Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Sustainsys.saml2: IDX10214: Audience validation failed. Did not match: validationParameters.ValidAudience #1443

Closed frankus1972 closed 3 months ago

frankus1972 commented 4 months ago

I am implementing Sustainsys.Saml2, working with .NET Framework 4.7.2, to connect to a client identity provider in Azure AD.

My versions are: Sustainsys.Saml2 2.9.2, Sustainsys.Saml2.HttpModule 2.9.2

I was able to connect fine with the IdP through a valid user, and when I get the response at "/Saml2/Acs" I get the error:

"IDX10214: Audience validation failed. Audiences: 'spn:'. Did not match: validationParameters.ValidAudience: '' or validationParameters.ValidAudiences: 'null'."

[SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'spn:'. Did not match: validationParameters.ValidAudience: '' or validationParameters.ValidAudiences: 'null'.]
   Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) +723
   Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters) +369
   Sustainsys.Saml2.Saml2P.Saml2PSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) +57
   Sustainsys.Saml2.Saml2P.d__66.MoveNext() +785
   System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +453
   System.Linq.Enumerable.ToList(IEnumerable`1 source) +69
   Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData) +242
   Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState, IdentityProvider identityProvider, String relayState) +98
   Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options) +968
   Sustainsys.Saml2.HttpModule.Saml2AuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs e) +407
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +223
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +220
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +94

I have tried to fix it with these lines in global.asax:

protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Show the real audience values in the IDX10214 message instead of "[PII is hidden]"
    Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
    System.Diagnostics.Debug.WriteLine(Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII.ToString());
    // Attempt to force the expected audience; note these parameters are local to this
    // method and are never passed to the library, so they have no effect on validation
    Microsoft.IdentityModel.Tokens.TokenValidationParameters parameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters();
    parameters.ValidAudiences = new string[] { "<My entityId>" };
    ...
}

AndersAbel commented 4 months ago

The validation parameters, including the audience restriction should be set automatically by the library.

There is a notification that allows you to inspect the actual token validation parameters: Unsafe.TokenValidationParametersCreated. Could you please hook that and inspect the validation parameters that are actually used?

frankus1972 commented 4 months ago

OK, but where do I have to hook it? Sorry for my ignorance...

I have a web.config with sustainsys parameters.

<sustainsys.saml2 entityId="myEntityId" returnUrl="https://myWeb/Login.aspx" authenticateRequestSigningBehavior="Never">
  <identityProviders>
    <add entityId="https://sts.windows.net/myEntityId/"
         metadataLocation="https://login.microsoftonline.com/myEntityId/federationmetadata/2007-06/federationmetadata.xml?appid=myEntityId"
         loadMetadata="true"
         allowUnsolicitedAuthnResponse="true" />
  </identityProviders>
</sustainsys.saml2>

I launch the login with my IdP, I log in fine, but at "myreply/Saml2/Acs" I get the error.

In .NET Framework 4.7.2, I don't have a Startup.cs. I can only use the global.asax file.

frankus1972 commented 4 months ago

Hi, just to add some information:

Before I got this error, I got this:

IDX10214: Audience validation failed. Audiences: '[PII is hidden]'. Did not match: validationParameters.ValidAudience: '[PII is hidden]' or validationParameters.ValidAudiences: '[PII is hidden]'.

I added the line:

Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;

frankus1972 commented 4 months ago

I found this:

Like the Issuer value, the Audience value must exactly match one of the service principal names that represents the cloud service in Microsoft Entra ID. However, if the value of the Issuer element is not a URI value, the Audience value in the response is the Issuer value prefixed with spn:.

So, is the spn prefix my problem?

I'm stuck

AndersAbel commented 3 months ago

@frankus1972 That explains what's happening. The EntityId you set up in web.config, "myEntityId", should be a valid URI. "myEntityId" is not. It appears that Entra ID is adding spn: as a scheme identifier for anything that is not a URI.

You have two options on how to solve it:

  1. Change your config to use a valid absolute URI as your entity ID (recommended)
  2. Hook the Unsafe.TokenValidationParametersCreated notifications and update the ValidAudience property.
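The two fixes above, together with the hook location the reporter asked about (an ASP.NET Framework app has no Startup.cs, so the wiring goes in Global.asax), as an added example in C#. This is not code from the issue or from the Sustainsys.Saml2 project. It assumes the HttpModule setup from the reporter's web.config, the Sustainsys.Saml2 2.x member names Options.FromConfiguration, SPOptions.EntityId.Id and Notifications.Unsafe.TokenValidationParametersCreated (signature Action<TokenValidationParameters, IdentityProvider, XmlElement>), and uses the Entra issuer prefix https://sts.windows.net/ from the reporter's config to scope option 2 to that one IdP; verify the member names against the version you run.

```csharp
// Added example (not from the issue or the Sustainsys.Saml2 project): Global.asax.cs for an
// ASP.NET Framework app using Sustainsys.Saml2.HttpModule 2.x. The HttpModule reads its
// options from web.config through Options.FromConfiguration, so notifications are wired once
// at application start. Member names follow Sustainsys.Saml2 2.x as an assumption.
using System;
using System.Diagnostics;
using System.Linq;
using System.Web;
using System.Xml;
using Microsoft.IdentityModel.Tokens;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        var options = Options.FromConfiguration;

        // Option 1 (recommended): the SP entityId must be an absolute URI. Entra ID prefixes a
        // non-URI issuer with "spn:" in the Audience element, so a bare name can never match.
        // Fail at startup instead of at the first /Saml2/Acs request.
        string entityId = options.SPOptions.EntityId.Id;
        if (!Uri.TryCreate(entityId, UriKind.Absolute, out _))
        {
            throw new InvalidOperationException(
                "sustainsys.saml2 entityId '" + entityId + "' is not an absolute URI; " +
                "Entra ID will return Audience 'spn:" + entityId + "', which never matches.");
        }

        // Option 2: inspect (and, only if you must, widen) the validation parameters that the
        // library builds for each incoming response. This is the hook the maintainer named.
        options.Notifications.Unsafe.TokenValidationParametersCreated =
            (TokenValidationParameters tvp, IdentityProvider idp, XmlElement assertionXml) =>
            {
                // Log exactly what the audience check compares against.
                Trace.TraceInformation(
                    "Saml2 audience check for IdP {0}: ValidAudience={1} ValidAudiences={2}",
                    idp.EntityId.Id,
                    tvp.ValidAudience ?? "<null>",
                    tvp.ValidAudiences == null ? "<null>" : string.Join(",", tvp.ValidAudiences));

                // Also accept the "spn:"-prefixed form, but only for the Entra IdP and only for
                // this SP's own entityId. Every extra audience is one more assertion this SP
                // will accept, so keep the list as tight as possible.
                if (idp.EntityId.Id.StartsWith("https://sts.windows.net/", StringComparison.Ordinal))
                {
                    var accepted = (tvp.ValidAudiences ?? Enumerable.Empty<string>()).ToList();
                    if (!string.IsNullOrEmpty(tvp.ValidAudience))
                    {
                        accepted.Add(tvp.ValidAudience);
                    }
                    accepted.Add("spn:" + entityId);
                    tvp.ValidAudience = null;
                    tvp.ValidAudiences = accepted.Distinct().ToList();
                }
            };
    }
}
```

Option 1 is the real fix: the AudienceRestriction exists so that an assertion Entra ID issued for some other service principal cannot be presented to this SP, and that check only works when the SP's entityId is byte-for-byte the value Entra ID writes into Audience. Option 2 is shown because the maintainer listed it, but anything set through the Unsafe hook bypasses the library's defaults, so scope it to the one IdP and the one extra value rather than clearing or broadening the audience list.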