itfoxtec / itfoxtec.identity.saml2

ITfoxtec Identity Saml2 adds SAML-P support for both Identity Provider (IdP) and Relying Party (RP) on top of the SAML 2.0 functionality implemented in the .NET framework.

Home Page: https://itfoxtec.com/IdentitySaml2

License: BSD 3-Clause "New" or "Revised" License

C# 62.71% JavaScript 30.64% CSS 0.87% HTML 4.53% TypeScript 1.22% ASP.NET 0.01%

itfoxtec.identity.saml2's People

Contributors: aducng99, amrsaid92, andrecarrblad, archanajss, axelheer, dependabot[bot], ghostbird, gpikmddk, jonsagara, justinfalk, km-emerson-uhaul, mal-coder, maznag, monicastefania, msacats, ovesen, patrikwlund, peteat, revsgaard, thomasnymand, tobiasmarklund, yumakhov

itfoxtec.identity.saml2's Issues

SecurityTokenValidFrom gives an exception

Hello

I am having an error, and I think I have located the bug.

When I call: saml2AuthnResponse.CreateSession(HttpContext, claimsTransform: ClaimsTransform.Transform)
I get the error: ArgumentOutOfRangeException: The UTC time represented when the offset is applied must be between year 0 and 10,000

Which is coming from "saml2AuthnResponse.SecurityTokenValidFrom" in the CreateSession-function.

I can see that the type of saml2AuthnResponse.SecurityTokenValidFrom has been changed from DateTime to DateTimeOffset, and the service I call is not defining a "ValidFrom", and therefore the value is never set.

DateTimeOffset does not work with DateTime.MinValue

My work-around is this (in ITfoxtec.Identity.Saml2.Saml2AuthnResponse):
public DateTimeOffset SecurityTokenValidFrom { get { return Saml2SecurityToken.ValidFrom > DateTime.MinValue ? Saml2SecurityToken.ValidFrom : DateTime.UtcNow; } }

Then the system works, even if the assertion does not come with a ValidFrom value.

Best regards, and thanks for a great framework :)

Christian
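The failure reported in this issue comes from converting an unset DateTime (DateTime.MinValue, Kind Unspecified) to DateTimeOffset: the implicit conversion applies the machine's local UTC offset, and on a machine east of UTC the resulting UTC instant falls before year 1. The following is an added example, not code from the ITfoxtec library; the helper name ValidFromHelper.ToValidFrom is assumed for illustration. It treats an unset ValidFrom as "valid from now" and makes the UTC offset explicit for a value that is present.

```csharp
using System;

// Added example, not the library's own code: converts a token's ValidFrom to
// DateTimeOffset without tripping over DateTime.MinValue.
public static class ValidFromHelper
{
    // An unset ValidFrom (DateTime.MinValue) is returned as "now" instead of being
    // converted: applying a positive local offset to DateTime.MinValue pushes the
    // UTC instant before year 1 and throws ArgumentOutOfRangeException.
    public static DateTimeOffset ToValidFrom(DateTime validFrom, DateTimeOffset now)
    {
        if (validFrom == DateTime.MinValue)
            return now;

        // SAML timestamps are UTC. Make the offset explicit rather than relying on the
        // implicit DateTime -> DateTimeOffset conversion, which uses the local offset
        // for DateTimeKind.Unspecified values.
        var utc = validFrom.Kind == DateTimeKind.Unspecified
            ? DateTime.SpecifyKind(validFrom, DateTimeKind.Utc)
            : validFrom.ToUniversalTime();
        return new DateTimeOffset(utc, TimeSpan.Zero);
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;

        // Constructed input: the assertion carried no NotBefore, so ValidFrom stayed MinValue.
        Console.WriteLine(ToValidFrom(DateTime.MinValue, now) == now);   // True

        // Constructed input: an explicit NotBefore taken from an assertion.
        var notBefore = new DateTime(2018, 3, 27, 16, 27, 31, DateTimeKind.Utc);
        Console.WriteLine(ToValidFrom(notBefore, now).ToString("o"));    // 2018-03-27T16:27:31.0000000+00:00

        // The naive conversion reproduces the reported exception on a machine whose
        // local offset is ahead of UTC (e.g. UTC+1); elsewhere it silently succeeds.
        try
        {
            DateTimeOffset naive = DateTime.MinValue;
            Console.WriteLine("naive conversion succeeded: " + naive.ToString("o"));
        }
        catch (ArgumentOutOfRangeException e)
        {
            Console.WriteLine("naive conversion failed: " + e.Message);
        }
    }
}
```

Whether the naive conversion throws depends on the server's time zone, which is why the bug shows up in some deployments and not others; an explicit check for the unset value removes that dependency.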

Failed AuthnResponse (with no assertions) results in exception when unbinding

A signed AuthnResponse that fails (e.g. because we've picked an incompatible NameId Policy...), and thus has no Assertions, fails when unbinding.

 	ITfoxtec.Identity.Saml2.Saml2AuthnResponse.GetAssertionElement()
 	ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature()
 	ITfoxtec.Identity.Saml2.Saml2Request.Read(xml, validateXmlSignature)
 	ITfoxtec.Identity.Saml2.Saml2Response.Read(xml, validateXmlSignature)
 	ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(xml, validateXmlSignature)
 	ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(request, saml2RequestResponse, messageName, validateXmlSignature)
 	ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(request, saml2RequestResponse, messageName)
 	ITfoxtec.Identity.Saml2.Saml2Binding<ITfoxtec.Identity.Saml2.Saml2PostBinding>.Unbind(request, saml2Response)

<samlp:Response ID="_ee14ca84-f39a-4527-a144-714d457a30a4" Version="2.0" IssueInstant="2018-03-27T16:27:31.041Z" Destination="https://localhost:44354/SAML2SP/AssertionConsumerService" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_a204b2c1-11ec-4d32-a9b7-bd949bb17d3d" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
	<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://10.10.60.180/adfs/services/trust</Issuer>
	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
			<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
			<ds:Reference URI="#_ee14ca84-f39a-4527-a144-714d457a30a4">
				<ds:Transforms>
					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
				<ds:DigestValue>1mjyJS3Ryww6mg5+9jHDoJ0vvdg3uY21Iv2SI+l+If8=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>VuwG00yj1why5OZ8TCDznt3rHkqde4J9TzQgylyKXJvAGZz1zWHZIKDcSO1BZUwC0NQxLeimL9Ktt8fCPzo5TFbyD0pcM5GSzQ9dyBVEcKPre/TSPqrHeeiJCZxJSe8zov7Ektd9clKC6ds/C3yoA6snRg5mG/wrWPgN98eQc+SneROSrfDmZ9489qLZxKCDQH9yPe/xPUpF25nCPnP5UFiKP97Ki4xXcSzD0qlEVEjLxHD3Rai/WLAzXEVqY0rFZCMjPdgaKQojwgq9iAhRj7PmKCmWLIxDhbj++HscOAdxEelbolC5KHsRr8kIy0s5H19qqWQYBuHSF4Ju4Y4Mlw==</ds:SignatureValue>
		<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
			<ds:X509Data>
				<ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
			</ds:X509Data>
		</KeyInfo>
	</ds:Signature>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
			<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
		</samlp:StatusCode>
	</samlp:Status>
</samlp:Response>
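A response like the one above carries its outcome in samlp:Status, and a non-Success status legitimately has no Assertion. The following is an added example, not the library's own unbinding code; the class name SamlResponseStatus and its Inspect method are assumed for illustration. It reads the top-level and second-level status codes and counts Assertion elements, so that a failed response is reported by its status codes instead of surfacing as "There is not exactly one Assertion element".

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not the ITfoxtec library's own code: inspects a samlp:Response
// before assertion processing so that a failed response is handled by status.
public static class SamlResponseStatus
{
    const string ProtocolNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string AssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string StatusSuccess = "urn:oasis:names:tc:SAML:2.0:status:Success";

    public sealed class Result
    {
        public string TopLevelStatus;     // e.g. urn:oasis:names:tc:SAML:2.0:status:Requester
        public string SecondLevelStatus;  // e.g. ...:status:InvalidNameIDPolicy, or null
        public int AssertionCount;
        public bool IsSuccess => TopLevelStatus == StatusSuccess;
    }

    public static Result Inspect(string responseXml)
    {
        // Hardened reader: no DTDs, no external entity resolution.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(responseXml), settings))
            doc.Load(reader);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", ProtocolNs);
        ns.AddNamespace("saml", AssertionNs);

        var top = doc.SelectSingleNode("/samlp:Response/samlp:Status/samlp:StatusCode", ns) as XmlElement;
        if (top == null)
            throw new InvalidOperationException("Response has no Status/StatusCode element.");
        var second = top.SelectSingleNode("samlp:StatusCode", ns) as XmlElement;

        return new Result
        {
            TopLevelStatus = top.GetAttribute("Value"),
            SecondLevelStatus = second?.GetAttribute("Value"),
            AssertionCount = doc.SelectNodes("/samlp:Response/saml:Assertion", ns).Count,
        };
    }

    public static void Main()
    {
        // Constructed sample mirroring the failed ADFS response above (signature omitted).
        const string failed = @"<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' ID='_1' Version='2.0'>
  <samlp:Status>
    <samlp:StatusCode Value='urn:oasis:names:tc:SAML:2.0:status:Requester'>
      <samlp:StatusCode Value='urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy'/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>";

        var r = Inspect(failed);
        if (!r.IsSuccess)
        {
            // Log and deny; there is no assertion to read.
            Console.WriteLine($"IdP refused the request: {r.TopLevelStatus} / {r.SecondLevelStatus} (assertions: {r.AssertionCount})");
        }
        else if (r.AssertionCount != 1)
        {
            Console.WriteLine("Success status but not exactly one Assertion; reject the response.");
        }
        // Only a Success response with exactly one Assertion should proceed to
        // signature validation and session creation.
    }
}
```

The status check decides which code path to take; it does not replace signature validation. The Response signature should still be verified before the status codes are logged or shown to a user, since an unsigned or tampered error response is no more trustworthy than a tampered success.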

Error in parsing XML signature returned

ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.

ITfoxtec.Identity.Saml2.Saml2RequestException: There is not exactly one Assertion element

I'm getting this error on various environments using the NuGet package. Any ideas without debugging this?

Exception: ITfoxtec.Identity.Saml2.Saml2RequestException: There is not exactly one Assertion element.
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.GetAssertionElement() in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2AuthnResponse.cs:line 230
   at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature() in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 214
   at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 198
   at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Response.cs:line 53
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2AuthnResponse.cs:line 210
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 107
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 102
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2Binding.cs:line 73
   at

Port to .Net Standard

You use crypto stuff from many .Net Framework-only libraries. MS may port them in a year or two^).
Can you switch cryptography/encoding related things to another crypto library with .Net Standard support and issue .Net standard package?

SigningCertificateFile.pfx needed?

Is the .pfx file needed? I have done other implementations in Python where you do not need this file. Just the .cer file. Can you give some insights as to what this file does/is used for?

Thanks!

Duo Security SAML2 vulnerability disclosure, are we affected?

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

This is an XML parsing bug more than a SAML2-specific bug, and I'd hope that the .NET parser is doing The Right Thing(TM), but it's probably worth checking. Especially because there was a recent patch to change the way we're validating Assertion elements due to canonicalization weirdnesses in some IdP implementations.

Do we have any existing unit tests we can update to prove that we're OK?

Amazing job, looking for contributing.

Hi guys,

I came across this amazing library last week since I had to support a legacy integration using SAML for PingFederated for one of our customers.

So on the one hand, I want to congratulate you guys because of the excellent job you've done. On the other, I would like to contribute somehow.
I am a software engineer, sometimes architect, sometimes tech lead, sometimes developer, and sometimes just a simple learner.
So I can even contribute translating the site to Spanish, as I am Argentinian and a native Spanish speaker.

Saml2RedirectBinding.RedirectLocation parameters end up not being encoded by Uri.EscapeDataString

Hello,

I'm trying to send an AuthnRequest to an IdP with a redirect binding (not using .NET MVC here) and the HTTP request parameters look like they're not being encoded by Uri.EscapeDataString, e.g. I get some "/" instead of "%2F" inside my SAMLRequest and signature.

I ended up looking at line 39 of ITfoxtec.Identity.Saml2.Saml2RedirectBinding where requestQueryString still contains the correctly encoded strings.
After the call to new Uri(...), escaped characters are reverted back to their original state ("%2F" -> "/") in RedirectLocation.

Can you do anything to fix this? Everything else seems OK, but we might have to (reluctantly) switch to a closed-source library if I can't convince my boss quickly enough that your library is what we need :(

Regards

Prohibited DTD in XML document

Hi, I'm trying to implement SAML2, but I encountered this error:

XmlException: For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.

in line:

entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));

Actually I don't know how to handle this, because I think it's library side error.

Thanks in advance.

rsa-sha1 is not supported. Error when I try to set saml2Configuration.SignatureAlgorithm = Saml2SecurityAlgorithms.RsaSha1Signature;

I want to use an RSA-SHA1 certificate to sign the AuthnRequest, but I get this error when I try to log in:

Exception type: System.NullReferenceException
Message: Object reference not set to an instance of an object.

System.NullReferenceException: Object reference not set to an instance of an object.
   at ITfoxtec.Identity.Saml2.Cryptography.Saml2Signer.GetSignatureDescription()
   at ITfoxtec.Identity.Saml2.Cryptography.Saml2Signer.CreateFormatter()
   at ITfoxtec.Identity.Saml2.Cryptography.Saml2SignedText.SignData(Byte[] input)
   at ITfoxtec.Identity.Saml2.Saml2RedirectBinding.SigneQueryString(String queryString, X509Certificate2 signingCertificate)
   at ITfoxtec.Identity.Saml2.Saml2RedirectBinding.BindInternal(Saml2Request saml2RequestResponse, String messageName)
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.Bind(Saml2Request saml2Request)
   at AFD.BackOffice.Controllers.Saml2AuthController.Login(String returnUrl) in C:\Dev\socle-angular\afd-socle-angular-back\AfdBackOffice\Controllers\Saml2AuthtController.cs:line 49
   at lambda_method(Closure , Object , Object[] )
   at Microsoft.Extensions.Internal.ObjectMethodExecutor.Execute(Object target, Object[] parameters)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.SyncActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|24_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Logged|17_1(ResourceInvoker invoker)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Hellang.Middleware.ProblemDetails.ProblemDetailsMiddleware.Invoke(HttpContext context)

Compatibility with .NET Core 2.0

Hi to all,

today I tried to add the ITFoxtec.Identity.Saml2 and ITFoxtec.Identity.Saml2.MvcCore packages (both version 2.0.0) via NuGet to my web app project (target framework .NET Core 2.0).
The operation failed, and Visual Studio says this:

Error NU1202. Package ITfoxtec.Identity.Saml2 2.0.0 is not compatible with netcoreapp2.0 (.NETCoreApp,Version=v2.0). Package ITfoxtec.Identity.Saml2 2.0.0 supports: net462 (.NETFramework,Version=v4.6.2)

But on the official site (http://www.itfoxtec.com/IdentitySaml2) I read this:

Version: 2.0.0 - Supporting .NET 4.6.2 and Core 2.0.

Have I done something wrong, or is it a bug?

Thanks,
dongigi92

Unable to set custom certificate validator in Saml2Configuration on .net full

Hi.

I'm trying to specify a custom validator on .NET 4.8 with the following code:

Saml2Configuration.CertificateValidationMode = X509CertificateValidationMode.Custom;
Saml2Configuration.CustomCertificateValidator = new MetadataCertificateValidator(entityDescriptor.IdPSsoDescriptor.SigningCertificates);

The configuration is created successfully, but an error occurs when trying to initiate a request.
The library throws from the following code:
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/src/ITfoxtec.Identity.Saml2/Configuration/Saml2IdentityConfiguration.cs#L41
Exception Error Message:
ID4280: The X509CertificateValidationMode is set to Custom but the CertificateValidator property has not been set. You must set the CertificateValidator property to use a custom validator.
Call Stack of Exception:

 	System.IdentityModel.dll!System.IdentityModel.Configuration.IdentityConfiguration.Initialize() Line 338	C#
 	ITfoxtec.Identity.Saml2.dll!ITfoxtec.Identity.Saml2.Configuration.Saml2IdentityConfiguration.GetIdentityConfiguration(ITfoxtec.Identity.Saml2.Saml2Configuration config) Line 30	C#
 	ITfoxtec.Identity.Saml2.dll!ITfoxtec.Identity.Saml2.Saml2Request.Saml2Request(ITfoxtec.Identity.Saml2.Saml2Configuration config) Line 67	C#
 	ITfoxtec.Identity.Saml2.dll!ITfoxtec.Identity.Saml2.Saml2AuthnRequest.Saml2AuthnRequest(ITfoxtec.Identity.Saml2.Saml2Configuration config) Line 34	C#

I think the issue is about order of execution. In Saml2IdentityConfiguration.cs Saml2IdentityConfiguration.SetCustomCertificateValidator(configuration, config); should be called before configuration.Initialize();

The NameClaimType of IdentityConfiguration/TokenValidationParameters is not configurable

Some background: Our SAML service provides us a user name along with other attributes of the user when authentication is successful. When we assign claims (in your example code, this is done in the ClaimsTransform class) and create a claim of ClaimType.Name with the user's real name, we expected to see this reflected in views when we use User.Identity.Name.

Instead, it looks as though this package hard-codes the Identity NameClaimType to ClaimType.NameIdentifier, which is typically a GUID or other unique identifier. As a result, that ID is provided when using User.Identity.Name, instead of the default behaviour of using the value of a claim of type ClaimType.Name.

This hard-coding happens here:

configuration.NameClaimType = ClaimTypes.NameIdentifier;

Would there be any side effects to allowing this to be configurable? I don't see any other reference to Identity.Name within this package that rely on it returning NameIdentifier (as opposed to Name).
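The name claim type passed to ClaimsIdentity is what User.Identity.Name resolves through, so the same claim set yields a different Name depending on that setting. The following is an added example, not the library's own code; the class NameClaimTypeDemo and the authentication type string "saml2" are assumed for illustration. It builds the identity twice from constructed claims, once with the hard-coded NameIdentifier and once with Name.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example (not the library's code): the name claim type given to ClaimsIdentity
// decides what Identity.Name returns for one and the same set of claims.
public static class NameClaimTypeDemo
{
    public static ClaimsIdentity Build(IEnumerable<Claim> claims, string nameClaimType) =>
        new ClaimsIdentity(claims, "saml2", nameClaimType, ClaimTypes.Role);

    public static void Main()
    {
        // Constructed claims resembling what a ClaimsTransform would produce.
        var claims = new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "9b2c5f1e-0000-4000-8000-000000000000"), // constructed id
            new Claim(ClaimTypes.Name, "Jane Doe"),
            new Claim(ClaimTypes.Email, "jane.doe@example.test")
        };

        var hardCoded = Build(claims, ClaimTypes.NameIdentifier); // behaviour described in the issue
        var configurable = Build(claims, ClaimTypes.Name);        // the requested behaviour

        Console.WriteLine(hardCoded.Name);    // 9b2c5f1e-0000-4000-8000-000000000000
        Console.WriteLine(configurable.Name); // Jane Doe

        // The authorization key is unaffected by the display choice: look it up explicitly.
        Console.WriteLine(configurable.FindFirst(ClaimTypes.NameIdentifier)?.Value);
    }
}
```

Whichever value is shown through Identity.Name, authorization decisions and audit records should continue to key on the NameIdentifier claim, since a display name is neither unique nor stable.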

IdP metadata doesn't support optional "use" attribute on KeyDescriptor

When reading in the IdP metadata (IdPSsoDescriptor), the signing/encryption certificates are missed if the use attribute is missing from the KeyDescriptor element.

As per https://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd (and https://wiki.shibboleth.net/confluence/display/CONCEPT/SAMLKeysAndCertificates) the KeyDescriptor/@use XML attribute is an optional attribute.

Could I suggest, as per the shibboleth wiki, that a KeyDescriptor with no use attribute should be considered as containing keys for both signing and encryption?
i.e. update the Read() method of ITfoxtec.Identity.Saml2.Schemas.Metadata.IdPSsoDescriptor to read and add certificates with no use attribute into both the SigningCertificates and EncryptionCertificates properties.

Thanks!
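The suggested rule (a KeyDescriptor without a use attribute supplies both signing and encryption keys) is easy to state in code. The following is an added example, not the library's IdPSsoDescriptor.Read; the class KeyDescriptorReader and its Keys result type are assumed for illustration, and the metadata sample uses placeholder strings in place of real certificates.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

// Added example (not the library's own metadata reader): collects the X509 certificates
// of an IDPSSODescriptor into signing and encryption lists, treating a KeyDescriptor
// without a "use" attribute as usable for both, since "use" is optional in the schema.
public static class KeyDescriptorReader
{
    const string MdNs = "urn:oasis:names:tc:SAML:2.0:metadata";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    public sealed class Keys
    {
        public List<string> Signing = new List<string>();    // base64 DER certificates
        public List<string> Encryption = new List<string>();
    }

    public static Keys Read(string metadataXml)
    {
        // Hardened reader: metadata fetched from a remote IdP must not pull in DTDs or external entities.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(metadataXml), settings))
            doc.Load(reader);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("md", MdNs);
        ns.AddNamespace("ds", DsNs);

        var keys = new Keys();
        foreach (XmlElement kd in doc.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor", ns))
        {
            string use = kd.GetAttribute("use"); // empty string when the attribute is absent
            foreach (XmlNode certNode in kd.SelectNodes("ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns))
            {
                string b64 = certNode.InnerText.Trim();
                if (use == "signing" || use == "") keys.Signing.Add(b64);
                if (use == "encryption" || use == "") keys.Encryption.Add(b64);
            }
        }
        return keys;
    }

    public static void Main()
    {
        // Constructed metadata; CERT_* values are placeholders, not real certificates.
        const string metadata = @"<md:EntityDescriptor xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' xmlns:ds='http://www.w3.org/2000/09/xmldsig#' entityID='https://idp.example.test'>
  <md:IDPSSODescriptor protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'>
    <md:KeyDescriptor use='signing'><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_SIGNING_ONLY</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_NO_USE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>";

        var keys = Read(metadata);
        Console.WriteLine("signing:    " + string.Join(", ", keys.Signing));    // CERT_SIGNING_ONLY, CERT_NO_USE
        Console.WriteLine("encryption: " + string.Join(", ", keys.Encryption)); // CERT_NO_USE
        // A real value is turned into a certificate with new X509Certificate2(Convert.FromBase64String(b64)).
    }
}
```

Treating an unqualified key as valid for signing widens the set of certificates a response signature may be verified against, so the list should be reloaded when the IdP rotates its metadata and never padded with keys from any other source.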

Can't see my certificate

I'm setting up a service provider and am using this SAML library. My request looks like this:

<saml2p:AuthnRequest
    Destination="https://qa.connector.eidas.swedenconnect.se/idp/profile/SAML2/POST/SSO"
    ForceAuthn="true" ID="_64ef67e7-1cd8-4f68-9bf7-a2d5d8fd8856" IsPassive="false"
    IssueInstant="2018-07-05T11:54:39.3284774+02:00" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer>https://eunode.eidastest.se/con-sp/metadata</saml2:Issuer>
</saml2p:AuthnRequest>

but it should look like this

<saml2p:AuthnRequest
    Destination="https://qa.connector.eidas.swedenconnect.se/idp/profile/SAML2/POST/SSO"
    ForceAuthn="true" ID="_ed56499e69da8bdd1d479ef96807e57c" IsPassive="false"
    IssueInstant="2018-07-05T09:53:37.226Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://eunode.eidastest.se/con-sp/metadata</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_ed56499e69da8bdd1d479ef96807e57c">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>VXceOb2vz5OAJPWUH+0G58x1VsEJ6lQl6ErnFf+22AQ=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
Mo0+sHd/1SUfQs17lBcfYKSNgmbAjptiNc1l9ZLCeF0nCrYBRw7t2fngLR8t9NAXNwdezTnkXV/N
FOSBPZiWy8BwzUD7+yW+hTfnU+1DRCfpeJgub7TgJd0BG1AvR3QCcFfOtOtExnZqoYo1f5lFlbqO
I0r6MCuoBMRGSy7kusjBpxYvsNBYUopTv2DEvC2jtQFu4CDj8RkQGXzCXx2nyf6rluOkOwxnNqi2
bMjJqxgWP4s19wIKgq7+vesvS2nLUwoPeGYw0G5y4DP010SYvNTRFWgGMRZfWxKr1Je/WsQI6d6V
8g6Y8v92sR/zRJimhi6CA7EJROubbubB3fa1LQ==
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDIzCCAgsCBgFgtkRcgjANBgkqhkiG9w0BAQ0FADBVMR0wGwYDVQQDExRTRSBDb25uZWN0b3IgRGVtbyBTUDEnMCUGA1UEChMeU3dlZGlzaCBFLUlkZW50aWZpY2F0aW9uIEJvYXJkMQswCQYDVQQGEwJTRTAeFw0xODAxMDIwNzQ3MDFaFw0yMzAxMDIwOTQ3MDFaMFUxHTAbBgNVBAMTFFNFIENvbm5lY3RvciBEZW1vIFNQMScwJQYDVQQKEx5Td2VkaXNoIEUtSWRlbnRpZmljYXRpb24gQm9hcmQxCzAJBgNVBAYTAlNFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnT0borSI1StrlVaeDjJJdp4gSxiVud1J1n7+mX6W5C5/nKLLUY4kNHu7lpMCAV9bi0/er++3bwtpPcyKhSvjA3szTo8QMpBknL0Au2FgYL+Eqk/S+R2r9KBtVUoq/j/jAvZM9vkRNclM3rLovbm2FLS8Z+CJ56wDa6q1f99VzdmsPydvLeaRuxIEmjRzcq/zI1uiP7aVtAGXo5kbI+IpRHziV5kQ6R7e5v26nwOUeKidUQZGxElPmez/xRkpX0aqt/XEV6SG+dehsvPHVTzpp0Yj9rIuokFKUh7vq87roUJHircl7KHVaupyyWkhiwCbMncJszG6YwoW6Ecm2XDEOQIDAQABMA0GCSqGSIb3DQEBDQUAA4IBAQCKFZffnIDECp3/A40UURFwaBXo3rIlcRrO9DUVALsG7fg3079FH5TmC+xPKf2tMgIZjAglWeVa7XFf0Lm1Qpk0eNhraAXBmDYXiyHCk1ndTHZhHwPX0rKk74dUXvp8FauNnL5yZK9dD6GlsTSRdR5L6HMjtD1leYr3siAmxya3f6Mc5i28LmttZj9ZAipskDsipIQmlVY/tNxQV5bO7vcByBA6b/sL+Wh9oApsYc+0El/6uDhVuIho1aWVRB7ZDuOS+NJ3TTFgx6B3oeGXygi/UqcSC/nkKH6yzSo3O9jNERnVaQcl9RHJba7QRimfvvRFwHs++DeI//ya4wMTOnAA</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:NameIDPolicy AllowCreate="true"/>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://id.elegnamnden.se/loa/1.0/eidas-sub</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

I have set up a RegisterIdentity method but can't see my certificate:

public ActionResult Login(string returnUrl = null)
{
    var binding = new Saml2RedirectBinding();
    //var binding = new Saml2PostBinding();
    binding.SetRelayStateQuery(new Dictionary<string, string> { { relayStateReturnUrl, returnUrl ?? Url.Content("~/") } });

    var saml2Configuration = RegisterIdentity();

    XmlDocument xD = new XmlDocument();

    var saml2AuthnRequest = new Saml2AuthnRequest(saml2Configuration);

    var hej = new Saml2AuthnRequest(saml2Configuration);

    var test = binding.Bind(new Saml2AuthnRequest(saml2Configuration)
    {
        Destination = new Uri(ConfigurationManager.AppSettings["Saml2:Destination"]),
        ForceAuthn = true,
        //Set automatic
        IsPassive = false,
        IssueInstant = DateTime.Now,
        //Protocolbinding
        Version = "2.0",
        //Issuer = new Uri("https://eunode.eidastest.se/con-sp/metadata"),
    }).ToActionResult();
    //return ITfoxtec.Identity.Saml2.Mvc.Saml2BindingExtensions.ToActionResult(returnUrl2);
    return test;
}

public Saml2Configuration RegisterIdentity()
{
    //var x509cert = new X509Certificate2(ConfigurationManager.AppSettings["x509:CertificatePathAndName"]);
    var saml2Configuration = new Saml2Configuration();
    var path = ConfigurationManager.AppSettings["x509:CertificatePathAndName"];
    saml2Configuration.SigningCertificate = CertificateUtil.Load(ConfigurationManager.AppSettings["x509:CertificatePathAndName"], "test");
    saml2Configuration.SignatureAlgorithm = ConfigurationManager.AppSettings["Saml2:SignatureAlgorithm"];
    saml2Configuration.Issuer = new Uri(ConfigurationManager.AppSettings["Saml2:Issuer"]);

    return saml2Configuration;
}

When I'm debugging the code, the signing certificate and signature algorithm are set.

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified

While running on Windows Server 2012 under IIS, I got the exception when trying to load the certificate from the file. I use in-process hosting with ApplicationPoolIdentity.

fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
      An unhandled exception has occurred while executing the request.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified
   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at ITfoxtec.Identity.Saml2.Util.CertificateUtil.Load(String path, String password)

Here is my code fragment:

public void ConfigureServices(IServiceCollection services)
{
    CultureInfo.CurrentCulture = new CultureInfo(Configuration.GetValue<string>("DefaultCulture"));

    services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));
    services.Configure<Saml2Configuration>(saml2Configuration =>
    {
        saml2Configuration.SignAuthnRequest = true;
        saml2Configuration.SigningCertificate = CertificateUtil.Load(
            Configuration["Saml2:SigningCertificateFile"], Configuration["Saml2:SigningCertificatePassword"]);
    });
}

The file is in place, I tried both absolute and relative paths. It works if I use dotnet run under MacOS.

I stumbled across the following discussions, https://github.com/dotnet/corefx/issues/14745 and https://github.com/dotnet/corefx/issues/23780, which I hope might be helpful to troubleshoot/fix this.
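Two earlier questions on this page come together here: what the .pfx is for (it holds the SP's private signing key; a .cer carries only the public half, which is what the IdP needs to verify the SP's signatures) and why loading it can fail under IIS although the file exists. The following is an added example, not the library's CertificateUtil.Load; the class SigningCertificateLoader and its contentRoot parameter are assumed for illustration. It is written on the assumption, drawn from the linked corefx discussions, that an app pool identity without a loaded user profile has no per-user key store, which is one known cause of the "The system cannot find the file specified" error; X509KeyStorageFlags.MachineKeySet avoids that store.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example, not the library's own code: loads the SP signing certificate from a
// .pfx with an explicitly resolved path and explicit key-storage flags.
public static class SigningCertificateLoader
{
    public static X509Certificate2 Load(string configuredPath, string password, string contentRoot)
    {
        // Resolve relative paths against the application's content root, not the
        // process working directory (which differs between dotnet run and IIS).
        string fullPath = Path.IsPathRooted(configuredPath)
            ? configuredPath
            : Path.Combine(contentRoot, configuredPath);

        // Separate "file really missing" from "key store unavailable": the original
        // error text is the same for both.
        if (!File.Exists(fullPath))
            throw new FileNotFoundException($"Signing certificate not found at '{fullPath}'.", fullPath);

        // Assumption (see lead-in): MachineKeySet keeps the imported private key out of
        // the per-user store, which an app pool identity without a profile cannot open.
        var cert = new X509Certificate2(fullPath, password, X509KeyStorageFlags.MachineKeySet);

        // A .cer would load fine here but cannot sign; fail early instead of at Bind().
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key; a .pfx containing the key is required to sign requests.");

        return cert;
    }

    public static void Main(string[] args)
    {
        // Constructed usage; replace with the configured path and a password from a secret store.
        string path = args.Length > 0 ? args[0] : "SigningCertificateFile.pfx";
        string password = args.Length > 1 ? args[1] : "";
        try
        {
            var cert = Load(path, password, AppContext.BaseDirectory);
            Console.WriteLine($"Loaded {cert.Subject}, expires {cert.NotAfter:u}, private key: {cert.HasPrivateKey}");
        }
        catch (Exception e)
        {
            Console.WriteLine("Failed to load signing certificate: " + e.Message);
        }
    }
}
```

In an ASP.NET Core Startup the contentRoot argument would come from the hosting environment's ContentRootPath, and the loaded certificate is assigned to saml2Configuration.SigningCertificate as in the fragment above; the private-key check is what makes the difference between a .pfx and a .cer visible at startup rather than at the first sign operation.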

Unbinding response with canonicalization method with comments results in invalid signature

Hi,

When unbinding a valid signed SAML Response with the canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#WithComments:

<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
    <Signature
        xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <Reference URI="#_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>VrztqVTjmfENj/VkwUEpVEl9R5UhS7xEL1p7I/nXbpo=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>FR4fISV9sYhOJ3475amBkW1WapUhkmKraVrigXQPXgKCuvhGhew34bzV33CxBDMEfNtfg5CIFeVQ0OJybqlmWJvjRKRoUcev9zhc5IwTWhmVF8r9bw7ymwKo0Uj6Vqji3WeMdaHdD9fB/MGJ6YwCn0i0g8Lisy6vqyBx1Y0cDr0+sdupqokDOe0aJ6OVsH4tty05F+98GoRbF7UXYIMyoVwRfp5vDKdoitEEOE+QIJmZrAt9evdLKxslrrroTUlJyxOX2zeovzq4JPDDvZUFYluYrz4UPxV/Ai+rJCcKNmQCWs6Zd0poWaZWB0LvwrXUjcSnSMVY+Q0b6GimFfB3tA==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>MIIDKjCCAhICCQCrM73GThlsczANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJESzEQMA4GA1UEBwwHRGVubWFyazERMA8GA1UECgwISVRmb3h0ZWMxGjAYBgNVBAMMEXJvb3QuaXRmb3h0ZWMuY29tMB4XDTE2MDYxNjA3MzM1MFoXDTI2MDYxNDA3MzM1MFowYDELMAkGA1UEBhMCREsxEDAOBgNVBAcMB0Rlbm1hcmsxETAPBgNVBAoMCElUZm94dGVjMSwwKgYDVQQDDCNpdGZveHRlYy5pZGVudGl0eS5zYW1sMi50ZXN0aWRwY29yZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ8Ul5qUBZLLuHE9KN1bBvbHoFzHNm2sWQiZuR8CDaxinL4qFeeYOm7hKk0InDNsrwYJH0tmozSngwTR4MH5vibWxsFH2Izr7s18Wi7cM72BOi8FxR4odZ5qvrZfezoxRlSD8fPSGR92iALhuHRhczQ4BbqG6ig2MaUWxI1LptdaVKhCPJjhJLmTex0A9JEZunYwQC2HgZS59SRFwwOS98D7/bBPqMaeieTULrQCmPDyLsrozAE5e2Dc4tx/r9BeevQCCL7nl3yTc3bZ3/Dpp8odeOATeVtlp2V4iq0gim57dt6z4skXitiNx3OuIA/ghvcNcH/4yMudtXQlSZ+ONS8CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAqw9aJgjSTTcB7By5EGFD/4dKeDDAv21pVu3blih+AQdiTntNevY/MQ/CJnRGvm/5knwCegeB9d5Ksg3ASVDkOJXPhrG/23kur1b0L4yk2m22B8RQz64G2VjuzVL/PPi0sJucIK1Mt6XviTKpIeT6KPJDj59G9N0ip2MqfvR/lgVUHqIzvPBo9k8rF5ndIVELr/khyH1dXbxsq5kDqAv8CJaOmFKVhRcp9KBxKG1RkcTnVl6m4CObVvC/+OwJ29L6eZwf/N7ZzpUUxw5XtvxiJWlh4zmVzPNupmnd7IE+5aQ/Gpqh8ZQsPu5mjQiRRr0w0h20RhloETWlLINBSPArTQ==</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
        <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
        <saml:Subject>
            <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
            <saml:AudienceRestriction>
                <saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">users</saml:AttributeValue>
                <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

I get the error below:

ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException
  HResult=0x80131500
  Message=Signature is invalid.
  Source=ITfoxtec.Identity.Saml2
  StackTrace:
   at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult)
   at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response)

Error on SAML response. System.ArgumentNullException: Value cannot be null. Parameter name: certificate

Stacktrace is the following:

Parameter name: certificate
System.ArgumentNullException: Value cannot be null.
Parameter name: certificate
   at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPublicKey(X509Certificate2 certificate)
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse..ctor(Saml2Configuration config)

Looks like a bug in following code:

if (config.DecryptionCertificate.GetRSAPublicKey() == null)

This should be config.EncryptionCertificate.GetRSAPublicKey().
Correct me if I'm wrong.

Issue was found during integration with ADFS SSO.

Support AccessDeniedPath

When using Claims-based authorization you will get redirected to /Account/AccessDenied

Checking the source code, it seems quite trivial to add:
In src/ITfoxtec.Identity.Saml2.MvcCore/Configuration/Saml2ServiceCollectionExtensions.cs just add another parameter to AddSaml2 and o.AccessDeniedPath = "/Login/Denied"; to the AddCookie scheme.

If it is this simple, I can add a pull request with this change.

Documentation

Hi.

How can I run the sample projects, and what are the basic steps to use your library?

Thanks.

xsd mismatch for IdPSsoDescriptor

Hi,
Metadata for IdP generated does not validate against XSD schema.

I have found that the IEnumerable returned by GetXContent returns the sequence for the XML document in the wrong order (as far as I know). It returned SingleSignOnServices, SingleLogoutServices and NameIDFormats, but the correct sequence should be SingleLogoutServices, NameIDFormats, SingleSignOnServices.

I found this while validating against https://www.samltool.com/validate_xml.php; if I change the order in the output XML, it validates.

Maybe I am doing something wrong, but neither samltool nor other systems could validate the metadata in the order obtained.

Any clue or workaround without editing your code?

Unable to process Assertion which contains AuthnContextDeclRef

This error occurs when AuthnContextDeclRef is in the response.

Related errors in other projects:
Sustainsys/Saml2#249

Complete stacktrace:

Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenException: IDX13001: A SAML2 assertion that specifies an AuthenticationContext DeclarationReference is not supported.To handle DeclarationReference, extend the Saml2SecurityTokenHandler and override ProcessAuthenticationStatement.
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ProcessAuthenticationStatement(Saml2AuthenticationStatement statement, ClaimsIdentity identity, String issuer)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ProcessStatements(ICollection`1 statements, ClaimsIdentity identity, String issuer)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.CreateClaimsIdentity(Saml2SecurityToken samlToken, String issuer, TokenValidationParameters validationParameters)
   at ITfoxtec.Identity.Saml2.Tokens.Saml2ResponseSecurityTokenHandler.ValidateToken(SecurityToken token, String tokenString, Saml2Response saml2Response)
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.ReadClaimsIdentity(String tokenString)
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.ReadSamlResponse(HttpRequest request, Saml2Response saml2Response)
   at Example.Controllers.AuthController.AssertionConsumerService() in C:\Users\heno\source\repos\Example\Controllers\AuthController.cs:line 65
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location where exception was thrown ---

Where row 65 is binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse); in:

        [Route("AssertionConsumerService")]
        public async Task<IActionResult> AssertionConsumerService()
        {
            var binding = new Saml2PostBinding();
            var saml2AuthnResponse = new Saml2AuthnResponse(config);

            // Line 65: reads the SAMLResponse and the status; the claims are read here too
            binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);
            if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
            {
                throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
            }
            binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);
            await saml2AuthnResponse.CreateSession(HttpContext, claimsTransform: (claimsPrincipal) => ClaimsTransform.Transform(claimsPrincipal));

            var relayStateQuery = binding.GetRelayStateQuery();
            var returnUrl = relayStateQuery.ContainsKey(relayStateReturnUrl) ? relayStateQuery[relayStateReturnUrl] : Url.Content("~/");
            return Redirect(returnUrl);
        }

For simplicity the project is this repo and the error:
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCoreFramework/Controllers/AuthController.cs

Support multiple IDPs

Would it be possible to support using multiple IDPs with this plugin? I am unable to find any documentation. The use case here is supporting Federations like eduGAIN.

CryptographicException with CNG certificate

After migrating from @huan086's fork with CNG support I get a CryptographicException with a message that roughly translates to English as "Invalid provider type", with a stack like this:

   in System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   in System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   in System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   in System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   in System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   in ITfoxtec.Identity.Saml2.Saml2Binding`1.BindInternal(Saml2Request saml2RequestResponse) in C:\Users\baraboshkin_nd\Documents\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2Binding.cs:line 50
   in ITfoxtec.Identity.Saml2.Saml2RedirectBinding.BindInternal(Saml2Request saml2RequestResponse, String messageName) in C:\Users\baraboshkin_nd\Documents\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2RedirectBinding.cs:line 25
   in ITfoxtec.Identity.Saml2.Saml2Binding`1.Bind(Saml2Request saml2Request) in  C:\Users\baraboshkin_nd\Documents\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2Binding.cs:line 32

Does this mean it is really somehow related to CNG? If so, do you plan to add support for CNG?

Idp on .net classic

Hi. The documentation says that .net classic 4.6.2+ and dotnet core are supported, but in the examples the Identity Provider is always on .net core.
Are there no limitations on implementing an IdP on .net classic?

[Question] Identity Server

Hi,
Just a general question: has someone implemented this library, or has an example, with Identity Server 3 or with OWIN middleware?

Thanks

Send Signed AuthnRequest

Hi, I'm trying to connect to a client IdP and I need to send a signed AuthnRequest (with ds:Signature elements) including the cert value so I can successfully log in to the IdP with my SP.

I am using a Service Fabric Application (hosted in Azure) with .net Core.

I couldn't find anything on how to create these elements with this solution.

Thanks in advance.

Add ability to add custom TokenReplayValidator or TokenReplayCache

@Revsgaard

I reviewed the code in Saml2ResponseSecurityTokenHandler.cs. Although there is a DetectReplayedTokens config setting that gets into the TokenValidationParameters, the default behavior for token replay validation is to bypass the validation if there are no validators and no token replay cache is set.

However, there is no way the code lets you set those values; they are not exposed anywhere.

if (TokenValidationParameters.ValidateTokenReplay)
{
    ValidateTokenReplay(saml2SecurityToken.Assertion.Conditions.NotBefore, tokenString, TokenValidationParameters);
}

There is no way I could set the Replay cache or validator in the TokenValidationParameters as it is not exposed anywhere. So, the DetectReplayedTokens setting is of not much help.

Does this method in SAML2Request.cs need an update?

public static Saml2IdentityConfiguration GetIdentityConfiguration(Saml2Configuration config)

Thanks for your work on the library and any insight into this issue.
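As an added example (not library code and not the poster's), this is the kind of replay cache the post above is asking to plug in: an implementation of Microsoft.IdentityModel.Tokens.ITokenReplayCache that records a digest of each accepted assertion until its expiry, so a second presentation of the same assertion is refused. The clock injection and the sample token string are constructed for the demonstration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example, not library code: an in-process replay cache that plugs into
// TokenValidationParameters.TokenReplayCache. The token handler calls
// TryFind/TryAdd with the token string and the assertion's expiry; an entry only
// needs to live until that expiry, because an expired assertion is rejected by
// the lifetime check anyway.
public sealed class InMemoryTokenReplayCache : ITokenReplayCache
{
    private readonly ConcurrentDictionary<string, DateTime> _seen =
        new ConcurrentDictionary<string, DateTime>();
    private readonly Func<DateTime> _utcNow;

    // utcNow is injectable so expiry can be exercised without sleeping.
    public InMemoryTokenReplayCache(Func<DateTime> utcNow = null)
    {
        _utcNow = utcNow ?? (() => DateTime.UtcNow);
    }

    // False means "already seen and not yet expired", which makes the handler
    // throw SecurityTokenReplayDetectedException.
    public bool TryAdd(string securityToken, DateTime expiresOn)
    {
        Purge();
        return _seen.TryAdd(Key(securityToken), expiresOn.ToUniversalTime());
    }

    public bool TryFind(string securityToken)
    {
        Purge();
        return _seen.ContainsKey(Key(securityToken));
    }

    // Store a digest rather than the whole assertion so the cache holds nothing
    // sensitive and memory per entry stays constant.
    private static string Key(string securityToken)
    {
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(securityToken)));
        }
    }

    private void Purge()
    {
        var now = _utcNow();
        foreach (var key in _seen.Where(kv => kv.Value <= now).Select(kv => kv.Key).ToList())
        {
            _seen.TryRemove(key, out _);
        }
    }

    // Demonstration with a constructed token string and a fake clock.
    public static void Main()
    {
        var clock = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        var cache = new InMemoryTokenReplayCache(() => clock);
        var notOnOrAfter = clock.AddMinutes(5);
        const string token = "<saml:Assertion ID=\"_constructed\">...</saml:Assertion>";

        Console.WriteLine(cache.TryAdd(token, notOnOrAfter)); // True: first presentation
        Console.WriteLine(cache.TryFind(token));              // True: a replay would be caught
        Console.WriteLine(cache.TryAdd(token, notOnOrAfter)); // False: duplicate refused

        clock = notOnOrAfter.AddSeconds(1);                   // past expiry, entry is purged
        Console.WriteLine(cache.TryFind(token));              // False

        // This is where the cache is wired in; the post above notes the library
        // does not currently expose these two parameters.
        var parameters = new TokenValidationParameters
        {
            ValidateTokenReplay = true,
            TokenReplayCache = cache
        };
        Console.WriteLine(parameters.TokenReplayCache != null);
    }
}
```

On a multi-node deployment the store has to be shared between nodes; the same two-method interface can wrap a database table or a distributed cache instead of the dictionary.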

AssertionConsumerServiceUrl is always null

Hi

When we read AssertionConsumerServiceUrl in Saml2AuthnRequest, it is read from an XML element:

AssertionConsumerServiceUrl = XmlDocument.DocumentElement[Saml2Constants.Message.AssertionConsumerServiceURL, Saml2Constants.AssertionNamespace.OriginalString].GetValueOrNull<Uri>();

As a result, AssertionConsumerServiceUrl is always null, because AssertionConsumerServiceUrl is an attribute in AuthnRequest.

Thanks,
Eugene

Certificate Store Find issue

When a thumbnail find is done on the certificate store it errors out with an "Invalid find value" error;
certificate.GetCertHash() needs to be replaced with certificate.GetCertHashString().

File : Saml2CertificateValidator.cs
Method: ValidatePeerTrust

SAML SSO with JWT token authentication.

I am actually seeking some guidance here, so I would appreciate it if you could give me some points to follow. I am using Web APIs and so using JWT tokens.

Now I want to support SAML SSO (IdP- or SP-initiated). I am confused about the authentication flow. What I feel will work is below:

  1. Keep a dedicated endpoint for SSO (ex: www.domain.com/ssologin)
  2. If IdP-initiated, check for a SAMLResponse in the incoming payload to the above URL. In this case use your library to do the SAML verification and, if all is OK, generate a JWT token and push it to the client (ex: Angular app)?
  3. If SP-initiated, I will redirect the user to the IdP with a SAML request and get the response back to us, do the validation, create a JWT token and push it to the client.

Am I thinking right about the flow?

could not install into a core web project

Using VS 2017 I created a simple .net core website using the template, but I can't seem to install this.

PM> Install-Package ITfoxtec.Identity.Saml2.MvcCore
Restoring packages for Y:\code\CoreWeb\CoreWeb\CoreWeb\CoreWeb.csproj...
  GET https://api.nuget.org/v3-flatcontainer/itfoxtec.identity.saml2.mvccore/index.json
  OK https://api.nuget.org/v3-flatcontainer/itfoxtec.identity.saml2.mvccore/index.json 446ms
  GET https://api.nuget.org/v3-flatcontainer/itfoxtec.identity.saml2.mvccore/1.1.1/itfoxtec.identity.saml2.mvccore.1.1.1.nupkg
  OK https://api.nuget.org/v3-flatcontainer/itfoxtec.identity.saml2.mvccore/1.1.1/itfoxtec.identity.saml2.mvccore.1.1.1.nupkg 179ms
Installing ITfoxtec.Identity.Saml2.MvcCore 1.1.1.
Install-Package : Package ITfoxtec.Identity.Saml2.MvcCore 1.1.1 is not compatible with netcoreapp1.1 (.NETCoreApp,Version=v1.1). Package ITfoxtec.Identity.Saml2.MvcCore 1.1.1 supports: net45 (.NETFramework,Version=v4.5)
At line:1 char:1
+ Install-Package ITfoxtec.Identity.Saml2.MvcCore
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-Package], Exception
    + FullyQualifiedErrorId : NuGetCmdletUnhandledException,NuGet.PackageManagement.PowerShellCmdlets.InstallPackageCommand
 
Install-Package : One or more packages are incompatible with .NETCoreApp,Version=v1.1.
At line:1 char:1
+ Install-Package ITfoxtec.Identity.Saml2.MvcCore
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-Package], Exception
    + FullyQualifiedErrorId : NuGetCmdletUnhandledException,NuGet.PackageManagement.PowerShellCmdlets.InstallPackageCommand
 
Install-Package : Package restore failed. Rolling back package changes for 'CoreWeb'.
At line:1 char:1
+ Install-Package ITfoxtec.Identity.Saml2.MvcCore
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-Package], Exception
    + FullyQualifiedErrorId : NuGetCmdletUnhandledException,NuGet.PackageManagement.PowerShellCmdlets.InstallPackageCommand
 

ADFS Authentication using SAML issue.

Saml Response issue in AssertionConsumerService Method

Hello All,

I have implemented SAML authentication with ADFS.

It redirects to ADFS and after login it calls the AssertionConsumerService,
but in AssertionConsumerService it gives the error:
There is not exactly one Assertion element.

Below is my saml response:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_fdf3be69-187c-4906-ba6f-4e2cd8f0cac6" Version="2.0" IssueInstant="2017-11-01T10:34:25.3123813Z" Destination="https://fs.timesgroup.com/adfs/ls/"><saml2:Issuer>https://azeatoiwebapp1s.azurewebsites.net</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></saml2p:Status></saml2p:Response>

Also, please suggest the steps for ADFS configuration and the default SP XML to load into ADFS.
Please help me.

Thanks & Regards

Saml2SignedXml.CheckSignature()

Hello

I have tried your nuget package of ITfoxtec.Identity.Saml2 and ITfoxtec.Identity.Saml2.Mvc and I found an issue.

Your CheckSignature function in ITfoxtec.Identity.Saml2.Cryptography.Saml2SignedXml always returns false.

If I use SignedXml directly it returns true.

I found that the first 2 lines in the function are causing the error:

SignedInfo.CanonicalizationMethod = XmlDsigExcC14NTransformUrl;
SignedInfo.SignatureMethod = Saml2Signer.SignatureAlgorithm;

The values before and after the equals sign are the same, so the lines don't change anything, but the "change" does something to the SignedXml object that makes the function return false.

If I comment those two lines out, the function returns true.

I want to use your NuGet package instead of a local copy.

I hope you can help to resolve this issue 👍

Best regards

Signature is invalid

Hi!

I tried to validate the SAML Response and an exception was thrown:

Message = Signature is invalid.
StackTrace =  at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature() in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 226
   at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 198
   at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Response.cs:line 53
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2AuthnResponse.cs:line 210
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 107
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 102
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2Binding.cs:line 73
   at Sso.Web.Controllers.Mvc.Saml2Controller.<Consume>d__9.MoveNext() in C:\Projects\backend\Sso.Web\Controllers\Mvc\Saml2Controller.cs:line 164

Code:

var saml2Configuration = new Saml2Configuration
{
    CertificateValidationMode = X509CertificateValidationMode.None,
    SignatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    Issuer = new Uri("https://lastpass.com/saml/idp"),
    SingleSignOnDestination = new Uri("https://lastpass.com/saml/login/8891192/be56"),
};

// AllowedAudienceUris holds Uri values; construct one with new and add it
saml2Configuration.AllowedAudienceUris.Add(new Uri("https://dev.findo.io"));
byte[] signatureValidationCertificateBytes = Convert.FromBase64String("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");
saml2Configuration.SignatureValidationCertificates.Add(new X509Certificate2(signatureValidationCertificateBytes));

var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse(saml2Configuration);
binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);

SAMLResponse:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxf493e196-9116-6fdf-6614-bd333472c7a9" Version="2.0" IssueInstant="2017-05-17T14:30:55Z" Destination="https://e2757cbf.ngrok.io/Saml2/Consume" InResponseTo="_1bc85983-ea42-4515-80ba-9de5840118b6"><saml:Issuer>https://lastpass.com/saml/idp</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfxf493e196-9116-6fdf-6614-bd333472c7a9"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>2etoiDNiSOd9Erc/9aWFJBJMoQo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>qeNNr9552KmAR4YqLVYUpbnp/L0gldfLZ3oRvxlZCVqRVuTwYfPXG72yJVLtDT/fSxvmyPiqhc0pIXb0IAILuOGRkz1PmGGt2EX/lBhMOj53Zcwy7BCooh8o+l3dliHkifJSyp1bXS1GIGqs3fOsnmcLwlDL+6sNXlQ02Vu9yzmQjeBvZ73cA/ltpIIM7Ww2mLddMBhadlw7SypYvxQKsD9Uyu9olJfpPbxOyPLnvO+FkV9lhjA8nwrqmfGTfc2G9radSN10WqfP+z5AIrOVrjlxi2POjRvXzAEcFJhXjS0cM36VszMyJRDCzF0RimS6YnGDjrXUtODzAANEgPZb1A==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDZTCCAk2gAwIBAgIJANsL5+qkMHjmMA0GCSqGSIb3DQEBCwUAMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEPMA0GA1UEBwwGVmllbm5hMRUwEwYDVQQDDAxMYXN0UGFzcy5jb20wIBcNMTcwNTE1MTIxNTU4WhgPMzAxNjA5MTUxMjE1NThaMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEPMA0GA1UEBwwGVmllbm5hMRUwEwYDVQQDDAxMYXN0UGFzcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6jXMqw9iLGBSX0DhKlPO8qx3srgAEiOw4PMOxMGNJUBOsRnvYp95Zf+YW7Qlq/1gBn1co+zBayMV9kpvPomUeOvatKzsC9A7R4Q1V1MSG4uBcaWmTjYo24bCrHAeX/A38m5bceDmYmlqNpt5Pmg5A4Dce6q9oL942H5kZYsV2o2PF9DmgENTabsL3r7NuFfcsrQXGPnKUk9Z4xFLU8FsFH13M9Lh3SMMu8c8p9IbfCcCUQekj537fPpFki/1rSBlTtfNNLrE3om/EcRDMzdPYnkaDsnFeNoXjLwjJZ06SQixTkArG/SL8ePmBId1Zi9ekgRJhogKftlsI8z7xbrY/AgMBAAGjUDBOMB0GA1UdDgQWBBSP1nSgrO/+ysfTPtaXE9yifbDXoTAfBgNVHSMEGDAWgBSP1nSgrO/+ysfTPtaXE9yifbDXoTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQASfx3UbkinTplQC76Y3aUalRWJF+XzbZ188GRcZDtAF4E5XGkkfgXqtu8/49HLksMtPWatIMBxumD9D4JI4K68wFsafYQe1ZPT/eX6uxZL0K+exjzqP9BNVRlGeLvkEtIcjAzuTtMerNPYmIuFpZZzfS+nPAYZli9EFQDmSU3iW3aWKmQ+mEaikGj3EwuS3nxskaNdziMJ4LQAApqFW8cOHBfOV7hSC6MvWlgDOhfznUcYaqtDI4CnD3pyXb6zZfqjnqK+jO+r84H5PmopMUGM34jY7KUPkpvtZH0HRZr2niBysOpBVuflpUCFWYl1VJLTlHUUG66nGQq3hlW+BB+q</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx04c0650a-3b8e-2a0a-7754-a817b88568e0" Version="2.0" IssueInstant="2017-05-17T14:30:55Z"><saml:Issuer>https://lastpass.com/saml/idp</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx04c0650a-3b8e-2a0a-7754-a817b88568e0"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>gcdhF8iRb+OUCtnlQX/prUS46NY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>DjK1Tc5tm5/kU03+X2eDRQxRjkX4BWOIbeYaqq2CJoJL6xav1U4xUmj2FgLAxmO08cuwNizo9iahtPGgkyRKASsaLHYU52QOdBO+WMi/lVZiObkIeMBzbnPz+JaTSd76rUxy/jZCNcHhAIwm8v7o5cLhGHxYB8wwL6XiGllEBhVVZZNNO4zpYHYtTqQVgTBrKW+cA6v+6zhXREvCSy67lGYcWvfd0aJyJX9kSK0+oZuV/k+CtZZfxojOf8FVQF8XRZuX6AgyvvUr7Us2rJDSbH7W8ZJGTAJpHjJEMfia8cGL393BhAK6BqvQqJL293Ws5+fNo0ERHr4wqtlwFS/Lfw==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="https://dev.findo.io" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">victork@findo.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2017-05-17T14:35:55Z" Recipient="https://e2757cbf.ngrok.io/Saml2/Consume" InResponseTo="_1bc85983-ea42-4515-80ba-9de5840118b6"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2017-05-17T14:30:25Z" NotOnOrAfter="2017-05-17T14:35:55Z"><saml:AudienceRestriction><saml:Audience>https://dev.findo.io</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2017-05-17T14:28:54Z" SessionNotOnOrAfter="2017-05-17T22:30:55Z" SessionIndex="_ad7510cc7dd44a3c2b9e89a9e1c3e8a22db99af941"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">victork@findo.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

IdP EntityId: https://lastpass.com/saml/idp
SP EntityId: https://dev.findo.io
SP Consume Service Endpoint: https://e2757cbf.ngrok.io/Saml2/Consume

IdP X.509 certificate:


Thanks in advance!
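Both the Saml2SignedXml.CheckSignature() post and the "Signature is invalid" post above come down to how an enveloped XML signature is checked. The following is an added example, not the library's code and not either poster's: it verifies the signature on a Response or Assertion element with .NET's SignedXml against the IdP certificate(s) from configuration, ignoring the KeyInfo carried in the message. It assumes the trusted certificates have been loaded from IdP metadata.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not the library's code: verify the enveloped signature of a
// SAML Response or Assertion element against pinned IdP certificate(s).
public static class SamlSignatureCheck
{
    private const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    private const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // PreserveWhitespace must be set before parsing, otherwise the canonicalised
    // bytes differ from what the IdP signed and every check fails.
    // XmlResolver = null stops DTD/external entity resolution on untrusted input.
    public static XmlDocument Parse(string xml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(xml);
        return doc;
    }

    // element: <samlp:Response> or <saml:Assertion>. trusted: pinned IdP signing certs.
    public static bool VerifyEnvelopedSignature(XmlElement element, params X509Certificate2[] trusted)
    {
        if (element == null || trusted == null || trusted.Length == 0) return false;

        // Use only a <ds:Signature> that is a direct child of this element, so the
        // signature on a nested Assertion is not taken as the Response's signature.
        XmlElement signatureElement = null;
        foreach (XmlNode child in element.ChildNodes)
        {
            if (child is XmlElement e && e.LocalName == "Signature" && e.NamespaceURI == DsNs)
            {
                if (signatureElement != null) return false;   // two signatures: reject
                signatureElement = e;
            }
        }
        if (signatureElement == null) return false;

        var signedXml = new SignedXml(element);
        signedXml.LoadXml(signatureElement);

        // Exactly one Reference, and it must point at this element's own ID;
        // otherwise the signature could cover some other node in the document.
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        var id = element.GetAttribute("ID");
        if (string.IsNullOrEmpty(id) || reference.Uri != "#" + id) return false;

        // verifySignatureOnly: chain building is skipped because trust was
        // decided by pinning, not by whatever chain the message carries.
        foreach (var cert in trusted)
        {
            if (signedXml.CheckSignature(cert, verifySignatureOnly: true)) return true;
        }
        return false;
    }

    // A present signature must verify; at least one of Response/Assertion must be signed.
    public static bool VerifyResponseAndAssertion(XmlDocument doc, params X509Certificate2[] trusted)
    {
        var response = doc.DocumentElement;
        bool responseSigned = response["Signature", DsNs] != null;
        if (responseSigned && !VerifyEnvelopedSignature(response, trusted)) return false;

        var assertions = response.GetElementsByTagName("Assertion", SamlNs);
        if (assertions.Count != 1) return false;          // same rule as "not exactly one Assertion"
        var assertion = (XmlElement)assertions[0];
        bool assertionSigned = assertion["Signature", DsNs] != null;
        if (assertionSigned && !VerifyEnvelopedSignature(assertion, trusted)) return false;

        return responseSigned || assertionSigned;
    }
}
```

Usage: `SamlSignatureCheck.VerifyResponseAndAssertion(SamlSignatureCheck.Parse(samlResponseXml), idpCert)`; note that the check loads the signature element as found and does not reassign SignedInfo properties afterwards.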

Support for Artifact Bindings

The library seems great, but we would need support for Artifact Bindings in addition to Redirect.
We would be open to providing a PR for it, but I would like a few more details before starting work on it.

We only need the "Resolve an Artifact" part of the binding (i.e., we receive a SAML Artifact and need to contact the other side in order to get its content).

Is it something you would be open to add to the library?
What scope would be acceptable for you? Is resolving only OK or would you insist on supporting creation as well?

Resolving an artifact should be easy enough to do. It's just a POST binding with an additional step.
Once coded, integrating it to the various IdP/SP handlers shouldn't be too hard either.

Creating an artifact might be more complex and would require some form of transient storage/repository.
I was thinking a simple Repository interface (Store(Key,Artifact)/FetchAndRemove(Key)) along with a simple In-Memory storage would cover the most simple cases easily (single webserver). Allowing the user to specify their own implementation of the Repository would make it easy to adapt to any complex setup (load-balancing, farm, cloud, etc.) without assuming the user's infra.

As mentioned, if the feature is interesting to you and we can agree on a scope and direction we are open to working toward a PR.

AllowCreate in NameIdPolicy is not correctly nullable

Heya!

File ITfoxtec.Identity.Saml2/src/ITfoxtec.Identity.Saml2/Util/GenericTypeConverter.cs contains this piece of code when converting the 'NameIdPolicy'-Xml-element:

return GenericConvertValue<T, NameIdPolicy>(new NameIdPolicy
{
    AllowCreate = GenericConvertValue<bool, string>(xmlNode.Attributes[Schemas.Saml2Constants.Message.AllowCreate]?.Value),
    Format = xmlNode.Attributes[Schemas.Saml2Constants.Message.Format]?.Value,
    SPNameQualifier = xmlNode.Attributes[Schemas.Saml2Constants.Message.SpNameQualifier]?.Value
});

We find that when a SAML-request contains the element 'NameIdPolicy' (triggering above code) but not 'AllowCreate', a type-cast exception is thrown:

System.InvalidCastException: Null object cannot be converted to a value type.
   at System.Convert.ChangeType(Object value, Type conversionType, IFormatProvider provider)
   at ITfoxtec.Identity.Saml2.Util.GenericTypeConverter.GenericConvertValue[T,U](U value)
   at ITfoxtec.Identity.Saml2.Util.GenericTypeConverter.ConvertElement[T](XmlNode xmlNode)
   at ITfoxtec.Identity.Saml2.XmlElementExtensions.GetElementOrNull[T](XmlElement xmlElement)
   at ITfoxtec.Identity.Saml2.Saml2AuthnRequest.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2RedirectBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2RedirectBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Request saml2Request)

We suspect AllowCreate = GenericConvertValue<bool, string> breaks if the bool is null.

Cheers.
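As an added example (not the library's code), here is a reader for NameIDPolicy that treats a missing AllowCreate as null instead of handing null to Convert.ChangeType. It also accepts "1"/"0", which xs:boolean allows and Convert.ChangeType does not. The NameIdPolicy class and the sample AuthnRequest are constructed for the illustration.

```csharp
using System;
using System.Xml;

// Added example, not the library's code: read the optional AllowCreate attribute
// of NameIDPolicy into a bool? without the InvalidCastException seen above.
public sealed class NameIdPolicy
{
    public bool? AllowCreate { get; set; }   // null when the attribute is absent
    public string Format { get; set; }
    public string SPNameQualifier { get; set; }
}

public static class NameIdPolicyReader
{
    // xs:boolean accepts "true", "false", "1" and "0"; XmlConvert handles all four,
    // whereas Convert.ChangeType would throw FormatException on "1" and "0".
    public static bool? ReadOptionalBoolean(XmlElement element, string attributeName)
    {
        var raw = element.GetAttributeNode(attributeName)?.Value;
        if (string.IsNullOrWhiteSpace(raw)) return null;   // absent: a legal request, not an error
        try
        {
            return XmlConvert.ToBoolean(raw.Trim());
        }
        catch (FormatException ex)
        {
            // Present but malformed is a protocol error and should fail the request.
            throw new XmlException($"Attribute '{attributeName}' is not an xs:boolean: '{raw}'", ex);
        }
    }

    public static NameIdPolicy Read(XmlElement nameIdPolicyElement)
    {
        if (nameIdPolicyElement == null) return null;      // NameIDPolicy itself is optional
        return new NameIdPolicy
        {
            AllowCreate = ReadOptionalBoolean(nameIdPolicyElement, "AllowCreate"),
            Format = nameIdPolicyElement.GetAttributeNode("Format")?.Value,
            SPNameQualifier = nameIdPolicyElement.GetAttributeNode("SPNameQualifier")?.Value
        };
    }

    // Constructed sample: a NameIDPolicy without AllowCreate, then one with AllowCreate="1".
    public static void Main()
    {
        const string ns = "urn:oasis:names:tc:SAML:2.0:protocol";
        var doc = new XmlDocument { XmlResolver = null };
        doc.LoadXml(
            "<samlp:AuthnRequest xmlns:samlp=\"" + ns + "\" ID=\"_req1\" Version=\"2.0\">" +
            "<samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\"/>" +
            "</samlp:AuthnRequest>");
        var policy = Read(doc.DocumentElement["NameIDPolicy", ns]);
        Console.WriteLine(policy.AllowCreate.HasValue);    // False: absent, no exception thrown

        doc.DocumentElement["NameIDPolicy", ns].SetAttribute("AllowCreate", "1");
        policy = Read(doc.DocumentElement["NameIDPolicy", ns]);
        Console.WriteLine(policy.AllowCreate);             // True
    }
}
```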
