Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Exception thrown while reading 'NameIDType' for Saml2SecurityToken #1421

Closed sindrebakk1 closed 10 months ago

sindrebakk1 commented 11 months ago

Sustainsys version: Sustainsys.Saml2.AspNetCore2 v2.9.2

I am getting an exception thrown when processing login requests from a new integration I am setting up (error message and stack trace below). My guess is that there is some problem with parsing the Subject NameID element, but as far as I can tell, the SAML message looks valid.

Is there anything I am missing?

SAML Message:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    Destination="REDACTED" ID="_04bf6a767b4f97c6cc9d89711a66a98b"
    InResponseTo="id90b084e806d04a6a81da53dc254770cd" IssueInstant="2023-12-06T10:01:31Z"
    Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        REDACTED</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_04bf6a767b4f97c6cc9d89711a66a98b">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                            PrefixList="xs" />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>ChyWcnURkWA+q+inC/rrOS1ZB2s=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            REDACTED
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    REDACTED
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_2d8341962cba09bfabdca2a0e095d6c9" IssueInstant="2023-12-06T10:01:31Z" Version="2.0">
        <saml2:Issuer>REDACTED</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="id90b084e806d04a6a81da53dc254770cd"
                    NotOnOrAfter="2023-12-06T10:03:31Z"
                    Recipient="REDACTED" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2023-12-06T10:01:31Z" NotOnOrAfter="2023-12-06T10:03:31Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>REDACTED</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2023-12-06T10:01:31Z"
            SessionIndex="88152177-7c97-4dbc-ba93-9a71c14437db">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="http://sambi.se/attributes/1/employeeHsaId"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">REDACTED</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Error:

Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenReadException: IDX13102: Exception thrown while reading 'NameIDType' for Saml2SecurityToken. Inner exception: 'System.ArgumentNullException: IDX10000: The parameter 'value' cannot be a 'null' or an empty object.  (Parameter 'value')
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2NameIdentifier.set_Value(String value)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameIdType(XmlDictionaryReader reader)'.
 ---> System.ArgumentNullException: IDX10000: The parameter 'value' cannot be a 'null' or an empty object.  (Parameter 'value')
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2NameIdentifier.set_Value(String value)
...

This is taken from our Elastic logs, which limit entries to 800 chars. If needed, I can try to produce a complete stack trace.

AndersAbel commented 11 months ago

The NameId element has no contents.

Reading the SAML2 specification it is not clear to me if an empty NameId is allowed or not. The Microsoft Token handler obviously requires the NameId node to have a value. And the Sustainsys.Saml2 library in versions 1.x and 2.x requires the NameId to be present (v3 will be more tolerant).
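As an added example (not code from the Sustainsys.Saml2 project, Microsoft.IdentityModel, or either commenter), the following Python pre-flight check reproduces the condition behind the IDX13102 error and shows one way a relying party could cope with it. It parses a constructed SAML Response modelled on the one posted above, reports a missing or empty `Subject/NameID` before the assertion would reach a token handler, flags the SHA-1 `DigestMethod` the posted response uses (its `SignatureMethod` is RSA-SHA256, the reference digest is not), and, when NameID is empty, falls back to a named attribute (here `employeeHsaId`, the one attribute in the response). The sample document, the placeholder issuer/signature values, the `HSA-000`/`user-1` identifiers and the attribute-fallback policy are all constructed for this example; whether empty NameID should be tolerated at all, and which attribute may stand in for it, is a decision to agree with the IdP.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the response in the issue.
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS = "{%s}" % NS["ds"]

# Constructed sample modelled on the posted response: the NameID element is empty,
# the digest method is SHA-1, and one attribute (employeeHsaId) is present.
# Issuer, signature and attribute values are placeholders, not real data.
SAMPLE_EMPTY_NAMEID = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1" Version="2.0" IssueInstant="2023-12-06T10:01:31Z">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example/</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2023-12-06T10:01:31Z">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://sambi.se/attributes/1/employeeHsaId">
        <saml2:AttributeValue>HSA-000</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""

# Same document with a populated NameID, for comparison.
SAMPLE_WITH_NAMEID = SAMPLE_EMPTY_NAMEID.replace(
    '<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>',
    '<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-1</saml2:NameID>',
)


def name_id_value(assertion):
    """NameID text of one Assertion: None if the element is absent, '' if it is empty."""
    el = assertion.find("saml2:Subject/saml2:NameID", NS)
    if el is None:
        return None
    # Whitespace-only content is treated as empty; that is this check's own choice,
    # the issue does not say whether the Microsoft serializer trims.
    return (el.text or "").strip()


def check_response(xml_text):
    """Return a list of human-readable findings for a SAML Response document."""
    # For untrusted input in production, parse with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    assertions = root.findall("saml2:Assertion", NS)
    if not assertions:
        findings.append("no plaintext Assertion found (missing or encrypted)")
    for a in assertions:
        aid = a.get("ID", "?")
        value = name_id_value(a)
        if value is None:
            findings.append(f"assertion {aid}: Subject/NameID missing")
        elif value == "":
            findings.append(f"assertion {aid}: Subject/NameID is empty")
    # Signature and digest algorithms: SHA-1 anywhere is worth raising with the IdP.
    for el in root.iter():
        if el.tag in (DS + "DigestMethod", DS + "SignatureMethod"):
            alg = el.get("Algorithm", "")
            if alg.endswith("#sha1") or alg.endswith("#rsa-sha1"):
                findings.append(f"{el.tag[len(DS):]} uses SHA-1: {alg}")
    return findings


def subject_identifier(xml_text, fallback_attribute):
    """NameID of the first Assertion, else the named attribute's value, else None.

    Only implements the fallback; signature validation is out of scope here.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return None
    value = name_id_value(assertion)
    if value:
        return value
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == fallback_attribute:
            av = attr.find("saml2:AttributeValue", NS)
            if av is not None and (av.text or "").strip():
                return av.text.strip()
    return None
```

Running `check_response(SAMPLE_EMPTY_NAMEID)` yields one NameID finding for assertion `_a1` plus the SHA-1 digest finding; the same call on `SAMPLE_WITH_NAMEID` yields only the digest finding. The fallback in `subject_identifier` is deliberately strict about emptiness (whitespace-only counts as empty) so the relying party never mints a session for an identifier of `""`.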