Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

NullReferenceException AuthServices/Acs #1427

Status: Closed (joerglang closed this 5 months ago)

joerglang commented 6 months ago

We have used the Kentor library in our solution and finally wanted to update to Sustainsys. We thought that would not be a big deal. However, we are stuck.

When we receive the callback to AuthServices/Acs we get a NullReferenceException. The code then never reaches our wired-up AcsCommandResultCreated method.

In the log I see "2024-01-07 16:11:31.119 +01:00 [Error] Saml2 Authentication failed. The received SAML data is", followed by the SAML that was received, which looks good to me. It is the same SAML that works when using the Kentor library.

The SAML response is added below (sensitive information removed). The response comes from our own mock, which returns results identical to the real IdP; we cannot install the real IdP locally as this is a government-internal solution.

<Response Destination="http://localhost:53334/AuthServices/Acs" ID="xxxxxxxxxxx" Version="2.0" IssueInstant="2024-01-07T15:11:25Z" InResponseTo="idfde4726461b24ce3a2a5dab1082c6f2d" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://xxx.xxx.ch/eiammock/f22102a1-dd43-40f7-9e44-4a198ccd785b/Metadata</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#xxxxxxxxxx">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>xxxxxxxxxx</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>xxxxxxx</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>xxxxxxxx</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_85d5ae09-51dc-42a9-9233-a03b1779e419" IssueInstant="2024-01-07T15:11:25Z">
        <saml2:Issuer>https://xxxx.xxxx.ch/eiammock/f22102a1-dd43-40f7-9e44-4a198ccd785b/Metadata</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xxxx@xxxx.ch</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-07T15:13:25Z" InResponseTo="idfde4726461b24ce3a2a5dab1082c6f2d" Recipient="http://localhost:53334/AuthServices/Acs"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotOnOrAfter="2024-01-07T15:13:25Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>https://xxxx.xxxx.ch/eiammock/f22102a1-dd43-40f7-9e44-4a198ccd785b/Metadata</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2024-01-07T15:11:25Z" SessionIndex="42">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <saml2:AttributeValue>xxxx</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <saml2:AttributeValue>xxxx</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <saml2:AttributeValue>xxxx@xxxx.ch</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/displayName">
                <saml2:AttributeValue>xxxx xxxx</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/language">
                <saml2:AttributeValue>DE</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/e-id/userExtId">
                <saml2:AttributeValue>S51943653</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/e-id/loginId">
                <saml2:AttributeValue>CHA1002973</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/e-id/clientExtId">
                <saml2:AttributeValue>5300</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/e-id/clientName">
                <saml2:AttributeValue>XX-LOGIN</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/e-id/unitExtId">
                <saml2:AttributeValue>5300.selfreg</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/e-id/unitName">
                <saml2:AttributeValue>SelfReg</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/e-id/distinguishedName">
                <saml2:AttributeValue>uid=S31830065,ou=5300.selfreg,ou=5300.extern,o=5300,o=XXX,o=XXX,c=CH</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/fp/homeName">
                <saml2:AttributeValue>XXXXX</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/fp/homeRealm">
                <saml2:AttributeValue>urn:XXXX</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/fp/federated">
                <saml2:AttributeValue>true</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant">
                <saml2:AttributeValue>11/27/2017 11:03:15</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/e-id/profile/role">
                <saml2:AttributeValue>XXXX</saml2:AttributeValue>
                <saml2:AttributeValue>XXXX</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xxxx.xxxx.ch/ws/2013/12/identity/claims/role">
                <saml2:AttributeValue>XXXX</saml2:AttributeValue>
                <saml2:AttributeValue>XXXX</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authenticationmethod">
                <saml2:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</Response>

Can you point me in the direction I need to look? Any help is appreciated.

AndersAbel commented 6 months ago

What version are you updating to? 1.0.3 is essentially just a rename of the Kentor library and should work. 2.9.2 has more changes.

joerglang commented 6 months ago

We are updating from Kentor 0.21.2 to Sustainsys.Saml2 version 2.9.2

AndersAbel commented 6 months ago

If you just want to get up to a supported version, I would recommend going to 1.0.3 instead. It is still supported and has far fewer changes than the 2.x line.

joerglang commented 6 months ago

After changing back to 1.0.3 I at least get a different error:

Sustainsys.Saml2.Exceptions.UnexpectedInResponseToException: Received message contains unexpected InResponseTo "id45527d80b3f44c9f82271f9bfd12f69d". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.

I assume this has to do with app.UseKentorOwinCookieSaver(), which no longer exists. I tried solutions for the problem that I found on the internet (CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())) but this doesn't seem to solve the problem.
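The checks behind both errors in this thread, as an added example that is not part of the issue or of Sustainsys.Saml2's code: a minimal ACS validator in Python, run over a sample constructed from the response posted above (Signature and AttributeStatement trimmed, redactions kept as posted). The SP's request-state cookie is modelled as a plain dict, and SpConfig, validate_response and outcome are hypothetical names. The block shows the correlation check that yields the UnexpectedInResponseTo error when the cookie is missing, plus the Destination, Status, Issuer, bearer-confirmation, validity-window and Audience checks that sit behind a generic "Authentication failed" log line. Signature verification is left out because the posted values are redacted; a real ACS verifies the XML signature against the certificate from the IdP's metadata before any of these checks.

```python
"""Added example, not Sustainsys.Saml2 code: the checks an Assertion Consumer Service runs on a
SAML Response, with the SP's own request-state cookie acting as the InResponseTo oracle.
Signature verification is deliberately left out (the posted values are redacted); a real ACS
verifies the XML signature before looking at anything else."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Values taken from the response posted in this issue (redactions kept as posted).
ACS_URL = "http://localhost:53334/AuthServices/Acs"
ISSUER = "https://xxxx.xxxx.ch/eiammock/f22102a1-dd43-40f7-9e44-4a198ccd785b/Metadata"
REQUEST_ID = "idfde4726461b24ce3a2a5dab1082c6f2d"
# A fixed "now" inside the assertion's validity window, so the example is deterministic.
NOW = datetime(2024, 1, 7, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample: the posted response with Signature and AttributeStatement trimmed.
SAMPLE_RESPONSE = f"""<Response Destination="{ACS_URL}" ID="xxxxxxxxxxx" Version="2.0"
  IssueInstant="2024-01-07T15:11:25Z" InResponseTo="{REQUEST_ID}" xmlns="{SAMLP}">
  <Issuer xmlns="{SAML}">{ISSUER}</Issuer>
  <Status><StatusCode Value="{SUCCESS}"/></Status>
  <saml2:Assertion xmlns:saml2="{SAML}" Version="2.0" ID="_85d5ae09-51dc-42a9-9233-a03b1779e419"
    IssueInstant="2024-01-07T15:11:25Z">
    <saml2:Issuer>{ISSUER}</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xxxx@xxxx.ch</saml2:NameID>
      <saml2:SubjectConfirmation Method="{BEARER}">
        <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-07T15:13:25Z"
          InResponseTo="{REQUEST_ID}" Recipient="{ACS_URL}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotOnOrAfter="2024-01-07T15:13:25Z">
      <saml2:AudienceRestriction><saml2:Audience>{ISSUER}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</Response>"""


class SamlValidationError(Exception):
    """Raised for any failed check; the message says which one."""


@dataclass(frozen=True)
class SpConfig:
    entity_id: str                    # the SP's EntityId, which must appear in the Audience
    acs_url: str                      # must equal Destination and Recipient
    trusted_issuer: str               # the IdP's EntityId from its metadata
    allow_unsolicited: bool = False   # accept IdP-initiated responses (no InResponseTo)?


def _utc(stamp: str) -> datetime:
    """Parse an xsd:dateTime such as 2024-01-07T15:13:25Z (UTC, as SAML requires)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def _require(condition: bool, message: str) -> None:
    if not condition:
        raise SamlValidationError(message)


def validate_response(xml_text: str, sp: SpConfig, state_cookie: Optional[dict], now: datetime) -> str:
    """Run the ACS checks and return the authenticated NameID, or raise SamlValidationError.

    state_cookie is the SP's correlation cookie set when the AuthnRequest was issued
    (modelled as a dict holding the request id); None means the browser did not send it.
    """
    root = ET.fromstring(xml_text)
    _require(root.tag == f"{{{SAMLP}}}Response", "not a samlp:Response")

    # 1. Correlation. Without the cookie there is nothing to correlate against, so a response
    #    that carries InResponseTo is rejected outright (the 1.0.3 error quoted in the thread).
    in_response_to = root.get("InResponseTo")
    if state_cookie is None:
        _require(in_response_to is None,
                 f"unexpected InResponseTo {in_response_to!r}: no request-state cookie was received")
        _require(sp.allow_unsolicited, "unsolicited (IdP-initiated) response not allowed")
    else:
        _require(in_response_to == state_cookie["request_id"],
                 f"InResponseTo {in_response_to!r} does not match the stored request id")

    # 2. Destination and Status of the Response itself.
    _require(root.get("Destination") == sp.acs_url, "Destination is not this ACS")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    _require(code is not None and code.get("Value") == SUCCESS, "status is not Success")

    # 3. Assertion issuer (an EncryptedAssertion would have to be decrypted first).
    assertion = root.find(f"{{{SAML}}}Assertion")
    _require(assertion is not None, "no plain Assertion found")
    _require(assertion.findtext(f"{{{SAML}}}Issuer") == sp.trusted_issuer, "untrusted Issuer")

    # 4. Bearer confirmation: recipient, request id and expiry must all agree with us.
    scd = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation"
                         f"[@Method='{BEARER}']/{{{SAML}}}SubjectConfirmationData")
    _require(scd is not None, "no bearer SubjectConfirmationData")
    _require(scd.get("Recipient") == sp.acs_url, "Recipient is not this ACS")
    _require(scd.get("InResponseTo") == in_response_to, "assertion InResponseTo differs from Response")
    expiry = scd.get("NotOnOrAfter")
    _require(expiry is not None and now < _utc(expiry), "bearer confirmation has expired")

    # 5. Conditions: validity window and audience.
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is not None:
        if cond.get("NotBefore"):
            _require(now >= _utc(cond.get("NotBefore")), "assertion not yet valid")
        if cond.get("NotOnOrAfter"):
            _require(now < _utc(cond.get("NotOnOrAfter")), "assertion has expired")
        audiences = [a.text for a in cond.iter(f"{{{SAML}}}Audience")]
        _require(not audiences or sp.entity_id in audiences, f"audience {audiences} is not this SP")

    name_id = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    _require(bool(name_id), "no NameID")
    return name_id


def outcome(state_cookie: Optional[dict], now: datetime = NOW) -> str:
    """Helper for the scenarios below: 'ok:<NameID>' or 'rejected:<reason>'."""
    # In the posted response the Audience is the same URL as the Issuer; the audience check
    # only passes if that URL really is the SP's EntityId, which is assumed here.
    sp = SpConfig(entity_id=ISSUER, acs_url=ACS_URL, trusted_issuer=ISSUER)
    try:
        return "ok:" + validate_response(SAMPLE_RESPONSE, sp, state_cookie, now)
    except SamlValidationError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    print(outcome({"request_id": REQUEST_ID}))       # cookie present and matching
    print(outcome(None))                              # cookie lost on the cross-site POST
    print(outcome({"request_id": "id0000"}))          # cookie from a different request
    print(outcome({"request_id": REQUEST_ID}, _utc("2024-01-07T15:13:25Z")))  # expired
```

The cookie the 1.0.3 error refers to is set by the SP during the redirect to the IdP; the IdP then POSTs the response back to /AuthServices/Acs from its own origin. A cookie marked SameSite=Lax or Strict is never attached to such a cross-site POST, and browsers that default unlabelled cookies to Lax drop it too (Chrome's temporary "Lax+POST" allowance for very fresh cookies aside), which is exactly the lost-correlation symptom. For the cookie to survive the round trip it has to be sent as SameSite=None together with Secure, and Secure in turn means the ACS must be served over HTTPS; the Destination in the posted response is plain http://localhost:53334, which is one thing to check before looking at the cookie manager.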

AndersAbel commented 5 months ago

Yes, that issue could be caused by a lost correlation cookie.

If you want more hands on help on the upgrade, I do offer remote consulting services as part of the support package for Sustainsys.Saml2. Please reach out to support@sustainsys.com for more information.