Closed Hubcrawler closed 2 years ago
I am working on a similar project with the HttpModule and a WebForms application along with the new version of the application in AspNetCore.
Anyway, is the cert from the production IdP vendor in the metadata like it is in the Okta metadata? If not, you would need to physically add it to the IdP with the line (from AspNetCore but you can translate to web.config):
idp.SigningKeys.AddConfiguredKey(new X509Certificate2("[name of okta cert].cert"));
Thanks for the heads up.
Aye, it is, and using the library in my MVC app the pertinent parts of the web.config are:
If there is a service certificate configured with usage signing and authenticateRequestSigningBehavior is set to Always it will sign.
The code might be a bit confusing because the signing is done by the binding, not by the SignInCommand. The reason is that for messages sent over POST a normal XML signature is used, but for Http Redirect, the signature is done in the query string.
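The distinction above (XML signature for POST, query-string signature for HTTP-Redirect) is easy to check by hand. The following is an added example, not code from the library or from anyone in this thread: it decodes an outbound AuthnRequest for each binding and reports where a signature would be found. The sample messages and the empty ds:Signature stand-in are constructed here, so no real signing takes place.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

DS_SIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"

def inspect_redirect(url):
    """HTTP-Redirect: SAMLRequest is raw-DEFLATE + base64; the signature, if any,
    is carried in the SigAlg/Signature query parameters, never inside the XML."""
    qs = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    return {
        "binding": "HttpRedirect",
        "signed": "Signature" in qs and "SigAlg" in qs,
        "sig_alg": qs.get("SigAlg", [None])[0],
        "xml_has_ds_signature": ET.fromstring(xml).find(DS_SIG) is not None,
    }

def inspect_post(saml_request_field):
    """HTTP-POST: the SAMLRequest form field is plain base64 (no DEFLATE); a signed
    request carries an enveloped ds:Signature element inside the XML itself."""
    root = ET.fromstring(base64.b64decode(saml_request_field))
    return {"binding": "HttpPost", "signed": root.find(DS_SIG) is not None}

# Constructed sample AuthnRequest; the ds:Signature element is an empty stand-in
# for a real enveloped signature (nothing is actually signed in this example).
AUTHN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'ID="_constructed" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">%s'
         '</samlp:AuthnRequest>')
UNSIGNED_XML = AUTHN % ""
SIGNED_XML = AUTHN % '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'

def build_redirect(xml, signed):
    """Encode the request the way the HTTP-Redirect binding does (constructed IdP URL)."""
    c = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header/trailer
    deflated = c.compress(xml.encode()) + c.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if signed:  # stand-in signature value, not a real one
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"constructed").decode()
    return "https://idp.example.com/sso?" + urlencode(params)

def build_post(xml):
    """Encode the request the way the HTTP-POST binding does (base64 only)."""
    return base64.b64encode(xml.encode()).decode()
```

Run `inspect_redirect` on a captured redirect URL or `inspect_post` on the captured SAMLRequest form field to see which binding was actually used and whether a signature is present in the place that binding puts it.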
Hey there and thank you for the follow up. I totally missed the fact that the signing defaults to HTTPRedirect when a "binding" is not specified in the web.config (and therefore the signing was in fact in the URL) and apologize for that.
I'm trying to test it via POST (as the IDP has an issue with the redirect binding) and I believe I have the correct configuration and show the pertinent pieces below:
If you load Metadata (and by specifying metadataLocation that happens, even if loadMetadata=false), the Metadata options take precedence over anything configured.
Nuget Package: Sustainsys.Saml2.Mvc V2.8.0
Excellent lib; it made development very quick. I have successfully used this for SSO and SLO against OKTA. Now I'm trying to use it against our production IDP vendor, but they require signing of AuthN requests. I have tried setting authenticateRequestSigningBehavior="Always" in the Sustainsys.Saml2 web.config element, but inspection of the outgoing AuthN requests shows that no signing information is present. I have tried adding wantAuthnRequestsSigned="true" to the IdentityProvider but still not seeing a signing of the AuthN request. I have a self-signed certificate (public/private keys) referenced in the serviceCertificates, and this works when testing against OKTA (which does not require AuthN requests to be signed but does use it for SLO).
Wondering what I'm missing to get the signature/algorithm to appear in the outbound AuthN request?
Additional info