SAML SSO Integration using Trial version in ASP.NET Core Application

Hello,

We have downloaded the trial version of the ComponentSpace NuGet package to use SAML as an SP in our ASP.NET Core web application.
Our client is ready to purchase the component if the POC works as expected.
For this, we are using PingOne as the Identity Provider and we created a SAML application in PingOne.
I have added all the SAML SP configuration in my startup.cs file, but when I try to execute the method _samlServiceProvider.InitiateSsoAsync("https://PingOneSSo", null, null); I get the following error:

The X.509 certificate with subject name CN=9af0b084442c4ae495f0e7627c90c047, O=Ping Identity, L=Denver, S=CO, C=US and serial number 016BE5003B15 doesn’t have a private key.

To resolve this issue, we tried to add the .pfx file instead of the .cer, but no luck.

Can you please guide us to resolve this? Also, it would be great if you could give us some sample code in ASP.NET Core for PingOne.

Thanks,

To sign the SAML authn request sent to the IdP requires a private key (e.g. a PFX file).
What error did you get when you configured a PFX file?
The ExampleServiceProvider project we ship works with all compliant SAML identity providers, including PingOne.
Typically it’s just a matter of updating the SAML configuration in appsettings.json.
Please refer to our PingOne Integration Guide which describes SSO between the ExampleServiceProvider and PingOne.
https://www.componentspace.com/Forums/8263/PingOne-Integration-Guide
If you’d like us to take a look at the SAML log file, please email it as a file attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

[quote]
ComponentSpace - 7/16/2019
To sign the SAML authn request sent to the IdP requires a private key (e.g. a PFX file).
What error did you get when you configured a PFX file?
The ExampleServiceProvider project we ship works with all compliant SAML identity providers, including PingOne.
Typically it's just a matter of updating the SAML configuration in appsettings.json.
Please refer to our PingOne Integration Guide which describes SSO between the ExampleServiceProvider and PingOne.
https://www.componentspace.com/Forums/8263/PingOne-Integration-Guide
If you'd like us to take a look at the SAML log file, please email it as a file attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
[/quote]

Thank you for the quick response.
I already followed all the steps as per the PingOne Integration Guide.
Regarding certificates, I have created a SAML app in PingOne. After the app was created successfully, I downloaded the certificate (which is a .crt) from the application information. Please refer to the screenshot: Pingone_SAML_App.png
But this downloaded certificate file itself does not contain a private key.

As per your configuration guide, I have configured the SAML SP programmatically as follows:

private void ConfigureSaml(SamlConfigurations samlConfigurations)
{
    samlConfigurations.Configurations = new List<SamlConfiguration>()
    {
        new SamlConfiguration()
        {
            LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
            {
                Name = "https://ExampleServiceProvider",
                Description = "Example Service Provider",
                AssertionConsumerServiceUrl = "https://localhost:44360/SAML/AssertionConsumerService",
                // The SP's own signing certificate (public + private key).
                LocalCertificates = new List<Certificate>()
                {
                    new Certificate()
                    {
                        FileName = "certificates/sp.pfx",
                        Password = "password"
                    }
                }
            },
            PartnerIdentityProviderConfigurations = new List<PartnerIdentityProviderConfiguration>()
            {
                new PartnerIdentityProviderConfiguration()
                {
                    Name = "https://ExampleIdentityProvider",
                    Description = "Example Identity Provider",
                    SignAuthnRequest = true,
                    SingleSignOnServiceUrl = "https://localhost:44313/SAML/SingleSignOnService",
                    SingleLogoutServiceUrl = "https://localhost:44313/SAML/SingleLogoutService",
                    // The IdP's certificate (public key only), used to verify its signatures.
                    PartnerCertificates = new List<Certificate>()
                    {
                        new Certificate()
                        {
                            FileName = "certificates/idp.cer"
                        }
                    }
                }
            }
        }
    };
}

I only have the .crt file, which does not have a private key.
Can you please guide me on how to get the .pfx file and .cer file from the PingOne SAML app?

I have converted the .crt file to a .pfx file using OpenSSL and referenced those files in the code, but it is still throwing the error: The X.509 certificate with subject name CN=9af0b084442c4ae495f0e7627c90c047, O=Ping Identity, L=Denver, S=CO, C=US and serial number 016BE5003B15 doesn't have a private key.


Thanks,
Sheetal

The certificate from PingOne contains the public key only. Certificates with private keys are never supplied by the partner site/organization. They always originate from your site/organization.
The certificate from PingOne should be configured as the PartnerCertificate in the PartnerIdentityProviderConfiguration.
PingOne doesn’t expect the SAML authn request to be signed so set SignAuthnRequest to false.
This means you don’t have to configure a LocalCertificate in the LocalServiceProviderConfiguration.
I recommend using the configuration we include in the PingOne Integration Guide as a starting point. In particular, take a look at the PartnerIdentityProviderConfiguration.
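As an added illustration of the point above (this is not code from the thread, from the ComponentSpace samples or from the PingOne guide), here is what the SP-side configuration looks like with the PingOne certificate used only as a PartnerCertificate and no LocalCertificates, together with a small start-up check that fails fast if a certificate file is used for the wrong role. The configuration classes and property names are the ones already used in this thread; the namespace, the `CheckPartnerCertificate` helper, the file paths and the placeholder SingleSignOnServiceUrl are assumptions, and the check uses only `System.Security.Cryptography.X509Certificates` from the .NET base class library.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using ComponentSpace.Saml2.Configuration; // assumed namespace for SamlConfigurations etc.

public static class SamlStartupConfig
{
    // Assumed path; idp.cer is the public-key-only certificate downloaded from the PingOne app.
    private const string PartnerCertificateFile = "certificates/idp.cer";

    public static void ConfigureSaml(SamlConfigurations samlConfigurations)
    {
        CheckPartnerCertificate(PartnerCertificateFile);

        samlConfigurations.Configurations = new List<SamlConfiguration>
        {
            new SamlConfiguration
            {
                LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration
                {
                    Name = "https://ExampleServiceProvider",
                    Description = "Example Service Provider",
                    AssertionConsumerServiceUrl = "https://localhost:44360/SAML/AssertionConsumerService"
                    // No LocalCertificates: PingOne does not expect a signed authn request,
                    // so the SP needs no private key for this flow.
                },
                PartnerIdentityProviderConfigurations = new List<PartnerIdentityProviderConfiguration>
                {
                    new PartnerIdentityProviderConfiguration
                    {
                        Name = "https://PingOneSSo",       // must match the name passed to InitiateSsoAsync
                        Description = "PingOne",
                        SignAuthnRequest = false,           // PingOne does not require a signed request
                        // Placeholder: copy the real SSO URL from the PingOne application details.
                        SingleSignOnServiceUrl = "https://PLACEHOLDER.pingone.example/sso",
                        PartnerCertificates = new List<Certificate>
                        {
                            // The IdP's signing certificate: used to VERIFY SAML responses, never to sign.
                            new Certificate { FileName = PartnerCertificateFile }
                        }
                    }
                }
            }
        };
    }

    // Fail fast with a specific message instead of discovering a wrong certificate at first login.
    private static void CheckPartnerCertificate(string fileName)
    {
        if (!File.Exists(fileName))
        {
            throw new FileNotFoundException("Partner certificate not found: " + fileName);
        }

        // Loads DER or PEM (.cer/.crt); a PFX would also load but is the wrong artifact here.
        using (var cert = new X509Certificate2(fileName))
        {
            // A partner (IdP) certificate must carry only the public key. If a private key is
            // present, the IdP's signing key has been copied into the SP and should be treated
            // as compromised rather than used.
            if (cert.HasPrivateKey)
            {
                throw new InvalidOperationException(
                    fileName + " contains a private key; a partner certificate must be public-key only.");
            }

            var now = DateTime.UtcNow;
            if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            {
                throw new InvalidOperationException(
                    fileName + " (" + cert.Subject + ") is outside its validity period; signature checks on SAML responses will fail.");
            }
        }
    }
}
```

The same HasPrivateKey property is the quickest way to see why the original error appeared: a .crt converted to .pfx with OpenSSL without the matching private key still reports HasPrivateKey == false, so configuring it as a LocalCertificate cannot make the SP able to sign.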

[quote]
ComponentSpace - 7/17/2019
The certificate from PingOne contains the public key only. Certificates with private keys are never supplied by the partner site/organization. They always originate from your site/organization.
The certificate from PingOne should be configured as the PartnerCertificate in the PartnerIdentityProviderConfiguration.
PingOne doesn't expect the SAML authn request to be signed so set SignAuthnRequest to false.
This means you don't have to configure a LocalCertificate in the LocalServiceProviderConfiguration.
I recommend using the configuration we include in the PingOne Integration Guide as a starting point. In particular, take a look at the PartnerIdentityProviderConfiguration.
[/quote]

Thanks for the reply.
I configured the same and now I can see the PingOne login page. After login, control should return to my application through the ACS URL: https://localhost:44360/SAML/AssertionConsumerService. But it says page not found. It is looking for the controller SAML and the action AssertionConsumerService. I just want to confirm whether the trial version provides this controller.
I searched your documents but I didn't find the controller documentation. Can you please help me to find it?


Yes, the trial version is fully functional.
The AssertionConsumerServiceUrl specified in the LocalServiceProviderConfiguration is included in the SAML authn request sent to the IdP.
The SAML response should be sent to this URL although some IdPs ignore this and simply use the URL they have configured for the SP.
Have you checked that the assertion consumer service URL configured in PingOne is correct?
What is the URL of the page that’s not found?

[quote]
ComponentSpace - 7/17/2019
Yes, the trial version is fully functional.
The AssertionConsumerServiceUrl specified in the LocalServiceProviderConfiguration is included in the SAML authn request sent to the IdP.
The SAML response should be sent to this URL although some IdPs ignore this and simply use the URL they have configured for the SP.
Have you checked that the assertion consumer service URL configured in PingOne is correct?
What is the URL of the page that's not found?
[/quote]

Hello
I tried to use SAML as SP but it showed me an error on the login page, so I configured SAML as IdP.
Please refer to the screenshot PingOneSaml_configuration.png. I entered the ACS URL, which is the same as configured in the PartnerServiceProviderConfigurations section:

PartnerServiceProviderConfigurations = new List<PartnerServiceProviderConfiguration>()
{
    new PartnerServiceProviderConfiguration()
    {
        Name = "https://PingOneSSo",
        Description = "PingOne",
        WantAuthnRequestSigned = false,
        SignSamlResponse = false,
        AssertionConsumerServiceUrl = "https://localhost:44314/SAML/AssertionConsumerService",
        SingleLogoutServiceUrl = "https://localhost:44314/SAML/SLOService",
        PartnerCertificates = new List<Certificate>()
        {
            new Certificate()
            {
                FileName = "certificates\\localhost.pfx"
            }
        }
    }
};
In my application, I am calling await _samlIdentityProvider.InitiateSsoAsync("https://PingOneSSo", null, null, null, null); to initiate PingOne SSO.
I get the PingOne login screen after this call, but after a successful login I get page not found. Please refer to the screenshot WebApplication.png.
Please give us some guidance.


Also, one more query: after logging in with an admin user, I need to get all users from PingOne into my application. Can we sync users with the ComponentSpace NuGet package?
If so, where can I find the API document for the same?


Thanks,
sheetal

PingOne is the IdP. Your application is the SP. I don’t understand why you configured PingOne as a partner SP. Your configuration should be similar to that of our ExampleServiceProvider as described in the PingOne Integration Guide.
In PingOne you've configured the assertion consumer service URL of the SP as "https://localhost:44314/SAML/AssertionConsumerService".
Is your application configured to run at "https://localhost:44314"?
Can you browse to "https://localhost:44314"?
Can you browse to "https://localhost:44314/SAML/AssertionConsumerService"?
If you get a 404 error, you need to ensure you have a SAML controller with an AssertionConsumerService endpoint as demonstrated by our ExampleServiceProvider.
If you get a 500 error, that’s good as it means your AssertionConsumerService endpoint exists but the HTTP Get cannot be processed. This makes sense as we expect an HTTP Post with a SAML response.
The SAML specification doesn’t support the bulk provisioning of users. You should look at other options that may be available with PingOne.

[quote]
ComponentSpace - 7/19/2019
PingOne is the IdP. Your application is the SP. I don't understand why you configured PingOne as a partner SP. Your configuration should be similar to that of our ExampleServiceProvider as described in the PingOne Integration Guide.
In PingOne you've configured the assertion consumer service URL of the SP as "https://localhost:44314/SAML/AssertionConsumerService".
Is your application configured to run at "https://localhost:44314"?
Can you browse to "https://localhost:44314"?
Can you browse to "https://localhost:44314/SAML/AssertionConsumerService"?
If you get a 404 error, you need to ensure you have a SAML controller with an AssertionConsumerService endpoint as demonstrated by our ExampleServiceProvider.
If you get a 500 error, that's good as it means your AssertionConsumerService endpoint exists but the HTTP Get cannot be processed. This makes sense as we expect an HTTP Post with a SAML response.
The SAML specification doesn't support the bulk provisioning of users. You should look at other options that may be available with PingOne.
[/quote]

Hi,
I resolved the issue for PingOne as SP. Also, I have written a controller (SAMLController) in my code with an AssertionConsumerService method in it. But I am unable to find the code for this method in your guide. Can you please provide me the code for this method? Actually, I want the SAML assertion XML after login is successful.

Thanks,
Sheetal

Please take a look at the ExampleServiceProvider project. This includes a SAMLController with an AssertionConsumerService method.
This method calls ISamlServiceProvider.ReceiveSsoAsync to receive and process the SAML response and assertion.
It returns the user identity information extracted from the SAML assertion and you may use this information to perform an automatic login of the user.
The ExampleServiceProvider is described in the Examples Guide.
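The following is an added example, not the ExampleServiceProvider code or anything posted in this thread, of the SAMLController the thread keeps referring to: an InitiateSingleSignOn action that starts SP-initiated SSO and the POST-only AssertionConsumerService endpoint at the ACS URL registered in PingOne, which calls ReceiveSsoAsync and signs the user in with cookie authentication. It assumes the ComponentSpace.Saml2 namespace, that ReceiveSsoAsync returns a result exposing UserID, PartnerName, RelayState and Attributes (each with a Name and a ToString() giving its value), and that cookie authentication is registered in Startup. It does not show how to obtain the raw assertion XML, which this thread does not cover.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using ComponentSpace.Saml2; // assumed namespace for ISamlServiceProvider and the SSO result

[Route("SAML")]
public class SAMLController : Controller
{
    private const string PartnerIdpName = "https://PingOneSSo"; // PartnerIdentityProviderConfiguration.Name

    private readonly ISamlServiceProvider _samlServiceProvider;

    public SAMLController(ISamlServiceProvider samlServiceProvider)
    {
        _samlServiceProvider = samlServiceProvider;
    }

    // GET /SAML/InitiateSingleSignOn?returnUrl=/orders
    // Sends the SAML authn request to the partner IdP. RelayState carries the return URL;
    // it is restricted to a local path here so it cannot later be used as an open redirect.
    [HttpGet("InitiateSingleSignOn")]
    public async Task<IActionResult> InitiateSingleSignOn(string returnUrl = null)
    {
        var relayState = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        await _samlServiceProvider.InitiateSsoAsync(PartnerIdpName, relayState);
        return new EmptyResult(); // the library has already written the redirect to the response
    }

    // POST https://localhost:44360/SAML/AssertionConsumerService -- the ACS URL registered in PingOne.
    // POST only: the IdP delivers the SAML response with the HTTP-POST binding. A browser GET now
    // gets 405 Method Not Allowed instead of a server error, which still proves the route exists.
    [HttpPost("AssertionConsumerService")]
    public async Task<IActionResult> AssertionConsumerService()
    {
        // Validates the response and assertion (signature against the PartnerCertificate,
        // destination, audience, validity window) and returns the identity the IdP asserted.
        var ssoResult = await _samlServiceProvider.ReceiveSsoAsync();

        if (string.IsNullOrEmpty(ssoResult.UserID))
        {
            // A valid assertion with no subject identifier cannot be mapped to a local user.
            return BadRequest("SAML assertion did not carry a subject NameID.");
        }

        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, ssoResult.UserID),
            // Record which IdP asserted the identity so authorization can differ per partner.
            new Claim("saml:partner", ssoResult.PartnerName ?? string.Empty)
        };

        foreach (var attribute in ssoResult.Attributes)
        {
            // Attribute names are kept as issued; the application decides which ones it trusts.
            claims.Add(new Claim(attribute.Name, attribute.ToString()));
        }

        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity));

        // RelayState round-trips from InitiateSsoAsync but arrives from the browser, so it is
        // re-checked here rather than trusted.
        var returnUrl = Url.IsLocalUrl(ssoResult.RelayState) ? ssoResult.RelayState : "/";
        return LocalRedirect(returnUrl);
    }
}
```

With this controller in place, the "page not found" reported earlier in the thread goes away because the route SAML/AssertionConsumerService now exists, and the login decision is made only from the identity the library returns after validating the assertion, never from anything read directly out of the POSTed form.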