SAML Config - Configuration Using Certs in the Cert Store

Hello ComponentSpace,

I am trying to configure an IDP - SP setup using certs that exist in the cert store.

Here’s my IDP SAML.config file:
-----------------------------------------------------------------------------
<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">

  <IdentityProvider Name="urn:componentspace:MyIdentityProvider"
                    LocalCertificateSerialNumber="[IDP_CertSerialNumber]"/>

  <PartnerServiceProviders>
    <PartnerServiceProvider Name="urn:componentspace:MvcExampleServiceProvider"
                            WantAuthnRequestSigned="true"
                            SignSAMLResponse="true"
                            SignAssertion="true"
                            EncryptAssertion="true"
                            AssertionConsumerServiceUrl="http://MySpSite.com/SAML/AssertionConsumerService"
                            SingleLogoutServiceUrl="http://MySpSite.com/SAML/SLOService"
                            CertificateSerialNumber="[SP_CertSerialNumber]"/>
  </PartnerServiceProviders>
</SAMLConfiguration>
---------------------------------------------------------------------------

Here’s my SP SAML.config file:
---------------------------------------------------------------------------
<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">

  <ServiceProvider Name="urn:componentspace:MvcExampleServiceProvider"
                   AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
                   CertificateSerialNumber="[SP_CertSerialNumber]"/>

  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="urn:componentspace:MyIdentityProvider"
                             SignAuthnRequest="true"
                             WantSAMLResponseSigned="true"
                             WantAssertionSigned="true"
                             WantAssertionEncrypted="true"
                             SingleSignOnServiceUrl="http://MyIdpSite.com/SAML/SSOService"
                             SingleLogoutServiceUrl="http://MyIdpSite.com/SAML/SLOService"
                             CertificateSerialNumber="[IDP_CertSerialNumber]"/>
  </PartnerIdentityProviders>
</SAMLConfiguration>
------------------------------------------------------------------------------

With this setup, when I first navigate to the SP, the SP never makes it out to the IDP.

You can see from the logs that it just dies and I get no explanation of what has happened.

Also, I attached a screenshot of the page I end up on.

If I change the SAML configs to use the certs that exist in the web root, i.e. the certs provided by ComponentSpace, I have no issues authenticating through the entire SP - IDP process.

Any help would be appreciated.

Thanks,

Will



Hi Will
I don’t see any issues with your configuration and the log doesn’t show any errors. It doesn’t appear that there have been any calls to the SAML API.
The URL in the browser window (failure.png) is to the page /Account/SingleSignOn?ReturnUrl=%2f.
The ReturnUrl query string parameter indicates this is part of a local login.
Please check that this is the page you expect to end up at if you browse to your SP site and aren’t logged in.
You should also be calling SAMLServiceProvider.InitiateSSO to perform SAML SSO instead of a local login at the SP site.
You’ll see how this is done in the ExampleServiceProvider and MvcExampleServiceProvider projects.
You’re welcome to email us if there’s still an issue and perhaps include the relevant sections of your code.
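As an added illustration (not ComponentSpace's own sample code), here is what the SP side of that advice looks like in an MVC controller: an action that starts SP-initiated SSO with the partner IdP named in the SAML.config above, and an assertion consumer service action matching the configured `~/SAML/AssertionConsumerService` URL. The `ComponentSpace.SAML2` namespace and the `InitiateSSO`/`ReceiveSSO` signatures are assumed from the product's API; the controller and action names are hypothetical.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Security;
using ComponentSpace.SAML2;   // assumed namespace of SAMLServiceProvider

// Hypothetical SP controller; routes resolve to /SAML/<action>, which is
// why the config's AssertionConsumerServiceUrl is ~/SAML/AssertionConsumerService.
public class SAMLController : Controller
{
    // Must match the PartnerIdentityProvider Name attribute in SAML.config exactly.
    private const string PartnerIdP = "urn:componentspace:MyIdentityProvider";

    // Landing on /Account/SingleSignOn?ReturnUrl=%2f is the local-login path.
    // SP-initiated SAML SSO instead sends an AuthnRequest to the IdP's
    // SingleSignOnServiceUrl; the return URL rides along as RelayState.
    public ActionResult InitiateSingleSignOn(string returnUrl)
    {
        // Only carry a local path as RelayState so the post-login redirect
        // cannot be steered to another site.
        string relayState = Url.IsLocalUrl(returnUrl) ? returnUrl : "~/";

        // Assumed signature: InitiateSSO(HttpResponse, relayState, partnerIdP).
        // It writes the redirect (or auto-posting form) to the response itself.
        SAMLServiceProvider.InitiateSSO(Response, relayState, PartnerIdP);
        return new EmptyResult();
    }

    // The IdP posts the signed (and here encrypted) SAML response back to this action.
    [HttpPost]
    public ActionResult AssertionConsumerService()
    {
        bool isInResponseTo;
        string partnerIdP, authnContext, userName, relayState;
        IDictionary<string, string> attributes;

        // Assumed signature. Signature verification uses the partner certificate
        // and decryption uses the local private key, both resolved from SAML.config.
        SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP,
            out authnContext, out userName, out attributes, out relayState);

        // Reject a response from any IdP other than the one we initiated SSO with.
        if (partnerIdP != PartnerIdP)
            return new HttpUnauthorizedResult();

        // Sign the user in locally using the asserted identity, then return to
        // the local RelayState target (default to the site root otherwise).
        FormsAuthentication.SetAuthCookie(userName, false);
        return Redirect(Url.IsLocalUrl(relayState) ? relayState : "~/");
    }
}
```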

[quote]
ComponentSpace - Tuesday, April 19, 2016
Hi Will
I don't see any issues with your configuration and the log doesn't show any errors. It doesn't appear that there have been any calls to the SAML API.
The URL in the browser window (failure.png) is to the page /Account/SingleSignOn?ReturnUrl=%2f.
The ReturnUrl query string parameter indicates this is part of a local login.
Please check that this is the page you expect to end up at if you browse to your SP site and aren't logged in.
You should also be calling SAMLServiceProvider.InitiateSSO to perform SAML SSO instead of a local login at the SP site.
You'll see how this is done in the ExampleServiceProvider and MvcExampleServiceProvider projects.
You're welcome to email us if there's still an issue and perhaps include the relevant sections of your code.
[/quote]

Hi ComponentSpace,

Is it possible there is something wrong with the Certs in the store that I am using? They are X.509 certs.

A little more background for you all to know.

The SP-website and IDP-website I am using are both on the same web server and both certs for the two sites are in that web server's Certificate Store.

The code I am using for the ServiceProvider is straight from the MvcExampleServiceProvider from ComponentSpace.

Thanks,

Will

I don’t think this is an issue with the certificates. From the log file I can see the certificates have been loaded successfully.
I think the issue lies with the code somehow. You’re welcome to email us the section of code where you call SAMLServiceProvider.InitiateSSO. Also include the full SAML log file as an email attachment.

[quote]
ComponentSpace - Wednesday, April 20, 2016
I don't think this is an issue with the certificates. From the log file I can see the certificates have been loaded successfully.
I think the issue lies with the code somehow. You're welcome to email us the section of code where you call SAMLServiceProvider.InitiateSSO. Also include the full SAML log file as an email attachment.
[/quote]

Hi ComponentSpace,

Would it matter if the certificates I have installed are using SHA1 rather than SHA256?

Hi again ComponentSpace,

So, I took the certificates out of the Windows Certificate Store and placed them into the root of the website for both the SP-website and IDP-website, just like in the MvcExample you have provided. And this worked for me, which signals to me that the certs work just fine.

Perhaps there is something wrong with how we have the certs stored in the Certificate Store?

Thanks,

Will

The SHA1 or SHA256 you see listed in the certificate’s properties refers to the algorithm used by the issuer to sign the certificate. Most certificates these days are signed using SHA256. Older certificates use SHA1.
Regardless, this doesn’t affect the use of the certificate.
Could you please enable SAML trace and send the generated log file as an email attachment to our support email address?
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Please mention this forum post.