Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

What is the discovery service? #707

Closed togakangaroo closed 7 years ago

togakangaroo commented 7 years ago

Maybe I'm missing something, but I'm trying to use the example app to wire up to the OneLogin identity provider. I am very confused what the discovery service URL is supposed to be in an actual situation. Having it seems to prevent the IdP from being used (it just redirects to a page that targets the Kentor stub IdP). Removing it seems to hit the IdP, but the callback is called with no information whatsoever. I'm very confused about what this concept even is, as it's not mentioned anywhere else that I've looked.

If I can get an understanding around this I will gladly write it up into additional docs and give y'all a PR.

AndersAbel commented 7 years ago

The discovery service is an advanced concept that is only used if you load a federation metadata file with multiple identity providers listed. You shouldn't use it with a single IdP.

I assume you're using the "plain" SampleApplication that uses the HTTP module? What callback is it that is called without info? When debugging SAML flows, the Chrome SAML dev tools plugin is extremely helpful for seeing the decoded SAML messages of the exchange.

togakangaroo commented 7 years ago

Thank you for responding Anders!

So I'm running SampleOwinApplication from this repo, which I have modified to point to OneLogin, to use my certificate, and to comment out DiscoveryServiceUrl (see below).

I put a breakpoint into ExternalLoginCallback and it does get triggered when I log in. I read all headers and the body and see absolutely nothing there though...

    private static KentorAuthServicesAuthenticationOptions CreateAuthServicesOptions() {
      var spOptions = CreateSPOptions();
      var authServicesOptions = new KentorAuthServicesAuthenticationOptions(false) {
        SPOptions = spOptions
      };

      var idp = new IdentityProvider(new EntityId("https://app.onelogin.com/saml/metadata/652919"), spOptions) {
        AllowUnsolicitedAuthnResponse = true,
        Binding = Saml2BindingType.HttpRedirect,
        SingleSignOnServiceUrl = new Uri("https://surge.onelogin.com/trust/saml2/http-post/sso/652919"),
        SingleLogoutServiceUrl = new Uri("https://surge.onelogin.com/trust/saml2/http-redirect/slo/652919"),
      };

      idp.SigningKeys.AddConfiguredKey(new X509Certificate2("C:/Users/gmaue/certificate.pem"));

      authServicesOptions.IdentityProviders.Add(idp);

      // It's enough to just create the federation and associate it
      // with the options. The federation will load the metadata and
      // update the options with any identity providers found.
      new Federation("http://localhost:52071/Federation", true, authServicesOptions);

      return authServicesOptions;
    }

    private static SPOptions CreateSPOptions() {
      var swedish = CultureInfo.GetCultureInfo("sv-se");

      var organization = new Organization();
      organization.Names.Add(new LocalizedName("Kentor", swedish));
      organization.DisplayNames.Add(new LocalizedName("Kentor IT AB", swedish));
      organization.Urls.Add(new LocalizedUri(new Uri("http://www.kentor.se"), swedish));

      var spOptions = new SPOptions {
        EntityId = new EntityId("http://localhost:57294/flibbidygoobedygoo"),
        ReturnUrl = new Uri("http://localhost:57294/Account/ExternalLoginCallback"),
        //DiscoveryServiceUrl = new Uri("http://localhost:52071/DiscoveryService"),
        Organization = organization
      };

      var techContact = new ContactPerson {
        Type = ContactType.Technical
      };
      techContact.EmailAddresses.Add("authservices@example.com");
      spOptions.Contacts.Add(techContact);

      var supportContact = new ContactPerson {
        Type = ContactType.Support
      };
      supportContact.EmailAddresses.Add("support@example.com");
      spOptions.Contacts.Add(supportContact);

      var attributeConsumingService = new AttributeConsumingService("AuthServices") {
        IsDefault = true,
      };

      attributeConsumingService.RequestedAttributes.Add(
          new RequestedAttribute("urn:someName") {
            FriendlyName = "Some Name",
            IsRequired = true,
            NameFormat = RequestedAttribute.AttributeNameFormatUri
          });

      attributeConsumingService.RequestedAttributes.Add(
          new RequestedAttribute("Minimal"));

      spOptions.AttributeConsumingServices.Add(attributeConsumingService);

      spOptions.ServiceCertificates.Add(new X509Certificate2(
          AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "/App_Data/Kentor.AuthServices.Tests.pfx"));

      return spOptions;
    }

AndersAbel commented 7 years ago

When you hit ExternalLoginCallback the OneLogin identity should be present in the loginInfo retrieved by await AuthenticationManager.GetExternalLoginInfoAsync(). If not, use the browser dev tools and check that a cookie for the external identity is set when hitting ~/AuthServices/Acs (it responds with a redirect to ExternalLoginCallback).

togakangaroo commented 7 years ago

OK, yes, that's exactly the issue:

Request URL:  http://localhost:57294/AuthServices/Acs
Request Method:  POST

and the SAML tab contains all my claims that I'd expect to see from OneLogin.

However the response is

Location:  /Account/ExternalLoginCallback?error=access_denied

with no cookies set.

As you indicated, GetExternalLoginInfoAsync() returns null. So what is the issue here?

AndersAbel commented 7 years ago

The OWIN middleware writes log output indicating the error. The default OWIN logger is enabled in the SampleOwinApp and writes to the debug window if you run in Visual Studio.

togakangaroo commented 7 years ago

Oh!

{"The signing algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 is weaker than the minimum accepted http://www.w3.org/2001/04/xmldsig-more#rsa-sha256."}

What to do here? Is this something the Identity Provider controls or did I misconfigure things?

AndersAbel commented 7 years ago

The default is to require sha256. There's a config option you can set to accept sha1.
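
As an added illustration (not code from this repository), the check behind the error quoted above can be modelled as an ordered ranking of signature algorithm URIs: the ds:SignatureMethod/@Algorithm in the incoming Response is compared against the configured minimum, and the default minimum of rsa-sha256 rejects the rsa-sha1 that OneLogin signed with. The `Ranking` list, the helper names and the response fragment are all constructed for this example.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

public static class SigningAlgorithmCheck
{
    // Constructed ranking of RSA signature algorithm URIs, weakest first.
    private static readonly string[] Ranking =
    {
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    };

    // Reads ds:SignatureMethod/@Algorithm from a SAML Response document.
    public static string GetSignatureMethod(XDocument response)
    {
        XNamespace ds = "http://www.w3.org/2000/09/xmldsig#";
        var method = response.Descendants(ds + "SignatureMethod").FirstOrDefault();
        if (method == null)
            throw new InvalidOperationException("Response carries no ds:SignatureMethod.");
        return (string)method.Attribute("Algorithm");
    }

    // Throws when the response's algorithm ranks below the configured minimum.
    public static void Validate(string signatureMethod, string minimumAccepted)
    {
        int actual = Array.IndexOf(Ranking, signatureMethod);
        int minimum = Array.IndexOf(Ranking, minimumAccepted);
        if (actual < 0 || minimum < 0)
            throw new InvalidOperationException("Unknown signing algorithm URI.");
        if (actual < minimum)
            throw new InvalidOperationException(
                $"The signing algorithm {signatureMethod} is weaker than the minimum accepted {minimumAccepted}.");
    }

    public static void Main()
    {
        // Constructed fragment: only the elements the check looks at.
        var response = XDocument.Parse(
            @"<samlp:Response xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol""
                             xmlns:ds=""http://www.w3.org/2000/09/xmldsig#"">
                <ds:Signature><ds:SignedInfo>
                  <ds:SignatureMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#rsa-sha1""/>
                </ds:SignedInfo></ds:Signature>
              </samlp:Response>");
        string algorithm = GetSignatureMethod(response);

        // Default minimum (rsa-sha256) rejects this response with the thread's error text.
        try { Validate(algorithm, Ranking[1]); }
        catch (InvalidOperationException ex) { Console.WriteLine("Rejected: " + ex.Message); }

        // Lowering the minimum to rsa-sha1 is what accepting this IdP amounts to.
        Validate(algorithm, Ranking[0]);
        Console.WriteLine("Accepted with minimum " + Ranking[0]);
    }
}
```

The durable fix is for the identity provider to sign with rsa-sha256 or stronger; lowering the minimum only relocates the weakness from a log line into the configuration.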

togakangaroo commented 7 years ago

oh crap, does our identity provider really do only sha1? that makes me angry...

AndersAbel commented 7 years ago

Looks like this is solved, closing.

nitanandsinghupw commented 3 years ago