Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

UriFormatException on response when kentor.authServices.entityId is not a URI #238

Open cloutierjo opened 9 years ago

cloutierjo commented 9 years ago

Hello,

We have a case where the SP built with Kentor authservices is configured with an entityId that is not a URI. But when the SAMLResponse comes back from the IDP there is a "UriFormatException: Invalid URI: The format of the URI could not be determined" that is thrown from Kentor.AuthServices.Saml2P.Saml2PSecurityTokenHandler..ctor(EntityId spEntityId). I suppose the audienceRestriction shouldn't rely on the entityId being a URI.

The doc specifically states:

The entityId should typically be the URL where the metadata is presented

which also means that it's not required to be a URL.

I suppose that a workaround would be to set it as a URL, but our IDP behaved strangely in the past when its own entityID was a URL, so we couldn't use it. This is why we didn't use a URL in the SP entityId either.

Here is the full stack trace:

[UriFormatException: Invalid URI: The format of the URI could not be determined.]
   System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind) +8890818
   Kentor.AuthServices.Saml2P.Saml2PSecurityTokenHandler..ctor(EntityId spEntityId) +95
   Kentor.AuthServices.Configuration.KentorAuthServicesSection.<.ctor>b__0() +81
   System.Lazy`1.CreateValue() +455
   Kentor.AuthServices.Configuration.KentorAuthServicesSection.get_Saml2PSecurityTokenHandler() +139
   Kentor.AuthServices.Saml2P.<CreateClaims>d__5.MoveNext() +377
   System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +536
   System.Linq.Enumerable.ToList(IEnumerable`1 source) +80
   Kentor.AuthServices.Saml2P.Saml2Response.GetClaims(IOptions options) +245
   Kentor.AuthServices.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse) +31
   Kentor.AuthServices.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options) +243

[BadFormatSamlResponseException: The SAML Response did not contain valid BASE64 encoded data.]
   Kentor.AuthServices.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options) +503
   Kentor.AuthServices.Mvc.AuthServicesController.Acs() +214
   lambda_method(Closure , ControllerBase , Object[] ) +79

AndersAbel commented 9 years ago

As far as I can tell, the Entity ID is required to be an absolute URI (but not necessarily a URL).

The entity id used in the <issuer> element is mentioned in the SAML Core spec in section 2.2.5. It references section 8.3.6:

The syntax of such an identifier is a URI of not more than 1024 characters in length. It is RECOMMENDED that a system entity use a URL containing its own domain name to identify itself

In section 1.3.2. it is defined that URIs must be absolute:

Unless otherwise indicated in this specification, all URI reference values used within SAML-defined elements or attributes MUST consist of at least one non-whitespace character, and are REQUIRED to be absolute [RFC 2396].

In section 2.2.5 mentioned above, there is something that might be a loophole allowing another format to be specified. However, looking at the Metadata spec section 2.2.1, the requirement for a URI is strict:

The simple type entityIDType restricts the XML schema data type anyURI to a maximum length of 1024 characters. entityIDType is used as a unique identifier for SAML entities. See also Section 8.3.6 of [SAMLCore]. An identifier of this type MUST be unique across all entities that interact within a given deployment. The use of a URI and holding to the rule that a single URI MUST NOT refer to different entities satisfies this requirement.

So, as far as I can tell, the entity id is REQUIRED to be an absolute URI, while the practice of using a URL pointing to the metadata is RECOMMENDED.
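The rules quoted above can be checked at startup rather than discovered through a UriFormatException while an ACS response is being processed. The following is an added example, not code from Kentor.AuthServices / Sustainsys.Saml2; the class name `EntityIdValidator` and the sample values are constructed for illustration.

```csharp
using System;

// Added example (not part of the Kentor.AuthServices / Sustainsys.Saml2 code base).
// Validates a configured SP entityId against the SAML Core rules cited in this thread:
// section 1.3.2 (absolute URI, at least one non-whitespace character) and
// section 8.3.6 (at most 1024 characters). A bad value then fails early with a
// message naming the violated rule instead of surfacing as "did not contain valid
// BASE64 encoded data" with a UriFormatException buried in the inner exception.
public static class EntityIdValidator
{
    public const int MaxLength = 1024;

    // Returns null when the value is acceptable, otherwise a message explaining
    // which rule it violates.
    public static string Validate(string entityId)
    {
        if (string.IsNullOrWhiteSpace(entityId))
            return "entityId must contain at least one non-whitespace character (SAML Core 1.3.2).";

        if (entityId.Length > MaxLength)
            return $"entityId is {entityId.Length} characters; the maximum is {MaxLength} (SAML Core 8.3.6).";

        if (!Uri.TryCreate(entityId, UriKind.Absolute, out var uri)
            // On Unix, System.Uri treats a rooted path such as "/sp" as an implicit
            // file URI; requiring an explicit scheme keeps the result platform-independent.
            || !entityId.StartsWith(uri.Scheme + ":", StringComparison.OrdinalIgnoreCase))
            return $"entityId '{entityId}' is not an absolute URI (SAML Core 1.3.2); " +
                   "use e.g. https://sp.example.com/Saml2 or urn:example:sp.";

        return null;
    }

    public static void Main()
    {
        // Constructed sample values: a bare name (the failure mode in this issue),
        // the RECOMMENDED metadata URL form, and a non-URL absolute URI (a URN).
        foreach (var candidate in new[] { "MySp", "https://sp.example.com/Saml2", "urn:example:sp" })
        {
            var problem = Validate(candidate);
            Console.WriteLine($"{candidate}: {(problem ?? "OK")}");
        }
    }
}
```

Only the bare name is rejected; both the URL and the URN pass, which matches the distinction drawn above between a URI being REQUIRED and a URL merely RECOMMENDED.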

cloutierjo commented 9 years ago

I didn't know that part of the spec. Maybe the kentor doc should be more precise about the entityId value so we don't have to dig into the saml spec to know what should be set on this field. And the error "The SAML Response did not contain valid BASE64 encoded data" is a bit confusing although we can sort it out with the inner exception.

Thanks for your answer. I can also confirm that setting a URL did work (didn't try with another kind of absolute URI).

AndersAbel commented 9 years ago

I've improved the documentation, but am leaving this open as a future improvement for fixing the exception message.

cloutierjo commented 9 years ago

That's great for me, thank you.