Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

The IgnoreAuthenticationContextInResponse compatibility flag not available in version 2.2.0 #1045

Closed ashishgamit closed 5 years ago

ashishgamit commented 5 years ago

Nuget Packages in use:

Dotnet Core version: 2.1.302

The IDP incorrectly sets the value of the element to an invalid URI. Due to this, the following error is generated on the SP side while parsing the authentication response:

error: "IDX13102: Exception thrown while reading 'AuthnContext' for Saml2SecurityToken. Inner exception: 'System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri' at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value) at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)'."

The documentation here suggests that Compatibility.IgnoreAuthenticationContextInResponse can be set to true to ignore the <AuthnContextDeclRef> element, however, while initiating SPOptions this flag is not available under Compatibility settings.

rvandehei commented 5 years ago

Any update on this? I'm not using configuration by code; I'm trying to see the IgnoreAuthenticationContextInResponse attribute under the Compatibility element and it does not seem to be valid. Looking at the Configuration class in the library, it doesn't seem to even be setting the IgnoreAuthenticationContextInResponse property? I'm running into the "must be an absolute URI" error and really need a solution to fixing it.

AndersAbel commented 5 years ago

This setting has been lost in porting to .NET Core. If you need it and target the .NET Framework you can use 1.0.0 until this is fixed.

erionalite commented 5 years ago

I am having the same issue. I did use IgnoreAuthenticationContextInResponse but I still get IDX13102: Exception thrown while reading '[PII is hidden]' for Saml2SecurityToken. Inner exception: 'System.UriFormatException'. Is there any way to support IDPs that don't use a static URI format? We have customers who have given us entityIDs that are not URIs.

AndersAbel commented 5 years ago

@erionalite Please open a new issue with more information. I'm not sure that your issue is related to the Authentication Context.

IncoFB commented 3 years ago

Hello, I am facing the same problem. The IDP I am trying to reach sends me this value: (...)

secure/name/password/MDP-aa-extra-rec (...)

It is obviously not a valid URI, and raises the exception: IDX13300: '[PII is hidden]' must be an absolute Uri, was: '[PII is hidden]' as well as the inner exception: IDX13102: Exception thrown while reading '[PII is hidden]' for Saml2SecurityToken. Inner exception: 'System.ArgumentException'.

The Sustainsys SAML documentation tells about the possible usage of the attribute "IgnoreAuthenticationContextInResponse" to be declared inside the " element. But this is still not a supported option. I tested version 1.0.0 through 2.8.0 (latest stable so far) with no success. Thus I am stuck as I have no chance to reach this IDP. Please help!

explunit commented 3 years ago

This option was added in version 2.3.0.

I'm not sure if it's available as a web.config element, but it can be set on the SPOptions object, e.g.

    var serviceProviderOptions = new SPOptions
    {
        // other properties
        Compatibility = new Compatibility
        {
            IgnoreAuthenticationContextInResponse = true,
        }
    };

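
As an added diagnostic (not Sustainsys code; the assertion below is constructed), this Python snippet applies the rule the .NET token reader enforces, namely that AuthnContextClassRef and AuthnContextDeclRef must be absolute URIs, and shows what IgnoreAuthenticationContextInResponse gives up: with the flag set the SP no longer learns which authentication method the IdP used.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment mimicking the misbehaving IdP from the thread:
# the DeclRef is a bare relative path, not an absolute URI.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{NS}">
  <saml2:AuthnStatement AuthnInstant="2019-01-01T00:00:00Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      <saml2:AuthnContextDeclRef>name/password/uri</saml2:AuthnContextDeclRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>"""


def is_absolute_uri(value):
    # Absolute means it carries a scheme: 'urn:...' and 'https://...' pass,
    # a bare path such as 'name/password/uri' fails (this is what IDX13300 checks).
    return bool(urlsplit(value).scheme)


def read_authn_context(assertion_xml, ignore_authn_context=False):
    """Return the ClassRef/DeclRef of the first AuthnStatement as a dict.

    With ignore_authn_context=False (the library default) a non-absolute reference
    raises ValueError, mirroring IDX13300. True skips the element, which is what
    the compatibility flag does: the SP then knows nothing about how the user
    authenticated, so do not base step-up or MFA decisions on it in that mode.
    """
    ctx = ET.fromstring(assertion_xml).find(f"{{{NS}}}AuthnStatement/{{{NS}}}AuthnContext")
    if ctx is None:
        raise ValueError("assertion has no AuthnContext")
    if ignore_authn_context:
        return None
    result = {}
    for tag in ("AuthnContextClassRef", "AuthnContextDeclRef"):
        el = ctx.find(f"{{{NS}}}{tag}")
        if el is not None:
            value = (el.text or "").strip()
            if not is_absolute_uri(value):
                raise ValueError(f"{tag} must be an absolute URI, was: '{value}'")
            result[tag] = value
    return result


def check_assertion(assertion_xml):
    """Diagnostic: the IDX13300-style message an SP would hit, or None if compliant."""
    try:
        read_authn_context(assertion_xml)
    except ValueError as exc:
        return str(exc)
    return None
```

Running check_assertion over a captured IdP response tells you whether the IdP, rather than your SP configuration, is the source of the error before you reach for the compatibility flag.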
IncoFB commented 3 years ago

Thanks a lot for your answer. I am a newbie with your library and I set up an HttpModule application starting from your sample version. (It works fine with your sample online IDP.) But in my case, I have no idea/code sample about how to set up SPOptions. Somewhere in global.asax.cs? Have you got a more complete sample? (standard ASP.NET, not .NET Core and not MVC)

IncoFB commented 3 years ago

Hi, I finally came to terms with it: I just had to add the line below in the Application_Start event handler of my Global.asax.cs:

Sustainsys.Saml2.HttpModule.Saml2AuthenticationModule.Options.SPOptions.Compatibility.IgnoreAuthenticationContextInResponse = true;