Raptor

Reputation: 442

SAML2 with Owin - unable to authenticate

I have a sample WebForms application with Owin. I tried to do SAML2 authentication with the Azure AD IdP. It works fine; the user is registered in the application and authenticated.

Now I need to use another IdP. So I changed my application, and nothing. The SAML response contains success, so the IdP authenticated me. But calling Context.GetOwinContext().Authentication.GetExternalLoginInfo() returns null.

I found some posts about the "external cookie", but I don't think this is my problem, because the Azure sample works fine. Switching to the other IdP failed.

The only difference seems to be in the SAML XML format. Azure returns

<samlp:Response Destination="https://localhost:44390/Saml2/Acs"
  ID="_5eaccd77-fa78-4f59-86d9-67049ef074ce" InResponseTo="id73419322f1cc440184f456548cee7d09"
  IssueInstant="2018-12-21T15:00:58.248Z" Version="2.0"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
</samlp:Response>

but the other IdP returns

<saml2p:Response Destination="https://localhost:44390/Saml2/Acs"
  ID="_9547020d571863ef02c1f6d3dc8d94d7" InResponseTo="id46574a117a254f06a272ec02769b1a3c"
  IssueInstant="2018-12-21T14:31:54.505Z" Version="2.0"
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
</saml2p:Response>

But the namespaces should be OK.

So it must be something in the SAML response? How can I find the problem?

    using System;
    using System.Security.Cryptography.X509Certificates;
    using Sustainsys.Saml2;
    using Sustainsys.Saml2.Configuration;
    using Sustainsys.Saml2.Metadata;
    using Sustainsys.Saml2.Owin;
    using Sustainsys.Saml2.WebSso;

    private static Saml2AuthenticationOptions CreateSaml2Options()
    {
        var spOptions = CreateSpOptions();
        var saml2Options = new Saml2AuthenticationOptions(false)
        {
            SPOptions = spOptions
        };

        // The IdP entity id and SSO URL are elided here ("XXX").
        var idp = new IdentityProvider(new EntityId("XXX"), spOptions)
        {
            AllowUnsolicitedAuthnResponse = true,
            Binding = Saml2BindingType.HttpPost,
            SingleSignOnServiceUrl = new Uri("XXX")
        };

        saml2Options.IdentityProviders.Add(idp);

        return saml2Options;
    }

    private static SPOptions CreateSpOptions()
    {
        const string language = "cs-cz";

        var spOptions = new SPOptions
        {
            EntityId = new EntityId("app:vwg.skoda.nia"),
            AuthenticateRequestSigningBehavior = SigningBehavior.Always,
            ReturnUrl = new Uri("https://localhost:44390/Saml2/Acs")
        };

        var attributeConsumingService = new AttributeConsumingService
        {
            IsDefault = true,
            ServiceNames = { new LocalizedName("Saml 2 Authentication", "en") }
        };

        attributeConsumingService.RequestedAttributes.Add(new RequestedAttribute("Minimal"));

        spOptions.AttributeConsumingServices.Add(attributeConsumingService);

        // The SP's own certificate (with private key) used to sign AuthnRequests.
        var certPath = AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "/App_Data/XXX.pfx";
        var cert = new X509Certificate2(certPath, "XXX");
        spOptions.ServiceCertificates.Add(cert);

        return spOptions;
    }

Upvotes: 0

Views: 1554

Answers (1)

Anders Abel

Reputation: 69260

Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.

This means that the signature is correct, but that you have not configured the signing key as trusted.

You need to add a certificate with the IdP's public key to the IdentityProvider.SigningKeys collection.

Upvotes: 1
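The fix the answer describes, as an added example that is neither the asker's code nor the Sustainsys.Saml2 project's own; it assumes the Sustainsys.Saml2 Owin package, and the file name OtherIdp-signing.cer and the "XXX" placeholders are assumptions, not values from the page:

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Owin;
using Sustainsys.Saml2.WebSso;

public static class Saml2Config
{
    // Builds the options with the second IdP's signing certificate registered
    // as trusted. CreateSpOptions() is the asker's method from the question.
    public static Saml2AuthenticationOptions CreateSaml2Options(SPOptions spOptions)
    {
        var saml2Options = new Saml2AuthenticationOptions(false) { SPOptions = spOptions };

        var idp = new IdentityProvider(new EntityId("XXX"), spOptions)   // assumed placeholder
        {
            AllowUnsolicitedAuthnResponse = true,
            Binding = Saml2BindingType.HttpPost,
            SingleSignOnServiceUrl = new Uri("XXX")                        // assumed placeholder
        };

        // Public signing certificate of the IdP (.cer, no private key), obtained
        // out of band (IdP metadata or admin console) and shipped with the app.
        // File name is an assumption for this example.
        var idpCertPath = Path.Combine(
            AppDomain.CurrentDomain.SetupInformation.ApplicationBase,
            "App_Data", "OtherIdp-signing.cer");
        if (!File.Exists(idpCertPath))
            throw new FileNotFoundException("IdP signing certificate missing", idpCertPath);

        var idpSigningCert = new X509Certificate2(idpCertPath);

        // This is what makes the key trusted. The key embedded in the response's
        // <ds:KeyInfo> is only used to verify the signature; it is never trusted on
        // its own, otherwise anyone could sign a response with their own key. Without
        // this line the library raises InvalidSignatureException ("key is not trusted").
        idp.SigningKeys.AddConfiguredKey(idpSigningCert);

        saml2Options.IdentityProviders.Add(idp);
        return saml2Options;
    }
}
```

Compare the certificate's thumbprint against the value published by the IdP before deploying, so that a wrong or rotated certificate is caught at configuration time rather than as a failed login.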
