A SAML message cannot be received as the HTTP request is unrecognized.

We are migrating our portal to Angular + .NET Core Web API from ASP.NET MVC. We are performing SSO to a third-party provider, where they enroll the user into a different plan, and those enrollment details are sent back to us in a SAMLResponse. In MVC .NET we were using the ServiceProvider.ReceiveSAMLResponseByHTTPPost() method to read the SAML sent back by the provider, which is working fine in MVC.

In .NET Core, I am using var result = await _samlServiceProvider.ReceiveSsoAsync(); at the .NET API controller level. I am getting the error below while reading the response.

2021-05-27 16:05:26.136 +05:30 [ERR] Receiving an SSO response from a partner identity provider has failed.
ComponentSpace.Saml2.Exceptions.SamlBindingException: A SAML message cannot be received as the HTTP request is unrecognized.
at ComponentSpace.Saml2.SamlProvider.ReceiveMessageAsync()
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()

I have added Serilog logs to debug this issue. Log details are added in the LogDetails.txt file.

I configured LocalServiceProvider and PartnerIdentityProvider as shown in the attached file "Provider Configuration.txt". These configurations are updated at runtime before reading the response.

I tried disabling checks, setting resolveToHTTPS to false, posting the request from Postman, and posting the request from online sites. I am still getting an error. I am able to see the response in HttpContext.Request.Form["SAMLResponse"], but ReceiveSsoAsync is not able to read it.

I need your help to know what's missing in the code so that the error can be resolved. Thank you!

Thanks for including the log.

It looks like Postman rather than the third-party identity provider is being used to send an HTTP Post to your application. Is that correct?

We rejected this HTTP request as the Content-Type and content are incorrect. It is possible to set up Postman to send the appropriate HTTP Post containing a SAML response. However, you'll then run into other issues that our library will detect (e.g. replay attacks, expired SAML assertions etc.). It's far easier to test against a real identity provider.
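As an added example (not ComponentSpace's code and not part of the original thread), a small ASP.NET Core diagnostic that can run before ReceiveSsoAsync() to report which HTTP-POST binding requirement a request fails: method, Content-Type, presence of the SAMLResponse form field, base64 decoding, and the expected XML root. The class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using System.Xml.Linq;
using Microsoft.AspNetCore.Http;

// Hypothetical diagnostic helper (added example, not part of ComponentSpace).
// Call it from the controller before ReceiveSsoAsync() to learn why a request
// is not being recognised as a SAML 2.0 HTTP-POST binding message.
public static class SamlPostBindingCheck
{
    private const string ProtocolNs = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Returns null when the request has the shape of an HTTP-POST binding,
    // otherwise a description of the first problem found.
    public static async Task<string> DescribeProblemAsync(HttpRequest request)
    {
        if (!HttpMethods.IsPost(request.Method))
            return $"Expected POST, got {request.Method}.";

        // The binding requires a form-urlencoded body. Postman's default raw or
        // JSON body, and multipart/form-data, do not qualify.
        var contentType = request.ContentType ?? "";
        if (!contentType.StartsWith("application/x-www-form-urlencoded",
                                    StringComparison.OrdinalIgnoreCase))
            return $"Content-Type must be application/x-www-form-urlencoded, got '{contentType}'.";

        var form = await request.ReadFormAsync();
        var encoded = form["SAMLResponse"].ToString();
        if (string.IsNullOrEmpty(encoded))
            return "Form field 'SAMLResponse' is missing or empty.";

        byte[] xml;
        try { xml = Convert.FromBase64String(encoded); }
        catch (FormatException)
        {
            // Typical causes: the value was URL-encoded twice, or a deflated
            // HTTP-Redirect payload was pasted into a POST form.
            return "SAMLResponse is not valid base64.";
        }

        XElement root;
        try { root = XDocument.Load(new MemoryStream(xml)).Root; }
        catch (System.Xml.XmlException) { return "Decoded SAMLResponse is not well-formed XML."; }
        if (root.Name != XName.Get("Response", ProtocolNs))
            return $"Root element is {root.Name}, expected {{{ProtocolNs}}}Response.";

        // Shape is right; signature, audience, expiry and replay checks remain the
        // library's job, so the outcome of ReceiveSsoAsync() is still authoritative.
        return null;
    }
}
```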