.335 +05:30 [INF] Using the default authentication scheme idsrv for IdentityServer
2020-08-17 16:12:17.335 +05:30 [DBG] Using idsrv as default ASP.NET Core scheme for authentication
2020-08-17 16:12:17.336 +05:30 [DBG] Using idsrv as default ASP.NET Core scheme for sign-in
2020-08-17 16:12:17.336 +05:30 [DBG] Using idsrv as default ASP.NET Core scheme for sign-out
2020-08-17 16:12:17.336 +05:30 [DBG] Using idsrv as default ASP.NET Core scheme for challenge
2020-08-17 16:12:17.338 +05:30 [DBG] Using idsrv as default ASP.NET Core scheme for forbid
2020-08-17 16:12:34.744 +05:30 [DBG] Login Url: /Account/Login
2020-08-17 16:12:34.746 +05:30 [DBG] Login Return Url Parameter: ReturnUrl
2020-08-17 16:12:34.746 +05:30 [DBG] Logout Url: /Account/Logout
2020-08-17 16:12:34.747 +05:30 [DBG] ConsentUrl Url: /consent
2020-08-17 16:12:34.748 +05:30 [DBG] Consent Return Url Parameter: returnUrl
2020-08-17 16:12:34.748 +05:30 [DBG] Error Url: /home/error
2020-08-17 16:12:34.751 +05:30 [DBG] Error Id Parameter: errorId
2020-08-17 16:12:34.769 +05:30 [DBG] Request path /saml/sso matched to endpoint type "Saml2Sso"
2020-08-17 16:12:34.773 +05:30 [DBG] Mapping found for endpoint: "Saml2Sso", creating handler: IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint
2020-08-17 16:12:34.776 +05:30 [INF] Invoking IdentityServer endpoint: IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint for /saml/sso
2020-08-17 16:12:34.981 +05:30 [DBG] Start SAML2P SSO request
2020-08-17 16:12:34.994 +05:30 [DBG] No user present in SAML2P SSO request
2020-08-17 16:12:34.997 +05:30 [DBG] Starting SAML 2 SSO request validation
2020-08-17 16:12:35.064 +05:30 [INF] Checking if 17-08-2020 10:42:34 is greater than curent time of 17-08-2020 10:42:35. Allowing values 0 seconds in the future to continue.
2020-08-17 16:12:35.065 +05:30 [INF] Checking if 17-08-2020 10:47:34 is less than curent time of 17-08-2020 10:42:35. Allowing values 0 seconds in the past to continue.
2020-08-17 16:12:35.069 +05:30 [DBG] client configuration validation for client http://localhost:5001/saml succeeded.
2020-08-17 16:12:35.081 +05:30 [INF] Showing login: User is not authenticated
2020-08-17 16:12:35.264 +05:30 [DBG] client configuration validation for client http://localhost:5001/saml succeeded.
2020-08-17 16:12:35.267 +05:30 [DBG] client configuration validation for client http://localhost:5001/saml succeeded.
2020-08-17 16:12:41.115 +05:30 [DBG] CORS request made for path: /Account/Login from origin: null but was ignored because path was not for an allowed IdentityServer CORS endpoint
2020-08-17 16:12:43.015 +05:30 [DBG] client configuration validation for client http://localhost:5001/saml succeeded.
2020-08-17 16:12:43.036 +05:30 [INF] {"Username":"bob","Provider":null,"ProviderUserId":null,"SubjectId":"88421113","DisplayName":"bob","Endpoint":"UI","ClientId":null,"Category":"Authentication","Name":"User Login Success","EventType":"Success","Id":1000,"Message":null,"ActivityId":"0HM22J9071QHE:00000003","TimeStamp":"2020-08-17T10:42:43.0000000Z","ProcessId":26172,"LocalIpAddress":"::1:5000","RemoteIpAddress":"::1","$type":"UserLoginSuccessEvent"}
2020-08-17 16:12:43.055 +05:30 [DBG] Augmenting SignInContext
2020-08-17 16:12:43.056 +05:30 [DBG] Adding idp claim with value: local
2020-08-17 16:12:43.056 +05:30 [DBG] Adding amr claim with value: pwd
2020-08-17 16:12:43.057 +05:30 [DBG] Adding auth_time claim with value: 1597660963
2020-08-17 16:12:43.071 +05:30 [INF] AuthenticationScheme: idsrv signed in.
2020-08-17 16:12:43.073 +05:30 [DBG] client configuration validation for client http://localhost:5001/saml succeeded.
2020-08-17 16:12:43.099 +05:30 [DBG] Request path /saml/sso/login matched to endpoint type "Saml2Sso"
2020-08-17 16:12:43.100 +05:30 [DBG] Mapping found for endpoint: "Saml2Sso", creating handler: IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint
2020-08-17 16:12:43.101 +05:30 [INF] Invoking IdentityServer endpoint: IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint for /saml/sso/login
2020-08-17 16:12:43.105 +05:30 [DBG] Start SAML2P SSO request (after login)
2020-08-17 16:12:43.105 +05:30 [ERR] User is not authenticated
```
I got an exception after login, when I was back at the client website. They require SubjectConfirmationData in the response. Do you know how I can include this in the response? Am I missing some setting?
This issue has been fixed by upgrading the package Rsk.IdentityServer4.Saml.
I am having a hard time trying to make the MVC app client (port 7000) connect to the IDS4 SAML SP, which in turn federates to the IDS4 SAML IDP to authenticate. I am using the demo license for the plugin provided by the RSK team.
Needed Scenario: ASP.NET Core APP ---talks--> IDS4 SAML SP ---talks--> IDS4 SAML IDP
Error I am getting:

```text
Invalid redirect_uri: http://localhost:7000/signin-oidc
```

```json
{
  "ClientId": "mvc",
  "ClientName": "MVC Client",
  "AllowedRedirectUris": [
    "http://localhost:5001/signin-oidc"
  ],
  "SubjectId": "anonymous",
  "RequestedScopes": "",
  "Raw": {
    "client_id": "mvc",
    "redirect_uri": "http://localhost:7000/signin-oidc",
    "response_type": "code id_token",
    "scope": "openid profile",
    "response_mode": "form_post",
    "nonce": "636703668912386576.MjNhODAxMmEtZDMzZS00ODFlLWJlNmMtMmQwODEwOTczOTIwM2VjZDE3NzMtZWY0OC00ZmUwLTk4YWMtOTc2OWU4MTM5ZWU3",
    "state": "CfDJ8IwNdcCHadNNga7v1HYQ8uVdzW4PxgMRT-Sz6hktJlP47BVoAzfJHGRiMqXkiCmcvNwefKmVGjFcVn2QyFRY04nHk0OBB_n7-JQ6QcEluUldNSHN-TnD4yCYrLbM_hrP89qZdclxIwrjVry9cgoRI_XEYqoiTK4XvTn8MlgeGevDs4i2q3HSN1CtddLm0OSMQ7-rnLe1DXT9gxydgKJbBLNbkMLXTkn6g7cSlk2cBM-oak3Pv5DQpcZYdN-waoZLVmbJX4RCLh9j3zQLYMnBuAvZAlXiVTFFCekfSTK6LWmSF9kOUlOIZrqQq8DxUPOVrw",
    "x-client-SKU": "ID_NETSTANDARD1_4",
    "x-client-ver": "5.2.0.0"
  }
}
```
The ASP.NET Core MVC client is configured as:

```csharp
services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = "oidc";
})
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = "http://localhost:5001";
    options.RequireHttpsMetadata = false;
    options.ClientId = "mvc";
    options.ResponseType = "code id_token";
    options.ClientSecret = "49C1A7E1-0C79-4A89-A3D6-A37998FB86B0";
    options.Scope.Clear();
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    //options.SaveTokens = true;
    //options.GetClaimsFromUserInfoEndpoint = true;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        RoleClaimType = "role",
    };
})
```

And the SP and IDP are as provided in this repo. Please help.
I hosted the saml2p SP application in Azure without any DNS binding, but the requests come from the Azure gateway with a subdomain to the SP. While the SP application is trying to navigate to the IDP for authentication, it shows an "Invalid ACS URL" error.
The IdP has two SPs configured as below, one with the subdomain and the other with the default Azure URL.
Gateway request URL: spagw.test.com (this is not working)
Below are the 2 SPs configured at the SAML2p IDP server:
```csharp
new ServiceProvider
{
    EntityId = "https://spagw.test.com/saml",
    AssertionConsumerServices =
        {new Service(SamlConstants.BindingTypes.HttpRedirect, "https://spagw.test.com/signin-saml")},
    SigningCertificates = {new X509Certificate2("myCert2020.cer") }
}
new ServiceProvider
{
    EntityId = "https://test-sp-portal-web.azurewebsites.net/saml",
    AssertionConsumerServices =
        {new Service(SamlConstants.BindingTypes.HttpPost, "https://test-sp-portal-web.azurewebsites.net/signin-saml")},
    SigningCertificates = {new X509Certificate2("myCert2020.cer") }
}
```
IDP configuration at SP portal
IDP1
```csharp
.AddSaml2p("idp1", options => {
    options.Licensee = "TEST";
    options.LicenseKey = "LicenseKey";
    options.IdentityProviderOptions = new IdpOptions
    {
        EntityId = ssoSettings.SamlSSO,
        SigningCertificates = new List<X509Certificate2> { new X509Certificate2(Convert.FromBase64String(@"MIIGSzCCBTOgAwIBAgIJAJbzTeuezhBtMA0GCSqGSIb3DQEBCwUAMIG0MQswCQ")) },
        SingleSignOnEndpoint = new SamlEndpoint("https://idp.myidpserver.com/saml/sso", SamlBindingTypes.HttpPost),
        SingleLogoutEndpoint = new SamlEndpoint("https://idp.myidpserver.com/saml/sso", SamlBindingTypes.HttpPost),
    };
    options.ServiceProviderOptions = new SpOptions
    {
        EntityId = "https://test-sp-portal-web.azurewebsites.net/saml",
        MetadataPath = "/saml/metadata",
        SignAuthenticationRequests = true,
        SigningCertificate = new X509Certificate2("myCert2020.pfx", "pfxpassword@123")
    };
    options.NameIdClaimType = "sub";
    options.CallbackPath = "/signin-saml";
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // IdP-Initiated SSO
    options.AllowIdpInitiatedSso = true;
    options.IdPInitiatedSsoCompletionPath = "/";
})
```

IDP2

```csharp
.AddSaml2p("idp2", options => {
    options.Licensee = "TEST";
    options.LicenseKey = "LicenseKey";
    options.IdentityProviderOptions = new IdpOptions
    {
        EntityId = ssoSettings.SamlSSO,
        SigningCertificates = new List<X509Certificate2> { new X509Certificate2(Convert.FromBase64String(@"MIIGSzCCBTOgAwIBAgIJAJbzTeuezhBtMA0GCSqGSIb3DQEBCwUAMIG0MQswCQ")) },
        SingleSignOnEndpoint = new SamlEndpoint("https://idp.myidpserver.com/saml/sso", SamlBindingTypes.HttpRedirect),
        SingleLogoutEndpoint = new SamlEndpoint("https://idp.myidpserver.com/saml/sso", SamlBindingTypes.HttpRedirect),
    };
    options.ServiceProviderOptions = new SpOptions
    {
        EntityId = "https://spagw.test.com/saml",
        MetadataPath = "/saml/metadata",
        SignAuthenticationRequests = true,
        SigningCertificate = new X509Certificate2("myCert2020.pfx", "pfxpassword@123")
    };
    options.NameIdClaimType = "sub";
    options.CallbackPath = "/signin-saml";
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // IdP-Initiated SSO
    options.AllowIdpInitiatedSso = true;
    options.IdPInitiatedSsoCompletionPath = "/";
})
```
Both SP requests above go to the same IDP, but as different clients.
How do I resolve the subdomain requests without binding the subdomain to the host? It is not originally bound to the application.
### SAML metadata is generated like below

```xml
<EntityDescriptor ID="_cc5d1b6f-4ff3-43d6-9b6b-fce2682418ce" entityID="https://idp.myidpserver.com/saml"
    p1:saml2="urn:oasis:names:tc:SAML:2.0:assertion" cacheDuration="PT1H" xmlns:p1="xmlns" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test-sp-portal-web.azurewebsites.net/" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test-sp-portal-web.azurewebsites.net/" />
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test-sp-portal-web.azurewebsites.net/signin-saml" index="1" />
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test-sp-portal-web.azurewebsites.net/signin-saml" index="2" />
  </SPSSODescriptor>
</EntityDescriptor>
```

But the URLs in the SAML metadata should be **https://idp.myidpserver.com** instead of **https://test-sp-portal-web.azurewebsites.net**.
Hi,
We have 2 pages for user registration in our IdentityServer4 IDP application, and sometimes, if a user takes more than 2 minutes to fill in the form, we get the following error.
I noticed this TimeSpan property "RequestTrustLength" in SamlIdpOptions.
If I set some value for this property, will it fix my issue?
If so, what would be the maximum value I can go for?
Does it cause any security issues if I bump the value to, say, 20 minutes?
I wonder what would be the optimum way to fix this issue.

```text
2019-04-30 12:12:46.000 -05:00 [SSOIDP] [ERROR] IdentityServer4.Saml.Validation.Saml2SingleSignOnRequestValidator [0HLMDHH7MSK5M:00000004] - SAMLRequest IssueInstant too old to trust
{
  "SubjectId": "a484f725-fb3d-4690-ab67-8f759b2fa5e1",
  "BindingType": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
  "RelayState": "c1c2b43d-f9c5-4313-a477-4ea3f1b45dfb",
  "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
}
```
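The "IssueInstant is in the future" reports earlier on this page and the "IssueInstant too old to trust" error above are the two sides of one request-freshness check, whose shape is visible in the log lines quoted under the "User is not authenticated" report (allow N seconds in the future, then compare IssueInstant plus the trust length against the current time). The Python below is an added example written for this page, not the Rsk component's code; the option names mirror the TimeComparisonTolerance and RequestTrustLength properties mentioned in the issues, but their exact semantics here are an assumption, and all timestamps are constructed from the figures in the quoted errors.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Tuple


@dataclass(frozen=True)
class RequestTimeOptions:
    """Assumed equivalents of the TimeComparisonTolerance / RequestTrustLength options
    named in the issues: the tolerance absorbs clock skew between SP and IdP, the
    trust length bounds how long after IssueInstant an AuthnRequest is still accepted."""
    time_comparison_tolerance: timedelta = timedelta(seconds=0)
    request_trust_length: timedelta = timedelta(minutes=5)


def parse_issue_instant(value: str) -> datetime:
    """SAML IssueInstant is an xs:dateTime in UTC, e.g. 2020-08-17T10:42:34Z."""
    if not value.endswith("Z"):
        raise ValueError("IssueInstant must be UTC with a 'Z' suffix")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def validate_issue_instant(issue_instant: str, now: datetime,
                           opts: RequestTimeOptions) -> Tuple[bool, str]:
    """Return (accepted, reason), mirroring the two checks in the quoted IdP log:
    1. IssueInstant may not lie more than `tolerance` in the future;
    2. IssueInstant + trust length may not already be more than `tolerance` in the past."""
    instant = parse_issue_instant(issue_instant)
    if instant > now + opts.time_comparison_tolerance:
        return False, "SAMLRequest IssueInstant is in the future"
    if instant + opts.request_trust_length < now - opts.time_comparison_tolerance:
        return False, "SAMLRequest IssueInstant too old to trust"
    return True, "ok"


if __name__ == "__main__":
    strict = RequestTimeOptions()
    # SP clock 400 ms ahead of the IdP: the same wall-clock second in both error messages,
    # yet rejected because the tolerance is 0 seconds.
    idp_now = datetime(2018, 9, 19, 13, 22, 48, 200000, tzinfo=timezone.utc)
    print(validate_issue_instant("2018-09-19T13:22:48.600Z", idp_now, strict))
    print(validate_issue_instant("2018-09-19T13:22:48.600Z", idp_now,
                                 RequestTimeOptions(time_comparison_tolerance=timedelta(seconds=30))))
    # A registration form that took 6 minutes against the default 5 minute trust length.
    idp_now = datetime(2019, 4, 30, 12, 12, 46, tzinfo=timezone.utc)
    print(validate_issue_instant("2019-04-30T12:06:46Z", idp_now, strict))
    print(validate_issue_instant("2019-04-30T12:06:46Z", idp_now,
                                 RequestTimeOptions(request_trust_length=timedelta(minutes=20))))
```

A small tolerance covers sub-second skew, while a longer trust length also lengthens the window in which a captured AuthnRequest remains acceptable, so both values are best kept at the smallest settings the deployment tolerates.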
Hi guys,
I recently got a demo license to test SAML2P integration with IdentityServer4. I got it working with IdP and SP. My goal is to create SSO functionality with a single IdP for API, SPA and MVC applications. This IdP should also have the functionality to issue JWTs using the PKCE or client credentials authorization flow.
So, I want to continue investigating it for authentication for REST APIs. I found one issue from 2018 where @scottbrady91 commented that SAML authentication for REST APIs is not possible. If not, is it possible to use some combination of SAML, OAuth and OIDC? Do I need to save the JWT token in the SAML cookie? Are there some best practices?
Looking forward to getting feedback from you.
Hello,
I'm trying to set up dynamically registered external SAML IdPs in IdentityServer4. I've opened a question on Stack Overflow.
I suppose I'm missing some service registered in the DI container, but I could not find anything on it.
I can provide any additional info if required.
Our Identity Server is updated with SAML2p and the existing client is updated as below (SAML client):

```csharp
// SAML client
new Client
{
    ClientId = "http://localhost:7002/saml",
    ClientName = "RSK SAML2P Test Client",
    ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
    AllowedScopes = new List<string>()
    {
        "api-auth",
        "api-provider",
        "api-documents",
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.OfflineAccess
    },
    AlwaysIncludeUserClaimsInIdToken = true,
    AllowAccessTokensViaBrowser = true,
    //Access token life time is 86400 seconds (24 hour)
    AccessTokenLifetime = (configuration.AccessTokenLifetime == 0) ? 86400 : configuration.AccessTokenLifetime,
    //Identity token life time is 86400 seconds (24 hour)
    IdentityTokenLifetime = (configuration.IdentityTokenLifetime == 0) ? 86400 : configuration.IdentityTokenLifetime,
},
// SP
new ServiceProvider
{
    EntityId = "http://localhost:7002/saml",
    AssertionConsumerServices =
        {new Service(SamlConstants.BindingTypes.HttpPost, "http://localhost:7002/signin-saml")},
    SigningCertificates = {new X509Certificate2("testclient.cer")},
    ClaimsMapping = new Dictionary<string, string>
    {
        { JwtClaimTypes.Name, "Name" },
        { JwtClaimTypes.GivenName, "GivenName" },
        { JwtClaimTypes.FamilyName, "FamilyName" },
        { JwtClaimTypes.Email, "Email" }
    }
},
```

After successful authentication with the SP, the access_token is always null, so I cannot pass the token for API authentication. Can you suggest a way to achieve this?
FOR COMPONENT SUPPORT, PLEASE EMAIL [email protected]
When the SamlSingleSignOnEndpoint URI contains a query with a question mark, the resulting challenge URI will be invalid.
For example, the PingOne sign-in URL is constructed like this:
https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<idpid>
In that case the resulting challenge will be rejected by the IdP as invalid:
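The Google Workspace report earlier on this page and the PingOne report above describe the same defect: the SAMLRequest parameter is appended with a second "?" when the IdP's SSO URL already carries a query string, so the IdP's query parser never sees a SAMLRequest key. The Python below is an added example written for this page, not code from the samples.saml2p repository or the Rsk plugin. It builds an HTTP-Redirect binding URL (raw DEFLATE, base64, URL-encode) by parsing and re-encoding whatever query the SSO URL already has, beside the naive concatenation that reproduces the bad URL; the AuthnRequest XML, the idpid value and the example host names are constructed placeholders.

```python
import base64
import zlib
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample AuthnRequest; the ID, issuer and ACS URL are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2020-08-17T10:42:34Z" '
    'AssertionConsumerServiceURL="https://localhost:5001/signin-saml">'
    '<saml:Issuer>http://localhost:5001/saml</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_payload(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    data = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_payload(value: str) -> str:
    """Inverse of encode_redirect_payload: base64-decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url_naive(sso_url: str, xml: str) -> str:
    """The buggy construction reported in the issues: always prefix the query with '?'.
    With an SSO URL that already has ?idpid=... this produces two '?' characters."""
    return sso_url + "?" + urlencode({"SAMLRequest": encode_redirect_payload(xml)})


def build_redirect_url(sso_url: str, xml: str, relay_state: Optional[str] = None) -> str:
    """Correct construction: keep the query the IdP's SSO URL already carries,
    append SAMLRequest (and RelayState), and encode the whole query string once."""
    parts = urlsplit(sso_url)
    query: List[Tuple[str, str]] = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("SAMLRequest", encode_redirect_payload(xml)))
    if relay_state is not None:
        query.append(("RelayState", relay_state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def query_params(url: str) -> dict:
    """Parse a URL's query string the way the receiving IdP would."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def extract_saml_request(url: str) -> str:
    """Receiver side: take SAMLRequest from the query and inflate it back to XML."""
    return decode_redirect_payload(query_params(url)["SAMLRequest"])


if __name__ == "__main__":
    sso = "https://accounts.google.com/o/saml2/idp?idpid=xyz"  # idpid value is a placeholder
    naive = build_redirect_url_naive(sso, SAMPLE_AUTHN_REQUEST)
    good = build_redirect_url(sso, SAMPLE_AUTHN_REQUEST, relay_state="state-1")
    print("naive has SAMLRequest key:", "SAMLRequest" in query_params(naive))
    print("fixed has SAMLRequest key:", "SAMLRequest" in query_params(good))
    print("round trip ok:", extract_saml_request(good) == SAMPLE_AUTHN_REQUEST)
```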
Samples indicate that multiple IDPs are supported. Is configuration for such scenarios done entirely in code? Are any other configuration modes supported?
Received this error when trying to run sample project, i.e. TestClient.
Provided certificate is not valid for encryption/decryption. There may be insufficient permissions to its private key in the windows certificate store or the certificate itself may not have the correct purposes. If you only want to use it for signing, set the Use property to Signing (CertificateUse.Signing).
Happens in Startup.cs when trying to add the testclient.pfx certificate.

```csharp
    AuthenticateRequestSigningBehavior = SigningBehavior.Always
};
spOptions.ServiceCertificates.Add(new X509Certificate2(HostingEnvironment.MapPath("~/testclient.pfx"), "test"));

var options = new KentorAuthServicesAuthenticationOptions(false)
```

Tried the following:

```csharp
var cert = new X509Certificate2(HostingEnvironment.MapPath("~/testclient.pfx"), "test");
var serviceCertificate = new ServiceCertificate
{
    Certificate = cert,
    Use = CertificateUse.Signing
};
var spOptions = new SPOptions
{
    EntityId = new EntityId("http://localhost:50155/AuthServices"),
    AuthenticateRequestSigningBehavior = SigningBehavior.Always,
    ServiceCertificates = { serviceCertificate }
};
//spOptions.ServiceCertificates.Add(new X509Certificate2(HostingEnvironment.MapPath("~/testclient.pfx"), "test"));
```

But that yields another error: CryptographicException: Invalid provider type specified.
Where can I get sample schema (or sql script) for saml plugin related tables?
The idpWithEf sample is using "UseInMemoryDatabase"
I find the ReadMe.md a bit lacking. Could you elaborate more?
What is IDP?
I understand the other option is IDP with Entity Framework.
What is SP? Is it service provider?
SP with IDP initiated .. what does that mean?
Why would you choose one project over another?
Hi,
I've integrated IdP & SP and successfully completed testing the SP-init SSO.
I've enabled AllowIdpInitiatedSso in the AddSaml2p() options from Startup.cs, but I'm not sure what the URL for IdP-init SSO is, to test it.
Please advise.
Thanks
Greetings,
I want to add one more attribute to the SAMLRequest:
https://localhost:8080/samlsso?SAMLRequest=fJFPb8IwDMW%2FSpV727SlBSxAYuMwJKYh2u2wy5SmEURqnS5Oxz7%2Bwj9pXDjafj%2FrPXtGomvTHpaDO%2BBOfQ%2BKXPDbtUhwmczZYBGMIE2AolMETkK5fN1AGnHorXFGmpb9Zx4jgkhZpw2yYL2as6%2BimIzkJKvzUdGM8jqdJtM6S%2BRYjtVYyqxhwYey5PVz5nEPEQ1qjeQEOt%2FiKQ95FiZFxaeQJ8D5JwtWPoVG4c7UwbmeII6Px2OkRReRiE82iQwLljczzwZp6JQtlf3RUr3vNhfQc62Roj0YcpBzzmPSe9QYnlawYHvN%2F6Sx0bh%2FnLy%2BiAheqmobbt%2FKii1m54vBOZRd3Kz2VvnLNqHoe4qsarznWXynvJb3j1v8AQAA%2F%2F8DAA%3D%3D&RelayState=zF43mWwSY1nDuAl5LVpLJgsr&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=YHTen21lr3JFtIRp2YdXCDE6g6Q%2FnVnzc0m3UISxU%2FBSq%2B5nPRs6doGmRnKW33sLcZM6L2I34AWcoh4eD03jD%2BnITZzKaF0DOUeY8hRs7RiP4GG22OjGqJjz7CUO2q3WT8HfC709WAreTqdktu296haZZUp2tqOpNj0%2BpwxDFQs5oOMfJIEsbLavzuINfTgba04vQr1CkdMpQz2NFM9HONIZ8uSFhxWPiE6tqSBJqHodHpK2j9Sf5SJPGFHrQ3VA8XuWbNCZoxFlCJqmzpZj8lpIQIsiW1U8CY1MY3vzPQ3kkWpJvUqClA87aPNUOHfDE2%2FW9YaelRGjOO%2FwqXs4Sg%3D%3D
I want to add &lang=ar to the above request.
I couldn't find anything that could help me find a trace for this.
It happens right after calling this endpoint: External/Challenge
If we allow service provider(s) to send unsigned requests to the IDP, what are the risks? Please let me know your thoughts.