paulkeefe
Group: Forum Members
Posts: 16,
Visits: 49
> I suggest checking the network traffic first just in case the issue is at your end.

The issue is that they expect to get the request as a POST with params in the body, but it is being sent as a GET with params in the query string. I don't see any way to change SAMLServiceProvider.InitiateSSO to accommodate this. Is there a setting to send as a POST?
ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K,
Visits: 11K
By default, we send the SAML authn request using the HTTP-Redirect binding (transport) which results in an HTTP Get to the identity provider. There is also the option to send it using the HTTP-Post binding. To do so, specify SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" in your SAML configuration. For example:
Regards ComponentSpace Development
paulkeefe
> By default, we send the SAML authn request using the HTTP-Redirect binding (transport) which results in an HTTP Get to the identity provider. There is also the option to send it using the HTTP-Post binding. To do so, specify SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" in your SAML configuration. For example:

Thanks for the POST config, but I now get a different error. I noted in your example you also have the partner's cert, is that needed? They have my key and I have my cert, but nothing of theirs. Here's the exception I am getting:

[CryptographicException: Cannot find the requested object. ]
   IdpName.Applications.OurName.Portal.Authentication.SAML2IDP.SingleSignonService.ProcessRequest(HttpContext context) +441
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +790
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +195
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +88
ComponentSpace
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.
I suggest emailing us the SAML log file if you need assistance debugging the current issue.
Regards ComponentSpace Development
paulkeefe
> You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider. I suggest emailing us the SAML log file if you need assistance debugging the current issue.

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
paulkeefe
> > You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider. I suggest emailing us the SAML log file if you need assistance debugging the current issue.
>
> Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. Is this normal behavior? Should I send you the log file or does this point to a configuration issue?

Also, the IdP has their certificate exposed in their metadata endpoint like so:

<md:KeyDescriptor>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
      <X509Certificate>base64String</X509Certificate>
    </X509Data>
  </KeyInfo>
</md:KeyDescriptor>

Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?
paulkeefe
> > > You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider. I suggest emailing us the SAML log file if you need assistance debugging the current issue.
> >
> > Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
>
> Also, the IdP has their certificate exposed in their metadata endpoint like so:
>
> <md:KeyDescriptor>
>   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <X509Data>
>       <X509Certificate>base64String</X509Certificate>
>     </X509Data>
>   </KeyInfo>
> </md:KeyDescriptor>
>
> Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?

Hi again! We worked out the first issue, as I thought, they needed my cert not just my key as they had asked. Now I am able to initiate the flow and get an exception that I think might point to my not having a copy of their cert (available from their metadata as stated earlier). I get this in the log file:

Initiation of SSO to the partner identity provider https://globalsignin.cobalttest.net has completed successfully.

But on the web page, I get an exception saying "The partner identity provider xxx is not configured" which they obviously are. Does this point to my not having their cert? Would you like me to send you the log file? Thanks again for all your help!
ComponentSpace
> > You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider. I suggest emailing us the SAML log file if you need assistance debugging the current issue.
>
> Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. Is this normal behavior? Should I send you the log file or does this point to a configuration issue?

An HTML form is returned in the HTTP response to the browser. Some JavaScript automatically submits the form which results in an HTTP Post to the identity provider. This is perfectly normal and how the SAML HTTP-Post binding is supposed to work. The identity provider won't see the HTML form. They'll receive an HTTP Post with the SAML response as post data. If you use the browser developer tools to take a look at the network traffic you'll see what I mean.
Regards ComponentSpace Development
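The following script is an added illustration of the two transports discussed in this reply and in the earlier SingleSignOnServiceBinding answer; it is example code, not ComponentSpace's, and it does not use the ComponentSpace API. It encodes a constructed AuthnRequest the way the HTTP-Redirect binding does (DEFLATE, base64, URL-encode into the query string of a GET) and the way the HTTP-POST binding does (base64 in a hidden SAMLRequest field of a self-submitting HTML form), then decodes both back so you can confirm the identity provider receives the same XML either way. The issuer, destination and request ID are placeholder values.

```python
"""Added example (not ComponentSpace code): how a SAML AuthnRequest travels
under the HTTP-Redirect binding (GET, query string) versus the HTTP-POST
binding (auto-submitted HTML form). The AuthnRequest below is constructed."""
import base64
import html
import re
import zlib
from urllib.parse import parse_qs, urlencode

# Constructed sample AuthnRequest; the issuer and destination are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example/sso">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://sp.example</saml:Issuer></samlp:AuthnRequest>"
)


def encode_redirect(xml: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode. The result is the query string of the GET sent to the IdP.
    A signed request would add SigAlg and Signature query parameters."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query: str) -> str:
    """What the identity provider does with the GET: inflate the parameter."""
    data = parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(data), -15).decode()


def encode_post(xml: str, destination: str) -> str:
    """HTTP-POST binding: plain base64 (no DEFLATE) placed in a hidden form
    field. The browser, not the IdP, sees this page; the onload script
    submits it, producing a POST whose body is SAMLRequest=<base64>."""
    value = base64.b64encode(xml.encode()).decode()
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{html.escape(destination)}">'
        f'<input type="hidden" name="SAMLRequest" value="{html.escape(value)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    )


def decode_post_form(page: str) -> str:
    """Recover the XML from the form field, as the IdP does from the POST body."""
    match = re.search(r'name="SAMLRequest" value="([^"]+)"', page)
    if match is None:
        raise ValueError("no SAMLRequest field in form")
    return base64.b64decode(html.unescape(match.group(1))).decode()


if __name__ == "__main__":
    print("GET  /sso?" + encode_redirect(AUTHN_REQUEST)[:60] + "...")
    print(encode_post(AUTHN_REQUEST, "https://idp.example/sso")[:120] + "...")
```

In the browser developer tools the Redirect binding shows up as a 302 to the IdP with SAMLRequest in the URL, while the POST binding shows up as a 200 page from your SP followed by a POST to the IdP with SAMLRequest in the form body. Since the query string of a GET tends to end up in proxy and server logs, the POST binding also keeps the request out of URL logs, which is one reason many identity providers prefer it.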
ComponentSpace
> > > You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider. I suggest emailing us the SAML log file if you need assistance debugging the current issue.
> >
> > Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
>
> Also, the IdP has their certificate exposed in their metadata endpoint like so:
>
> <md:KeyDescriptor>
>   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <X509Data>
>       <X509Certificate>base64String</X509Certificate>
>     </X509Data>
>   </KeyInfo>
> </md:KeyDescriptor>
>
> Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?

The base-64 encoded X.509 certificate string can be copied to a .CER text file and this file specified as the partner identity provider's certificate.
Regards ComponentSpace Development
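As an added example of the step just described (copying the base-64 string from the metadata into a .CER text file), the script below pulls every signing certificate out of a SAML metadata document and writes it in PEM format. It is example code, not part of ComponentSpace's product; the metadata document and the certificate bytes in it are constructed placeholders rather than a real certificate, and the output file name is an assumption.

```python
"""Added example (not ComponentSpace code): extract the X509Certificate
element(s) from identity provider metadata and write a PEM-format .cer file.
The metadata and certificate bytes below are constructed placeholders."""
import base64
import hashlib
import ssl
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for DER certificate bytes; real metadata carries a real
# certificate here. base64 wraps across lines, as metadata files often do.
FAKE_DER = bytes(range(256)) * 3
FAKE_B64 = "\n          ".join(textwrap.wrap(base64.b64encode(FAKE_DER).decode(), 76))

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://idp.example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data>
        <X509Certificate>
          {FAKE_B64}
        </X509Certificate>
      </X509Data></KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_signing_certs(metadata_xml: str) -> list:
    """Return the DER bytes of each KeyDescriptor certificate that may be used
    to verify signatures: use="signing" or no use attribute at all."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys cannot verify the IdP's signature
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # drop all whitespace
            certs.append(base64.b64decode(b64, validate=True))
    return certs


def to_pem(der: bytes) -> str:
    """PEM text as expected in a .cer file: 64-character base64 lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_roundtrip_ok(der: bytes) -> bool:
    """Check the file we would write parses back to the same DER bytes."""
    return ssl.PEM_cert_to_DER_cert(to_pem(der)) == der


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, for confirming the certificate with the IdP
    out-of-band before trusting it."""
    return hashlib.sha256(der).hexdigest()


def write_cer(der: bytes, path: str) -> None:
    with open(path, "w", encoding="ascii") as f:
        f.write(to_pem(der))


if __name__ == "__main__":
    certs = extract_signing_certs(SAMPLE_METADATA)
    for i, der in enumerate(certs):
        print(f"cert {i}: sha256 {fingerprint(der)}")
        write_cer(der, f"idp-{i}.cer")  # assumed output file name
```

Fetch the metadata over HTTPS and compare the fingerprint with the identity provider before pointing the configuration at the file: the certificate in the metadata is what decides whose SAML responses your service provider will accept, so it deserves the same care as any other trust anchor.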
ComponentSpace
> > > > You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider. I suggest emailing us the SAML log file if you need assistance debugging the current issue.
> > >
> > > Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user. Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
> >
> > Also, the IdP has their certificate exposed in their metadata endpoint like so:
> >
> > <md:KeyDescriptor>
> >   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> >     <X509Data>
> >       <X509Certificate>base64String</X509Certificate>
> >     </X509Data>
> >   </KeyInfo>
> > </md:KeyDescriptor>
> >
> > Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?
>
> Hi again! We worked out the first issue, as I thought, they needed my cert not just my key as they had asked. Now I am able to initiate the flow and get an exception that I think might point to my not having a copy of their cert (available from their metadata as stated earlier). I get this in the log file:
>
> Initiation of SSO to the partner identity provider https://globalsignin.cobalttest.net has completed successfully.
>
> But on the web page, I get an exception saying "The partner identity provider xxx is not configured" which they obviously are. Does this point to my not having their cert? Would you like me to send you the log file? Thanks again for all your help!

That sounds like a configuration issue rather than a certificate issue. You should have a <PartnerIdentityProvider> entry with a Name of "xxx". You're welcome to send the SAML log file as an email attachment to [email protected] if you'd like us to take a look.
Regards ComponentSpace Development