search

Sustainsys / Saml2

Saml2 Authentication services for ASP.NET
Other
945 stars 605 forks source link

Target different version of `Microsoft.IdentityModel.Tokens.Saml` in web application #1397

Closed l3ender closed 1 year ago

l3ender commented 1 year ago

We are trying to use the latest v2 version of the library (2.9.1) but are seeing issues when integrating into our web application.

We are using a vendor provided website for which we need to copy our extension DLLs into the website's bin directory. However, once doing so (also copying Sustain.Saml2.xxx files), we see startup issues for the website:

Could not load file or assembly 'Microsoft.IdentityModel.Tokens.Saml, Version=5.2.4.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

Stacktrace: [FileLoadException: Could not load file or assembly 'Microsoft.IdentityModel.Tokens.Saml, Version=5.2.4.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)] Sustainsys.Saml2.Configuration.SPOptions.set_EntityId(EntityId value) +0

We see that our web application already uses Microsoft.IdentityModel.Tokens.Saml and the existing DLL version is 5.3.0.51005. So we understand there is a version mismatch between what the application already has (5.3.0) versus what it is trying to find (5.2.4). However, because the 5.2.4 version is referenced from this library, we aren't sure how to resolve.

https://github.com/Sustainsys/Saml2/blob/329306180c708fa60428e424aa3a69c149166917/Sustainsys.Saml2/Sustainsys.Saml2.csproj#L46-L48

Can you please share any detail on how we can get past this issue? Thank you very much!

l3ender commented 1 year ago

We were able to accomplish it with bindingRedirect entries in web.config:

<dependentAssembly>
  <assemblyIdentity name="Microsoft.IdentityModel.Tokens" publicKeyToken="31bf3856ad364e35" culture="neutral" />
  <bindingRedirect oldVersion="0.0.0.0-5.2.4.0" newVersion="5.3.0.0" />
</dependentAssembly>
<dependentAssembly>
  <assemblyIdentity name="Microsoft.IdentityModel.Tokens.Saml" publicKeyToken="31bf3856ad364e35" culture="neutral" />
  <bindingRedirect oldVersion="0.0.0.0-5.2.4.0" newVersion="5.3.0.0" />
</dependentAssembly>
<dependentAssembly>
  <assemblyIdentity name="Microsoft.IdentityModel.Xml" publicKeyToken="31bf3856ad364e35" culture="neutral" />
  <bindingRedirect oldVersion="0.0.0.0-5.2.4.0" newVersion="5.3.0.0" />
</dependentAssembly>
AndersAbel commented 1 year ago

Great to hear that it is solved. This is the normal way to handle this - either via binding redirects, or by letting the hosting application reference explicit versions which will override any transitive dependencies. It would be impossible to release new versions every time there's a new version of a dependency.