IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

"no signin id passed" error with Kentor.AuthServices plug-in #2051

Closed akiander closed 9 years ago

akiander commented 9 years ago

I am using the latest version of IdentityServer3 (version 2). I have two Identity Providers configured:

  1. WsFederation with ADFS (works fine)
  2. Kentor.AuthServices.Owin plug-in against a SAML endpoint (not working)

The error I get is this one:

There is an error determining which application you are signing into. Return to the application and try again

Under the covers, I can see that the entire process worked, the Kentor component correctly received an Identity with all of the claims and we are just calling back into Identity Server via a callback URL.

But I see this in the logs:

2015-10-21 11:53:53,316 INFO - Callback invoked from external identity provider
2015-10-21 11:53:53,323 INFO - No signin id passed

I can see there are multiple issues opened that discuss this error and suggest missing cookies but I have confirmed that the cookies are there. Specifically, these:

  * idsrv.xsrf
  * idsrv.external
  * SignInMessage.long_number_here

I don't know where to go to further debug this. Any advice?

brockallen commented 9 years ago

Is the SAML provider round tripping the state from Katana (and SAML uses the relay state param I think)?

I was just doing this yesterday with Okta as a test and it seemed to be working. Perhaps use this as a test to ensure Kentor is working: https://github.com/KentorIT/authservices/blob/master/doc/IdentityServer3Okta.md

akiander commented 9 years ago

Thanks - I'm trying this now and will report back.

akiander commented 9 years ago

Okay, I set up Okta and the SAML authentication is working perfectly. As a test, that suggests that the Kentor component is working fine.

Now I have to figure out why the original SAML provider gives me the "no signin id passed" error.

I downloaded the Kentor source code, ran it through a debugger, and can see that I'm getting a valid Identity back as a result of the authentication, although I do see that this property is empty:

Kentor.AuthServices.WebSso.CommandResult.RelayData

In the Okta example, that contains the signinid... but in my example, it's missing.

How do I fix that?

leastprivilege commented 9 years ago

That has to be fixed by the SAML IdP.

akiander commented 9 years ago

We want to fix it but we're not sure how the RelayState is passed back and forth. I've been studying the HTTP traffic in Fiddler and I don't see any RelayState in either case... both in the Okta case where we are successful and in the original SAML endpoint that is failing.

Can you tell me how this is typically passed because I don't see it in the Form Post or anywhere in the URL, headers or content.

akiander commented 9 years ago

Never mind... I'm digging into the Kentor component and discovered that it keeps a collection of PendingAuthnRequests and it appears to depend on the InResponseTo attribute being present on the authentication response so it can look up the signinid and related data. Of course, if that attribute is missing, then we get this error.

As I'm discovering, this entire Issue probably belongs on the Kentor plug-in github repo and not here.

brockallen commented 9 years ago

Thanks for the update. Keep us posted.

akiander commented 9 years ago

Once the IdP was updated so that each response contains the InResponseTo attribute (which points to the ID of the authorization request), then everything works perfectly. Case closed.
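The two comments above describe the mechanism behind the "no signin id passed" error: the service-provider side keeps a collection of pending AuthnRequests keyed by request ID, and when a SAML Response arrives it reads the InResponseTo attribute, looks up the matching pending request and recovers the relay data (the IdentityServer signin id) stored with it. A response with no InResponseTo cannot be correlated, so the signin id is lost. The Python below is an added illustration of that correlation logic, not Kentor's or IdentityServer3's code; the store, the sample Response XML and the identifiers `_req123` / `signinid` are constructed for the example. It also shows two defensive properties a practitioner would want from such a store: a pending entry is consumed on first use (so a replayed Response cannot be correlated twice), and an InResponseTo that matches nothing is rejected rather than treated as a fresh login.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass
class PendingRequest:
    """One outgoing AuthnRequest and the relay data we must recover later."""
    request_id: str
    relay_data: dict = field(default_factory=dict)


class PendingAuthnRequests:
    """In-memory store modelled on the behaviour the thread describes (assumption:
    a dict keyed by AuthnRequest ID; a real SP would persist and expire entries)."""

    def __init__(self):
        self._pending = {}

    def add(self, request_id, relay_data):
        self._pending[request_id] = PendingRequest(request_id, dict(relay_data))

    def take(self, request_id):
        # Single use: pop on lookup so a replayed Response cannot be correlated twice.
        return self._pending.pop(request_id, None)


def extract_in_response_to(response_xml):
    """Return the InResponseTo attribute of a samlp:Response, or None if absent."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response element")
    return root.get("InResponseTo")


def correlate(response_xml, store):
    """Map an incoming Response back to its AuthnRequest and return the relay data.

    Returns (status, relay_data). status is one of:
      "ok"                 - matched a pending request, relay_data recovered
      "no-in-response-to"  - Response carries no InResponseTo (the case in the thread)
      "unknown-request"    - InResponseTo names no pending request (stale or forged)
    """
    in_response_to = extract_in_response_to(response_xml)
    if not in_response_to:
        return "no-in-response-to", None
    pending = store.take(in_response_to)
    if pending is None:
        return "unknown-request", None
    return "ok", pending.relay_data


def sample_response(in_response_to=None):
    """Build a minimal, constructed samlp:Response (unsigned; for illustration only)."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_resp1" Version="2.0" IssueInstant="2015-10-21T11:53:53Z"{attr}>'
        '<saml:Issuer>https://idp.example.test/saml</saml:Issuer>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-10-21T11:53:53Z">'
        '<saml:Subject><saml:NameID>akiander</saml:NameID></saml:Subject>'
        '</saml:Assertion>'
        '</samlp:Response>'
    )


if __name__ == "__main__":
    store = PendingAuthnRequests()
    store.add("_req123", {"signinid": "constructed-signin-id"})
    # IdP that echoes InResponseTo: the signin id is recovered.
    print(correlate(sample_response("_req123"), store))
    # Same Response again: the entry was consumed, so the replay is rejected.
    print(correlate(sample_response("_req123"), store))
    # IdP that omits InResponseTo: nothing to look up, which is the thread's failure.
    print(correlate(sample_response(), store))
```

The `correlate` function only handles the lookup; a real service provider validates the Response's signature, issuer, audience and timestamps before trusting anything in it, and also checks the InResponseTo on the assertion's SubjectConfirmationData. The "no-in-response-to" branch is exactly what surfaced here as "No signin id passed": the IdP's fix of adding InResponseTo to every Response lets the lookup succeed.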