Debugging System.ArgumentNullException

Got an error that’s giving us a full-stop when the idp is calling the AssertionConsumerService after login. Can you provide any pointers for debugging this?


dbug: ComponentSpace.Saml2.Bindings.Post.HttpPostBinding[0]
      The SAML message has been received over HTTP-Post.
fail: ComponentSpace.Saml2.SamlServiceProvider[100]
      Receiving an SSO response from a partner identity provider has failed.
ComponentSpace.Saml2.Exceptions.SamlSchemaValidationException: SAML XML schema validation failed. ---> System.ArgumentNullException: Value cannot be null.
Parameter name: input
   at System.Xml.XmlReaderSettings.CreateReader(Stream input, Uri baseUri, String baseUriString, XmlParserContext inputContext)
   at ComponentSpace.Saml2.Utility.SamlSchemaValidator.Validate(XmlElement xmlElement) in /opt/app-root/src/ComponentSpace/Utility/SamlSchemaValidator.cs:line 83
   --- End of inner exception stack trace ---
   at ComponentSpace.Saml2.Utility.SamlSchemaValidator.Validate(XmlElement xmlElement) in /opt/app-root/src/ComponentSpace/Utility/SamlSchemaValidator.cs:line 93
   at ComponentSpace.Saml2.SamlProvider.ValidateMessage(XmlElement messageElement) in /opt/app-root/src/ComponentSpace/SamlProvider.cs:line 375
   at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync() in /opt/app-root/src/ComponentSpace/SamlServiceProvider.cs:line 192
dbug: ComponentSpace.Saml2.Authentication.SamlAuthenticationHandler[0]
      An exception has been caught by the SAML authentication handler.
ComponentSpace.Saml2.Exceptions.SamlSchemaValidationException: SAML XML schema validation failed. ---> System.ArgumentNullException: Value cannot be null.


And the init code from my Startup.cs file:


    private void ConfigureSaml(SamlConfigurations samlConfigurations)
    {
        samlConfigurations.Configurations = new List<SamlConfiguration>()
        {
            new SamlConfiguration()
            {
                // Local service provider (this application)
                LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
                {
                    Name = "https://saml.test.domain",
                    Description = "Example Service Provider",
                    AssertionConsumerServiceUrl = "https://saml.test.domain/SAML/AssertionConsumerService",
                    SingleLogoutServiceUrl = "https://saml.test.domain/SAML/SingleLogoutService",
                    ArtifactResolutionServiceUrl = "https://saml.test.domain/SAML/ArtifactResolutionService",

                    // Certificate with private key used for signing and decryption
                    LocalCertificates = new List<Certificate>()
                    {
                        new Certificate()
                        {
                            FileName = "Certificates/cert.pfx",
                            Password = "passwordremoved"
                        }
                    }
                },
                // Partner identity provider (ADFS)
                PartnerIdentityProviderConfigurations = new List<PartnerIdentityProviderConfiguration>()
                {
                    new PartnerIdentityProviderConfiguration()
                    {
                        Name = "http://sts.testad.local/adfs/services/trust",
                        Description = "ADFS",
                        SignAuthnRequest = true,
                        SignLogoutRequest = true,
                        SignLogoutResponse = true,
                        WantAssertionEncrypted = true,
                        WantLogoutResponseSigned = true,
                        SingleSignOnServiceUrl = "https://sts.testad.local/adfs/ls/",
                        SingleLogoutServiceUrl = "https://sts.testad.local/adfs/ls/?wa=wsignout1.0",
                        ArtifactResolutionServiceUrl = "https://sts.testad.local/adfs/services/trust/artifactresolution/",
                        // Public certificate used to verify the IdP's signatures
                        PartnerCertificates = new List<Certificate>()
                        {
                            new Certificate()
                            {
                                FileName = "certificates/testad.local.signing.cer"
                            }
                        }
                    }
                }
            }
        };
    }

Thanks for the information. The issue is related to validating the received SAML message against the SAML XML schema.
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

[quote]
ComponentSpace - 8/23/2019
Thanks for the information. The issue is related to validating the received SAML message against the SAML XML schema.
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

[/quote]

I'll see what I can do. I'm not familiar with Serilog and our server runtime images are dynamically generated in git/openstack, which limits our ability to generate application-level logfiles on the fs. I'll see if I can get it to write to the console and capture it from there.

We use the standard Microsoft logging. It doesn’t necessarily have to be configured to use Serilog. The console capture will be fine. We just need the logging from when the SAML message is received through to the exception. Thanks.

What operating system are you using?
This may be an issue related to Assembly.GetExecutingAssembly().GetManifestResourceStream.
Once you’ve captured the log and while we investigate, you can work around the issue by setting the LocalServiceProviderConfiguration.DisableSchemaCheck to true.
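
Added example, not part of the thread and not ComponentSpace code: a small console diagnostic for the suspicion raised above. It lists an assembly's embedded resources, confirms each one opens, and shows that a null stream from GetManifestResourceStream produces the same ArgumentNullException ("Parameter name: input") seen in the log. The class name, the resource name "Hypothetical.Missing.Schema.xsd" and the command-line argument are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Xml;

public static class EmbeddedResourceCheck
{
    // Lists every manifest resource and reports whether it can be opened.
    // Returns false if any listed resource yields a null stream.
    public static bool CheckResources(Assembly assembly, TextWriter log)
    {
        bool allOpen = true;
        foreach (string name in assembly.GetManifestResourceNames())
        {
            using (Stream s = assembly.GetManifestResourceStream(name))
            {
                log.WriteLine("{0}: {1}", name, s == null ? "NULL STREAM" : s.Length + " bytes");
                allOpen &= s != null;
            }
        }
        return allOpen;
    }

    // GetManifestResourceStream does not throw for an unknown name: the lookup
    // is case-sensitive and returns null. Handing that null to XmlReader.Create
    // is what raises ArgumentNullException for the parameter "input".
    public static string ReproduceNullInput(Assembly assembly)
    {
        // Hypothetical name, chosen so the lookup fails.
        Stream missing = assembly.GetManifestResourceStream("Hypothetical.Missing.Schema.xsd");
        try
        {
            using (XmlReader.Create(missing, new XmlReaderSettings())) { }
            return "no exception";
        }
        catch (ArgumentNullException e)
        {
            return e.ParamName; // "input", as in the stack trace above
        }
    }

    public static void Main(string[] args)
    {
        // Optional argument: simple name of the assembly to inspect (assumption).
        Assembly target = args.Length > 0 ? Assembly.Load(args[0]) : Assembly.GetExecutingAssembly();
        Console.WriteLine("All resources open: {0}", CheckResources(target, Console.Out));
        Console.WriteLine("Null stream fails on parameter: {0}", ReproduceNullInput(target));
    }
}
```

Run on the affected host, the resource listing shows whether the embedded files are present and readable there, which helps confirm the cause so DisableSchemaCheck can be treated as temporary and schema validation turned back on afterwards.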

CentOS 7. I'm working on the capture, but it may be a little while until I can email it in.

Thanks.