An exception occured: No partner identity providers have been configured.

Hi,
Trying to help a customer set up federated authentication using Okta, but getting this error in the service provider log:
10:07:28,306 LOGIN FEDERATED SECURITY ‘UseFederatedAuthentication’ setting is enabled. Automatically redirecting to configured identity provider. See saml configuration file for more information.
10:07:28,306 LOGOUT FEDERATED SECURITY An exception occured: No partner identity providers have been configured.

When we browse the site, it never redirects to the identity provider.

Any help would be appreciated.

Thanks.

The “No partner identity providers have been configured” error means there are no entries in your saml.config.
You’ll find information of integration with Okta at:
https://www.componentspace.com/Forums/5439/Okta-Integration
I’ve copied our example configuration below.
You need a similar configuration entry in your saml.config but specific to your environment.

<PartnerIdentityProvider Name="http://www.okta.com/exk89rwwiahjnDQiv0h7"
    Description="Okta"
    SignAuthnRequest="true"
    SignLogoutRequest="true"
    SignLogoutResponse="true"
    WantSAMLResponseSigned="true"
    WantLogoutRequestSigned="true"
    WantLogoutResponseSigned="true"
    SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    SingleSignOnServiceUrl="https://componentspace.oktapreview.com/app/componentspacedev527539_exampleserviceprovider_3/exk89rwwiahjnDQiv0h7/sso/saml"
    SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    SingleLogoutServiceUrl="https://componentspace.oktapreview.com/app/componentspacedev527539_exampleserviceprovider_3/exk89rwwiahjnDQiv0h7/slo/saml"
    PartnerCertificateFile="Certificates\okta.cer"/>


[quote]
ComponentSpace - 9/4/2018
The "No partner identity providers have been configured" error means there are no entries in your saml.config.
You'll find information of integration with Okta at:
https://www.componentspace.com/Forums/5439/Okta-Integration
I've copied our example configuration below.
You need a similar configuration entry in your saml.config but specific to your environment.

<PartnerIdentityProvider Name="http://www.okta.com/exk89rwwiahjnDQiv0h7"
    Description="Okta"
    SignAuthnRequest="true"
    SignLogoutRequest="true"
    SignLogoutResponse="true"
    WantSAMLResponseSigned="true"
    WantLogoutRequestSigned="true"
    WantLogoutResponseSigned="true"
    SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    SingleSignOnServiceUrl="https://componentspace.oktapreview.com/app/componentspacedev527539_exampleserviceprovider_3/exk89rwwiahjnDQiv0h7/sso/saml"
    SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    SingleLogoutServiceUrl="https://componentspace.oktapreview.com/app/componentspacedev527539_exampleserviceprovider_3/exk89rwwiahjnDQiv0h7/slo/saml"
    PartnerCertificateFile="Certificates\okta.cer"/>


[/quote]

Thanks for the answer. Now i am getting this error:
14:33:59,919 LOGIN FEDERATED SECURITY 'UseFederatedAuthentication' setting is enabled. Automatically redirecting to configured identity provider. See saml configuration file for more information.
14:33:59,919 LOGOUT FEDERATED SECURITY An exception occured: Failed to generate signature

It never shows me the Okta login screen at all. I have verified that the NetworkService account (the application pool user) has read access to the certificate in use.

Any thoughts on this ?

Thanks.


It looks like there’s an issue generating the signature for the SAML authn request being sent to Okta.
There are a number of possible reasons for the failure. A full log should provide more details.
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

[quote]
ComponentSpace - 9/5/2018
It looks like there's an issue generating the signature for the SAML authn request being sent to Okta.
There are a number of possible reasons for the failure. A full log should provide more details.
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

Thanks for your reply.
Found the issue with the certificate (thanks to SAML trace): the CSP (Microsoft RSA SChannel Cryptographic Provider) was different from the supported ones. Followed the guide and associated the correct CSP with the cert.
Now the next problem is that when browsing the site (service provider), it never redirects to the identity provider, in this case Okta.

No more errors in the SAML trace:

ComponentSpace.SAML2 Verbose: 0 : 6776/6: 05/09/2018 16:29:22: Initiating SSO to the partner identity provider.
ComponentSpace.SAML2 Verbose: 0 : 6776/6: 05/09/2018 16:29:22: Service provider session (xxxxxxxxxxxxxx) state:
ComponentSpace.SAML2 Verbose: 0 : 6776/6: 05/09/2018 16:29:22: An assertion consumer service URL hasn't been configured and won't be included in the authn request.
ComponentSpace.SAML2 Verbose: 0 : 6776/6: 05/09/2018 16:29:22: SAML message constructed: partner provider=http://www.okta.com/exk1z59kczQi8rC150i7, SAML message=https://oktsite/app/xxxx/exk1z59kczQi8rC150i7/sso/saml" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">https://site.com<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />.
ComponentSpace.SAML2 Verbose: 0 : 6776/6: 05/09/2018 16:29:22: SAML message ready to send: partner provider=http://www.okta.com/exk1z59kczQi8rC150i7, SAML message=https://oktasite/app/xxxxx/exk1z59kczQi8rC150i7/sso/saml" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">https://site.com<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />, destination URL=https://oktasite.com/app/xxxxxxx/exk1z59kczQi8rC150i7/sso/saml.
ComponentSpace.SAML2 Verbose: 0 : 6776/6: 05/09/2018 16:29:22: Retrieving the local service provider signature certificates for the default configuration and partner identity provider http://www.okta.com/exk1z59kczQi8rC150i7.
ComponentSpace.SAML2 Verbose: 0 : 6776/6: 05/09/2018 16:29:22: The X.509 certificate with subject name CN=*.cert, OU=Domain Control Validated and serial number xxxxx has been retrieved from the cache.


Any thoughts on it?

Thanks

The log shows SSO is being initiated to Okta with a SAML authn request being sent.
If you’re not being redirected to Okta, I suspect either there’s some HTML markup or code in your application which is circumventing the sending of the authn request.
Please ensure you don’t perform any redirects etc in your code after calling SAMLServiceProvider.InitiateSSO.
If there’s still an issue, please include a section of your code where you call SAMLServiceProvider.InitiateSSO.

[quote]
ComponentSpace - 9/7/2018
The log shows SSO is being initiated to Okta with a SAML authn request being sent.
If you're not being redirected to Okta, I suspect either there's some HTML markup or code in your application which is circumventing the sending of the authn request.
Please ensure you don't perform any redirects etc in your code after calling SAMLServiceProvider.InitiateSSO.
If there's still an issue, please include a section of your code where you call SAMLServiceProvider.InitiateSSO.
[/quote]

Thanks for your reply.
I don't see any issue within our code, since the same code works for all other IdPs, and even if I send the unsecured request by setting the following to false, we do see the Okta login screen and it works:


<PartnerIdentityProvider Name="http://www.okta.com/exk89rwwiahjnDQiv0h7"
    SignAuthnRequest="false"
    SignLogoutRequest="false"
    SignLogoutResponse="false"

And one more thing: when I got the above error "An exception occurred: Failed to generate signature", we saw the following in the SAML trace:

ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Initializing the SAML environment.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: The default SAML configuration has been loaded.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: The local service provider is https://customersite.com.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: The partner identity provider is http://www.okta.com/exk1z59kczQi8rC150i7.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: The SAML environment has been successfuly initialized.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Initiating SSO to the partner identity provider.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Service provider session (y03noyqycovttto54bwxu5a4) state:
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: An assertion consumer service URL hasn't been configured and won't be included in the authn request.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: SAML message constructed: partner provider=http://www.okta.com/exk1z59kczQi8rC150i7, SAML message=https://xxxxxxxxx/exk1z59kczQi8rC150i7/sso/saml" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">https://customersite.com<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: SAML message ready to send: partner provider=http://www.okta.com/exk1z59kczQi8rC150i7, SAML message=https://xxxxxx/exk1z59kczQi8rC150i7/sso/saml" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">https://customersite.comk<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />, destination URL=https://xxxxxxxx/exk1z59kczQi8rC150i7/sso/saml.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Retrieving the local service provider signature certificates for the default configuration and partner identity provider http://www.okta.com/exk1z59kczQi8rC150i7.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Searching the X.509 store LocalMachine for the certificate with find type: FindByThumbprint and find value: 3612C5178066B8840EA31B2093AE24114B8BCC61.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: The X.509 certificate with subject name CN=*.cert, OU=Domain Control Validated and serial number xxxxx has been loaded.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: The X.509 certificate with subject name CN=*.cert, OU=Domain Control Validated and serial number xxxxx has been cached.
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Sending request over HTTP Redirect, baseURL=https://xxxxxxxxx/exk1z59kczQi8rC150i7/sso/saml, samlMessage=https://xxxxxxxxx/exk1z59kczQi8rC150i7/sso/saml" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">https://customersite.com<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />, relayState=
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Creating HTTP redirect query string
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Encoding SAML message: https://xxxxxxxx/exk1z59kczQi8rC150i7/sso/saml" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">https://customersite.com<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Encoded SAML message: fZJLT8MwEIT/SuS7k7ivpFZbqVAhKvEIUHHgUm3dLbWa2MHr0MevJ0kRKge4jnd2dj55RFDkpZxWfmue8aNC8sF8NmbLAQx6idr0+Ho1BN4D1ecrEMCTFDvdYXeQii6y4BUdaWvGrBPGLJgTVTg35MH4WopFyuMhj/sL0ZW9VIokHKTJGwtmdYo24Fvn1vuSZBQZPHBtPDoDeWh3HjgWCKGyRQRl2Ty/O1uVy9XRI5Gx+6WI8LATp/5wp05POnXXoh/rJCKyUdOKBTfWKWyrjdkGcsLmxAyI9Cf+KJmz3iqbX2mz1uZ9zCpnpAXSJA0USNIr+TK9v5N1Rbk6D5G8XSwynj2+LFhwKHJDsuX4v7n8TmKTUTMtW1zuwv+/vb4bXcOMTS6ZQUFhy6RGFVa7UXSx+xxUyod62XyW2VyrY0OlAP93lghFq+g137SjsjJUotIbjWsWTPPc7q8dgq8ZelfVCKPJOfX3P5p8AQ==
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Query string: SAMLRequest=fZJLT8MwEIT%2FSuS7k7ivpFZbqVAhKvEIUHHgUm3dLbWa2MHr0MevJ0kRKge4jnd2dj55RFDkpZxWfmue8aNC8sF8NmbLAQx6idr0%2BHo1BN4D1ecrEMCTFDvdYXeQii6y4BUdaWvGrBPGLJgTVTg35MH4WopFyuMhj%2FsL0ZW9VIokHKTJGwtmdYo24Fvn1vuSZBQZPHBtPDoDeWh3HjgWCKGyRQRl2Ty%2FO1uVy9XRI5Gx%2B6WI8LATp%2F5wp05POnXXoh%2FrJCKyUdOKBTfWKWyrjdkGcsLmxAyI9Cf%2BKJmz3iqbX2mz1uZ9zCpnpAXSJA0USNIr%2BTK9v5N1Rbk6D5G8XSwynj2%2BLFhwKHJDsuX4v7n8TmKTUTMtW1zuwv%2B%2Fvb4bXcOMTS6ZQUFhy6RGFVa7UXSx%2BxxUyod62XyW2VyrY0OlAP93lghFq%2Bg137SjsjJUotIbjWsWTPPc7q8dgq8ZelfVCKPJOfX3P5p8AQ%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Generating signature
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Data to sign: 53 41 4d 4c 52 65 71 75 65 73 74 3d 66 5a 4a 4c 54 38 4d 77 45 49 54 25 32 46 53 75 53 37 6b 37 69 76 70 46 5a 62 71 56 41 68 4b 76 45 49 55 48 48 67 55 6d 33 64 4c 62 57 61 32 4d 48 72 30 4d 65 76 4a 30 6b 52 4b 67 65 34 6a 6e 64 32 64 6a 35 35 52 46 44 6b 70 5a 78 57 66 6d 75 65 38 61 4e 43 38 73 46 38 4e 6d 62 4c 41 51 78 36 69 64 72 30 25 32 42 48 6f 31 42 4e 34 44 31 65 63 72 45 4d 43 54 46 44 76 64 59 58 65 51 69 69 36 79 34 42 55 64 61 57 76 47 72 42 50 47 4c 4a 67 54 56 54 67 33 35 4d 48 34 57 6f 70 46 79 75 4d 68 6a 25 32 46 73 4c 30 5a 57 39 56 49 6f 6b 48 4b 54 4a 47 77 74 6d 64 59 6f 32 34 46 76 6e 31 76 75 53 5a 42 51 5a 50 48 42 74 50 44 6f 44 65 57 68 33 48 6a 67 57 43 4b 47 79 52 51 52 6c 32 54 79 25 32 46 4f 31 75 56 79 39 58 52 49 35 47 78 25 32 42 36 57 49 38 4c 41 54 70 25 32 46 35 77 70 30 35 50 4f 6e 58 58 6f 68 25 32 46 72 4a 43 4b 79 55 64 4f 4b 42 54 66 57 4b 57 79 72 6a 64 6b 47 63 73 4c 6d 78 41 79 49 39 43 66 25 32 42 4b 4a 6d 7a 33 69 71 62 58 32 6d 7a 31 75 5a 39 7a 43 70 6e 70 41 58 53 4a 41 30 55 53 4e 49 72 25 32 42 54 4b 39 76 35 4e 31 52 62 6b 36 44 35 47 38 58 53 77 79 6e 6a 32 25 32 42 4c 46 68 77 4b 48 4a 44 73 75 58 34 76 37 6e 38 54 6d 4b 54 55 54 4d 74 57 31 7a 75 77 76 25 32 42 25 32 46 76 62 34 62 58 63 4f 4d 54 53 36 5a 51 55 46 68 79 36 52 47 46 56 61 37 55 58 53 78 25 32 42 78 78 55 79 6f 64 36 32 58 79 57 32 56 79 72 59 30 4f 6c 41 50 39 33 6c 67 68 46 71 25 32 42 67 31 33 37 53 6a 73 6a 4a 55 6f 74 49 62 6a 57 73 57 54 50 50 63 37 71 38 64 67 71 38 5a 65 6c 66 56 43 4b 50 4a 4f 66 58 33 50 35 70 38 41 51 25 33 44 25 33 44 26 53 69 67 41 6c 67 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 77 33 2e 6f 72 67 25 32 46 32 30 30 31 25 32 46 30 34 25 32 46 78 6d 6c 64 73 69 67 2d 6d 6f 72 65 25 32 33 72 73 61 2d 73 68 61 32 35 36
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Signature algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
ComponentSpace.SAML2 Verbose: 0 : 10200/9: 05/09/2018 14:48:17: Exception: ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to generate signature ---> System.Security.Cryptography.CryptographicException: Invalid algorithm specified.


And now there is no redirect after the certificate gets loaded (see last reply).

Thanks for your help.

The SAMLSignatureException being thrown should be handled by your application.
We recommend you catch all exceptions, log the error and redirect the user to a generic error page.
Are you saying if SignAuthnRequest is false, you see the Okta login screen?
And, if SignAuthnRequest is true you get the SAMLSignatureException exception?
If so, are you definitely using the correct CSP?
The “CryptographicException: Invalid algorithm specified” indicates the wrong CSP is being used.
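A way to confirm the CSP point made in the reply above, as an added example that is not part of the original thread and not ComponentSpace's code. It loads the service provider signing certificate by the thumbprint shown in the SAML trace earlier in the thread (the trace also shows the library searching the LocalMachine store, so that store is used here), reports which key provider holds the private key, and then attempts the same operation the library performs when it signs the HTTP-Redirect query string: an RSA PKCS#1 v1.5 signature over SHA-256. The query string bytes and the PFX file name in the remediation hint are placeholders.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the IIS host.
# Thumbprint taken from the SAML trace above; store location assumed to match the trace.
$thumbprint = "3612C5178066B8840EA31B2093AE24114B8BCC61"
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    # Legacy CryptoAPI key. Only provider type 24 (PROV_RSA_AES, "Microsoft Enhanced RSA and AES
    # Cryptographic Provider") implements SHA-2 hashing; type 1 (PROV_RSA_FULL) and type 12
    # (PROV_RSA_SCHANNEL, "Microsoft RSA SChannel Cryptographic Provider") do not.
    $info = $rsa.CspKeyContainerInfo
    "Provider: {0} (type {1})" -f $info.ProviderName, $info.ProviderType
} else {
    # CNG-backed key (RSACng); CNG providers support SHA-256.
    "Provider: CNG ({0})" -f $rsa.GetType().Name
}

# Placeholder for the query string the library signs (SAMLRequest=...&SigAlg=...rsa-sha256).
$data = [System.Text.Encoding]::UTF8.GetBytes(
    "SAMLRequest=PLACEHOLDER&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256")

try {
    $sig = $rsa.SignData($data,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    "RSA-SHA256 signature OK ({0} bytes)." -f $sig.Length
} catch [System.Security.Cryptography.CryptographicException] {
    # "Invalid algorithm specified" here is the same failure the SAML trace reported.
    "RSA-SHA256 signing failed: $($_.Exception.Message)"
    "Re-import the private key into a SHA-2 capable CSP from the PFX (file name is a placeholder), e.g.:"
    '  certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx sp-signing.pfx'
}
```

The certutil re-import replaces the key container, so the certificate must be imported again from a PFX that contains the private key; the existing installed certificate cannot simply be moved between providers.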

[quote]
ComponentSpace - 9/10/2018
The SAMLSignatureException being thrown should be handled by your application.
We recommend you catch all exceptions, log the error and redirect the user to a generic error page.
Are you saying if SignAuthnRequest is false, you see the Okta login screen?
And, if SignAuthnRequest is true you get the SAMLSignatureException exception?
If so, are you definitely using the correct CSP?
The "CryptographicException: Invalid algorithm specified" indicates the wrong CSP is being used.
[/quote]

Are you saying if SignAuthnRequest is false, you see the Okta login screen?
Yes.
And, if SignAuthnRequest is true you get the SAMLSignatureException exception?
No exception any more since we corrected the CSP. It is just doing nothing after the authentication request and loading the cert.
This is last thing logged in the SAML trace:

ComponentSpace.SAML2 Verbose: 0 : 6776/6: 05/09/2018 16:29:22: The X.509 certificate with subject name CN=*.cert, OU=Domain Control Validated and serial number xxxxx has been retrieved from the cache.

Thanks.

Please send the entire log file as an email attachment to support@componentspace.com mentioning your forum post.

[quote]
ComponentSpace - 9/11/2018
Please send the entire log file as an email attachment to support@componentspace.com mentioning your forum post.
[/quote]

Thanks for your reply. Got a bit further. The following is thrown in our application log file:
11:54:26,244 LOGIN FEDERATED SECURITY 'UseFederatedAuthentication' setting is enabled. Automatically redirecting to configured identity provider. See saml configuration file for more information.
11:54:26,259 LOGOUT FEDERATED SECURITY An exception occured: Keyset does not exist

Any Idea what "Keyset" the above refers to ?


This could be an issue accessing the private key of your certificate to sign a SAML message.
If you could email us the complete log it would be easier to determine the issue.
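A check for the private-key access issue suggested in the reply above, as an added example that is not part of the original thread and not ComponentSpace's code. "Keyset does not exist" is what CryptoAPI returns when the key container behind a certificate cannot be opened by the calling account: the certificate has no private key in the store being searched (the trace earlier in the thread shows the library searching LocalMachine, so a certificate imported only into a user's CurrentUser store would fail this way), or the key file exists but the application pool identity has no read permission on it. The script locates the key container on disk and inspects its ACL for the NetworkService account named in the thread; the thumbprint is taken from the trace above.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the IIS host.
$thumbprint      = "3612C5178066B8840EA31B2093AE24114B8BCC61"   # from the SAML trace above
$appPoolIdentity = "NT AUTHORITY\NETWORK SERVICE"               # app pool user named in the thread

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint is in LocalMachine\My but has no private key; re-import it from the PFX into the LocalMachine store."
}

# Locate the key container file. CryptoAPI (CSP) machine keys live under RSA\MachineKeys,
# CNG machine keys under Crypto\Keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
} else {
    $keyName = $rsa.Key.UniqueName      # RSACng -> CngKey
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$keyName"
}
"Key container: $keyPath"
if (-not (Test-Path $keyPath)) {
    throw "Key container file not found; the private key may have been deleted or belongs to a user profile store."
}

# Does the application pool identity hold an Allow ACE that includes Read on the key file?
$acl = Get-Acl $keyPath
$readAccess = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $appPoolIdentity -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if ($readAccess) {
    "$appPoolIdentity can read the private key."
} else {
    "$appPoolIdentity cannot read the private key. Grant read access with:"
    "  icacls `"$keyPath`" /grant `"${appPoolIdentity}:R`""
}
```

Granting read on the key file is equivalent to the "Manage Private Keys" dialog in the Certificates MMC snap-in; read is sufficient for signing, so the application pool identity should not be given Full Control.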