Closed akiander closed 9 years ago
Is the SAML provider round tripping the state from Katana (and SAML uses the relay state param I think)?
I was just doing this yesterday with Okta as a test and it seemed to be working. Perhaps use this as a test to ensure Kentor is working: https://github.com/KentorIT/authservices/blob/master/doc/IdentityServer3Okta.md
Thanks - I'm trying this now and will report back.
Okay, I set up Okta and the SAML authentication is working perfectly. As a test, that suggests that the Kentor component is working fine.
Now I have to figure out why the original SAML provider gives me the "no signin id passed" error.
I downloaded the Kentor source code, ran it through a debugger and can see that I'm getting a valid Identity back as a result of the authentication, although I do see that this property is empty:
Kentor.AuthServices.WebSso.CommandResult.RelayData
In the Okta example, that contains the signinid... but in my example, it's missing.
How do I fix that?
That has to be fixed by the SAML IdP.
We want to fix it but we're not sure how the RelayState is passed back and forth. I've been studying the HTTP traffic in Fiddler and I don't see any RelayState in either case... both in the Okta case where we are successful and in the original SAML endpoint that is failing.
Can you tell me how this is typically passed because I don't see it in the Form Post or anywhere in the URL, headers or content.
Never mind... I'm digging into the Kentor component and discovered that it keeps a collection of PendingAuthnRequests and it appears to depend on the InResponseTo attribute being present on the authentication response so it can look up the signinid and related data. Of course, if that attribute is missing, then we get this error.
As I'm discovering, this entire Issue probably belongs on the Kentor plug-in github repo and not here.
Thanks for the update. Keep us posted.
Once the IdP was updated so that each response contains the InResponseTo attribute (which points to the ID of the authorization request), then everything works perfectly. Case closed.
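The correlation step described two comments up (the SP keeps a list of pending AuthnRequests and uses the response's InResponseTo to find the signin id) and the fix above (the IdP now sets InResponseTo) can be shown end to end. The following is an added example, not code from this thread, from IdentityServer3 or from Kentor AuthServices; the pending-request store and the two SAML responses are constructed here, and the function names are hypothetical. It reproduces the failure mode from the logs: a response with no InResponseTo cannot be matched to any pending request, so no relay data (signin id) is recovered.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed stand-in for the SP's store of outstanding AuthnRequests, keyed by
# the ID the SP put on each AuthnRequest it sent. The value is the relay data the
# SP needs back when the response arrives (here, IdentityServer's signin id).
# This is a hypothetical shape, not Kentor's real PendingAuthnRequests type.
PENDING_AUTHN_REQUESTS: Dict[str, Dict[str, str]] = {
    "_a1b2c3d4": {"idp": "https://idp.example.test/sso", "signinid": "signin-42"},
}

# Constructed samlp:Response envelopes (assertion omitted; only the attribute
# relevant to correlation matters here).
RESPONSE_WITH_IRT = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
    'IssueInstant="2015-10-21T11:53:53Z" InResponseTo="_a1b2c3d4" '
    'Destination="https://sp.example.test/AuthServices/Acs"/>'
)
RESPONSE_WITHOUT_IRT = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0" '
    'IssueInstant="2015-10-21T11:53:53Z" '
    'Destination="https://sp.example.test/AuthServices/Acs"/>'
)


def in_response_to(saml_response_xml: str) -> Optional[str]:
    """Return the InResponseTo attribute of a samlp:Response, or None if absent."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("expected a samlp:Response element")
    return root.get("InResponseTo")


def correlate(saml_response_xml: str,
              pending: Dict[str, Dict[str, str]]) -> Tuple[str, Optional[Dict[str, str]]]:
    """Match a response to the pending AuthnRequest that triggered it.

    Returns (status, relay_data) where status is one of:
      'ok'          InResponseTo matched a pending request; relay data recovered
                    and the entry consumed so the response cannot be matched twice
      'unsolicited' no InResponseTo at all: either IdP-initiated SSO or, as in
                    this thread, an IdP that omits the attribute; no relay data
      'unknown'     InResponseTo present but not pending: expired, already used,
                    or issued for a different request
    """
    rid = in_response_to(saml_response_xml)
    if rid is None:
        return "unsolicited", None
    entry = pending.pop(rid, None)
    if entry is None:
        return "unknown", None
    return "ok", entry


def demo() -> Dict[str, str]:
    """Run both constructed responses against fresh copies of the pending store."""
    results = {}
    results["without_irt"] = correlate(RESPONSE_WITHOUT_IRT, dict(PENDING_AUTHN_REQUESTS))[0]
    store = dict(PENDING_AUTHN_REQUESTS)
    results["with_irt"] = correlate(RESPONSE_WITH_IRT, store)[0]
    # Same response presented again: the pending entry was consumed, so it no longer matches.
    results["replayed"] = correlate(RESPONSE_WITH_IRT, store)[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The 'unsolicited' branch is exactly where an SP logs something like "No signin id passed": nothing in the response points back at the request that carried the signin id, so there is nothing to look up. Consuming the pending entry on a successful match is what stops a captured response from being correlated a second time.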
I am using the latest version of IdentityServer3 (version 2). I have two Identity Providers configured:
The error I get is this one:
Under the covers, I can see that the entire process worked, the Kentor component correctly received an Identity with all of the claims and we are just calling back into Identity Server via a callback URL.
But I see this in the logs:
2015-10-21 11:53:53,316 INFO - Callback invoked from external identity provider
2015-10-21 11:53:53,323 INFO - No signin id passed
I can see there are multiple issues opened that discuss this error and suggest missing cookies but I have confirmed that the cookies are there. Specifically, these:
I don't know where to go to further debug this. Any advice?