Reputation: 671
I am new to SAML2 authentication and have tried using ITfoxtec. I'm getting this error when I run my app:
AuthenticationException: The remote certificate is invalid according to the validation procedure. System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
HttpRequestException: The SSL connection could not be established, see inner exception. System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
WebException: The SSL connection could not be established, see inner exception. The remote certificate is invalid according to the validation procedure. System.Net.HttpWebRequest.GetResponse()
I am using a certificate generated with OpenSSL and installed the PFX cert in the Trusted Root CA store in MMC. I'm not sure why it's still causing me errors. I have also added the app as a relying party trust in my AD FS already.
This is the snippet from my StartUp.cs:
```csharp
// using directives needed at the top of Startup.cs for the snippet below
using System;
using System.Linq;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore.Configuration;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;
using ITfoxtec.Identity.Saml2.Util;
using Microsoft.Extensions.DependencyInjection;

// Inside ConfigureServices(IServiceCollection services):
// bind the static values (Issuer, SignatureAlgorithm, ...) from appsettings.json
services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));
services.Configure<Saml2Configuration>(saml2Configuration =>
{
    //saml2Configuration.SignAuthnRequest = true;
    // Relying-party signing certificate (the PFX generated with OpenSSL)
    saml2Configuration.SigningCertificate = CertificateUtil.Load(Configuration["Saml2:SigningCertificateFile"], Configuration["Saml2:SigningCertificatePassword"]);
    //saml2Configuration.SigningCertificate = CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SigningCertificateFile"]), Configuration["Saml2:SigningCertificatePassword"]);

    // Download the AD FS federation metadata over HTTPS; this is the request
    // that fails with the SSL/TLS exception above
    var entityDescriptor = new EntityDescriptor();
    entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
    if (entityDescriptor.IdPSsoDescriptor != null)
    {
        // Take issuer, endpoints and IdP signing certificates from the metadata
        saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
        saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
        saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
        saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
        if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue)
        {
            saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
        }
    }
    else
    {
        throw new Exception("IdPSsoDescriptor not loaded from metadata.");
    }
});
services.AddSaml2();
```
And this is my appsettings.json:
```json
"Saml2": {
    "IdPMetadata": "adfs url/FederationMetadata/2007-06/FederationMetadata.xml",
    "Issuer": "saml_Example",
    "SingleSignOnDestination": "http://adfs url/adfs/ls/",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SigningCertificateFile": "cert.pfx",
    "SigningCertificatePassword": "pw",
    "CertificateValidationMode": "None",
    "RevocationMode": "NoCheck"
},
```
Upvotes: 2
Views: 750
Reputation: 4334
According to the error, your machine/server does not trust the AD FS SSL/TLS certificate.
You have configured "IdPMetadata": "adfs url/FederationMetadata/2007-06/FederationMetadata.xml". It should be a real URL like `https://...`.
Upvotes: 1
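The following is an added example, not code from the question, the answer or the ITfoxtec library. It isolates the failing step from the question's Startup.cs (the HTTPS download of the federation metadata) into a small console program whose certificate callback reports which certificate in the chain is untrusted, rather than the common and dangerous workaround of returning `true` unconditionally. The host name `adfs.example.com` and the empty `PinnedTlsThumbprintSha256` constant are placeholders. Note that the certificate that has to be trusted here is the CA that issued the AD FS HTTPS certificate; importing the relying party's own signing PFX into Trusted Root, as the question describes, does not affect this handshake.

```csharp
// Added example (not from the question or the ITfoxtec library): fetch the
// AD FS federation metadata over HTTPS and explain a TLS trust failure instead
// of hiding it. Host name and thumbprint are placeholders.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class MetadataTlsCheck
{
    // Hypothetical AD FS host; replace with your federation service name.
    private const string MetadataUrl =
        "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml";

    // Optional lab-only pin: SHA-256 thumbprint of the AD FS *TLS* certificate
    // (not the SAML signing certificate, not your relying-party PFX).
    // Leave empty in production and fix the trust store instead.
    private const string PinnedTlsThumbprintSha256 = "";

    // Returns true only when the OS chain build trusts the certificate or it
    // matches the explicit pin. Never return true unconditionally: anyone on
    // the network path could then serve forged metadata, and with it a forged
    // IdP signing certificate that the SAML response validation would accept.
    public static bool ValidateServerCertificate(
        HttpRequestMessage request, X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        Console.Error.WriteLine($"TLS validation failed for {request.RequestUri}: {errors}");
        if (cert != null)
        {
            Console.Error.WriteLine($"  Leaf subject: {cert.Subject}");
            Console.Error.WriteLine($"  Leaf issuer:  {cert.Issuer}");
        }
        if (chain != null)
        {
            // UntrustedRoot or PartialChain here means the issuing CA of the
            // AD FS HTTPS certificate is what must be imported on this client.
            foreach (var status in chain.ChainStatus)
                Console.Error.WriteLine($"  Chain status: {status.Status} ({status.StatusInformation})");
            foreach (var element in chain.ChainElements)
                Console.Error.WriteLine($"  Chain element: {element.Certificate.Subject}");
        }

        if (cert != null && !string.IsNullOrEmpty(PinnedTlsThumbprintSha256))
        {
            var actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
            return string.Equals(actual, PinnedTlsThumbprintSha256, StringComparison.OrdinalIgnoreCase);
        }
        return false;
    }

    public static async Task<int> Main()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateServerCertificate
        };

        using (var client = new HttpClient(handler))
        {
            try
            {
                var xml = await client.GetStringAsync(MetadataUrl);
                Console.WriteLine($"Fetched {xml.Length} characters of metadata; TLS trust is fine.");
                return 0;
            }
            catch (HttpRequestException ex)
            {
                // Same exception type as in the question; the callback output
                // above says which certificate needs to be trusted.
                Console.Error.WriteLine($"Metadata fetch failed: {ex.Message}");
                if (ex.InnerException != null)
                    Console.Error.WriteLine($"  Inner: {ex.InnerException.Message}");
                return 1;
            }
        }
    }
}
```

Run it once against the real `https://` metadata URL from the machine that hosts the relying party. If the chain status shows `UntrustedRoot`, export the CA certificate that issued the AD FS service's HTTPS certificate and import that into the client's Trusted Root (and any intermediate into Intermediate Certification Authorities); the pin is only a stopgap for a lab and should be removed afterwards. The `CertificateValidationMode` and `RevocationMode` keys in the question's appsettings.json configure how ITfoxtec validates SAML signature certificates, not this HTTPS handshake, so changing them will not make the metadata download succeed.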