ComponentSpace Forums

Trying to debug a SAML SSO request

Idayn
New Member (6 reputation)

Group: Forum Members
Posts: 4, Visits: 13
I have a Service Provider set up to work with our corporate IdP. I had SSO working in our testing environment months ago, and now I need to revisit it before release.
Unfortunately, I can't see a SAML request anywhere, neither in SAMLTracer in the browser nor in Wireshark. The logs I get from IIS state that the config and certificates have been loaded correctly, and they also show the message being sent.

04/8: 04.01.2021 10:30:45: Request sent over HTTP POST.
804/8: 04.01.2021 10:30:45: SAML message sent: partner=urn:federation:WISAG-IdP, message=<samlp:AuthnRequest ID="_a4c14638-fbc5-4735-ad9b-bb677f23dd26" Version="2.0" IssueInstant="2021-01-04T09:30:45.387Z" Destination="https://auth.identity.wisag.de/login/remussttstest" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://tts.2comtest.wisag.de/loginsaml/auth.aspx" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://tts.2comtest.wisag.de/loginsaml/</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#_a4c14638-fbc5-4735-ad9b-bb677f23dd26"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>fh/SQBtYWIOdZnH4kvaCfWLvvi7yY8CSMyY/1A0fJzE=</DigestValue></Reference></SignedInfo><SignatureValue>VV4BzicmQWXr2msRfIeyJr3fcvT88hez0sbrBbbAVioucU2gEpYGAod3p/VzaDN6WkjGuTwUYv8P4sgGxivTXumTMA9/PmST5Lf3UM4ZhjfNbwGDkAuX2BOpN0ysqLYXdCrmyY3TbD5vJzoghuBjyYGWrB/tFsNAusjpfwAP7EC0Ec91qoVj4aE+pum3F76yiAQunk4+1hoIFYhabew+mCv+nRFs6b/EHzEhzdAwLiyXVYGcF5rB28bZisNHgCCbf4restz9VD3pNx33v9ICGl2ceEub0e0qqLcn6IwtskrFV9T0bc0Cb/e1nWSXTvPET5lX+0tyyK6evUZErfj7Iw==</SignatureValue><KeyInfo><X509Data><X509Certificate>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</X509Certificate></X509Data></KeyInfo></Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" 
/></samlp:AuthnRequest>, relay state=/login.aspx, destination URL=https://auth.identity.wisag.de/login/remussttstest
804/8: 04.01.2021 10:30:45: Service provider session (7b65a687-1569-444c-bb08-abdee488034c) state:
Pending response state:
Action: ReceiveSamlResponse
Partner name: urn:federation:WISAG-IdP
Relay state:
In response to: _a4c14638-fbc5-4735-ad9b-bb677f23dd26

804/8: 04.01.2021 10:30:45: Initiation of SSO to the partner identity provider urn:federation:WISAG-IdP has completed successfully.

I have confirmed so far that no changes were made on the IdP side of things, and on my side there were also no changes. It seems like the POST just vanishes into thin air.
Is there any way to get more information out of this? I have a feeling that this might be a network issue, but I can't find an error message anywhere.

Current trace config:

<system.diagnostics>
  <trace autoflush="true">
    <listeners>
      <add name="CyclicTextWriter"/>
    </listeners>
  </trace>
  <sources>
    <source name="ComponentSpace.SAML2" switchValue="Verbose">
      <listeners>
        <add name="CyclicTextWriter"/>
      </listeners>
    </source>
  </sources>

  <sharedListeners>
    <!-- Ensure IIS has create/write file permissions for the log folder. -->
    <add
      name="CyclicTextWriter"
      type="ComponentSpace.SAML2.Utility.CyclicTraceListener,ComponentSpace.SAML2"
      initializeData="logs"/>
  </sharedListeners>
</system.diagnostics>

ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Our log indicates a SAML authn request is being sent via the HTTP-Post binding to the IdP. I suggest using the browser developer tools (F12) to capture the network traffic. You should see an HTTP response containing an HTML form with a SAMLRequest form variable being returned to the browser. There'll also be some JavaScript that automatically submits the form to the IdP. The next item in the network trace should be the HTTP Post of the SAMLRequest to the IdP.

If you don't see this, please check your application code to ensure you're not overwriting the HTTP response. If this is the case, the HTTP response you see should give you a clue as to its origin.

If you do see the SAML request and the destination URL looks correct but the request isn't being received at the IdP, this sounds like a network issue.

Regards
ComponentSpace Development
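The reply above describes what the HTTP-POST binding looks like on the wire: an HTML page with a hidden SAMLRequest field (plain base64 of the AuthnRequest XML, not DEFLATE-compressed as in the HTTP-Redirect binding) and a script that submits the form to the IdP. The script below is an added example, not ComponentSpace code: it takes the captured HTML response body, pulls out the SAMLRequest and RelayState fields, decodes the AuthnRequest and checks that the form action, the Destination attribute and the AssertionConsumerServiceURL match what the SP is configured for, which is exactly the "destination URL looks correct" check suggested in the reply. The sample HTML, the example.com URLs and the request ID are constructed for the example; the Signed field only reports whether an XML Signature element is present, it does not validate the signature.

```python
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


class _AutoSubmitFormParser(HTMLParser):
    """Collect the action of the first <form> and all named <input> values."""

    def __init__(self):
        super().__init__()
        self.form_action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.form_action is None:
            self.form_action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_post_binding(html):
    """Return (form action, hidden fields) from a captured HTTP-POST binding page."""
    p = _AutoSubmitFormParser()
    p.feed(html)
    return p.form_action, p.fields


def decode_authn_request(b64):
    """Base64-decode the SAMLRequest value and read the attributes worth checking."""
    root = ET.fromstring(base64.b64decode(b64))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "ID": root.get("ID"),
        "Destination": root.get("Destination"),
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "ProtocolBinding": root.get("ProtocolBinding"),
        "Issuer": issuer.text if issuer is not None else None,
        "Signed": root.find(f"{{{DSIG_NS}}}Signature") is not None,
    }


def check_request(html, expected_destination, expected_acs):
    """Compare the captured request against the SP's expected IdP and ACS URLs."""
    action, fields = extract_post_binding(html)
    if "SAMLRequest" not in fields:
        # The symptom in the thread: the response body is not the auto-submit form at all.
        return {"ok": False, "problems": ["no SAMLRequest field in the response body"], "request": None}
    info = decode_authn_request(fields["SAMLRequest"])
    info["form_action"] = action
    info["RelayState"] = fields.get("RelayState")
    problems = []
    if action != expected_destination:
        problems.append(f"form action {action!r} != expected IdP URL {expected_destination!r}")
    if info["Destination"] != expected_destination:
        problems.append(f"Destination {info['Destination']!r} != expected IdP URL {expected_destination!r}")
    if info["AssertionConsumerServiceURL"] != expected_acs:
        problems.append(f"AssertionConsumerServiceURL {info['AssertionConsumerServiceURL']!r} != expected {expected_acs!r}")
    return {"ok": not problems, "problems": problems, "request": info}


# Constructed sample: a minimal unsigned AuthnRequest wrapped in the auto-submit page
# a library would return to the browser (URLs and ID are placeholders, not real endpoints).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest ID="_constructed-1" Version="2.0" IssueInstant="2021-01-04T09:30:45Z" '
    'Destination="https://idp.example.com/sso" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.com/loginsaml/auth.aspx" '
    f'xmlns:samlp="{SAMLP_NS}">'
    f'<saml:Issuer xmlns:saml="{SAML_NS}">https://sp.example.com/loginsaml/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
SAMPLE_HTML = (
    '<html><body onload="document.forms[0].submit()">'
    '<form method="post" action="https://idp.example.com/sso">'
    f'<input type="hidden" name="SAMLRequest" value="{base64.b64encode(SAMPLE_AUTHN_REQUEST.encode()).decode()}"/>'
    '<input type="hidden" name="RelayState" value="/login.aspx"/>'
    '</form></body></html>'
)

if __name__ == "__main__":
    result = check_request(SAMPLE_HTML, "https://idp.example.com/sso",
                           "https://sp.example.com/loginsaml/auth.aspx")
    print(result)
```

To use it on a real capture, save the response body of the page your application returns after InitiateSSO from the browser's network tab and pass it as html; if the body is your own page or an AJAX partial rather than the form, the "no SAMLRequest field" result points at the application overwriting the response, as the reply suggests.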
Idayn
New Member (6 reputation)

Group: Forum Members
Posts: 4, Visits: 13
ComponentSpace - 1/4/2021
Our log indicates a SAML authn request is being sent via the HTTP-Post binding to the IdP. I suggest using the browser developer tools (F12) to capture the network traffic. You should see an HTTP response containing an HTML form with a SAMLRequest form variable being returned to the browser. There'll also be some JavaScript that automatically submits the form to the IdP. The next item in the network trace should be the HTTP Post of the SAMLRequest to the IdP.

If you don't see this, please check your application code to ensure you're not overwriting the HTTP response. If this is the case, the HTTP response you see should give you a clue as to its origin.

If you do see the SAML request and the destination URL looks correct but the request isn't being received at the IdP, this sounds like a network issue.

I think I found the problem. The button used to be in a different position before, and moving it inside a Telerik RadAjaxPanel caused the problem. I can debug it in the code-behind, and SAMLServiceProvider.InitiateSSO is called without causing any exceptions, but after that nothing happens. In the old position everything works again. This might be caused by a weird JS interaction between Ajax and the SAML form POST, I'm not exactly sure.

ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Thanks for the update. The network trace in the browser might provide more clues.

Regards
ComponentSpace Development