i8beef / SAML2


SAMLSignOn Error #64

Closed nreddipalle closed 3 years ago

nreddipalle commented 3 years ago

@i8beef I am receiving this error and am unable to figure out the issue.

[screenshot of the error]

i8beef commented 3 years ago

It looks like it's failing here: https://github.com/i8beef/SAML2/blob/master/src/SAML2/State/SessionStateService.cs#L41

Note that's in the Session-based state storage, which I moved away from some time ago as the default. The CacheStateService ended up being more reliable once some of the extra cookie security options got turned on in browsers by default. Or are you running an old version?

nreddipalle commented 3 years ago

Do you want me to try with the new version? The same DLL is working fine with another URL, like:

```xml
<saml2>
    <allowedAudienceUris>
        <audience uri="https://URL1/" />
    </allowedAudienceUris>
    <serviceProvider id="https://URL1/" server="https://URL1/">
        <signingCertificate findValue="0A6157784F3DD0157475C5CE09CEB98534739338" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint" />
        <endpoints>
            <endpoint index="0" localPath="/SAML/Login.ashx" redirectUrl="/login" type="SignOn" />
            <endpoint index="1" localPath="/SAML/Metadata.ashx" type="Metadata" />
        </endpoints>
    </serviceProvider>
    <identityProviders metadata="D:\home\site\wwwroot\saml_metadata">
        <add allowUnsolicitedResponses="true" default="true" id="http://idp.com/adfs/services/trust" omitAssertionSignatureCheck="true">
            <certificateValidations>
                <add type="SAML2.Specification.SelfIssuedCertificateSpecification, SAML2" />
            </certificateValidations>
        </add>
    </identityProviders>
    <actions>
        <clear />
        <action name="SetSamlPrincipal" type="SAML2.Actions.SamlPrincipalAction, SAML2" />
        <action name="FormsAuthentication" type="Klick.Intranet.Web.SAMLFormsAuthenticationHandler, Klick.Intranet.Web" />
        <action name="Redirect" type="SAML2.Actions.RedirectAction, SAML2" />
    </actions>
</saml2>
```

but not with another URL

```xml
<saml2>
    <allowedAudienceUris>
        <audience uri="https://dryrun.URL1.com/" />
    </allowedAudienceUris>
    <serviceProvider id="https://dryrun.URL1.com/" server="https://dryrun.URL1.com/">
        <signingCertificate findValue="0A6157784F3DD0157475C5CE09CEB98534739338" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint" />
        <endpoints>
            <endpoint index="0" localPath="/SAML/Login.ashx" redirectUrl="/login" type="SignOn" />
            <endpoint index="1" localPath="/SAML/Metadata.ashx" type="Metadata" />
        </endpoints>
    </serviceProvider>
    <identityProviders metadata="D:\home\site\wwwroot\saml_metadata">
        <add allowUnsolicitedResponses="true" default="true" id="http://idp.com/adfs/services/trust" omitAssertionSignatureCheck="true">
            <certificateValidations>
                <add type="SAML2.Specification.SelfIssuedCertificateSpecification, SAML2" />
            </certificateValidations>
        </add>
    </identityProviders>
    <actions>
        <clear />
        <action name="SetSamlPrincipal" type="SAML2.Actions.SamlPrincipalAction, SAML2" />
        <action name="FormsAuthentication" type="Klick.Intranet.Web.SAMLFormsAuthenticationHandler, Klick.Intranet.Web" />
        <action name="Redirect" type="SAML2.Actions.RedirectAction, SAML2" />
    </actions>
</saml2>
```

I am using the same federation metadata.xml file. I am trying to understand what part is lacking that is causing an object reference exception. I see that ReturnURL is coming through fine as part of the SAML/Login.ashx API request.
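The two configs above differ only in the hostnames, so the failure is not a config difference. They do, however, carry settings a reviewer would want to flag, and the audience/serviceProvider pairing is exactly the kind of thing that goes wrong when a config is cloned for a second URL. The following linter is an added example, not code from the SAML2 project or from anyone in this thread; the meaning of `omitAssertionSignatureCheck`, `allowUnsolicitedResponses` and `SelfIssuedCertificateSpecification` is assumed from the attribute and type names and from SAML 2.0 in general, and the thumbprint and metadata path in the sample are placeholders.

```python
"""Consistency and hardening linter for an i8beef/SAML2 <saml2> config block.

Added example, not code from the SAML2 project or from this thread. Attribute
semantics are ASSUMED from the names used in the posted configs and from
SAML 2.0 in general; check them against the library before relying on this.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the "dryrun" config in the thread; the
# thumbprint and metadata path are placeholders.
WEAK_CONFIG = """\
<saml2>
  <allowedAudienceUris>
    <audience uri="https://dryrun.URL1.com/" />
  </allowedAudienceUris>
  <serviceProvider id="https://dryrun.URL1.com/" server="https://dryrun.URL1.com/">
    <signingCertificate findValue="0000000000000000000000000000000000000000"
        storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint" />
  </serviceProvider>
  <identityProviders metadata="D:\\home\\site\\wwwroot\\saml_metadata">
    <add allowUnsolicitedResponses="true" default="true"
         id="http://idp.com/adfs/services/trust" omitAssertionSignatureCheck="true">
      <certificateValidations>
        <add type="SAML2.Specification.SelfIssuedCertificateSpecification, SAML2" />
      </certificateValidations>
    </add>
  </identityProviders>
</saml2>
"""


def _is_true(value):
    return (value or "").strip().lower() == "true"


def lint(xml_text):
    """Return a list of (severity, location, message) findings for a <saml2> block."""
    root = ET.fromstring(xml_text)
    findings = []

    sp = root.find("serviceProvider")
    sp_id = sp.get("id") if sp is not None else None
    audiences = [a.get("uri") for a in root.findall("allowedAudienceUris/audience")]
    # The IdP puts the SP entityID into <saml:Audience>; if that id is not an
    # allowed audience, every assertion issued for this SP will be rejected.
    if sp_id and sp_id not in audiences:
        findings.append(("WARN", "allowedAudienceUris",
                         f"serviceProvider id {sp_id!r} is not listed as an allowed audience"))

    for idp in root.findall("identityProviders/add"):
        loc = f"identityProviders/add[@id={idp.get('id')!r}]"
        if _is_true(idp.get("omitAssertionSignatureCheck")):
            findings.append(("HIGH", loc,
                             "omitAssertionSignatureCheck=true: per-assertion signatures are not "
                             "verified; only acceptable if the Response envelope signature is "
                             "required and verified"))
        if _is_true(idp.get("allowUnsolicitedResponses")):
            findings.append(("MEDIUM", loc,
                             "allowUnsolicitedResponses=true: IdP-initiated responses carry no "
                             "InResponseTo, so the SP cannot tie them to a request it issued"))
        for spec in idp.findall("certificateValidations/add"):
            if "SelfIssuedCertificateSpecification" in (spec.get("type") or ""):
                findings.append(("INFO", loc,
                                 "self-issued IdP certificates are accepted; trust rests entirely "
                                 "on the integrity of the metadata file"))
    return findings


def harden(xml_text):
    """Return the same config with both weakening flags switched off."""
    root = ET.fromstring(xml_text)
    for idp in root.findall("identityProviders/add"):
        for attr in ("omitAssertionSignatureCheck", "allowUnsolicitedResponses"):
            if attr in idp.attrib:
                idp.set(attr, "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sev, loc, msg in lint(WEAK_CONFIG):
        print(f"{sev:6} {loc}: {msg}")
    print(harden(WEAK_CONFIG))
```

Run it against each environment's `web.config` section before and after cloning a deployment; a WARN on the audience list is a plain misconfiguration, while the HIGH finding is a deliberate trade-off that should be documented alongside confirmation that the IdP signs the whole Response.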

nreddipalle commented 3 years ago

I think I overcame this error after using the latest DLL file.

i8beef commented 3 years ago

Glad to hear it. It may indeed have been that cookie issue, which the new version avoids by switching to using cache instead of session. A few months back the rules for how cookies get sent changed so that they don't get sent anymore if the referring site wasn't the same... which is kind of how SAML works with a POST binding. The new version allowed us to use our own cookie instead of relying on the session cookie that no longer comes through.

This old sessionState approach was left in for people who still wanted to use the old way by changing their global site session cookie settings.
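The cookie change the maintainer refers to is browsers treating cookies without a `SameSite` attribute as `SameSite=Lax` (Chromium did this from version 80). A SAML POST binding is a cross-site, top-level POST from the IdP to the SP's assertion consumer endpoint, which Lax cookies are not sent on, so the ASP.NET session cookie vanishes exactly when the SP needs it to look up the pending request. The model below is an added example, not code from the SAML2 project; it assumes the library's own state cookie is marked `SameSite=None; Secure`, which is the standard way to let a cross-site POST carry a cookie, and the hostnames are constructed.

```python
"""Why a POST-binding SAML response loses a default session cookie under
modern SameSite rules, and why a SameSite=None; Secure cookie survives.

Added example, not code from the SAML2 project. It models the SameSite rules
browsers apply (Lax by default, plus Chromium's allowance of top-level POSTs
for attribute-less cookies younger than two minutes). Hostnames are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None if the attribute is absent
    secure: bool = False
    age_s: int = 3600         # seconds since the Set-Cookie was received


@dataclass
class Request:
    initiator_site: str       # registrable domain of the page that caused the request
    target_site: str          # registrable domain of the request URL
    method: str               # "GET" or "POST"
    top_level: bool           # navigation (True) vs subresource/XHR (False)
    https: bool = True


def cookie_sent(cookie, req):
    """Return True if a browser following the SameSite rules attaches `cookie` to `req`."""
    if req.initiator_site == req.target_site:
        return True                              # same-site: always sent
    mode = cookie.samesite or "Lax"              # absent attribute: Lax by default
    if mode == "Strict":
        return False
    if mode == "Lax":
        if not req.top_level:
            return False
        if req.method == "GET":
            return True
        # "Lax + POST": only for cookies with no explicit attribute, set < 2 min ago
        return cookie.samesite is None and cookie.age_s < 120
    if mode == "None":
        return cookie.secure and req.https       # None is only honoured with Secure over HTTPS
    return False


# Constructed: the IdP (idp.example) auto-submits the SAMLResponse form to the SP's ACS
ACS_POST = Request(initiator_site="idp.example", target_site="sp.example",
                   method="POST", top_level=True)


def session_cookie_on_acs_post():
    """Old approach: ASP.NET_SessionId with no SameSite attribute, set ten minutes
    earlier when the user was redirected to the IdP."""
    return cookie_sent(Cookie("ASP.NET_SessionId", samesite=None, age_s=600), ACS_POST)


def state_cookie_on_acs_post():
    """Assumed new approach: the library's own state cookie marked SameSite=None; Secure."""
    return cookie_sent(Cookie("saml-state", samesite="None", secure=True, age_s=600), ACS_POST)


if __name__ == "__main__":
    print("session cookie on ACS POST:", session_cookie_on_acs_post())        # False
    print("SameSite=None;Secure state cookie on ACS POST:", state_cookie_on_acs_post())  # True
```

The two-minute Lax+POST window explains why the old session-based flow sometimes appeared to work: a user who completed IdP login quickly still had the cookie sent, while anyone slower did not. Changing the global site session cookie to `SameSite=None; Secure`, as the maintainer mentions, also works but widens the exposure of every session cookie to cross-site requests, which is why a dedicated state cookie is the better fix.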

nreddipalle commented 3 years ago

@i8beef I see this error now post-login with the latest DLL: [screenshot of the error]

i8beef commented 3 years ago

The error code is actually confusing there as it isn't logging the actual status VALUE, but basically the response from your IDP for the initial auth request is telling you something failed. You'll have to debug into this / look at your IDP logs to see what it doesn't like.
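The status value the library does not log is the `<samlp:StatusCode>` chain in the IdP's Response: a top-level code (Success, Requester, Responder or VersionMismatch) optionally wrapping a second-level code such as AuthnFailed or RequestDenied, plus an optional StatusMessage. Pulling those out of the captured response is usually quicker than going to the IdP logs first. The parser below is an added example, not code from the SAML2 project; the failure Response it parses is constructed, and the status URIs are the ones defined by SAML 2.0 Core.

```python
"""Surface the actual <samlp:Status> of a SAML Response instead of a generic
"status was not Success" error.

Added example, not code from the SAML2 project. The sample Response is
constructed; the status URIs are those defined in SAML 2.0 Core.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Spec-defined second-level codes that commonly explain a failed SignOn
SECOND_LEVEL_HINTS = {
    "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed": "IdP could not authenticate the user",
    "urn:oasis:names:tc:SAML:2.0:status:NoPassive": "IsPassive requested but user interaction was needed",
    "urn:oasis:names:tc:SAML:2.0:status:RequestDenied": "IdP policy refused the request",
    "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal": "IdP does not recognise the principal",
    "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext": "requested AuthnContext cannot be satisfied",
    "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy": "requested NameID format not supported",
}

# Constructed failure Response; the Destination mirrors the SignOn endpoint in the thread
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
    Destination="https://dryrun.URL1.com/SAML/Login.ashx">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>The relying party trust is not configured.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>
"""


def parse_status(response_xml):
    """Return (is_success, [status code chain, outermost first], status message or None)."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response has no <samlp:Status>")
    chain = []
    code = status.find("samlp:StatusCode", NS)
    while code is not None:                       # walk the nested StatusCode elements
        chain.append(code.get("Value"))
        code = code.find("samlp:StatusCode", NS)
    if not chain:
        raise ValueError("<samlp:Status> has no StatusCode")
    msg_el = status.find("samlp:StatusMessage", NS)
    message = msg_el.text.strip() if msg_el is not None and msg_el.text else None
    return chain[0] == SUCCESS, chain, message


def describe_failure(response_xml):
    """One log line with the codes and message the library's error omits."""
    ok, chain, message = parse_status(response_xml)
    if ok:
        return "Success"
    parts = [f"top-level={chain[0].rsplit(':', 1)[-1]}"]
    for code in chain[1:]:
        hint = SECOND_LEVEL_HINTS.get(code, "no hint")
        parts.append(f"second-level={code.rsplit(':', 1)[-1]} ({hint})")
    if message:
        parts.append(f"message={message!r}")
    return "; ".join(parts)


if __name__ == "__main__":
    print(describe_failure(SAMPLE_RESPONSE))
```

Feed it the base64-decoded `SAMLResponse` form field from the browser's network capture of the POST to `/SAML/Login.ashx`. A `Responder` top-level code means the IdP refused on its own side (typically relying-party trust or issuer configuration), while `Requester` means the IdP objected to something in the SP's AuthnRequest, which narrows down where to look next.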