Error on Single Log Out - A logout response was unexpectedly received

Hey,

So, I’ve downloaded the sample MvcExampleIdentityProvider/MvcExampleServiceProvider projects, and managed to get them running locally, which is great.

I’ve tried to hook up an existing application as the identity provider, so I pointed the MvcExampleServiceProvider to use the existing app, but I can’t seem to get the configuration right.

In MvcExampleServiceProvider, I’ve got this in saml.config -

<?xml version="1.0"?>

<ServiceProvider Name="http://external-web.devmachine.com"
    AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
    LocalCertificateFile="sp.pfx"
    LocalCertificatePassword="password"/>
<PartnerIdentityProvider Name="http://external-web.devmachine.com"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="true"
    WantAssertionSigned="false"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="http://external-web.devmachine.com/SAML/SSOService"
    SingleLogoutServiceUrl="http://external-web.devmachine.com/SAML/SLOService"
    PartnerCertificateFile="idp.cer"/>


And in the web.config, I have -

<add key="PartnerIdP" value="http://external-web.devmachine.com"/>

Now, in external-web.devmachine.com (the identity provider), I have this in my saml.config -

<?xml version="1.0"?>

<IdentityProvider Name="http://external-web.devmachine.com"
    LocalCertificateFile="idp.pfx"
    LocalCertificatePassword="password"/>
<PartnerServiceProvider Name="http://external-web.devmachine.com"
    WantAuthnRequestSigned="false"
    SignSAMLResponse="true"
    SignAssertion="false"
    EncryptAssertion="false"
    AssertionConsumerServiceUrl="http://external-web.devmachine.com/SAML/AssertionConsumerService"
    SingleLogoutServiceUrl="http://external-web.devmachine.com/SAML/SLOService"
    PartnerCertificateFile="sp.cer"/>


Now, I can log in fine if I go to the service provider - it redirects to external-web, authenticates and redirects back. It all looks fine.

But, when I try to log out, it seems the SLOService in external-web is called twice. The first, the log out works correctly. The second time it is called, this error is thrown -

A logout response was unexpectedly received. Stack Trace: at ComponentSpace.SAML2.AbstractSAMLProvider.ProcessLogoutResponse(HttpRequestBase httpRequest, XmlElement logoutResponseElement, String signatureAlgorithm, String signature) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\AbstractSAMLProvider.cs:line 387…

What is going wrong here? The only thing I can guess is that because the Identity Provider is listed as a PartnerServiceProvider within itself, it is trying to log out that service (not realising that it is itself). But if I remove that provider from the list, I cannot log in, as I get this error -

No partner service providers have been configured Stack Trace: at ComponentSpace.SAML2.Configuration.SAMLConfiguration.GetPartnerServiceProvider(String name) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Configuration\SAMLConfiguration.cs:line 669 at ComponentSpace.SAML2.InternalSAMLIdentityProvider.ReceiveSSO(HttpRequestBase httpRequest, String& partnerSP, SSOOptions& ssoOptions) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLIdentityProvider.cs:line 732…

Any ideas would be appreciated!

Hi Jamie
I think part of the confusion is that the identity provider and service provider have the same name. You should specify different names for these.
If you take a look at the MvcExampleIdentityProvider’s saml.config it includes:

<IdentityProvider Name="http://localhost/MvcExampleIdentityProvider"
    LocalCertificateFile="idp.pfx"
    LocalCertificatePassword="password"/>


<PartnerServiceProvider Name="http://localhost/ExampleServiceProvider"
    WantAuthnRequestSigned="false"
    SignSAMLResponse="true"
    SignAssertion="false"
    EncryptAssertion="false"
    AssertionConsumerServiceUrl="http://localhost/ExampleServiceProvider/SAML/AssertionConsumerService.aspx"
    SingleLogoutServiceUrl="http://localhost/ExampleServiceProvider/SAML/SLOService.aspx"
    PartnerCertificateFile="sp.cer"/>

And the MvcExampleServiceProvider’s saml.config includes:

<ServiceProvider Name="http://localhost/MvcExampleServiceProvider"
    AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
    LocalCertificateFile="sp.pfx"
    LocalCertificatePassword="password"/>


<PartnerIdentityProvider Name="http://localhost/ExampleIdentityProvider"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="true"
    WantAssertionSigned="false"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="http://localhost/ExampleIdentityProvider/SAML/SSOService.aspx"
    SingleLogoutServiceUrl="http://localhost/ExampleIdentityProvider/SAML/SLOService.aspx"
    PartnerCertificateFile="idp.cer"/>

Notice that the identity provider and service provider have unique names. Also note that the SingleLogoutServiceUrl is different for the identity provider and service provider.
Please try changing the names in your saml.config files to make them unique.
Also, ensure that the identity provider and service provider have unique URLs for their single logout services.
If there’s still an issue, please enable SAML trace for both applications and send the log files as email attachments to support@componentspace.com mentioning this topic. Also include your two saml.config files.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
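As an added check for the two points in the answer above (example code, not ComponentSpace's own): a small Python lint over ComponentSpace-style saml.config files that flags a local provider whose Name is reused by one of its partners or whose partner endpoints point back at itself, plus a cross-file check that the partner SLO URLs configured on the two sides differ. The SAMLConfiguration root element and the sample configs are constructed for this example, not taken from the project.

```python
# Added example, not ComponentSpace code: lint a ComponentSpace-style saml.config for the
# mistake in this thread (a provider listed as its own partner). Root element and samples are constructed.
import xml.etree.ElementTree as ET

LOCAL_TAGS = ("IdentityProvider", "ServiceProvider")
PARTNER_TAGS = ("PartnerIdentityProvider", "PartnerServiceProvider")
ENDPOINT_ATTRS = ("SingleSignOnServiceUrl", "SingleLogoutServiceUrl", "AssertionConsumerServiceUrl")

def _tag(elem):
    return elem.tag.split("}")[-1]  # drop any XML namespace so the check works with or without one

def _under(url, base):
    # True when url is base itself or a path beneath it (a bare string-prefix match is not enough).
    return url == base or url.startswith(base.rstrip("/") + "/")

def lint_saml_config(xml_text):
    """Return the problems found in one saml.config; an empty list means it passed."""
    root = ET.fromstring(xml_text)
    partners = [e for e in root.iter() if _tag(e) in PARTNER_TAGS]
    problems = [] if partners else ["no partner providers configured"]
    for me in (e for e in root.iter() if _tag(e) in LOCAL_TAGS):
        name = me.get("Name", "")
        for p in partners:
            if p.get("Name") == name:
                problems.append(f"{_tag(p)} has the same Name as the local {_tag(me)}: {name}")
            for attr in ENDPOINT_ATTRS:
                url = p.get(attr)
                if url and name.startswith("http") and _under(url, name):
                    problems.append(f"{_tag(p)} {attr} points back at the local provider: {url}")
    return problems

def partner_slo_urls_distinct(idp_xml, sp_xml):
    """Cross-file check: the SLO URL each side configures for its partner must differ."""
    def slo(xml_text):
        return {e.get("SingleLogoutServiceUrl") for e in ET.fromstring(xml_text).iter()
                if _tag(e) in PARTNER_TAGS}
    return slo(idp_xml).isdisjoint(slo(sp_xml))

# Constructed samples: the self-partnered IdP from the question, then a corrected IdP/SP pair.
BROKEN_IDP = """<SAMLConfiguration><IdentityProvider Name="http://external-web.devmachine.com"/>
 <PartnerServiceProvider Name="http://external-web.devmachine.com"
  SingleLogoutServiceUrl="http://external-web.devmachine.com/SAML/SLOService"/></SAMLConfiguration>"""
FIXED_IDP = """<SAMLConfiguration><IdentityProvider Name="http://external-web.devmachine.com/idp"/>
 <PartnerServiceProvider Name="http://localhost/MvcExampleServiceProvider"
  SingleLogoutServiceUrl="http://localhost/MvcExampleServiceProvider/SAML/SLOService"/></SAMLConfiguration>"""
FIXED_SP = """<SAMLConfiguration><ServiceProvider Name="http://localhost/MvcExampleServiceProvider"/>
 <PartnerIdentityProvider Name="http://external-web.devmachine.com/idp"
  SingleLogoutServiceUrl="http://external-web.devmachine.com/idp/SAML/SLOService"/></SAMLConfiguration>"""
```

`lint_saml_config(BROKEN_IDP)` reports two problems (shared Name, partner SLO URL pointing back at the IdP), while both fixed configs come back clean and `partner_slo_urls_distinct(FIXED_IDP, FIXED_SP)` is True.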



Yup, that did the trick. Knew it would be something simple like that. Thanks for your help!