Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Strange behavior with OKTA Metadata with the HTTPModule #1317

Closed mjorrens1 closed 2 years ago

mjorrens1 commented 2 years ago

I am working with a recent copy of the Sustainsys.Saml2 solution.

I have the following configured for the SampleAspNetCore2 example and it works fine:

    services.AddAuthentication()
            .AddSaml2(options => 
            {
                options.SPOptions.EntityId = new EntityId("https://localhost:44342/Saml2"); // MSJ - Change to the current URL (proper port) -https://localhost:44312/Saml2
                options.SPOptions.ReturnUrl = new Uri("/", UriKind.Relative);
                IdentityProvider idp = new IdentityProvider(new EntityId("http://www.okta.com/exk2hguaa7b7E44hZ5d7"), options.SPOptions)
                {
                    MetadataLocation = "https://dev-60124262.okta.com/app/exk2hguaa7b7E44hZ5d7/sso/saml/metadata",
                    LoadMetadata = true,
                    AllowUnsolicitedAuthnResponse = true, // Need this for IdP initiated login
                };
                idp.SigningKeys.AddConfiguredKey(new X509Certificate2("okta.cert"));
                options.IdentityProviders.Add(idp);
            });

Now, in the SampleHttpModuleApplication, I have the same general configuration with two providers now.

    <sustainsys.saml2 entityId="https://localhost:44301/SamplePath/Saml2" returnUrl="https://localhost:44301/SamplePath/" discoveryServiceUrl="https://localhost:44300/DiscoveryService" authenticateRequestSigningBehavior="Never">
      <nameIdPolicy allowCreate="true" format="Persistent"/>
      <identityProviders>
        <add entityId="https://stubidp.sustainsys.com/Metadata"  metadataLocation="https://stubidp.sustainsys.com/Metadata" signOnUrl="https://stubidp.sustainsys.com/" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
          <signingCertificate fileName="~/App_Data/stubidp.sustainsys.com.cer"/>
        </add>
        <add entityId="http://www.okta.com/exk2heu5ncFkQedHp5d7"  metadataLocation="https://dev-60124262.okta.com/app/exk2heu5ncFkQedHp5d7/sso/saml/metadata" signOnUrl="https://dev-60124262.okta.com/app/dev-60124262_httpmodule_1/exk2heu5ncFkQedHp5d7/sso/saml" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
          <signingCertificate fileName="~/App_Data/okta.cert"/>
        </add>
      </identityProviders>
    </sustainsys.saml2>

The application loads the metadata properly in the method `private static MetadataBase Load` via the line `using (var stream = client.OpenRead(metadataLocation))` for the first IdP (https://stubidp.sustainsys.com).

On loading the metadata for the second identity provider (http://www.okta.com/exk2heu5ncFkQedHp5d7), the line `using (var stream = client.OpenRead(metadataLocation))` crashes with the error:

    InnerException: {"Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host."}
    Message: "The underlying connection was closed: An unexpected error occurred on a send."

So the questions/comments are:

I am implementing Saml2 for a legacy WebForms application and the new version based upon Blazor so I need to get both the HttpModule and AspNetCore modules to work the same way.

mjorrens1 commented 2 years ago

The solution to this problem turned out to be a security protocol issue.

In web.config for the SampleHttpModuleApplication, there is this line:

  <system.web>
    <httpRuntime targetFramework="4.5"/>

When using any framework less than or equal to 4.5, the System.Net.ServicePointManager.SecurityProtocol is set to SSL3 or TLS. Communicating with the OKTA metadata requires a minimum of TLS1.2 which was causing the failure when reading data from the WebClient. To correct the problem, you can set the protocol by doing this:

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Or, you can simply target a framework > 4.5 in web.config which will target all of the available TLS protocols:

  <system.web>
    <httpRuntime targetFramework="4.6"/>
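A defensive variant of the fix above, as an added example that is not part of the original thread or the Sustainsys project: it inspects the process-wide protocol set before the HttpModule fetches IdP metadata and enables only TLS 1.2, instead of also re-enabling TLS 1.0/1.1. `MetadataTlsGuard` and `EnsureTls12` are hypothetical names, and calling it from `Application_Start` in Global.asax is an assumption.

```csharp
using System;
using System.Net;

// Added example (not from the issue or the Sustainsys code base).
// Call MetadataTlsGuard.EnsureTls12() early, e.g. from Application_Start,
// so it runs before Sustainsys.Saml2 downloads metadata with WebClient.
static class MetadataTlsGuard
{
    // True when the given protocol set already allows a TLS 1.2 handshake.
    // SystemDefault (.NET 4.7+) delegates to the OS, which is the preferred
    // setting on a patched system, so it is treated as acceptable.
    public static bool Tls12Enabled(SecurityProtocolType current)
    {
        if (current == SecurityProtocolType.SystemDefault)
        {
            return true;
        }
        return (current & SecurityProtocolType.Tls12) == SecurityProtocolType.Tls12;
    }

    // Adds TLS 1.2 to the enabled set only when it is missing (the
    // targetFramework="4.5" case, where the default is Ssl3 | Tls).
    // Existing bits are kept rather than replaced, so SSL 3.0/TLS 1.0/1.1
    // are never switched on by this code if the runtime has them off.
    public static void EnsureTls12()
    {
        var current = ServicePointManager.SecurityProtocol;
        if (Tls12Enabled(current))
        {
            return;
        }
        ServicePointManager.SecurityProtocol = current | SecurityProtocolType.Tls12;
        Console.WriteLine(
            "SecurityProtocol changed from {0} to {1}",
            current,
            ServicePointManager.SecurityProtocol);
    }
}
```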

Mateusz19021996 commented 2 years ago

Hi @mjorrens1, could I have a mail / discord / whatever contact with you? I'm trying to integrate OKTA and SAML by sustainsys but I'm totally new to that and don't understand some things. It would be very helpful for me. Is there a possibility for that?