InitiateSSO call contains null

Hello everyone!

I’m sure this has been covered somewhere, but I’m just not finding it. When calling:

InitiateSSO(HttpResponse httpResponse, string relayState, string partnerIdP)

we are getting the error:

“Object reference not set to an instance of an object.”
“at ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.SendRequest(HttpResponse httpResponse, String baseURL, XmlElement samlMessage, String relayState, AsymmetricAlgorithm key, String signatureAlgorithm)”

The values for HttpResponse, relayState, and partnerIdP are not null (and there is a config associated with the partnerIdP). I’m unsure where the null is coming from, or what information is to be expected that may not be contained in the HttpResponse. Are there steps we can take to trace the values being passed within InitiateSSO to uncover what is being sent to SendRequest as a null value?

Thank you!

Are you passing a System.Web.HttpResponse as the first parameter?

Please enable SAML trace. This should provide more information.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

You’re welcome to send the SAML log file to support@componentspace.com and we’ll take a look.

[quote]
ComponentSpace - 8/24/2021
Are you passing a System.Web.HttpResponse as the first parameter?

Please enable SAML trace. This should provide more information.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

You're welcome to send the SAML log file to support@componentspace.com and we'll take a look.
[/quote]

Just the kind of information I was looking for, thank you! We'll see what this turns up :)

Thank you.

[quote]
ComponentSpace - 8/24/2021
Are you passing a System.Web.HttpResponse as the first parameter?

Please enable SAML trace. This should provide more information.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

You're welcome to send the SAML log file to support@componentspace.com and we'll take a look.
[/quote]

I am having this same issue and looking through the trace log doesn't tell me what is null. I am going to send in my log file for you to look at. Thank you.

In the previous case, the HttpRequest and HttpResponse objects associated with the current HTTP request were not being used. This meant that these objects weren’t initialized correctly. The solution was simply to pass in the correct HttpRequest and HttpResponse objects.

Of course, if this isn’t what you’re seeing, please forward the SAML log file to support@componentspace.com.

Thanks.

[quote]
ComponentSpace - 9/24/2021
In the previous case, the HttpRequest and HttpResponse objects associated with the current HTTP request were not being used. This meant that these objects weren't initialized correctly. The solution was simply to pass in the correct HttpRequest and HttpResponse objects.

Of course, if this isn't what you're seeing, please forward the SAML log file to support@componentspace.com.

Thanks.
[/quote]

That was the issue in that the Response object was not propagating into the method call. Now that it is working I get a different error that I believe is on the IdP side.

Could you confirm that this means the Identity Provider is not sending a post back to my site? If that is not the case, what does this message mean?

[SAMLBindingException: The message is not an HTTP POST.]

ComponentSpace.SAML2.Bindings.HTTPPostBinding.ReceiveRequest(HttpRequest httpRequest, XmlElement& samlMessage, String& relayState) +182

The log file says: Initiation of SSO to the partner identity provider https://xxxx.net has completed successfully.


It looks like SSO was initiated successfully (i.e. a SAML authn request was created and sent to the IdP). However, the SAML response isn’t being received.

The SAML response must be sent in an HTTP Post. If instead we receive an HTTP Get, etc., we throw the exception you’re seeing.

I suggest using the browser developer tools (F12) to take a look at the network traffic. You should see a 302 redirect including the SAMLRequest query string parameter. This is the SAML authn request being sent to the identity provider. If everything was working, after the user logs in at the identity provider, you should see an HTTP Post of the SAMLResponse.

If you’re not sure how to interpret this, you’re welcome to save the network traffic and email us the HAR file.
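The following is an added example, not ComponentSpace code, showing what the two transports described above look like on the wire and how an assertion consumer endpoint arrives at the "The message is not an HTTP POST" condition. The AuthnRequest, the endpoint URLs and the posted response are constructed samples; the DEFLATE/base64/URL-encoding steps are those of the SAML 2.0 HTTP-Redirect binding, and the base64-only form field is that of the HTTP-POST binding.

```python
"""Added example (not ComponentSpace code): SAML 2.0 binding mechanics.

redirect_binding_url builds the Location header of the 302 an SP sends
(HTTP-Redirect binding: raw DEFLATE, base64, URL-encoded SAMLRequest query
parameter), decode_redirect_saml_request reverses it the way you would when
reading a network trace, classify_binding names the binding an incoming
request uses, and receive_http_post_response behaves like an assertion
consumer endpoint that accepts the HTTP-POST binding only.
"""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample AuthnRequest (not captured from any real deployment).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id" '
    'Version="2.0" IssueInstant="2021-09-25T00:00:00Z" '
    'Destination="https://idp.example/sso">'
    '<saml:Issuer>https://sp.example</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Constructed SAMLResponse form value: base64 of a minimal response element.
SAMPLE_POSTED_RESPONSE = base64.b64encode(b"<samlp:Response/>").decode("ascii")


def redirect_binding_url(sso_url, authn_request_xml, relay_state=""):
    """Location header for the HTTP-Redirect binding (what the 302 carries)."""
    # wbits=-15 selects raw DEFLATE with no zlib header, as the binding requires.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_url + "?" + urlencode(params)


def decode_redirect_saml_request(location):
    """Recover the AuthnRequest XML from a captured redirect URL."""
    query = parse_qs(urlsplit(location).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def classify_binding(method, query, form):
    """Name the binding used by a request, given its method, query dict and form dict."""
    method = method.upper()
    if method == "GET" and ("SAMLRequest" in query or "SAMLResponse" in query):
        return "HTTP-Redirect"
    if method == "POST" and ("SAMLRequest" in form or "SAMLResponse" in form):
        return "HTTP-POST"
    return "no SAML message found in %s request" % method


def receive_http_post_response(method, form):
    """Assertion consumer endpoint for the HTTP-POST binding.

    Anything other than a POST carrying a SAMLResponse field is rejected with
    the same condition the thread reports; otherwise the base64 form value is
    decoded to the SAML response XML (signature verification would follow).
    """
    if method.upper() != "POST" or "SAMLResponse" not in form:
        raise ValueError("The message is not an HTTP POST.")
    return base64.b64decode(form["SAMLResponse"]).decode("utf-8")


if __name__ == "__main__":
    location = redirect_binding_url("https://idp.example/sso", SAMPLE_AUTHN_REQUEST, "abc")
    print(location)
    print(decode_redirect_saml_request(location) == SAMPLE_AUTHN_REQUEST)
    print(classify_binding("GET", parse_qs(urlsplit(location).query), {}))
```

Running the script prints a redirect URL of the kind the browser developer tools show as the 302 to the identity provider; feeding the captured URL to decode_redirect_saml_request confirms which AuthnRequest was actually sent, and classify_binding applied to the request that comes back tells you whether the IdP replied with a POST at all.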

[quote]
ComponentSpace - 9/25/2021
It looks like SSO was initiated successfully (i.e. a SAML authn request was created and sent to the IdP). However, the SAML response isn't being received.

The SAML response must be sent in an HTTP Post. If instead we receive an HTTP Get, etc., we throw the exception you're seeing.

I suggest using the browser developer tools (F12) to take a look at the network traffic. You should see a 302 redirect including the SAMLRequest query string parameter. This is the SAML authn request being sent to the identity provider. If everything was working, after the user logs in at the identity provider, you should see an HTTP Post of the SAMLResponse.

If you're not sure how to interpret this, you're welcome to save the network traffic and email us the HAR file.
[/quote]

That's what I thought but wanted to be sure before contacting our new IdP. It's better to be armed with good information :) Thanks!

I suggest checking the network traffic first just in case the issue is at your end.

[quote]
ComponentSpace - 9/25/2021
I suggest checking the network traffic first just in case the issue is at your end.
[/quote]

The issue is that they expect to get the request as a POST with params in the body, but it is being sent as a GET with params in the query string. I don't see any way to change SAMLServiceProvider.InitiateSSO to accommodate this. Is there a setting to send as a POST?

By default, we send the SAML authn request using the HTTP-Redirect binding (transport) which results in an HTTP Get to the identity provider.

There is also the option to send it using the HTTP-Post binding. To do so, specify SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" in your SAML configuration.

For example:

<PartnerIdentityProvider
  Name="https://ExampleIdentityProvider"
  Description="Example Identity Provider"
  SignAuthnRequest="true"
  SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  SingleSignOnServiceUrl="https://localhost:44390/SAML/SSOService.aspx"
  SingleLogoutServiceUrl="https://localhost:44390/SAML/SLOService.aspx">

[quote]
ComponentSpace - 9/26/2021
By default, we send the SAML authn request using the HTTP-Redirect binding (transport) which results in an HTTP Get to the identity provider.

There is also the option to send it using the HTTP-Post binding. To do so, specify SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" in your SAML configuration.

For example:


<PartnerIdentityProvider
  Name="https://ExampleIdentityProvider"
  Description="Example Identity Provider"
  SignAuthnRequest="true"
  SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  SingleSignOnServiceUrl="https://localhost:44390/SAML/SSOService.aspx"
  SingleLogoutServiceUrl="https://localhost:44390/SAML/SLOService.aspx">

[/quote]

Thanks for the POST config, but I now get a different error. I noted in your example you also have the partner's cert, is that needed? They have my key and I have my cert, but nothing of theirs.
Here's the exception I am getting:
[CryptographicException: Cannot find the requested object.]
IdpName.Applications.OurName.Portal.Authentication.SAML2IDP.SingleSignonService.ProcessRequest(HttpContext context) +441
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +790
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +195
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +88

You should have the partner identity provider’s certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue.

[quote]
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue.
[/quote]

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user.
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
[quote]
[quote]
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue.
[/quote]

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user.
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
[/quote]
Also, the IdP has their certificate exposed in their metadata endpoint like so:

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509Certificate>base64String</X509Certificate>
  </X509Data>
</KeyInfo>

Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?
[quote]
[quote]
[quote]
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue.
[/quote]

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user.
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
[/quote]
Also, the IdP has their certificate exposed in their metadata endpoint like so:

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509Certificate>base64String</X509Certificate>
  </X509Data>
</KeyInfo>

Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?
[/quote]
Hi again!
We worked out the first issue, as I thought, they needed my cert not just my key as they had asked. Now I am able to initiate the flow and get an exception that I think might point to my not having a copy of their cert (available from their metadata as stated earlier).
I get this in the log file: Initiation of SSO to the partner identity provider https://globalsignin.cobalttest.net has completed successfully.
But on the web page, I get an exception saying "The partner identity provider xxx is not configured", which they obviously are. Does this point to my not having their cert? Would you like me to send you the log file?
Thanks again for all your help!

[quote]
[quote]
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue.
[/quote]

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user.
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
[/quote]
An HTML form is returned in the HTTP response to the browser. Some JavaScript automatically submits the form which results in an HTTP Post to the identity provider. This is perfectly normal and how the SAML HTTP-Post binding is supposed to work. The identity provider won't see the HTML form. They'll receive an HTTP Post with the SAML response as post data. If you use the browser developer tools to take a look at the network traffic you'll see what I mean.
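As an added illustration of the HTTP-POST binding described in this reply (example code, not ComponentSpace's), the block below renders the self-submitting HTML form an SP returns to the browser, then plays the browser's part by collecting the hidden fields and producing the form-encoded POST body the identity provider actually receives. The destination URL, AuthnRequest and RelayState are constructed values.

```python
"""Added example (not ComponentSpace code): the SAML HTTP-POST binding.

post_binding_page renders the HTML page the SP sends to the browser, with the
message base64-encoded (no DEFLATE, unlike HTTP-Redirect) in a hidden field and
a script that submits the form on load.  browser_submit does what the browser
does, and idp_receive shows that the IdP sees only a form-encoded POST body.
"""
import base64
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode


def post_binding_page(destination, saml_xml, relay_state=""):
    """Return the auto-submitting HTML form for the HTTP-POST binding."""
    fields = {"SAMLRequest": base64.b64encode(saml_xml.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    # Escape every attribute value so the destination and RelayState cannot
    # break out of their quotes in the generated markup.
    inputs = "\n".join(
        '    <input type="hidden" name="%s" value="%s"/>'
        % (html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in fields.items()
    )
    return (
        "<!DOCTYPE html>\n"
        '<html><body onload="document.forms[0].submit()">\n'
        "  <noscript><p>JavaScript is disabled. Click Continue to proceed.</p></noscript>\n"
        '  <form method="post" action="%s">\n' % html.escape(destination, quote=True)
        + inputs + "\n"
        '    <noscript><input type="submit" value="Continue"/></noscript>\n'
        "  </form>\n"
        "</body></html>\n"
    )


class _HiddenFieldParser(HTMLParser):
    """Collects the form action and hidden inputs, as a browser does on submit."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "form":
            self.action = attributes.get("action")
        elif tag == "input" and attributes.get("type") == "hidden":
            self.fields[attributes["name"]] = attributes.get("value", "")


def browser_submit(page_html):
    """Simulate the browser: return (action URL, form-urlencoded POST body)."""
    parser = _HiddenFieldParser()
    parser.feed(page_html)
    return parser.action, urlencode(parser.fields)


def idp_receive(post_body):
    """What the identity provider does with the body: decode SAMLRequest to XML."""
    form = parse_qs(post_body)
    return base64.b64decode(form["SAMLRequest"][0]).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample values.
    page = post_binding_page("https://idp.example/sso", '<samlp:AuthnRequest ID="_c"/>', "state&1")
    action, body = browser_submit(page)
    print(action)
    print(body)
    print(idp_receive(body))
```

The HTML form never reaches the identity provider; only the action URL and the form-encoded body do, which is exactly what the Network tab shows as the POST following the SP's response.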
[quote]
[quote]
[quote]
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue.
[/quote]

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user.
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
[/quote]
Also, the IdP has their certificate exposed in their metadata endpoint like so:

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509Certificate>base64String</X509Certificate>
  </X509Data>
</KeyInfo>

Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?
[/quote]
The base-64 encoded X.509 certificate string can be copied to a .CER text file and this file specified as the partner identity provider's certificate.
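An added example (not ComponentSpace code) of the step this reply describes: read the X509Certificate element out of the IdP's SAML metadata, tolerate the line-wrapped base64 that metadata usually contains, skip encryption-only keys, and write the signing certificate as a PEM-armoured .cer file. The metadata document and the certificate bytes are constructed placeholders, not a real certificate.

```python
"""Added example (not ComponentSpace code): metadata X509Certificate -> .cer file.

The base64 text inside <ds:X509Certificate> is a DER-encoded certificate.  A .cer
text file is the same bytes, re-encoded in 64-character base64 lines between
BEGIN/END CERTIFICATE markers.
"""
import base64
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholders; a real X509Certificate value is a DER certificate.
_SIGNING_PLACEHOLDER = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode("ascii")
_ENCRYPTION_PLACEHOLDER = base64.b64encode(b"encryption-key-placeholder").decode("ascii")

SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="' + NS_MD + '" xmlns:ds="' + NS_DS + '" '
    'entityID="https://idp.example">\n'
    '  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
    '    <md:KeyDescriptor use="signing">\n'
    "      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n"
    "        " + _SIGNING_PLACEHOLDER[:20] + "\n"
    "        " + _SIGNING_PLACEHOLDER[20:] + "\n"
    "      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>\n"
    "    </md:KeyDescriptor>\n"
    '    <md:KeyDescriptor use="encryption">\n'
    "      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>" + _ENCRYPTION_PLACEHOLDER
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>\n"
    "    </md:KeyDescriptor>\n"
    "  </md:IDPSSODescriptor>\n"
    "</md:EntityDescriptor>\n"
)


def signing_certificates_from_metadata(metadata_xml):
    """Return DER bytes for each signing certificate in the metadata.

    KeyDescriptors with use="encryption" are skipped: only signing keys verify
    the signature on the SAML response or assertion.  A KeyDescriptor without a
    use attribute may be used for both, so it is kept.
    """
    root = ET.fromstring(metadata_xml)
    certificates = []
    for descriptor in root.iter("{%s}KeyDescriptor" % NS_MD):
        if descriptor.get("use", "signing") != "signing":
            continue
        for x509 in descriptor.iter("{%s}X509Certificate" % NS_DS):
            # Metadata commonly wraps the base64 over several lines.
            b64 = "".join((x509.text or "").split())
            certificates.append(base64.b64decode(b64, validate=True))
    return certificates


def der_to_cer_pem(der):
    """Wrap DER bytes in the PEM armour a .cer text file uses."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Inverse of der_to_cer_pem, used to check the written file round-trips."""
    lines = [line for line in pem.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(lines))


def write_partner_certificate(metadata_xml, path):
    """Write the first signing certificate to `path` as a .cer file; return the PEM text."""
    certificates = signing_certificates_from_metadata(metadata_xml)
    if not certificates:
        raise ValueError("metadata contains no signing certificate")
    pem = der_to_cer_pem(certificates[0])
    with open(path, "w", encoding="ascii") as handle:
        handle.write(pem)
    return pem


if __name__ == "__main__":
    print(write_partner_certificate(SAMPLE_METADATA, "idp-placeholder.cer"))
```

The resulting file is what the PartnerIdentityProvider configuration points at as the partner certificate; re-fetch the metadata when the IdP rotates keys, since the signing certificate, not the entityID, is what changes.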
[quote]
[quote]
[quote]
[quote]
ComponentSpace - 9/27/2021
You should have the partner identity provider's certificate as this is used to verify the signature on the SAML response or assertion returned by the identity provider.

I suggest emailing us the SAML log file if you need assistance debugging the current issue.
[/quote]

Looking at the log file I think the issue is that it is sending a form to the IdP. I think it should be sending them params in a POST body, then they are going to present a form to the user.
Is this normal behavior? Should I send you the log file or does this point to a configuration issue?
[/quote]
Also, the IdP has their certificate exposed in their metadata endpoint like so:

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509Certificate>base64String</X509Certificate>
  </X509Data>
</KeyInfo>

Does this work with SAML for .NET or do I need the actual certificate stored in the Certificates folder?
[/quote]
Hi again!
We worked out the first issue, as I thought, they needed my cert not just my key as they had asked. Now I am able to initiate the flow and get an exception that I think might point to my not having a copy of their cert (available from their metadata as stated earlier).
I get this in the log file: Initiation of SSO to the partner identity provider https://globalsignin.cobalttest.net has completed successfully.
But on the web page, I get an exception saying "The partner identity provider xxx is not configured", which they obviously are. Does this point to my not having their cert? Would you like me to send you the log file?
Thanks again for all your help!

[/quote]
That sounds like a configuration issue rather than a certificate issue. You should have a PartnerIdentityProvider entry with a Name of "xxx".

You're welcome to send the SAML log file as an email attachment to support@componentspace.com if you'd like us to take a look.
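An added pre-flight check for the mismatch this reply points at (example code, not ComponentSpace's): it reads every PartnerIdentityProvider Name from the SP's SAML configuration, reads the Issuer from a SAML response, and reports whether they match exactly, calling out near-misses (case or trailing-slash differences) separately. The SAMLConfiguration/PartnerIdentityProviders wrapper elements around the example entry are assumed, and the requirement that Name and Issuer agree character for character is an assumption stated here rather than taken from the thread.

```python
"""Added example (not ComponentSpace code): does the partner IdP Name match the
response's Issuer?  A "partner identity provider ... is not configured" error is
the usual symptom when it does not.  Configuration and responses are constructed.
"""
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed configuration; the wrapper elements are assumed, the entry is the
# one from the thread's example.
SAMPLE_CONFIG = """<SAMLConfiguration>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider
      Name="https://ExampleIdentityProvider"
      Description="Example Identity Provider"
      SignAuthnRequest="true"
      SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      SingleSignOnServiceUrl="https://localhost:44390/SAML/SSOService.aspx"
      SingleLogoutServiceUrl="https://localhost:44390/SAML/SLOService.aspx"/>
  </PartnerIdentityProviders>
</SAMLConfiguration>"""


def sample_response(issuer):
    """Constructed minimal SAML response carrying the given Issuer."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed" Version="2.0">'
        "<saml:Issuer>%s</saml:Issuer></samlp:Response>" % (NS_SAMLP, NS_SAML, issuer)
    )


def configured_partner_names(config_xml):
    """All PartnerIdentityProvider Name attributes, whatever namespace the file uses."""
    root = ET.fromstring(config_xml)
    return [
        element.get("Name")
        for element in root.iter()
        if element.tag.rsplit("}", 1)[-1] == "PartnerIdentityProvider"
    ]


def response_issuer(response_xml):
    """The Issuer of a SAML response (the IdP's entityID)."""
    root = ET.fromstring(response_xml)
    issuer = root.find("{%s}Issuer" % NS_SAML)
    if issuer is None or not issuer.text:
        raise ValueError("SAML response has no Issuer")
    return issuer.text.strip()


def _normalise(name):
    return name.strip().rstrip("/").lower()


def check_partner(config_xml, response_xml):
    """'ok' when the Issuer matches a configured Name exactly, else a diagnosis."""
    names = configured_partner_names(config_xml)
    issuer = response_issuer(response_xml)
    if issuer in names:
        return "ok"
    near = [name for name in names if _normalise(name) == _normalise(issuer)]
    if near:
        return (
            "not configured: Issuer %r differs from configured Name %r only in case "
            "or a trailing slash; the names are compared exactly" % (issuer, near[0])
        )
    return "not configured: no PartnerIdentityProvider with Name %r" % issuer


if __name__ == "__main__":
    print(check_partner(SAMPLE_CONFIG, sample_response("https://ExampleIdentityProvider")))
    print(check_partner(SAMPLE_CONFIG, sample_response("https://exampleidentityprovider/")))
```

Run it against a SAMLResponse copied from the SAML log or the browser's network trace before involving the IdP: a near-miss result means the fix is on the SP side, in the configuration entry's Name.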