.NET SAML Okta

Hello,

We currently have Okta as our Active Directory identity provider. What we are looking for is that all of our internal applications (.NET and Android) have their users log in with their AD credentials. At the same time, Okta is returning several user attributes needed to bring individual information. We are using ComponentSpace as we are working only with SAML and not WFS. I'm new at this and I'm a little bit confused as to which direction to take. I have my SAML.config file like this:


<!-- Service Provider, which is our server -->
<ServiceProvider Name="https://leads.xxxxx.com"
    AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx"
    LocalCertificateFile="leads_com.cer"/>
<PartnerIdentityProvider Name="http://www.okta.com/.......ZtHl0x7"
    SignAuthnRequest="true"
    WantSAMLResponseSigned="true"
    SingleSignOnServiceUrl="https://leads.okta.com/app/template_saml_2_0/...ednnPi..../sso/saml"
    PartnerCertificateFile="okta.cer"/>

I also have my SAML folder with the AssertionConsumerService.aspx that receives the attributes I need.

On the login page I'm initializing the service provider as:
    SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP);   (partnerIdP is defined in the web.config file)
My question is: am I on the correct path? What method do I use to pass the username and the password from the login page to Okta?

Again I’m new at this, any help will be appreciated!!!

As per the SAML specification, the service provider doesn’t pass the user name and password to the identity provider. Instead, these should be prompted for and validated at the identity provider.
The SAML configuration and your call to SAMLServiceProvider.InitiateSSO look fine.
The call to SAMLServiceProvider.InitiateSSO will send a SAML authn request to the identity provider.
The identity provider should then prompt for the user to login and authenticate the user’s credentials unless the user is already logged in.
A SAML response will be sent to the service provider. Calling SAMLServiceProvider.ReceiveSSO will receive and process this message.
If you run into any issues, I recommend enabling SAML trace and sending the log file to our support email address.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Thanks for your answer. It looks like I'm confused about the roles our .NET application and Okta are playing. The login page that we want the users to use is on the .NET application; the idea is that when the users attempt to log in, we post the username and password to Okta to authenticate the user (we have our Active Directory access secured with Okta) and return some AD attributes needed to the .NET application. We configured everything on the Okta side, the users and the attributes we need back.

My question is: do I have to configure our .NET application both as a service provider and identity provider in SAML? I guess Okta will just be the partner identity provider, am I right?

Thank you!

The application where the user enters their user name and password and these are authenticated against the user registry (eg Active Directory) is the identity provider. The application that receives the SAML assertion and performs the automatic login is the service provider.
The SAML specification doesn’t support transmitting the user name and password from one application to the other.
Using SAML, the .NET application would act as the service provider and Okta as the identity provider. Users would be redirected to Okta to enter their user name and password and have these authenticated against AD.
If you want the user name and password to be entered at the .NET application and then authenticated at Okta you will need to come up with some non-SAML mechanism for passing these values to Okta.

Thank you for your help on this!! I'm getting it now. I actually ended up using the .NET Okta SDK (non-SAML) to authenticate the username and password, which returns a success. It also returns a session token and a relay state. We do use SAML to return the other attributes from the Active Directory. My second step would be initializing the service provider with the relay state Okta sends, right?: SAMLServiceProvider.InitiateSSO(Response, okta.relaystate, partnerIdP). If I'm right (for once lol) I will be good to go as I already have my assertion file to receive the data and continue on my app.

If the identity provider is initiating SSO and supplying a relay state then this will be the URL you should redirect to after completing SSO at the service provider.
For service provider initiated SSO the relay state is some arbitrary value only understood by the service provider. The identity provider simply returns this along with the SAML response. It may be used for retrieving state information etc. but its use is entirely optional.
The SAMLServiceProvider.InitiateSSO overloads that take a relay state parameter may be used to send a relay state to the identity provider.
However, in most circumstances this isn’t necessary. You can use the ASP.NET session state to maintain any information required between calling SAMLServiceProvider.InitiateSSO to send the SAML authn request and calling SAMLServiceProvider.ReceiveSSO to receive the SAML response.
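The SP-initiated flow described in the answers above (InitiateSSO, then ReceiveSSO at the assertion consumer service, with the return URL kept in ASP.NET session state instead of the relay state), written out as an added example for an ASP.NET MVC controller. This is not code from the thread or from ComponentSpace; it assumes the `ComponentSpace.SAML2` namespace, the `SAMLServiceProvider` method signatures quoted in the thread, and that the partner IdP name is stored in web.config under the appSettings key `PartnerIdP`.

```csharp
using System.Configuration;
using System.Web.Mvc;
using System.Web.Security;
using ComponentSpace.SAML2;   // namespace of SAMLServiceProvider (assumed)

public class SamlController : Controller
{
    // Name of the <PartnerIdentityProvider> entry in saml.config, read from web.config (assumed key).
    private static readonly string PartnerIdP = ConfigurationManager.AppSettings["PartnerIdP"];

    // Step 1: start SP-initiated SSO. The post-login destination is kept in session state,
    // so nothing application-specific has to round-trip through Okta as relay state.
    public ActionResult Login(string returnUrl)
    {
        Session["ReturnUrl"] = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        SAMLServiceProvider.InitiateSSO(Response, null, PartnerIdP);
        return new EmptyResult();   // InitiateSSO has already written the redirect to Okta
    }

    // Step 2: the AssertionConsumerServiceUrl configured in saml.config (~/SAML/AssertionConsumerService).
    public ActionResult AssertionConsumerService()
    {
        bool isInResponseTo;
        string partnerIdP, userName, targetUrl;
        SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP,
            out userName, out var attributes, out targetUrl);

        // This application only ever starts SSO itself, so an unsolicited (IdP-initiated)
        // response, or one from a partner other than the one we sent the request to, is rejected.
        if (!isInResponseTo || partnerIdP != PartnerIdP)
            return new HttpStatusCodeResult(400, "Unexpected SAML response");

        // AD attributes returned by Okta; the collection type depends on the library version.
        Session["SamlAttributes"] = attributes;
        FormsAuthentication.SetAuthCookie(userName, false);

        string returnUrl = Session["ReturnUrl"] as string ?? "/";
        Session.Remove("ReturnUrl");
        return Redirect(returnUrl);
    }
}
```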

The example project MvcExampleServiceProvider which you provided with the library contains a config for Okta, but I can't find the login/password for this configuration. Can you share it? Thanks in advance.

<PartnerIdentityProvider Name="http://www.okta.com/exk5xsht7oII4vg2R0h7"
    Description="Okta"
    SignAuthnRequest="true"
    WantSAMLResponseSigned="true"
    WantAssertionSigned="false"
    WantAssertionEncrypted="false"
    DigestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
    SignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    SingleSignOnServiceUrl="https://dev-144911.oktapreview.com/app/componentspacedev144911_exampleserviceprovider_1/exk5xsht7oII4vg2R0h7/sso/saml"
    PartnerCertificateFile="Certificates\okta.cer"/>

We haven’t fully documented how to configure Okta but will do so.
A good place to start is to take a look at the documentation provided by Okta.
http://developer.okta.com/docs/guides/setting_up_a_saml_application_in_okta.html
If you run into any issues or have any questions please email support@componentspace.com

Looking forward to seeing the fully documented Okta configuration. :)

But now I have an issue with Okta. I can successfully log in to my app by calling
    SAMLServiceProvider.InitiateSSO(Response, null, AppConfiguration.PartnerIdP);
In the AssertionConsumerServiceUrl call,
    SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out userName, out attributes, out targetUrl);
works fine.

But when I try to log out by calling (it is called without error)
    SAMLServiceProvider.InitiateSLO(Response, null, "http://www.okta.com/exk63omfn84Ir4LPV0h7");
in SingleLogoutService (action SLOService, code provided below), by calling SAMLServiceProvider.ReceiveSLO(...)
I get an error: "The partner identity provider http://localhost:55734/ is not configured."

My saml.config

<ServiceProvider Name="http://localhost:55734/"
    Description="MVC Example Service Provider"
    AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
    LocalCertificateFile="Certificates\sp.pfx"
    LocalCertificatePassword="password"/>

<PartnerIdentityProvider Name="http://www.okta.com/exk63omfn84Ir4LPV0h7"
    SignAuthnRequest="true"
    WantSAMLResponseSigned="true"
    WantAssertionSigned="false"
    WantAssertionEncrypted="false"
    DisableAudienceRestrictionCheck="true"
    DigestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
    SignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    SingleSignOnServiceUrl="https://dev-830577.oktapreview.com/app/productiveedgellcdev830577_tt20_1/exk63omfn84Ir4LPV0h7/sso/saml"
    SingleLogoutServiceUrl="~/SAML/SLOService"
    PartnerCertificateFile="Certificates\okta.cer"/>


My SLOService (C# code in an ASP.NET MVC controller)

public ActionResult SLOService()
{
    bool isRequest = false;
    string logoutReason = null;
    string partnerIdP = null;

    // Here is the error: 'The partner identity provider http://localhost:55734/ is not configured.'
    SAMLServiceProvider.ReceiveSLO(Request, out isRequest, out logoutReason, out partnerIdP);

    // A logout request from the IdP needs a logout response; a logout response needs nothing further.
    if (isRequest)
        SAMLServiceProvider.SendSLO(Response, null);

    return new EmptyResult();
}

What am I doing wrong? Why do I need to configure 'http://localhost:55734' as an IdP? What should it be?
Thanks in advance.

In your PartnerIdentityProvider configuration you need to specify the SingleLogoutServiceUrl as the endpoint at Okta to send the SAML logout request to.
The current configuration causes the logout request to be sent back to your service provider's SAML/SLOService endpoint, which then fails.
The flow is: you call SAMLServiceProvider.InitiateSLO to send a logout request to Okta. Once logout completes at Okta, a logout response will be sent to your logout service endpoint, where you call SAMLServiceProvider.ReceiveSLO.
You will need to enable and configure SAML logout at Okta as well.
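The corrected logout setup from the reply above, as an added example that is not code from the thread or from ComponentSpace: the SingleLogoutServiceUrl moved to Okta's endpoint (the Okta URL is a placeholder to be copied from the Okta app's SAML settings), plus a controller that handles both the logout response to our own request and a logout request when Okta initiates the logout. It assumes the `ComponentSpace.SAML2` namespace and the `SAMLServiceProvider` signatures quoted in the thread.

```csharp
using System.Web.Mvc;
using System.Web.Security;
using ComponentSpace.SAML2;   // namespace of SAMLServiceProvider (assumed)

// saml.config: SingleLogoutServiceUrl must point at Okta, not back at this application.
// With the thread's value ("~/SAML/SLOService") the logout request lands on our own endpoint,
// which is why ReceiveSLO reported the local URL as an unconfigured partner IdP.
//
//   <PartnerIdentityProvider Name="http://www.okta.com/exk63omfn84Ir4LPV0h7"
//       ...
//       SingleLogoutServiceUrl="https://<okta-tenant>/app/<okta-app>/<app-id>/slo/saml"   (placeholder)
//       PartnerCertificateFile="Certificates\okta.cer"/>

public class SamlLogoutController : Controller
{
    private const string PartnerIdP = "http://www.okta.com/exk63omfn84Ir4LPV0h7";   // from the thread's saml.config

    // SP-initiated logout: end the local session first, then ask Okta to end its session.
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
        SAMLServiceProvider.InitiateSLO(Response, null, PartnerIdP);
        return new EmptyResult();   // InitiateSLO has written the redirect to Okta's SLO endpoint
    }

    // Our <ServiceProvider> SingleLogoutServiceUrl (~/SAML/SLOService). It receives either a logout
    // response to the request sent above, or a logout request when the logout was started at Okta.
    public ActionResult SLOService()
    {
        bool isRequest;
        string logoutReason, partnerIdP;
        SAMLServiceProvider.ReceiveSLO(Request, out isRequest, out logoutReason, out partnerIdP);

        if (isRequest)
        {
            // IdP-initiated logout: terminate the local session before answering Okta,
            // otherwise the user stays logged in here after logging out at Okta.
            FormsAuthentication.SignOut();
            Session.Abandon();
            SAMLServiceProvider.SendSLO(Response, null);
            return new EmptyResult();
        }

        // Logout response to our own request: both the Okta and local sessions are now ended.
        return Redirect("/");
    }
}
```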