digst / OIOSAML.Net


Demo service provider certificate appears to fail revocation check #70

Open ronnieholm opened 1 year ago

ronnieholm commented 1 year ago

Repro steps:

  1. Follow the steps in readme.md to set up IdentityProviderDemo and WebsiteDemo.
  2. Launch IdentityProviderDemo and WebsiteDemo from Visual Studio.
  3. Attempt to log in on IdentityProviderDemo from WebsiteDemo.

Login fails to complete on the IdP side:

[Exception: Could not encrypt. No valid certificates found.]
   IdentityProviderDemo.SignonForm.CreateAssertionResponse(User user) in C:\Users\rh\source\repos\OIOSAML.Net\src\dk.nita.saml20\IdentityProviderDemo\SignonForm.aspx.cs:236
   IdentityProviderDemo.SignonForm.OnInit(EventArgs e) in C:\Users\rh\source\repos\OIOSAML.Net\src\dk.nita.saml20\IdentityProviderDemo\SignonForm.aspx.cs:74
   System.Web.UI.Control.InitRecursive(Control namingContainer) +454
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1714

due to

Validating chain with online revocation check failed for certificate 'A402BB172929AE0D0ADA62F6864329C35DC29483': System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate SERIALNUMBER=CVR:34051178-FID:80719473 + CN=SP and WSC (Oiosaml-net.dk TEST) (funktionscertifikat), O=Digitaliseringsstyrelsen // CVR:34051178, C=DK chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

The IdP cannot verify the service provider's certificate and thus cannot sign the response to the SP.

ronnieholm commented 1 year ago

The problem is that setup_prerequisites.ps1 installs the root certificate in the wrong location.

TRUST2408 Systemtest VII Primary CA ends up in Intermediate Certification Authorities when it must be in Trusted Root Certification Authorities.

In Certificate Manager, clicking TRUST2408 Systemtest VII Primary CA, the UI reports:

This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

For now, to resolve the issue, drag and drop TRUST2408 Systemtest VII Primary CA into Trusted Root Certification Authorities.
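One way to apply that fix from a prompt instead of dragging in Certificate Manager, as an added example that is not part of the issue or the OIOSAML.Net repository: it locates the self-signed TRUST2408 Systemtest VII Primary CA in the Intermediate Certification Authorities store, moves it to Trusted Root Certification Authorities, and then rebuilds the chain for the SP certificate thumbprint quoted in the exception. It assumes the certificates were installed into the CurrentUser stores and that the SP certificate sits in the personal (My) store; both are assumptions, not something the issue states.

```powershell
# Added example (not from the OIOSAML.Net repo). Assumption: certificates were
# installed into the CurrentUser stores; use 'LocalMachine' from an elevated
# prompt if setup_prerequisites.ps1 installed them there on your machine.
$storeLocation = 'CurrentUser'
$rootSubject   = 'TRUST2408 Systemtest VII Primary CA'

# Cert:\<location>\CA is "Intermediate Certification Authorities"; a root is
# self-signed, so Subject and Issuer must match.
$misplaced = Get-ChildItem -Path "Cert:\$storeLocation\CA" |
    Where-Object { $_.Subject -like "*$rootSubject*" -and $_.Subject -eq $_.Issuer }

if (-not $misplaced) {
    Write-Host "No self-signed '$rootSubject' found in Cert:\$storeLocation\CA"
} else {
    foreach ($cert in $misplaced) {
        # Cert:\<location>\Root is "Trusted Root Certification Authorities".
        $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $storeLocation)
        $root.Open('ReadWrite')
        $root.Add($cert)
        $root.Close()
        # Drop the stray copy so the root is not also treated as an intermediate.
        Remove-Item -Path "Cert:\$storeLocation\CA\$($cert.Thumbprint)"
        Write-Host "Moved $($cert.Thumbprint) to Cert:\$storeLocation\Root"
    }
}

# Re-check the way the IdP does: build the SP certificate's chain with online
# revocation checking. The thumbprint is the one quoted in the exception above;
# assumption: the SP certificate is in the personal (My) store.
$sp = Get-ChildItem -Path "Cert:\$storeLocation\My\A402BB172929AE0D0ADA62F6864329C35DC29483" -ErrorAction SilentlyContinue
if ($sp) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($sp)
    foreach ($s in $chain.ChainStatus) { Write-Host "$($s.Status): $($s.StatusInformation)" }
    Write-Host "Chain builds: $ok"   # expect True once the root is in Root
} else {
    Write-Host "SP certificate not found in Cert:\$storeLocation\My; adjust the path"
}
```

Adding to the CurrentUser Root store pops a Windows confirmation dialog asking you to trust the root; that prompt is expected and is the same trust decision you make when dragging the certificate in Certificate Manager.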

cemerson commented 1 year ago

> For now, to resolve the issue, drag and drop TRUST2408 Systemtest VII Primary CA into Trusted Root Certification Authorities.

This resolved the issue for me (I think) - though now I have a different error (below) which I think is unrelated. Anyhow - thanks for the certificate fix.

"The user doesn't have a session in context of a cookie ... which is required at this point in the pipeline. Plausible reason is that OIOSAML.Net is not running under https. The session cookie is marked with 'secure only'."

ronnieholm commented 1 year ago

Yes. "The user doesn't have a session in context of a cookie" is unrelated. You may be running an out-of-date version of ASP.NET, one without the third-party cookie patch. This ASP.NET behavior changed 2-3 years ago, forced by Google, affecting not only NemLog-in.

Let's not mix issues.