Closed frankus1972 closed 3 months ago
The validation parameters, including the audience restriction should be set automatically by the library.
There is a notification that allows you to inspect the actual token validation parameters: Unsafe.TokenValidationParametersCreated. Could you please hook that and inspect the validation parameters that are actually used?
Ok, but, where I have to hook it? Sorry for my ignorance...
I have a web.config with sustainsys parameters.
<sustainsys.saml2 entityId="myEntityId" returnUrl="https://myWeb/Login.aspx" authenticateRequestSigningBehavior="Never">
<identityProviders>
<add entityId="https://sts.windows.net/myEntityId/"
metadataLocation="https://login.microsoftonline.com/myEntityId/federationmetadata/2007-06/federationmetadata.xml?appid=myEntityId" loadMetadata="true" allowUnsolicitedAuthnResponse="true" />
</identityProviders>
</sustainsys.saml2>
I launch the login with my IdP and I log in fine, but at "myreply/Saml2/Acs" I get the error.
In framework 4.7.2, I don't have a Startup.cs. I can only use the global.asax file.
Hi, just to add information:
Before I get this error, I got this:
IDX10214: Audience validation failed. Audiences: '[PII is hidden]'. Did not match: validationParameters.ValidAudience: '[PII is hidden]' or validationParameters.ValidAudiences: '[PII is hidden]'.
I added the line:
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
I found this:
Like the Issuer value, the Audience value must exactly match one of the service principal names that represents the cloud service in Microsoft Entra ID. However, if the value of the Issuer element is not a URI value, the Audience value in the response is the Issuer value prefixed with spn:.
So, is the spn prefix my problem?
I'm stuck
@frankus1972 That explains what's happening. The EntityId you set up in web.config, myEntityId, should be a valid URI. myEntityId is not. It appears that Entra ID is adding spn: as a scheme identifier for anything that is not a URI.
You have two options on how to solve it:
Unsafe.TokenValidationParametersCreated notifications and update the ValidAudience property.
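The hook the maintainers are pointing at, wired up from Global.asax since the ASP.NET 4.7.2 HttpModule has no Startup.cs. This is an added example, not code from the thread or from the Sustainsys.Saml2 project. It assumes Sustainsys.Saml2 2.9.x with the HttpModule, which reads its settings from the static `Sustainsys.Saml2.Configuration.Options.FromConfiguration`; that `Notifications.Unsafe.TokenValidationParametersCreated` is an `Action<TokenValidationParameters, IdentityProvider>`; that the SP identifier is reachable as `SPOptions.EntityId.Id`; and the `MyWeb` namespace is made up. The first delegate line logs what the library actually set (the inspection the first reply asked for); the rest accepts the `spn:`-prefixed audience Entra ID emits for a non-URI entityId, as described in the Microsoft documentation quoted above.

```csharp
// Global.asax.cs -- added example, not the project's own code.
// Assumptions: Sustainsys.Saml2 2.9.x HttpModule reading Options.FromConfiguration,
// Notifications.Unsafe.TokenValidationParametersCreated with the signature
// Action<TokenValidationParameters, IdentityProvider>, and SPOptions.EntityId.Id
// holding the entityId string from web.config. Namespace MyWeb is hypothetical.
using System;
using System.Diagnostics;
using Microsoft.IdentityModel.Tokens;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;

namespace MyWeb
{
    public class Global : System.Web.HttpApplication
    {
        // Audience values an Entra ID assertion may carry for a given SP entityId.
        // A valid absolute URI is used as-is; anything else is prefixed with "spn:"
        // by Entra ID, so both forms are accepted to be safe.
        public static string[] ExpectedAudiences(string entityId)
        {
            bool isUri = Uri.TryCreate(entityId, UriKind.Absolute, out _);
            return isUri
                ? new[] { entityId }
                : new[] { entityId, "spn:" + entityId };
        }

        protected void Application_Start(object sender, EventArgs e)
        {
            // Diagnostic only: unhides audience/issuer values in IDX10214 messages.
            // Turn it off again once the mismatch is understood; it puts token
            // contents into your logs.
            Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;

            IOptions options = Options.FromConfiguration;

            options.Notifications.Unsafe.TokenValidationParametersCreated =
                (TokenValidationParameters tvp, IdentityProvider idp) =>
                {
                    // 1. Inspect what the library set before touching anything.
                    Trace.TraceInformation(
                        "TVP for IdP {0}: ValidAudience='{1}', ValidAudiences='{2}'",
                        idp.EntityId.Id,
                        tvp.ValidAudience,
                        tvp.ValidAudiences == null ? "null" : string.Join(",", tvp.ValidAudiences));

                    // 2. Accept the spn:-prefixed form only for our own entityId.
                    //    Do not widen this to a wildcard or to the IdP's identifier;
                    //    audience restriction is what stops an assertion issued for
                    //    another relying party from being replayed against this one.
                    string spEntityId = options.SPOptions.EntityId.Id;
                    tvp.ValidAudiences = ExpectedAudiences(spEntityId);
                };
        }
    }
}
```

The cleaner fix, which the maintainers also point to, is to make the entityId in web.config an absolute URI (for example the site's own https URL) and register that same value as the identifier in Entra ID, after which the prefix never appears and the hook is unnecessary.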
I am implementing sustainsys.saml2, working with Framework 4.7.2, to connect to a client identity provider in Azure Ad.
My versions are: Sustainsys.Saml2-2.9.2 Sustainsys.Saml2.HttpModule-2.9.2
I was able to connect fine with the IdP through a valid user, and when I get the response at "/Saml2/Acs" I get the error:
"IDX10214: Audience validation failed. Audiences: 'spn:'. Did not match: validationParameters.ValidAudience: '' or validationParameters.ValidAudiences: 'null'."
[SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'spn:'. Did not match: validationParameters.ValidAudience: '' or validationParameters.ValidAudiences: 'null'.]
Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) +723
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters) +369
Sustainsys.Saml2.Saml2P.Saml2PSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) +57
Sustainsys.Saml2.Saml2P.d__66.MoveNext() +785
System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +453
System.Linq.Enumerable.ToList(IEnumerable`1 source) +69
Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData) +242
Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState, IdentityProvider identityProvider, String relayState) +98
Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options) +968
Sustainsys.Saml2.HttpModule.Saml2AuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs e) +407
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +223
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +220
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +94
I have tried to fix it with these lines in global.asax -