Question by Rod lauro Romarate; accepted answer by Anders Revsgaard.
When I use <TargetFramework>net462</TargetFramework>
for my Okta SAML implementation this throws an Invalid URL at `new Saml2AuthnRequest(config);`,
but on my first try using this code on netcoreapp3.1 this worked perfectly fine. Please let me know if I missed something, thank you.
[HttpGet, AllowAnonymous]
public IActionResult Index(string returnUrl = null)
{
    try
    {
        var config = GetSAMLConfig();
        var binding = new Saml2RedirectBinding();
        // Carry the post-login return URL through the IdP round trip in RelayState.
        binding.SetRelayStateQuery(new Dictionary<string, string> { { relayStateReturnUrl, returnUrl ?? Url.Content("~/") } });
        var request = new Saml2AuthnRequest(config);   // throws UriFormatException on net462 (see exception below)
        return binding.Bind(request).ToActionResult();
    }
    catch (Exception e)
    {
        Console.WriteLine(e);
        throw;
    }
}

private Saml2Configuration GetSAMLConfig()
{
    var config = new Saml2Configuration();
    config.AllowedAudienceUris.Add("Okta_SAML_Example");
    config.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
    config.RevocationMode = X509RevocationMode.NoCheck;

    // Load SSO endpoint and signing certificates from the IdP metadata.
    var entityDescriptor = new EntityDescriptor();
    entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri("https://---------.okta.com/app/exk2b0b7dibno7rOB5d6/sso/saml/metadata"));
    if (entityDescriptor.IdPSsoDescriptor != null)
    {
        config.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
        config.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
    }
    else
    {
        throw new Exception("IdPSsoDescriptor not loaded from metadata.");
    }

    return config;
}
Actual exception
System.UriFormatException: Invalid URI: The format of the URI could not be determined.
at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
at ITfoxtec.Identity.Saml2.Configuration.Saml2IdentityConfiguration.GetAudienceRestriction(Boolean audienceRestricted, IEnumerable`1 allowedAudienceUris)
at ITfoxtec.Identity.Saml2.Configuration.Saml2IdentityConfiguration.GetIdentityConfiguration(Saml2Configuration config)
at ITfoxtec.Identity.Saml2.Saml2Request..ctor(Saml2Configuration config)
at ITfoxtec.Identity.Saml2.Saml2AuthnRequest..ctor(Saml2Configuration config)
at SAMLNet461.Controllers.HomeController.Index(String returnUrl) in D:\REPO\PELICAN\LOCAL\SAML.RND - CompanyAcccounts adjustment\SAML.Demo\SAMLNet461\Controllers\HomeController.cs:line 69
at lambda_method(Closure , Object , Object[] )
at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor.SyncActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeActionMethodAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeNextActionFilterAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow(ActionExecutedContext context)
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeInnerFilterAsync>d__13.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeNextResourceFilter>d__23.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow(ResourceExecutedContext context)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeFilterPipelineAsync>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeAsync>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Builder.RouterMiddleware.<Invoke>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.<Invoke>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.<Invoke>d__7.MoveNext()
Upvotes: 2
Views: 1538
Reputation: 11
I had the same issue and it was caused by "GetAudienceRestriction() method". Changing issuer name from "application-name" to "https://application-name" helped. Don't forget to change your name on your Identity Provider side (Okta, Ping Identity etc.) consistently. Now exception is not thrown anymore.
Upvotes: 1
Reputation: 4334
The code looks correct.
Maybe it is a TLS version issue.
An alternative solution is to download the metadata in your code and add the metadata string to the ITfoxtec Identity SAML 2.0 library:
var idPMetadataXml = "... downloaded metadata ...";
var entityDescriptor = new EntityDescriptor();
entityDescriptor.ReadIdPSsoDescriptor(idPMetadataXml);
...
Updated:
The error seems to be in relation to Audience Restriction:
config.AllowedAudienceUris.Add("Okta_SAML_Example");
The audience has to be a URI in a .NET Framework application. Plain text strings are only supported in .NET Core and .NET 5.0.
.NET Framework sample: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebApp
Upvotes: 3
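The two answers above fit together: on .NET Framework the audience (and issuer) must parse as an absolute URI, and the metadata can be fetched in your own code and handed to the library as a string. The following is an added example written for this page, not code from the question, the answers, or the ITfoxtec project. It assumes the ITfoxtec members already used on this page (Saml2Configuration, AllowedAudienceUris, EntityDescriptor.ReadIdPSsoDescriptor(string), IdPSsoDescriptor, SingleSignOnServices, SigningCertificates) plus Saml2Configuration.Issuer; the metadata URL, issuer and audience values are placeholders, and RequireAbsoluteUri is a hypothetical helper that fails fast with a readable message instead of the UriFormatException thrown deep inside Saml2AuthnRequest.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;

public static class SamlConfigFactory
{
    // Placeholder metadata endpoint; replace with the IdP's real metadata URL (always HTTPS).
    private const string IdpMetadataUrl = "https://IDP_PLACEHOLDER.okta.com/app/APP_ID_PLACEHOLDER/sso/saml/metadata";

    // Absolute URIs, as the .NET Framework build of the library requires.
    // The same value must be configured as the Audience URI on the IdP side (Okta, Ping, ...),
    // otherwise the assertion's AudienceRestriction will not match and validation fails.
    private const string SpIssuer = "https://sp.example.test/saml";
    private const string SpAudience = "https://sp.example.test/saml";

    public static async Task<Saml2Configuration> BuildAsync(HttpClient http)
    {
        var config = new Saml2Configuration
        {
            Issuer = RequireAbsoluteUri(SpIssuer, nameof(SpIssuer)),
            CertificateValidationMode = X509CertificateValidationMode.ChainTrust,
            // Revocation checking is turned on here, unlike NoCheck in the question; a revoked IdP
            // signing certificate should not be accepted in production.
            RevocationMode = X509RevocationMode.Online,
        };
        config.AllowedAudienceUris.Add(RequireAbsoluteUri(SpAudience, nameof(SpAudience)));

        // Download the metadata ourselves (the answer's alternative to ReadIdPSsoDescriptorFromUrl),
        // so the TLS settings of the HttpClient are under our control and the XML can be cached or logged.
        var idPMetadataXml = await http.GetStringAsync(IdpMetadataUrl);

        var entityDescriptor = new EntityDescriptor();
        entityDescriptor.ReadIdPSsoDescriptor(idPMetadataXml);
        if (entityDescriptor.IdPSsoDescriptor == null)
        {
            throw new InvalidOperationException("IdPSsoDescriptor not loaded from metadata.");
        }

        config.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
        config.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
        return config;
    }

    // Hypothetical helper: rejects values that System.Uri cannot parse as an absolute URI, which is
    // exactly what GetAudienceRestriction() trips over on .NET Framework. The original string is
    // returned unchanged so that issuer/audience comparison stays byte-for-byte identical.
    public static string RequireAbsoluteUri(string value, string settingName)
    {
        if (!Uri.TryCreate(value, UriKind.Absolute, out _))
        {
            throw new ArgumentException(
                $"{settingName} must be an absolute URI on .NET Framework (got \"{value}\"); " +
                "plain names such as \"Okta_SAML_Example\" are only accepted on .NET Core / .NET 5+.");
        }
        return value;
    }
}
```

Call `await SamlConfigFactory.BuildAsync(httpClient)` once at startup and reuse the configuration; with the placeholder audience replaced by the question's original "Okta_SAML_Example", RequireAbsoluteUri throws before any SAML request is built, which makes the misconfiguration visible at startup rather than on the first login.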