IdP initiated SSO not working

Hi
I was exploring your product and was creating a PoC on SAML 2 SSO for my application. I have created a new SamlController in my existing Web API (built on ASP.NET Core) which has AssertionConsumer, SingleLogoutService and ArtifactResolutionService methods. I have created a test IdP project outside of my Web API (serving as SP) and was not able to invoke the SSO. Can you please help to resolve the issue?
I have verified the config (appsettings.json on the test IdP and SP) and certificates; all are in place, but I am still not able to hit the SP's AssertionConsumer for SSO. I am getting a "site can't be reached" (ERR_CONNECTION_REFUSED) error.

Thanks

ComponentSpace - 9/27/2018
Please note that SAML is a browser-based protocol.
SAML messages are sent via HTTP posts and redirects rather than as web API calls.
I suggest running the ExampleIdentityProvider and ExampleServiceProvider projects in Visual Studio to confirm SSO is working in your environment.
You could then modify the ExampleIdentityProvider's appsettings.json to include your service provider and use this to test SSO.
Once you have your service provider working, you can switch to your own identity provider for testing if you wish.
Regarding the connection refused error, please try browsing to each of the URLs you've configured in the appsettings.json to check that the URLs are correct.
You might get 500 internal errors but I wouldn't expect you to receive connection refused.
If there's still an issue, please enable SAML trace at both your IdP and SP and send the generated log files as email attachments to support@componentspace.com.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

I changed my service provider to be similar to your example service provider, but it is still not hitting the SP when SSO is initiated from the IdP sample. But when I changed my IdP sample to hit your example service provider, it was hitting the breakpoint. I tried logging too, but there are not many details about why it is not hitting the SP breakpoint (the call is not reaching the SP). The log says it initiated SSO successfully from the IdP. Any further guidance on what is missing on my side?

ComponentSpace - 9/28/2018
So, just to confirm, when using your IdP and the ExampleServiceProvider, the breakpoint in the assertion consumer service endpoint is hit but when using your SP it doesn't.
What does the browser display?
What's the URL in the address bar? Is it still at your IdP or at your SP application?

It was hitting the SP, and the SP authorized it correctly and returned the response correctly, but it was not redirecting to the correct page.

await _samlIdp.InitiateSsoAsync(partnerName, userName, attributes, relaystate);
return new EmptyResult();

Should I pass some valid value in relayState? And how should I open a different page from the IdP?

ComponentSpace - 10/1/2018
InitiateSsoAsync will send the SAML response to the SP's configured assertion consumer service endpoint.
Control is now at the SP site. Control is not returned to the IdP.
For IdP-initiated SSO, the optional relay state specifies the target URL the SP should redirect to once SSO completes.
So, after receiving the SAML response at its assertion consumer service endpoint, the SP will redirect to the URL specified by the relay state.
If relay state isn't included, the SP typically redirects to whatever page it presents to a logged in user.

Thank you for the quick reply. I was able to redirect, but I am not able to pass a few details as response headers to the page the SP redirects to. How can I pass the details to the redirect page (I don't want them to be sent as a query string)?
Also, I want the client's metadata XML and the PEM files related to each individual IdP to be stored in the DB, and to read those details from the DB when they initiate SSO (InitiateSsoAsync). How can this be achieved?

When the IdP sends a SAML response to the SP the following occurs.
1. IdP returns to the browser an HTTP response containing an HTML form and some JavaScript to automatically submit the form to the SP.
2. Browser executes the JavaScript and sends an HTTP Post with the SAML response as the post data to the SP.
3. SP receives the HTTP Post request containing the SAML response.
Did you want to include additional headers in the HTTP request to the SP?
If so, what type of information do you wish to include?
The standard way for sending information to the SP is to include SAML attributes in the SAML assertion.
Could the information be sent as SAML attributes rather than as HTTP headers?
You can store the SAML configuration including the certificates in a custom database rather than in the appsettings.json.
Please refer to our Configuration Guide which describes either specifying configuration programmatically or implementing the ISamlConfigurationResolver interface.
https://www.componentspace.com/Forums/8234/Configuration-Guide

I am not referring to information sent to the SP (we can send data from the IdP to the SP through SAML attributes); I am referring to the information sent to the redirected page after SAML authentication is done (after the redirect from the SP following SSO).
Also, how can I do negative tests, if someone is sending a crooked SAML request acting as an IdP? I want to check how your SAML component behaves in such vulnerability scenarios.
Thanks

The only direct way to send information to the page redirected to after SAML SSO completes is as query string parameters.
The optional relay state parameter to the InitiateSsoAsync specifies the URL the SP should redirect to once SSO completes.
You could include query string parameters in this URL.
The only other option is to use SAML attributes. Your assertion consumer service page could then make these attributes available to the page you redirect to through session variables etc.
As far as negative testing, you can use Fiddler to capture the network traffic and replay it after making whatever modifications you wish to make.
https://www.telerik.com/fiddler
There’s a SAML Burp extension for more comprehensive testing.
https://github.com/SAMLRaider/SAMLRaider
There are also SAML browser extensions for Chrome and Firefox that might prove useful.
For example:
https://addons.mozilla.org/es/firefox/addon/saml-tracer/
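An added example, not code from ComponentSpace or the original posts, of an SP assertion consumer service action that follows the advice above: SAML attribute values are handed to the target page through the session rather than the query string, and the IdP-supplied relay state is only followed when it is a local URL. It assumes the ComponentSpace ISamlServiceProvider.ReceiveSsoAsync() API and a result exposing UserID, PartnerName, RelayState and Attributes (each with Name and Values); the "email" attribute name and the session keys are hypothetical.

```csharp
// Added example (not ComponentSpace's sample code). Assumes the ComponentSpace
// ISamlServiceProvider.ReceiveSsoAsync() API and a result with UserID, PartnerName,
// RelayState and Attributes (Name / Values) members. The "email" attribute name
// and the session keys are hypothetical.
using System.Linq;
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public class SamlController : Controller
{
    private readonly ISamlServiceProvider _samlServiceProvider;

    public SamlController(ISamlServiceProvider samlServiceProvider)
    {
        _samlServiceProvider = samlServiceProvider;
    }

    // The IdP's auto-submitted HTML form posts the SAML response here (step 2 above).
    [HttpPost]
    public async Task<IActionResult> AssertionConsumerService()
    {
        var ssoResult = await _samlServiceProvider.ReceiveSsoAsync();

        // Hand the attribute values to the target page through the session
        // rather than as query string parameters.
        HttpContext.Session.SetString("UserID", ssoResult.UserID);
        HttpContext.Session.SetString("PartnerName", ssoResult.PartnerName);
        var email = ssoResult.Attributes
            .FirstOrDefault(a => a.Name == "email")?
            .Values.FirstOrDefault()?.ToString();
        if (email != null)
        {
            HttpContext.Session.SetString("Email", email);
        }

        // The relay state is the IdP-supplied target URL. Only follow it when it
        // is local to this application; otherwise fall back to the default page.
        var target = ssoResult.RelayState;
        if (string.IsNullOrEmpty(target) || !Url.IsLocalUrl(target))
        {
            target = "/Home/Index";
        }
        return LocalRedirect(target);
    }
}
```

Session state requires services.AddSession() and app.UseSession() in Startup; the redirected page then reads the values back with HttpContext.Session.GetString.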


I want more customization (dynamic loading) of the configurations. Here is what we are trying to check the feasibility of in the PoC:
We will be loading the SP config details on start up, then load the IdP config details dynamically by hitting their metadata URL (which is exposed through a URL, and we don't want to store complete configs on our side as they might change after a period), then apply the configuration specific to the current IdP who initiated SAML SSO (I think this can be done through SetConfigurationIdAsync). Can we use the Id (like the GUID) from the metadata XML as the tenantId for applying the configs? The IdP will be passing the Id as part of the SAML attributes.

Does the above approach work for your component? Please add any steps I am missing for SAML2 SSO here. Will your component work/support this without any issues if we read the tenant id (GUID from the SAML attributes), load all IdP configs and then apply the specific IdP configs for the call?

Thanks

The configuration ID is for multi-tenanted application (typically deployed to the cloud) where each tenant has a completely separate SAML configuration.
If you wish to load configurations dynamically you should implement the ISamlConfigurationResolver interface.
This is described in our Configuration Guide.


Thank you for your response. We have around 10 IdPs (expected to begin with this count and later maybe extended to others) that hit our SP, and we are not on the cloud currently (not aware of any plans in the next 2 years). All use one single SP, so in this case can we use ConfigurationId for applying the configuration of the respective IdP that invoked the SSO? Also, what are the SLAs of your SAML component? Is there any limit on how many IdPs can hit the SP concurrently? I assume no limits. Please confirm.

Thanks

In that case, you only need a single SAML configuration consisting of the local SP and as many partner IdP entries as you require.
There’s no need to have multiple SAML configurations.
The configuration ID is only used when there are multiple SAML configurations.
When you call ReceiveSsoAsync, we determine which IdP sent the SAML response using the issuer field in the message.
We use this to look up the correct partner IdP configuration entry to process the message.
The configuration ID is not used for this.
We don’t set any limits on the number of partner IdPs etc.


Thank you for your reply. But I am not able to apply the configs which were read from the DB. I am getting an Internal Server Error while invoking AssertionConsumerService:

{
  "messsage": "Internal Server Error",
  "success": false,
  "exception": {
    "StackTrace": "   at Microsoft.Extensions.DependencyInjection.ActivatorUtilities.GetService(IServiceProvider sp, Type type, Type requiredBy, Boolean isDefaultParameterRequired)\r\n   at lambda_method(Closure , IServiceProvider , Object[] )\r\n   at Microsoft.AspNetCore.Mvc.Controllers.ControllerActivatorProvider.<>c__DisplayClass4_0.b__0(ControllerContext controllerContext)\r\n   at Microsoft.AspNetCore.Mvc.Controllers.ControllerFactoryProvider.<>c__DisplayClass5_0.g__CreateController|0(ControllerContext controllerContext)\r\n   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)\r\n   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()\r\n   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextExceptionFilterAsync()",
    "Message": "Unable to resolve service for type 'ComponentSpace.Saml2.ISamlServiceProvider' while attempting to activate 'SAMLController'.",
    "InnerExceptionString": ""
  }
}

In startup.cs I have defined the method
private void ConfigureSaml(SamlConfigurations samlConfigurations), which you have mentioned as the Action delegate implemented in your component to apply configurations at run time (as specified in your documentation, ComponentSpace SAML v2.0 configuration.pdf, page 8). I have also registered this action delegate in the ConfigureServices method in startup.cs, but I am still getting this error. Can you suggest what's missing from my code?

Thanks



My apologies but the documentation appears to be wrong. I’ll see that it’s corrected.
Don’t call services.Configure.
Instead, your Startup class should include:

services.AddSaml(config => ConfigureSaml(config));
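An added example, not ComponentSpace's sample code or the poster's, of a Startup that registers the SAML configuration exactly as above and has ConfigureSaml build one configuration (a single local SP plus one partner entry per IdP) from records loaded from a database. It assumes the ComponentSpace SamlConfigurations, SamlConfiguration, LocalServiceProviderConfiguration, PartnerIdentityProviderConfiguration and Certificate types, with Certificate.String holding a base64 certificate; LoadPartnerIdpsFromDatabase and all URLs and entity IDs are constructed placeholders.

```csharp
// Added example (not ComponentSpace's sample code). Assumes the ComponentSpace
// SamlConfigurations / SamlConfiguration / LocalServiceProviderConfiguration /
// PartnerIdentityProviderConfiguration / Certificate types, with Certificate.String
// holding a base64 certificate. LoadPartnerIdpsFromDatabase is hypothetical.
using System.Collections.Generic;
using ComponentSpace.Saml2.Configuration;
using Microsoft.Extensions.DependencyInjection;
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        // One registration only; do not also call services.Configure<SamlConfigurations>.
        services.AddSaml(config => ConfigureSaml(config));
    }

    // One SAML configuration: a single local SP plus one partner entry per IdP.
    // ReceiveSsoAsync selects the partner entry whose Name matches the response Issuer.
    private void ConfigureSaml(SamlConfigurations samlConfigurations)
    {
        var partnerIdps = new List<PartnerIdentityProviderConfiguration>();
        foreach (var (entityId, ssoUrl, certBase64) in LoadPartnerIdpsFromDatabase())
        {
            partnerIdps.Add(new PartnerIdentityProviderConfiguration
            {
                Name = entityId,                      // must equal the Issuer in the IdP's responses
                SingleSignOnServiceUrl = ssoUrl,
                // Leaving this out produces "An X.509 signature certificate ... hasn't been configured".
                PartnerCertificates = new List<Certificate> { new Certificate { String = certBase64 } }
            });
        }
        samlConfigurations.Configurations.Add(new SamlConfiguration
        {
            LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration
            {
                Name = "https://MyServiceProvider",   // constructed SP entity ID
                AssertionConsumerServiceUrl = "https://localhost:44360/SAML/AssertionConsumerService",
                LocalCertificates = new List<Certificate> { new Certificate { FileName = "certificates/sp.pfx", Password = "password" } }
            },
            PartnerIdentityProviderConfigurations = partnerIdps
        });
    }
    // Hypothetical data access returning (entity ID, SSO URL, base64 DER signing cert);
    // a real implementation queries the database. Values below are constructed samples.
    private static IEnumerable<(string, string, string)> LoadPartnerIdpsFromDatabase() => new[]
    {
        ("https://idp.example.com", "https://idp.example.com/SAML/SingleSignOnService", "MIIC...base64 DER...")
    };
}
```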




No problem! I figured it out, but it also worked when I added the two lines below:
services.Configure(config => ConfigureSaml(config));
services.AddSaml();

Thanks



Just be careful you haven’t accidentally added multiple SAML configurations.
Are those two lines the only SAML related code in your Startup?
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace


I am getting an error even though my certs are in place:

An X.509 signature certificate for the partner identity provider https://…com hasn't been configured.

Thanks

In your SAML configuration, have you specified a PartnerCertificates for the partner identity provider?

"PartnerIdentityProviderConfigurations": [
  {
    "Name": "https://ExampleIdentityProvider",
    "Description": "Example Identity Provider",
    "SignAuthnRequest": true,
    "SingleSignOnServiceUrl": "https://localhost:44313/SAML/SingleSignOnService",
    "SingleLogoutServiceUrl": "https://localhost:44313/SAML/SingleLogoutService",
    "ArtifactResolutionServiceUrl": "https://localhost:44313/SAML/ArtifactResolutionService",
    "PartnerCertificates": [
      {
        "FileName": "certificates/idp.cer"
      }
    ]
  },



If you have, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace