Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Question: IdentityServer3Okta setup - No signin id passed #774

Closed myaesubi closed 7 years ago

myaesubi commented 7 years ago

Hi, I wonder whether the setup document for integration of IdentityServer3 and Okta is up-to-date.

I followed all the steps of the document, for example there is no MetadataUrl rather MetadataLocation when installing the NuGet packages.

Reason for this question is that I've setup as indicated and connected to my IdentityServer3 instance which supports ASP.NET Identity.

Upon sign in to Okta with Okta user who has access to the Okta application (which I setup as per document), I get the following error in the IdentityServer3 log file.

2017-08-05 04:34:49.943 +00:00 [Information] rendering login page
2017-08-05 04:34:52.541 +00:00 [Information] External login requested for provider: "okta"
2017-08-05 04:34:52.560 +00:00 [Information] Triggering challenge for external identity provider
2017-08-05 04:35:12.361 +00:00 [Information] CORS request made for path: "/AuthServices/Acs" from origin: "https://dev-184673.oktapreview.com" but rejected because invalid CORS path
2017-08-05 04:35:12.673 +00:00 [Information] Callback invoked from external identity provider
2017-08-05 04:35:12.673 +00:00 [Information] No signin id passed

Thanks for the help. Mamrez

AndersAbel commented 7 years ago
  1. The Okta documentation is obviously not updated, the MetadataLocation property was previously called MetadataUrl. If you find issues, please edit the file and submit a pull request (you can do it online).
  2. To troubleshoot the issue, please enable the Katana logs (it's an identity server setting) to get the AuthServices log output added to the log.
myaesubi commented 7 years ago

Hi @AndersAbel,

Thanks for the response. Surely, I will submit a PR to update the documentation when I get the integration working with changes applied.

I have enabled the logs and the following is the result (partially obfuscated). I've highlighted the areas of importance where the success and the failure happen.

I would appreciate it if you could take a look and provide any hint possible to guide me further on this issue.

Here is the code segment I created according to the setup documentation:

public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
    var authServicesOptions = new KentorAuthServicesAuthenticationOptions(false)
    {
        SPOptions = new SPOptions
        {
            AuthenticateRequestSigningBehavior = SigningBehavior.Never, // or add a signing certificate
            EntityId = new EntityId("https://idp.security.domain.com/identity/AuthServices"), // from (B) above
            ReturnUrl = new Uri("https://portal.security.domain.com")
        },
        SignInAsAuthenticationType = signInAsType,
        AuthenticationType = "okta",
        Caption = "Okta",
    };

    authServicesOptions.IdentityProviders.Add(new Kentor.AuthServices.IdentityProvider(
        new EntityId("http://www.okta.com/exkbi9j77tgmcPFCQ0h7"), authServicesOptions.SPOptions) // from (F) above
    {
        LoadMetadata = true,
        MetadataLocation = "~/Okta/OktaUATOutboundMetadata.xml", // see Metadata note above
        AllowUnsolicitedAuthnResponse = true // Add to allow users to click on domain in Okta to take them to domainPortal.
    });

    app.UseKentorAuthServicesAuthentication(authServicesOptions);
}
2017-08-09 18:45:39.589 +00:00 [Information] Initiating login to http://www.okta.com/exkbi9j77tgmcPFCQ03h7
2017-08-09 18:46:30.968 +00:00 [Information] Loading metadata for idp http://www.okta.com/exkbi9j77tgmcPFCQ03h7
2017-08-09 18:46:32.472 +00:00 [Information] Loading metadata for idp http://www.okta.com/exkbi9j77tgmcPFCQ03h7
2017-08-09 18:46:41.902 +00:00 [Information] CORS request made for path: "/AuthServices/Acs" from origin: "https://dev-38383.oktapreview.com" but rejected because invalid CORS path

> 2017-08-09 18:46:42.074 +00:00 [Information] Successfully processed SAML response id79417755194515931454204638 and authenticated myaesubi@domain.com

2017-08-09 18:46:42.168 +00:00 [Debug] HTTP Request
{
  "Method": "GET",
  "Url": "https://idp.security.domain.com/core/callback",
  "Headers": {
    "Cache-Control": [
      "max-age=0"
    ],
    "Connection": [
      "Keep-Alive"
    ],
    "Accept": [
      "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
    ],
    "Accept-Encoding": [
      "gzip, deflate, br"
    ],
    "Accept-Language": [
      "en-US,fa-IR;q=0.8,fa;q=0.6,en;q=0.4"
    ],
    "Cookie": [
      "SignInMessage.96eecc43b491e521a80624c59b60a142=QH-1Kix9NQ9rYQ-16hNPrCZreGlyh1Q7h1By_Wnzy3UMk_Khhl1gtq6cBq1xg2VDPr3vlIiYdtm-MyTZTuha9eTIMaflILB-WXwaysu4-0eOCGKo-Cd2LHxoDLOMbLQjIQq-cdTdLlNe32XB7xNdkeG1N9lun_1YwAsSgIgpUB_syqLCKeIR-kn6O7g96t5Gw34eIxYnpAzCc5lnHsFwER5eXLsFyFWfcvo59DNir0krMVP8fbQM0A6oq2V5PWZEYKzNWSfzrZ51_TnryvxEmwBA5IS762tIMwOY3kFiUxTz1YUW9ZYYiHmHR3I5Y0o-AN89ZaWt-2hONQpKeVI5ewccatlqBYBnrWL7lQwTuk-N2N-RbgjKVFHR0bOuv_yXYCNDMFXaTxK10AzHnx1knXvcCaFTiFRvR9n4SGDu-_FTahs6t9zJ2YgsG-gjjW42e6gWECcU1Xupc-bK7AD0R1DoL3VqVTd2P-43j9tMdCPBaIFogOWXxyB8N5NGE8RE4EGopOF6tlVjT5Pn02OpBg; idsrv.xsrf=6T6DPUZXJKCoxKWb0sLOCuHAFLRRx-ArMaDay5WKPvX47U0Vwo1sCnHHmKdM1L2jix6bmcpo7AgL5G1NJu5XUvLAmIaxr1D90Wz3Miglyzo; ARRAffinity=317be31cb04e137ad518d76c134b8d5cef4589c62dfecc7c4e0861a199d16068"
    ],
    "Host": [
      "idp.security.domain.com"
    ],
    "Max-Forwards": [
      "10"
    ],
    "Referer": [
      "https://dev-388383.oktapreview.com/app/domaindev184673_domain_1/exkbi9j77tgmcPFCQ0h7/sso/saml?SAMLRequest=hZFBT8JAEIXvJvyHZu90W1rcsgGSBmJCgomCevBCdrcTWGl3684W8d9bCka56PXNfG%2Fy3oxRVOWg5nnjd2YF7w2gD45VaZCfJxPSOMOtQI3ciAqQe8XX%2Bf2SD8KI1856q2xJfjN%2FIwIRnNfWkGAxnxBdqAJkHA8zOZSQCsZkouQglUwUSSzTJCXBCzhsgQlp%2BZZCbGBh0AvjWymKWT%2FK%2BtHoKc54OuTJ6JUE8zaGNsJ31M77GjmlBRz6cZbesiS0ey9qBwcNH6GyFRV1TR2UdquP7dZ5adN4XeoDbGIKx73UozfG%2FLZSD3ezx2jHKKKlp7wkyL8jzazBpgK3BnfQCp5Xy5%2FruqhDBNU47T%2FDi3V3W1kH9NT%2FhUKaKyTT3k0QjLs%2BeZfYTf910gUY34pXbmN6ZdK7uQjXP59%2BAQ%3D%3D&RelayState=weLqzSdcZkCOmyhvnt5NIloWZRZSc-aJNqgb9ACn9EpRihaoleLMYw1r&fromLoginToken=CiMziv7wPUFZTK90dgcuvgay4yUSwYMJ-qNz9pnU20sKrDBrpM8SfVevcnwVbIzlIyklp014WLzSc25IeO_SHkmW39-pEzhz9uR4XOdhIkEzbsa6Gd_y5wcsK7ZOTZnpVq4Jwao2aI09v8Gs2AKJCyDX7Yr9Zi1k_GY4flb4xKcakIqFXA9MBn0fJsoFbcXo-JdVIAdtyX2r-02wDwLP_l3S8Oc4tuXnUmNo4w7O-S1jjg2JMoxPVGQwin-qT_ZY4aehMBQokfqtY6HIV6QBkwsdsacaObzQYRqN-defXuwXcRqH_jqCeNHSRHDb4y72VE2C24nicdW6NjX1x5KERA"
    ],
    "User-Agent": [
      "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
    ],
    "Upgrade-Insecure-Requests": [
      "1"
    ],
    "X-LiveUpgrade": [
      "1"
    ],
    "X-WAWS-Unencoded-URL": [
      "/core/callback"
    ],
    "X-Original-URL": [
      "/core/callback"
    ],
    "X-ARR-LOG-ID": [
      "53e5b88e-5adc-49e1-b688-2f5aeed7972c"
    ],
    "DISGUISED-HOST": [
      "idp.security.domain.com"
    ],
    "X-SITE-DEPLOYMENT-ID": [
      "security-idp-domain"
    ],
    "WAS-DEFAULT-HOSTNAME": [
      "security-idp-domain.azurewebsites.net"
    ],
    "X-Forwarded-For": [
      "99.229.83.20:1834"
    ],
    "X-ARR-SSL": [
      "2048|256|C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3|CN=idp.security.domain.com"
    ]
  },
  "Body": ""
}
2017-08-09 18:46:42.168 +00:00 [Debug] [2017-08-09T18:46:42.1685545Z] Request received, Method=GET, Url=https://idp.security.domain.com/core/callback, Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='https://idp.security.domain.com/core/callback'
2017-08-09 18:46:42.168 +00:00 [Debug] [2017-08-09T18:46:42.1685545Z] Level=Info, Kind=Begin, Category='System.Web.Http.MessageHandlers', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=DependencyScopeHandler.SendAsync
2017-08-09 18:46:42.168 +00:00 [Debug] [2017-08-09T18:46:42.1685545Z] Level=Info, Kind=Begin, Category='System.Web.Http.MessageHandlers', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=PassiveAuthenticationMessageHandler.SendAsync
2017-08-09 18:46:42.168 +00:00 [Debug] [2017-08-09T18:46:42.1685545Z] Level=Info, Kind=Begin, Category='System.Web.Http.Controllers', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='Route='MS_SubRoutes:System.Web.Http.Routing.IHttpRouteData[]'', Operation=DefaultHttpControllerSelector.SelectController
2017-08-09 18:46:42.168 +00:00 [Debug] [2017-08-09T18:46:42.1685545Z] Level=Info, Kind=End, Category='System.Web.Http.Controllers', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='Authentication', Operation=DefaultHttpControllerSelector.SelectController
2017-08-09 18:46:42.168 +00:00 [Debug] [2017-08-09T18:46:42.1685545Z] Level=Info, Kind=Begin, Category='System.Web.Http.Controllers', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=HttpControllerDescriptor.CreateController
2017-08-09 18:46:42.168 +00:00 [Debug] [2017-08-09T18:46:42.1685545Z] Level=Info, Kind=Begin, Category='System.Web.Http.Controllers', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=DefaultHttpControllerActivator.Create
2017-08-09 18:46:42.168 +00:00 [Debug] [2017-08-09T18:46:42.1685545Z] Level=Info, Kind=End, Category='System.Web.Http.Controllers', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='IdentityServer3.Core.Endpoints.AuthenticationController', Operation=DefaultHttpControllerActivator.Create
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=End, Category='System.Web.Http.Controllers', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='IdentityServer3.Core.Endpoints.AuthenticationController', Operation=HttpControllerDescriptor.CreateController
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=Begin, Category='System.Web.Http.Controllers', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=AuthenticationController.ExecuteAsync
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=Begin, Category='System.Web.Http.Action', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=ApiControllerActionSelector.SelectAction
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=End, Category='System.Web.Http.Action', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='Selected action 'LoginExternalCallback(String error)'', Operation=ApiControllerActionSelector.SelectAction
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=HostAuthenticationAttribute.AuthenticateAsync

> 2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='The authentication filter did not encounter an error or set a principal.', Operation=HostAuthenticationAttribute.AuthenticateAsync
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=HostAuthenticationAttribute.ChallengeAsync
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=HostAuthenticationAttribute.ChallengeAsync
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=PreventUnsupportedRequestMediaTypesAttribute.OnAuthorizationAsync
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=PreventUnsupportedRequestMediaTypesAttribute.OnAuthorizationAsync
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=Begin, Category='System.Web.Http.ModelBinding', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=HttpActionBinding.ExecuteBindingAsync
2017-08-09 18:46:42.184 +00:00 [Debug] [2017-08-09T18:46:42.1841601Z] Level=Info, Kind=Begin, Category='System.Web.Http.ModelBinding', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='Binding parameter 'error'', Operation=ModelBinderParameterBinding.ExecuteBindingAsync

> 2017-08-09 18:46:42.199 +00:00 [Debug] [2017-08-09T18:46:42.1997851Z] Level=Info, Kind=End, Category='System.Web.Http.ModelBinding', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='Parameter 'error' bound to the value 'null'', Operation=ModelBinderParameterBinding.ExecuteBindingAsync
2017-08-09 18:46:42.199 +00:00 [Debug] [2017-08-09T18:46:42.1997851Z] Level=Info, Kind=End, Category='System.Web.Http.ModelBinding', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='Model state is valid. Values: error=null', Operation=HttpActionBinding.ExecuteBindingAsync
2017-08-09 18:46:42.199 +00:00 [Debug] [2017-08-09T18:46:42.1997851Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='Action filter for 'LoginExternalCallback(String error)'', Operation=NoCacheAttribute.OnActionExecutingAsync
2017-08-09 18:46:42.199 +00:00 [Debug] [2017-08-09T18:46:42.1997851Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=NoCacheAttribute.OnActionExecutingAsync

> 2017-08-09 18:46:42.199 +00:00 [Debug] [2017-08-09T18:46:42.1997851Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='Action filter for 'LoginExternalCallback(String error)'', Operation=SecurityHeadersAttribute.OnActionExecutingAsync
2017-08-09 18:46:42.199 +00:00 [Debug] [2017-08-09T18:46:42.1997851Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Operation=SecurityHeadersAttribute.OnActionExecutingAsync
2017-08-09 18:46:42.199 +00:00 [Debug] [2017-08-09T18:46:42.1997851Z] Level=Info, Kind=Begin, Category='System.Web.Http.Action', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='Action='LoginExternalCallback(error=null)'', Operation=ApiControllerActionInvoker.InvokeActionAsync
2017-08-09 18:46:42.199 +00:00 [Debug] [2017-08-09T18:46:42.1997851Z] Level=Info, Kind=Begin, Category='System.Web.Http.Action', Id=2b7a9d86-caa3-4353-9a40-c8cb362ac54c, Message='Invoking action 'LoginExternalCallback(error=null)'', Operation=ReflectedHttpActionDescriptor.ExecuteAsync
2017-08-09 18:46:42.246 +00:00 [Information] Callback invoked from external identity provider
2017-08-09 18:46:42.246 +00:00 [Information] No signin id passed
myaesubi commented 7 years ago

Hi, I'm using AspNetIdentityUserService implementation of IdentityServer3 which uses ASP.NET Identity database as identity provider.

I've narrowed it down to the location in the 'IdentityServer3' source code where the SignInId is checked.

'AuthenticationController.cs'

Line 348, which checks the result of 'GetSignInIdFromExternalProvider()':

var signInId = await context.GetSignInIdFromExternalProvider();
if (signInId.IsMissing())
{
    Logger.Info("No signin id passed");
    return HandleNoSignin();
}

Internally, that code calls var result = await context.GetAuthenticationFrom(Constants.ExternalAuthenticationType);

which looks for the literal string idsrv.external; the return type is AuthenticationResult, which would be expected to contain the signin id value.

The callback from Okta to IdentityServer3 produces the following log, in which the Cookie contains the SignInId.message entry.

. . .

2017-08-14 21:57:41.088 +00:00 [Verbose] Signature validation passed for Saml Response id83852326850881431552995113
2017-08-14 21:57:41.388 +00:00 [Verbose] Extracted SAML assertion id8385232685116982152681110
2017-08-14 21:57:41.513 +00:00 [Verbose] Validated conditions for SAML2 Response id83852326850881431552995113
2017-08-14 21:57:41.556 +00:00 [Information] Successfully processed SAML response id83852326850881431552995113 and authenticated myaesubi@relogix.com
2017-08-14 21:57:41.713 +00:00 [Debug] HTTP Request
{
  "Method": "GET",
  "Url": "https://idp.security.utilive.com/core/callback",
  "Headers": {
    "Cache-Control": [
      "max-age=0"
    ],
    "Connection": [
      "Keep-Alive"
    ],
    "Accept": [
      "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
    ],
    "Accept-Encoding": [
      "gzip, deflate, br"
    ],
    "Accept-Language": [
      "en-US,fa-IR;q=0.8,fa;q=0.6,en;q=0.4"
    ],
    "Cookie": [
      "SignInMessage.680fb93d6fa8f433ca8333d0e55a9467=WrdtI_Hjtn7GCvfihnsoaFT4lWRK9fKkSQDwHtn3xwd-s4896kFyABVzutAPX6zKb08IVcAomc2yg4xruE0W4gDhkUHxenO0L3BE3azpA8cqAOG4eQxYRQEYKiq1HlRQSrjcUhVrzoBbWIqszP1t1oRLMnXS7_rFwzbaEx3T2td_yoQ1RkalR16vel5G7dzAc66pCYmjx_qH7O3Vm5EiVmoCcu6MVhlUdGfeBpd-RDhGtDaYVG5t8eDi50aMK7REq1Q_mxzXWeqnn2uFE2jAdsBM3v12vDndr_vOhVgfLa-BncvO-79VAlV-po_Et_PCcMKFrrr_edIqUDiydRQojGpJsDEJpPK-as7ixmNRLBDIXTpQSkid5MeYoCw8jvNirMW0HVa1XRAwATYN7YIZqkXk8hW5zmF2piCozqaNmTQjFfHEgeXYTEjXp4kiEWBo-nBQXHF_9HgEkhRAB3gqjF7WC8wG9qa0dlEs6EJxpa8keprCH--4qNQ7D9_n3_uaDo5fO00wjHhXC3VuT7jSqA; idsrv.xsrf=F9uAq49FI4eTQWmN68ENlbDqjqSgR8J_7dp8pROwh3pH3RGQIDNZWBY29E_obF1EZ7Ub_WMYbg1Wf9Aer6ChIsJiGuydN_8184RlKFXQ31A; ARRAffinity=317be31cb04e137ad518d76c134b8d5cef4589c62dfecc7c4e0861a199d16068"
    ],
    "Host": [
      "idp.security.utilive.com"
    ],
    "Max-Forwards": [
      "10"
    ],
    "Referer": [
      "https://dev-184673.oktapreview.com/app/relogixdev184673_utilive_1/exkbi9j77tgmcPFCQ0h7/sso/saml?SAMLRequest=hZFBT8JAEIXvJPyHZu90u21p6wZIGogJCSYq6sELWbcjrLS7dWdb8d9bCka56PXNfG%2Fy3kxQVGVY87xxO30P7w2g8w5VqZGfJlPSWM2NQIVciwqQO8nX%2Bc2Kh37Aa2uckaYkv5m%2FEYEI1imjibdcTIkqMmAykQF7jdIwTrIoyyCElLEkkXE2FpJ4T2CxA6ak4zsKsYGlRie066SApaMgG7H4IWR8nPIoeibeoouhtHA9tXOuRk5pAe2IZXGSRr7ZO1FbaBV8%2BNJUVNQ1tVCarTp0W6elTeNUqVrYMAqH%2FYu6ektTt63k7fX8LtilFNHQY17i5d%2BR5kZjU4Fdg22VhMf71c91VdQ%2Bgmyscp%2F%2B2bq%2FLY0Feuz%2FTCHNJZLZcOB5k75P3ie2s3%2BdVAHadeKF24RemAwHZ%2BHy57Mv&RelayState=aIS_WVtLlP880Jz_2BI1-adVnbgkl5saaN0WqXPgWbXDNrV1b0yN08RF&fromLoginToken=6yJDggVdh7_1r3xiGMrnTZXAwJNJ8GfNcuCoIG-wueqT82JIW1dMrchE1Xripn-nHog_bBC8gdWlJgtsg69iUSLPUq2tlTUL0p7nfpngAdVxwEuDzTFw8eziGkF9zC3wfO5GGfs3cUELzDv0tMfo8XXdRz5xWBb-fLpojP6ZGAGMmp4uK0_d6pe04YZKY4F8J4svsYC6l6VDmeyIM60HF_4J67FCmcT9yqo_UGACTunj384fSjtAXEdu7es_HzKFDd8hg7gC0_34gh7TEhJF1RI0sdLDPAkl-xKN4iZ5Aai8I5FwumxKzFpYzhQiOYq4NrmFYArqMJwtogXRSvDsew"
    ],
    "User-Agent": [
      "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
    ],
    "Upgrade-Insecure-Requests": [
      "1"
    ],
    "X-LiveUpgrade": [
      "1"
    ],
    "X-WAWS-Unencoded-URL": [
      "/core/callback"
    ],
    "X-Original-URL": [
      "/core/callback"
    ],
    "X-ARR-LOG-ID": [
      "e4d18801-97ea-4e0a-b389-9694a2bc699b"
    ],
    "DISGUISED-HOST": [
      "idp.security.utilive.com"
    ],
    "X-SITE-DEPLOYMENT-ID": [
      "security-idp-utilive"
    ],
    "WAS-DEFAULT-HOSTNAME": [
      "security-idp-utilive.azurewebsites.net"
    ],
    "X-Forwarded-For": [
      "99.229.83.20:31367"
    ],
    "X-ARR-SSL": [
      "2048|256|C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3|CN=idp.security.utilive.com"
    ]
  },
  "Body": ""
}
2017-08-14 21:57:41.713 +00:00 [Debug] [2017-08-14T21:57:41.7131309Z] Request received, Method=GET, Url=https://idp.security.utilive.com/core/callback, Id=20bcd6f1-db79-4a74-8b55-26c9e9204c5a, Message='https://idp.security.utilive.com/core/callback'

@brockallen: I would appreciate any insights into what the gap might be here.

Thanks, Mamrez

myaesubi commented 7 years ago

Hi again, @albinsunnanbo, @AndersAbel, @dahlsailrunner. I would appreciate it if you could advise on this issue:

I highly suspect the issue I'm facing is the certificate handshake, since the communication is cut off after a successful sign-in by Okta which, as the logs show, AuthServices also reports as a successful authentication.

I did dig deeper in the AuthServices source code and SampleIdentityServer3.

One thing that stands out is the addition of the SP certificate.


options.SPOptions.ServiceCertificates.Add(new X509Certificate2(
    AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "/App_Data/Kentor.AuthServices.Tests.pfx"));

When setting up Okta, in the metadata the certificate comes as .cer/.cert and it's the public key only. I'm not sure how this could be addressed in the above code.

I did convert to pfx, but usually .pfx has the private key embedded in it. The deployment complains about unavailability of the private key.

Could you please advise what I possibly miss?

Thanks, Mamrez
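An added illustration (editor's example, not code from this thread or from the Kentor.AuthServices project) of the distinction behind the .cer versus .pfx question above: SPOptions.ServiceCertificates holds the service provider's own certificate, which must carry its private key because it signs AuthnRequests and decrypts assertions, whereas the IdP's public signing certificate from the Okta metadata is loaded through LoadMetadata (or pinned explicitly on the identity provider's SigningKeys) and never needs a private key. The thumbprint, entity IDs and paths are placeholders, and the using directives reflect the Kentor.AuthServices namespaces as assumed here.

```csharp
using System;
using System.IdentityModel.Metadata;
using System.Security.Cryptography.X509Certificates;
using Kentor.AuthServices;
using Kentor.AuthServices.Configuration;
using Kentor.AuthServices.Owin;

public static class SamlCertificateSetup
{
    // Loads the SP's own certificate (with private key) from the machine store.
    // The thumbprint is a placeholder; this is the certificate issued for your
    // IdentityServer host, not the one Okta publishes in its metadata.
    static X509Certificate2 LoadSpCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("SP certificate not found: " + thumbprint);
            var cert = found[0];
            // Signing requests and decrypting assertions both need the private key; a .cer
            // export cannot serve here, which is the 'private key unavailable' failure mode.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("SP certificate has no private key; install the .pfx.");
            return cert;
        }
    }

    public static KentorAuthServicesAuthenticationOptions Build(string signInAsType)
    {
        var options = new KentorAuthServicesAuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                EntityId = new EntityId("https://idp.example.test/identity/AuthServices"), // placeholder
                ReturnUrl = new Uri("https://portal.example.test"),                         // placeholder
                // Sign AuthnRequests when the IdP asks for it; needs a ServiceCertificate with a private key.
                AuthenticateRequestSigningBehavior = SigningBehavior.IfIdpWantAuthnRequestsSigned
            },
            SignInAsAuthenticationType = signInAsType,
            AuthenticationType = "okta",
            Caption = "Okta"
        };
        options.SPOptions.ServiceCertificates.Add(LoadSpCertificate("SP_CERT_THUMBPRINT_PLACEHOLDER"));

        var okta = new IdentityProvider(new EntityId("http://www.okta.com/PLACEHOLDER"), options.SPOptions)
        {
            // The IdP's public signing certificate (the .cer) is read from the metadata file;
            // nothing on the SP side needs Okta's private key.
            LoadMetadata = true,
            MetadataLocation = "~/Okta/OktaMetadata.xml" // placeholder path
        };
        // Alternative when metadata is not used: pin Okta's public signing certificate explicitly.
        // okta.SigningKeys.AddConfiguredKey(new X509Certificate2("PATH_TO_OKTA_CER"));
        options.IdentityProviders.Add(okta);
        return options;
    }
}
```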

dahlsailrunner commented 7 years ago

If you're still having trouble, can you provide a screenshot of the setup you've done in Okta for this?

myaesubi commented 7 years ago

The issue was the endpoint connection setting which I learned digging through the logs and the AuthServices test and source code.

The other issue was that the IdentityServer3 AspNetIdentity setup assumes that if the authenticated external provider's user does not exist in the Idsrv3 identity store, it should first be created; I overrode the function and all is good.

Thanks, Mamrez

dahlsailrunner commented 7 years ago

Glad you got it resolved! What was the final version of your endpoint connection setting (can you include the code)?

daluas commented 6 years ago

Hello @myaesubi ,

I'm facing the same issue you had, with Google. It is not always reproducible. From time to time, this issue occurs:

w3wp.exe Information: 0 : 2018-02-10 09:01:44.200 +01:00 [Information] Callback invoked from external identity provider
w3wp.exe Information: 0 : 2018-02-10 09:01:44.200 +01:00 [Information] No signin id passed

Could you please tell me what was the endpoint connection setting problem? Was the certificate?

TIA