Problems with ReceiveSSO method using IdP Initiated SAML and HighLevelAPI

I'm getting the following error when making the ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(context.Request, out partnerIdP, out LoginID, out attributes, out targetUrl) call.

I am unclear why this is happening.

ComponentSpace.SAML2.Exceptions.SAMLException: The partner X.509 certificate identifier (subject name or serial number) hasn't been configured.
    at ComponentSpace.SAML2.Configuration.CertificateManager.GetPartnerCertificate(String certificateID)
    at ComponentSpace.SAML2.Configuration.SAMLConfiguration.GetPartnerCertificate(PartnerProviderConfiguration partnerProviderConfiguration)
    at ComponentSpace.SAML2.SAMLServiceProvider.VerifySAMLResponseSignature(XmlElement samlResponseElement)
    at ComponentSpace.SAML2.SAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, String& userName, IDictionary& attributes)
    at ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, String& partnerIdP, String& userName, IDictionary& attributes, String& targetUrl)

One thing I'm confused about is how the library correlates the identity providers listed in saml.config with the certificates added to the CertificateManager. Does the Name property in saml.config have to match one of the properties on the certificate, like the subject or the serial number?


I have some more information.

I currently have a two-site configuration. Each site is an Identity Provider and each site is a Service Provider. SAML SSO works perfectly between these two sites.

The problem comes in when I attempt to configure a third site. Once I add a second Service Provider, or a second Identity Provider, I get the error message above.

An attempt is being made to verify the XML signature on the SAML response from the partner identity provider. However, no certificate has been configured for this partner identity provider.
Are you specifying the certificate in the configuration?
For example:
<PartnerIdentityProvider Name="http://localhost/ExampleIdentityProvider" PartnerCertificateFile="idp.cer"
Or, if the certificate is stored in the Windows certificate store you would instead use PartnerCertificateSerialNumber, PartnerCertificateThumbprint or PartnerCertificateSubject.
Alternatively, have you implemented your own ICertificateManager?
No certificate properties have to match the partner provider name. The ICertificateManager interface includes methods that specify the partner provider name and it’s up to the certificate manager to determine how to identify which certificate to return.
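The reply above says a partner certificate is selected by file, or by serial number, thumbprint or subject from the Windows certificate store. Before putting one of those identifiers into saml.config it is worth confirming that it selects exactly one certificate and that it is the partner's certificate. The program below is an added example for this thread, not ComponentSpace code; it lists the certificates in the store with the three identifiers, resolves one by serial number with the .NET X509Store API, and compares it with the .cer file the partner sent. The store location (LocalMachine\My), the command-line arguments and the file path are assumptions of the example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example for this thread; it is not ComponentSpace code.
// Usage:  PartnerCertificateCheck list [CurrentUser]
//         PartnerCertificateCheck <serial-number> <partner.cer> [CurrentUser]
// Assumptions: the partner certificate is installed in the "My" store of the
// given location and the partner also sent it as a .cer (public key only) file.
static class PartnerCertificateCheck
{
    // Serial numbers copied from the certificate dialog often carry spaces or colons;
    // X509Certificate2.SerialNumber is uppercase hex with no separators.
    public static string NormalizeSerial(string serial)
    {
        return serial.Replace(" ", "").Replace(":", "").ToUpperInvariant();
    }

    // Print every certificate with the identifiers a partner entry can reference.
    public static void ListCertificates(StoreLocation location)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                Console.WriteLine("Subject:    {0}", cert.Subject);
                Console.WriteLine("Thumbprint: {0}", cert.Thumbprint);
                Console.WriteLine("Serial:     {0}", cert.SerialNumber);
                Console.WriteLine("Expires:    {0:u}   Private key: {1}", cert.NotAfter, cert.HasPrivateKey);
                Console.WriteLine();
            }
        }
        finally
        {
            store.Close();
        }
    }

    // Resolve a partner certificate the way a serial-number identifier would have to:
    // exactly one match, whether or not the certificate is currently valid.
    public static X509Certificate2 FindBySerial(StoreLocation location, string serial)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly: false so an expired or untrusted partner certificate is
            // reported here rather than silently dropping out of the lookup.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySerialNumber, NormalizeSerial(serial), false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with serial " + serial + " in " + location + "\\My");
            if (found.Count > 1)
                throw new InvalidOperationException(
                    found.Count + " certificates share serial " + serial + "; identify the partner by thumbprint instead");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    static int Main(string[] args)
    {
        var location = args.Length > 2 && args[2] == "CurrentUser"
            ? StoreLocation.CurrentUser : StoreLocation.LocalMachine;

        if (args.Length == 0 || args[0] == "list")
        {
            ListCertificates(location);
            return 0;
        }
        if (args.Length < 2)
        {
            Console.WriteLine("usage: PartnerCertificateCheck list | <serial-number> <partner.cer> [CurrentUser]");
            return 2;
        }

        X509Certificate2 fromStore = FindBySerial(location, args[0]);
        var fromFile = new X509Certificate2(args[1]);   // the .cer the partner sent

        Console.WriteLine("Store: {0} / {1}", fromStore.Subject, fromStore.Thumbprint);
        Console.WriteLine("File:  {0} / {1}", fromFile.Subject, fromFile.Thumbprint);

        // The thumbprint (SHA-1 over the DER encoding) identifies one certificate; serial
        // numbers are only unique per issuing CA and subjects are reused across renewals.
        if (!string.Equals(fromStore.Thumbprint, fromFile.Thumbprint, StringComparison.OrdinalIgnoreCase))
        {
            Console.WriteLine("MISMATCH: the serial number selects a different certificate than the partner's file");
            return 1;
        }
        if (fromStore.HasPrivateKey)
            Console.WriteLine("Warning: the store entry carries a private key; a partner only needs to hand over its public certificate");
        Console.WriteLine("OK: store entry matches the partner certificate file");
        return 0;
    }
}
```

Run it with `list` first and copy the Serial or Thumbprint value verbatim into the configuration; then run it with the serial number and the partner's .cer file to confirm the identifier resolves to the certificate that actually signed the partner's responses. A subject string is the least precise of the three identifiers, since a renewed certificate usually keeps the same subject.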

[quote]
ComponentSpace - Wednesday, March 16, 2016
An attempt is being made to verify the XML signature on the SAML response from the partner identity provider. However, no certificate has been configured for this partner identity provider.
Are you specifying the certificate in the configuration?
For example:
<PartnerIdentityProvider Name="http://localhost/ExampleIdentityProvider" PartnerCertificateFile="idp.cer"
Or, if the certificate is stored in the Windows certificate store you would instead use PartnerCertificateSerialNumber, PartnerCertificateThumbprint or PartnerCertificateSubject.
Alternatively, have you implemented your own ICertificateManager?
No certificate properties have to match the partner provider name. The ICertificateManager interface includes methods that specify the partner provider name and it's up to the certificate manager to determine how to identify which certificate to return.
[/quote]

When I attempt to add the PartnerCertificateSerialNumber="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" attribute to the PartnerIdentityProvider element in the saml.config file, I get an HttpException with the message "One or more configuration XML schema validation errors occurred."

I have not implemented my own ICertificateManager class. I'm instantiating the CertificateManager class provided by ComponentSpace, setting the LocalCertificate property by retrieving a certificate from the Windows certificate store, calling the AddPartnerCertificate method with a certificate retrieved from the Windows store, and assigning it to SAMLConfiguration.Current.CertificateManager.

Could you go back to specifying the certificate by configuration rather than instantiating the CertificateManager class?
The PartnerCertificateSerialNumber should work.
Please email support@componentspace.com your complete saml.config with the PartnerCertificateSerialNumber specified.
Also, please enable SAML trace and include the log file as an email attachment. This will include more details around the configuration error.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

[quote]
ComponentSpace - Thursday, March 17, 2016
Could you go back to specifying the certificate by configuration rather than instantiating the CertificateManager class?
The PartnerCertificateSerialNumber should work.
Please email support@componentspace.com your complete saml.config with the PartnerCertificateSerialNumber specified.
Also, please enable SAML trace and include the log file as an email attachment. This will include more details around the configuration error.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

I'm still getting the XML validation error. The documentation I have makes no reference to a PartnerCertificateSerialNumber attribute. Is this something that may have been added in a newer release?

My ComponentSpace.SAML2.dll is dated 4/13/2013 with a file version 2.5.0.0. I'm running under .NET 4.5.1

In the version you have PartnerCertificateSerialNumber is named CertificateSerialNumber. We added a Partner prefix in a later version to make the meaning more specific.
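Putting the two ComponentSpace replies together (a certificate reference per partner entry, and the attribute spelling that depends on the release), the saml.config below is an added example for the three-site setup described in this thread; it is not a file from the original post or from ComponentSpace. The attribute names PartnerCertificateFile, PartnerCertificateSerialNumber, PartnerCertificateThumbprint and PartnerCertificateSubject are the ones named in the replies; everything else (the SAMLConfiguration root and namespace, the ServiceProvider/IdentityProvider/PartnerIdentityProviders/PartnerServiceProviders elements, the LocalCertificateFile and LocalCertificatePassword attributes, and all names, file names and identifier values) is an assumption of the example and must be checked against the documentation for the release in use.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not a file from the thread or from ComponentSpace.
     Layout, namespace and local-certificate attributes are assumed; the
     Partner* certificate attributes are the ones named in the replies.
     Site A's configuration: site A is both an SP and an IdP, and sites B
     and C are its partners in both roles. All values are placeholders. -->
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider Name="https://site-a.example/sp"
                   LocalCertificateFile="site-a.pfx"
                   LocalCertificatePassword="changeit" />
  <IdentityProvider Name="https://site-a.example/idp"
                    LocalCertificateFile="site-a.pfx"
                    LocalCertificatePassword="changeit" />

  <!-- Every partner IdP that may send this site a SAML response needs its own
       verification certificate. A PartnerIdentityProvider entry without one of
       the Partner* certificate attributes is what produces the
       "partner X.509 certificate identifier ... hasn't been configured" error
       as soon as that partner's response is verified. -->
  <PartnerIdentityProviders>
    <!-- Site B: public certificate shipped as a .cer file next to saml.config -->
    <PartnerIdentityProvider Name="https://site-b.example/idp"
                             PartnerCertificateFile="site-b.cer" />
    <!-- Site C: certificate installed in the Windows store and referenced by
         serial number (uppercase hex, no separators). On the 2.5.0.0 build the
         attribute is spelled CertificateSerialNumber; later releases use the
         Partner prefix shown here. -->
    <PartnerIdentityProvider Name="https://site-c.example/idp"
                             PartnerCertificateSerialNumber="00A1B2C3D4E5F60718" />
  </PartnerIdentityProviders>

  <!-- The same applies in the other direction: each partner SP whose signed
       requests this site verifies gets its own certificate reference. -->
  <PartnerServiceProviders>
    <PartnerServiceProvider Name="https://site-b.example/sp"
                            PartnerCertificateFile="site-b.cer" />
    <PartnerServiceProvider Name="https://site-c.example/sp"
                            PartnerCertificateThumbprint="0123456789ABCDEF0123456789ABCDEF01234567" />
  </PartnerServiceProviders>
</SAMLConfiguration>
```

Two points a practitioner should check before deploying this: the .cer files and store entries for partners should contain only the partner's public certificate (a .pfx with the private key belongs to the local entries only), and a store-based identifier only works if that certificate is installed in the same store on every machine that runs the site, which a file next to saml.config avoids. Because the schema is validated at load time, an attribute spelled for a different release (PartnerCertificateSerialNumber on 2.5, or CertificateSerialNumber on a later build) is rejected with the "configuration XML schema validation errors" HttpException seen earlier in this thread rather than being ignored.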