Steve

Reputation: 1694

The data protection operation was unsuccessful

I'm trying to get the sample MVC application from Kentor AuthServices deployed to Azure and using Okta as the IDP. I've jumped a few hurdles but have stumbled on the CryptographicException "The data protection operation was unsuccessful". I'm unsure how to resolve it.

When this occurs the URL in the browser is https://mysite.azurewebsites.net/AuthServices/Acs

Any assistance is appreciated, thanks.

Below is the kentor section of my web.config. I don't have an identity server, so I removed all the federation config.

<kentor.authServices entityId="https://mysite.azurewebsites.net/AuthServices"
                     returnUrl="https://mysite.azurewebsites.net/"
                     authenticateRequestSigningBehavior="Never">
  <identityProviders>
    <add entityId="http://www.okta.com/1111111"
         allowUnsolicitedAuthnResponse="true" binding="HttpRedirect"
         metadataLocation="https://dev-11111.oktapreview.com/app/1111111/sso/saml/metadata"
         loadMetadata="true">
      <signingCertificate fileName="~/App_Data/okta.cert" />
    </add>
  </identityProviders>
</kentor.authServices>

Let me know if I can provide any further info to assist you in assisting me!

Upvotes: 3

Views: 1811

Answers (2)

Steve

Reputation: 1694

It was actually an Azure issue as Anders points out. The fix was to add the following to web.config:

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

Upvotes: 2
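
A pre-deployment check for the handler swap in the answer above, as an added example that is not part of the original answer or of Kentor.AuthServices: it parses a web.config and reports whether the default `SessionSecurityTokenHandler` (which protects the session cookie with DPAPI) has been replaced by `MachineKeySessionSecurityTokenHandler`. The function name `check_session_handler` and the sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DPAPI = "System.IdentityModel.Tokens.SessionSecurityTokenHandler"
MACHINE_KEY = ("System.IdentityModel.Services.Tokens."
               "MachineKeySessionSecurityTokenHandler")
SECTION = "system.identityModel/identityConfiguration/securityTokenHandlers"

def _types(handlers, tag):
    """Class names (assembly details stripped) of the <tag type="..."/> children."""
    return {(e.get("type") or "").split(",")[0].strip()
            for e in handlers.findall(tag)}

def check_session_handler(web_config_xml):
    """Return a list of findings; an empty list means the swap is in place."""
    root = ET.fromstring(web_config_xml)
    handlers = root.find(SECTION)
    if handlers is None:
        return ["no <securityTokenHandlers> section: "
                "default DPAPI-backed handler is used"]
    findings = []
    added, removed = _types(handlers, "add"), _types(handlers, "remove")
    cleared = handlers.find("clear") is not None
    if MACHINE_KEY not in added:
        findings.append("MachineKeySessionSecurityTokenHandler is not added")
    if DPAPI in added or not (DPAPI in removed or cleared):
        findings.append(
            "DPAPI-backed SessionSecurityTokenHandler is still registered")
    return findings

# Constructed sample inputs (trimmed web.config files, not a real deployment).
FIXED = """<configuration><system.identityModel><identityConfiguration>
<securityTokenHandlers>
  <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</securityTokenHandlers>
</identityConfiguration></system.identityModel></configuration>"""
# Same file with the <remove> line dropped: the DPAPI handler stays registered.
HALF_FIXED = "\n".join(l for l in FIXED.splitlines() if "<remove" not in l)
# No system.identityModel section at all, as in the question's config.
UNFIXED = "<configuration><system.web /></configuration>"

if __name__ == "__main__":
    for label, cfg in (("fixed", FIXED), ("half-fixed", HALF_FIXED),
                       ("unfixed", UNFIXED)):
        print(label, check_session_handler(cfg) or "OK")
```
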

Anders Abel

Reputation: 69280

Looks like a bug in Kentor.AuthServices. I've recently done some rewriting which makes use of the data protection API, so something might be wrong there. Please file an issue at the GitHub site and include the stack trace of the exception as well as information on what API module you are using (MVC, HttpModule or OWIN).

Upvotes: 1
