Keyset does not exist Exception

Hi, I am loading my configuration programmatically like this:

var samlConfiguration = new SAMLConfiguration
{
    LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
    {
        Name = "IlluminaPortal",
        Description = "Illumina Portal",
        AssertionConsumerServiceUrl = "~/auth/saml2/AssertionConsumerService.aspx",
        LocalCertificateFile = @"App_Data\sp.pfx",
        LocalCertificatePassword = "password"
    }
};

samlConfiguration.AddPartnerIdentityProvider(new PartnerIdentityProviderConfiguration
{
    Name = "okta",
    Description = "Okta",
    SignAuthnRequest = true,
    SignLogoutRequest = true,
    SignLogoutResponse = true,
    WantSAMLResponseSigned = true,
    WantLogoutRequestSigned = true,
    WantLogoutResponseSigned = true,
    SingleSignOnServiceBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    SingleSignOnServiceUrl = "https://illumina.oktapreview.com/app/yyyyyyy/xxxxxxx/sso/saml",
    SingleLogoutServiceBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    SingleLogoutServiceUrl = "https://illumina.oktapreview.com/app/yyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxx/slo/saml",
    PartnerCertificateFile = @"App_Data\okta.cert"
});

And then I am doing this:

SAMLController.Configuration = samlConfiguration;
SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP);

But I am getting an exception:

System.Security.Cryptography.CryptographicException: Keyset does not exist

at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at ComponentSpace.SAML2.InternalSAMLServiceProvider.CreateAuthnRequest(SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.InitiateSSO(HttpResponse httpResponse, String relayState, String partnerIdP, SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl)
at ASP.auth_login_aspx.ssoLinkButton_Click(Object sender, EventArgs e) in e:\Websites\Illumina\Illumina.RV.TreeHouseI.com\Main\www\auth\Login.aspx:line 73
at System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e)
at System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Any thoughts on what's going on?
This seems to run fine when I run it in Visual Studio, but it does not work in IIS.

Thank you

Hi Sunil
There’s an issue accessing the private key in your PFX file.
It’s most likely a permissions issue.
Please take a look at the following forum post.
http://www.componentspace.com/Forums/29/Troubleshooting-Loading-X.509-Certificates
The other option is to store the certificate and private key in the Windows certificate store rather than a PFX file.
In this case, setting permissions is done through the Microsoft Management Console (MMC) Certificates snap-in.
You can reference a certificate in the Windows certificate store by its serial number, thumbprint or subject DN.
For example, instead of LocalCertificateFile and LocalCertificatePassword you would use LocalCertificateSerialNumber.

[quote]
ComponentSpace - 1/24/2017
Hi Sunil
There's an issue accessing the private key in your PFX file.
It's most likely a permissions issue.
Please take a look at the following forum post.
http://www.componentspace.com/Forums/29/Troubleshooting-Loading-X.509-Certificates
The other option is to store the certificate and private key in the Windows certificate store rather than a PFX file.
In this case, setting permissions is done through the Microsoft Management Console (MMC) Certificates snap-in.
You can reference a certificate in the Windows certificate store by its serial number, thumbprint or subject DN.
For example, instead of LocalCertificateFile and LocalCertificatePassword you would use LocalCertificateSerialNumber.

[/quote]

I tried loading it using the thumbprint.
When I go into the cert store, Action > All Tasks > Manage Private Keys, to set permissions I get "No keys to manage".
I am using the sp.pfx provided in the Samples.
If I use a different cert I am getting an "algorithm does not match" error.
Weird.
How come more people don't run into this issue? How are they doing it differently from me?
Is there a fix on the way?

Thank you.

That’s very strange. We haven’t seen or heard of that issue before.
The “Manage Private Keys” menu item only appears if the certificate includes a private key.
The “No keys to manage” error implies there is no private key.
When you imported sp.pfx, did the Certificates snap-in prompt for the password?
Could you try idp.pfx to see if that works for you?
The “algorithm does not match” error is a different one. It’s most likely an issue with the cryptographic service provider (CSP) specified by your private key.
Please refer to the following forum post to confirm and fix this issue:
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
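A scripted version of the checks behind both replies above (that the certificate in the Windows store actually carries a private key, and that the IIS application pool identity can read the CSP key file that backs it), added here as an example; it is not ComponentSpace's code. The thumbprint and app pool name are placeholders, and it assumes the certificate was imported into LocalMachine\My.

```powershell
# Added diagnostic, not part of the ComponentSpace product or the forum thread.
# Assumes the SP certificate was imported into LocalMachine\My and the site runs
# under the app pool identity below; both values are placeholders to replace.
$Thumbprint      = 'REPLACE-WITH-CERTIFICATE-THUMBPRINT'
$AppPoolIdentity = 'IIS AppPool\DefaultAppPool'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# MMC shows "No keys to manage" exactly when this is $false: the PFX was imported
# without its private key (wrong password, or only the public .cer was imported).
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; re-import the PFX with its password' }

# For CSP (RSACryptoServiceProvider) keys .NET exposes the key container; CNG keys
# return $null here and their permissions must be managed through MMC instead.
$rsa = $cert.PrivateKey
if ($null -eq $rsa -or -not $rsa.CspKeyContainerInfo) { throw 'Not a CSP key; set permissions via the MMC Certificates snap-in' }
$info = $rsa.CspKeyContainerInfo
if (-not $info.MachineKeyStore) { throw 'Key lives in a user profile store; IIS app pools cannot reach it. Re-import into the machine store.' }

# Machine-store CSP key blobs live under MachineKeys, named by the unique container name.
# "Keyset does not exist" is what the app pool sees when it cannot read this file.
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key file $keyFile not found" }

# Show the current ACL, then grant read-only access (not Full Control) to the pool identity.
(Get-Acl $keyFile).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolIdentity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Output "Granted Read on $keyFile to $AppPoolIdentity"
```

Run it from an elevated PowerShell prompt; the ACL change is the same thing the MMC "Manage Private Keys" dialog does, so the certificate can then be referenced from the store by serial number or thumbprint instead of from the PFX file.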