Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Azure - The reply URL specified in the request does not match the reply URLs configured for the application #1335

Closed AlexAlexGoTO closed 2 years ago

AlexAlexGoTO commented 2 years ago

Hi,

I'm using Sustainsys.Saml2.Owin 2.9.0

I created an application in Azure and now I'm trying to log in with your library, but I'm getting an error:

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'https://my-site/saml2'.

Here is my configuration image

When it makes the request to Azure sign-in I don't see any redirect URL in the request string, so I can't even understand what I should add to the Azure reply URLs.

I decided that it should be the assertion endpoint, so I'm using 'https://my-site/saml2/Acs', but it doesn't work.

Can someone help me understand what reply URL I should use, or where I can check it?

I found similar issue here https://github.com/Sustainsys/Saml2/issues/1264

AndersAbel commented 2 years ago

The path is case sensitive, the correct one is https://my-site/Saml2/Acs.

AlexAlexGoTO commented 2 years ago

Thanks, I'll try tomorrow and give you feedback :)

AlexAlexGoTO commented 2 years ago

My Azure

image

My .NET

image

My .NET Controller

image

My error

image

Still the same error :(

AlexAlexGoTO commented 2 years ago

Looks like Azure sees Acs as http when I make a request... So maybe something is wrong with the configuration. Continuing to investigate it.

AlexAlexGoTO commented 2 years ago

I removed RedirectUri and ReturnUrl, changed the Acs URL to the right one in Azure, and now I don't have that error. But now I have another one from the library: No Idp with entity id "https://sts.windows.net/xxxxxxxxxxxx/" found

This exception was originally thrown at this call stack: System.ThrowHelper.ThrowKeyNotFoundException() Sustainsys.Saml2.Configuration.IdentityProviderDictionary.this[Sustainsys.Saml2.Metadata.EntityId].get(Sustainsys.Saml2.Metadata.EntityId)

AlexAlexGoTO commented 2 years ago

If I try to set LoadMetadata = true, I get: Unexpected entity id "https://sts.windows.net/xxxxxxx-xxxxx-xxxxx-xxxx-xxxxx/" found when loading metadata for "https://login.microsoftonline.com/xxxxxxx-xxxxx-xxxxx-xxxx-xxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxxx-xxxxx-xxxxx-xxxx-xxxxx".

AndersAbel commented 2 years ago

The Idp EntityId you've configured is obviously wrong. The one from the logs is the one received in metadata and in the actual SAML2 message. I really hope that those have the same value - if not, your configuration is really messed up.
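The two mismatches in this thread (the case-sensitive ACS reply URL above, and the IdP EntityId that must equal the entityID in the federation metadata rather than the metadata URL) can be checked before touching Azure. The script below is an added example, not code from Sustainsys.Saml2; it assumes the library's default ModulePath of "/Saml2" and uses a constructed, cut-down federation metadata document with a placeholder tenant id.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed stand-in for the federationmetadata.xml Azure AD serves; the real
# file is much larger, but the root entityID is the value the library compares.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def metadata_entity_id(xml_text: str) -> str:
    """entityID of the root EntityDescriptor: the IdP puts this value in the
    Issuer of its responses, so it is the only EntityId the SP should accept."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    return root.attrib["entityID"]


def check_idp_entity_id(configured: str, xml_text: str) -> list[str]:
    """Report why a configured IdP EntityId would fail against this metadata."""
    actual = metadata_entity_id(xml_text)
    if configured == actual:
        return []
    if "federationmetadata" in configured:
        return [f"configured EntityId is the metadata URL; use {actual!r}"]
    return [f"configured EntityId {configured!r} != metadata entityID {actual!r}"]


def check_reply_url(registered: str, site: str, module_path: str = "/Saml2") -> list[str]:
    """Compare the reply URL registered in Azure with the ACS URL the library
    answers on (site + ModulePath + '/Acs'). The comparison is exact: path case
    and scheme both matter, which is what produced AADSTS50011 in this thread."""
    expected = f"{site.rstrip('/')}{module_path}/Acs"
    if registered == expected:
        return []
    problems = []
    reg, exp = urlsplit(registered), urlsplit(expected)
    if reg.scheme != exp.scheme:
        problems.append(f"scheme {reg.scheme!r} != {exp.scheme!r}")
    if reg.path != exp.path and reg.path.lower() == exp.path.lower():
        problems.append(f"path case differs: {reg.path!r} vs {exp.path!r}")
    elif reg.path != exp.path:
        problems.append(f"path {reg.path!r} != {exp.path!r}")
    return problems or [f"{registered!r} != {expected!r}"]
```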

AlexAlexGoTO commented 2 years ago

Thanks, I'll continue the investigation and write something here later, when I understand what is going on...

AlexAlexGoTO commented 2 years ago

I reconfigured my Idp to

image

So now it's okay. But I got another error :D

Sustainsys.Saml2.Exceptions.UnexpectedInResponseToException: 'Received message _a9f67e1a-e36a-21db-983a-fe3158a68bb7 contains unexpected InResponseTo "id65d1afd2c4c8475dad418fa990dbe254". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.'

AndersAbel commented 2 years ago

Please keep each issue to one subject, I'm closing this.

You might want to look at #666.