After updating to latest, get SP-Init error

We recently updated from 3.5.0 to the latest version, and now are getting the following error:

ComponentSpace.SAML2.Exceptions.SAMLProtocolException: An SP-initiated SAML response from [Redacted] was received unexpectedly.

Did I miss some change that happened to allow this to work?




Later releases include support for the SameSite changes made to Chrome and other browsers. For background information, please refer to:

https://www.componentspace.com/forums/10511/SAML-Cookie-SameSite-Mode-None

We use a SAML_SessionId cookie to maintain SAML session state in support of the SAML protocol. Typically, the error you’re seeing occurs if this cookie isn’t sent along with the SAML response by the browser. This could be related to SameSite or there might be some other issue that stops the cookie being sent.

I suggest using the browser developer tools to determine why the SAML_SessionId cookie isn’t being sent. Please refer to:

https://www.componentspace.com/forums/11875/Troubleshooting-Missing-Cookies

Let me know what you find.

Thanks.
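The diagnosis above turns on whether the browser will attach the SAML_SessionId cookie to the cross-site POST that delivers the SAML response. The following is an added example, not ComponentSpace code: it parses Set-Cookie headers and reports whether each cookie would be sent on a cross-site top-level POST under current Chrome rules (missing SameSite treated as Lax, SameSite=None honoured only with Secure). The sample headers and cookie values are constructed for illustration; the cookie name is the one from the post above.

```python
"""Added example (not ComponentSpace code): decide whether a Set-Cookie
header, as emitted by the SP, yields a cookie the browser will send back on
the cross-site top-level POST that carries the SAML response.
Sample headers and values below are constructed for illustration."""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes.
    Flag attributes without a value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def sent_on_cross_site_post(header: str, over_https: bool = True) -> tuple:
    """Return (will_be_sent, reason) for a cross-site, top-level POST such as
    the IdP -> SP HTTP-POST binding.  Models current Chrome behaviour: a
    missing SameSite attribute is treated as Lax, and SameSite=None is only
    honoured when the cookie is also marked Secure."""
    attrs = parse_set_cookie(header)["attrs"]
    samesite = attrs.get("samesite")
    secure = attrs.get("secure") is True
    if samesite is None:
        # Lax-by-default.  Chrome also has a short "Lax+POST" grace period:
        # a cookie set less than two minutes before the POST may still be
        # sent, which is why this failure can look intermittent.
        return False, "no SameSite attribute: treated as Lax, not sent on cross-site POST"
    samesite = str(samesite).lower()
    if samesite == "strict":
        return False, "SameSite=Strict: never sent on cross-site requests"
    if samesite == "lax":
        return False, "SameSite=Lax: sent on cross-site GET navigations only, not POST"
    if samesite == "none":
        if not secure:
            return False, "SameSite=None without Secure: cookie is rejected by the browser"
        if not over_https:
            return False, "Secure cookie set over plain HTTP: not stored"
        return True, "SameSite=None; Secure: sent on cross-site POST"
    return False, f"unrecognised SameSite value {samesite!r}"


# Constructed sample headers: the first two are common misconfigurations,
# the third is what the SP needs to emit for the IdP's cross-site POST.
SAMPLE_HEADERS = [
    "SAML_SessionId=c0ffee01; Path=/; HttpOnly",
    "SAML_SessionId=c0ffee01; Path=/; SameSite=None; HttpOnly",
    "SAML_SessionId=c0ffee01; Path=/; SameSite=None; Secure; HttpOnly",
]


def audit(headers=SAMPLE_HEADERS, over_https: bool = True) -> list:
    """Return (cookie name, will_be_sent, reason) for each header."""
    return [(parse_set_cookie(h)["name"],) + sent_on_cross_site_post(h, over_https)
            for h in headers]


if __name__ == "__main__":
    for name, ok, why in audit():
        print(f"{name}: {'SENT' if ok else 'NOT SENT'} - {why}")
```

When reading a HAR or Fiddler capture, run the SP's actual Set-Cookie line through this check; if no Set-Cookie for SAML_SessionId appears at all, the problem is upstream of the browser (for instance a custom session store, as it turned out in this thread).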

[quote]
ComponentSpace - 1/10/2022
Later releases include support for the SameSite changes made to Chrome and other browsers. For background information, please refer to:

https://www.componentspace.com/forums/10511/SAML-Cookie-SameSite-Mode-None

We use a SAML_SessionId cookie to maintain SAML session state in support of the SAML protocol. Typically, the error you're seeing occurs if this cookie isn't sent along with the SAML response by the browser. This could be related to SameSite or there might be some other issue that stops the cookie being sent.

I suggest using the browser developer tools to determine why the SAML_SessionId cookie isn't being sent. Please refer to:

https://www.componentspace.com/forums/11875/Troubleshooting-Missing-Cookies

Let me know what you find.

Thanks.
[/quote]

I have already done all that. Using fiddler, I don't even see the set-cookie response.

Assuming you haven’t specified a custom SSO session store by setting the SAMLController.SSOSessionStore property, there should be an HTTP response with a set-cookie for the SAML_SessionId.

Try incognito mode.

[quote]
ComponentSpace - 1/10/2022
Assuming you haven't specified a custom SSO session store by setting the SAMLController.SSOSessionStore property, there should be an HTTP response with a set-cookie for the SAML_SessionId.

Try incognito mode.
[/quote]

That was it. In 3.5, I was able to create a fake one, returning the same ID every time and never returning an object. Not sure why it worked, but it did.

I updated my implementation to derive off of AbstractSSOSessionStore, and use a DB backend. We can't use yours because of how the connection strings are stored.

It is working now.

Thanks for the update.

[quote]
ComponentSpace - 1/11/2022
Thanks for the update.
[/quote]

Ok, there is still an issue, now that we are in production. We use ComponentSpace for federations, such as UK Federation and OpenAthens. The SP-Init for OpenAthens goes directly to them, but they then forward it to another Identity provider, and that is the provider that comes back to us.

We are getting the following exception:

ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML message issuer https://idp.law.ac.uk/openathens does not match the expected issuer https://idp.eduserv.org.uk/openathens.~ at Compo..

https://idp.eduserv.org.uk/openathens is the federation IdP, which through its process forwards it to https://idp.law.ac.uk/openathens, and that is what we get.

I hope that you can help us with this issue. We have currently rolled back our release that fixes the gsm certificate issues we also have.


If a SAML authn request is sent to the identity provider "https://idp.eduserv.org.uk/openathens" we expect the SAML response to be issued by this same identity provider.

As a workaround, you can disable this check by setting DisableInResponseToCheck=“true” for the in your SAML configuration.

However, if the issuer of the SAML response is instead "https://idp.law.ac.uk/openathens", presumably it has also signed the SAML response or assertion.

That would mean the "https://idp.law.ac.uk/openathens" certificate rather than the "https://idp.eduserv.org.uk/openathens" would need to be configured.

It would be helpful if you could enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

I’d like to see the SAML response being received as well as your SAML configuration.
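The checks described in the post above (the response issuer must be the IdP the authn request was sent to, which is what InResponseTo ties together) can be shown on a minimal response. The following is an added example, not ComponentSpace code: a correlation check over a constructed samlp:Response that uses the two entity IDs from this thread, with a pending-request table standing in for the SSO session store. Signature verification is out of scope here and must still be performed against the certificate of whichever entity actually issued the response.

```python
"""Added example (not ComponentSpace code): the correlation checks an SP
performs on an inbound SAML response before trusting it.  The response XML,
the pending-request table and the configured IdP set are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed: per outstanding authn request, the IdP it was sent to.
# In ComponentSpace this state lives in the SSO session store keyed by
# the SAML_SessionId cookie; here it is a plain dict.
PENDING_REQUESTS = {"_req-7f3a": "https://idp.eduserv.org.uk/openathens"}

# Constructed: partner IdPs for which a signing certificate is configured.
CONFIGURED_IDPS = {"https://idp.eduserv.org.uk/openathens"}

# Constructed sample: the federation IdP forwarded the request, and the
# response comes back issued by a different entity than the request target.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-1" Version="2.0" InResponseTo="_req-7f3a"
    IssueInstant="2022-01-28T10:00:00Z" Destination="https://sp.example.edu/acs">
  <saml:Issuer>https://idp.law.ac.uk/openathens</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_asn-1" Version="2.0" IssueInstant="2022-01-28T10:00:00Z">
    <saml:Issuer>https://idp.law.ac.uk/openathens</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text: str, pending=PENDING_REQUESTS,
                   configured_idps=CONFIGURED_IDPS,
                   check_in_response_to: bool = True) -> list:
    """Return a list of problems; an empty list means the correlation checks
    passed.  check_in_response_to=False mirrors the effect of the
    DisableInResponseToCheck workaround: the response is no longer tied to
    a request the SP sent, so any configured IdP becomes an acceptable issuer."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]
    problems = []
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    # The issuer must always be a partner we hold a certificate for; this is
    # the prerequisite for verifying the signature (not shown here).
    if issuer not in configured_idps:
        problems.append(f"issuer {issuer} is not a configured partner IdP")
    if check_in_response_to:
        irt = root.get("InResponseTo")
        if irt is None:
            problems.append("no InResponseTo: unsolicited response rejected")
        elif irt not in pending:
            problems.append(f"InResponseTo {irt} matches no outstanding request")
        elif pending[irt] != issuer:
            problems.append(f"issuer {issuer} does not match expected issuer {pending[irt]}")
    # Every embedded assertion must come from the same issuer as the response.
    for assertion in root.findall("saml:Assertion", NS):
        a_issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
        if a_issuer != issuer:
            problems.append(f"assertion issuer {a_issuer} differs from response issuer {issuer}")
    return problems


if __name__ == "__main__":
    for p in check_response(SAMPLE_RESPONSE) or ["ok"]:
        print(p)
```

Run against the sample, the checks report both an unconfigured issuer and an issuer mismatch, which is the situation in this thread; adding the forwarding IdP's certificate clears the first, and only relaxing the InResponseTo correlation clears the second, at the cost of accepting responses the SP never asked for.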

[quote]
ComponentSpace - 1/28/2022
If a SAML authn request is sent to the identity provider "https://idp.eduserv.org.uk/openathens" we expect the SAML response to be issued by this same identity provider.

As a workaround, you can disable this check by setting DisableInResponseToCheck="true" for the in your SAML configuration.

However, if the issuer of the SAML response is instead "https://idp.law.ac.uk/openathens", presumably it has also signed the SAML response or assertion.

That would mean the "https://idp.law.ac.uk/openathens" certificate rather than the "https://idp.eduserv.org.uk/openathens" would need to be configured.

It would be helpful if you could enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

I'd like to see the SAML response being received as well as your SAML configuration.
[/quote]

I don't think any of this is possible to give you, maybe using the SAML Trace plug-in in Chrome, for the following reasons:

1) We don't use your XML file format for configuration, everything is done programmatically. With federations (https://www.ukfederation.org.uk/ for example), the metadata has to be programmatically retrieved and updated daily, and we have 7 federations in our setup. The metadata from them has thousands of schools, though we only have contracts with a few, so we can't load it all.
2) We don't use any of the built-in tracing in ASP.NET, because it is too limiting. We have written our own classes to do logging that write directly to the file system and connect to our alerting systems.

As for the certificates, we load all the certificates into memory for every school we support in the federation, and when you ask for them (via the ICertificateManager interface, which we implement), it must find them, as it is working correctly except for this.

I will try and get a SAML Trace from Chrome for you, though we have to wait until we get credentials from the school's IdP to be able to sign in and complete the flow.

Rather than the SAML trace from Chrome, please capture the network trace using Chrome’s developer tools and send the saved HAR file to support@componentspace.com. We would like to see both the SAML authn request that’s sent as well as the SAML response that’s returned.

It would really help if our SAML logging could be enabled. By default it writes to a timestamped log file in the logs sub-folder.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace