SP initiated SSO & Load balanced IP - There is no pending service provider authentication request

I am utilizing the provided SSOService code example to handle SP-initiated SSO for an ASP.NET SSO. The SSO request comes into the example's SSOService action on the controller. In the sample code the ssoPending flag is set based on the value of Session[ssoPendingKey], which is initially false. That is OK and makes sense. Since the user has not logged into the identity provider (my application) yet, User.Identity.IsAuthenticated is also false, so the example code issues:
// Receive the authn request from the service provider (SP-initiated SSO).
string partnerSP;
SAMLIdentityProvider.ReceiveSSO(Request, out partnerSP);


What is this ReceiveSSO doing exactly, and does it rely on session state? I ask because the next section of code, for when User.Identity.IsAuthenticated is false, redirects to our application's login page to allow a user to enter their authentication credentials. However, the act of logging into our application permits the user's POST on logon to renegotiate with our web server load balancer (we do this by design to achieve more balanced traffic across our web servers, since our users tend to leave their browser open all day and re-login to the application multiple times during a day). So while the login page may be presented on web server 1, after logging in the user's traffic may be on web server 2 or 3, etc.

I have worked around the example code's dependency on Session[ssoPendingKey], but there appear to be additional state dependencies. When the code returns to SSOService for its second pass, this time with the user authenticated, the example code bypasses SAMLIdentityProvider.ReceiveSSO(Request, out partnerSP) and then issues SAMLIdentityProvider.SendSSO(Response, userName, attributes) after assembling the attributes dictionary. However, I am getting an error raised from ComponentSpace SAML that says "There is no pending service provider authentication request". What could be occurring with this use case to generate this exception? Is there a session state or cookie-based dependency between the first entry to SSOService's ReceiveSSO and the later SendSSO method? If so, what is that dependency, so we can work around our application's load balancer scenario?

One more item: we do have successful SP-initiated SSO working. The above scenario occurs only occasionally, so I am sure that the configuration for SSO with our application being the IP is set up correctly, since it does work most of the time.

By default we maintain SAML SSO session state in the ASP.NET session.
The call to SAMLIdentityProvider.ReceiveSSO receives and processes a SAML authn request from a service provider as part of SP-initiated SSO.
We save information in the SSO session to correctly support the SAML SSO protocol.
For example, the authn request ID is saved so that we can set the InResponseTo field in the SAML response that’s returned to the SP.
SAMLIdentityProvider.SendSSO sends the SAML response and expects information such as the authn request ID to be stored in the SAML SSO session.
If it’s not then you get the exception you are seeing.
Typical ways to support web farms include storing ASP.NET sessions centrally (e.g. in a SQL database) or using sticky sessions.
You also have the option of creating a custom SSO session store that supports your scenario.
This requires you to implement the ComponentSpace.SAML2.Data.ISSOSessionStore interface.
You’ll find an example of this in our Developer Guide PDF.

[quote]
ComponentSpace - 1/23/2017
By default we maintain SAML SSO session state in the ASP.NET session.
The call to SAMLIdentityProvider.ReceiveSSO receives and processes a SAML authn request from a service provider as part of SP-initiated SSO.
We save information in the SSO session to correctly support the SAML SSO protocol.
For example, the authn request ID is saved so that we can set the InResponseTo field in the SAML response that's returned to the SP.
SAMLIdentityProvider.SendSSO sends the SAML response and expects information such as the authn request ID to be stored in the SAML SSO session.
If it's not then you get the exception you are seeing.
Typical ways to support web farms include storing ASP.NET sessions centrally (e.g. in a SQL database) or using sticky sessions.
You also have the option of creating a custom SSO session store that supports your scenario.
This requires you to implement the ComponentSpace.SAML2.Data.ISSOSessionStore interface.
You'll find an example of this in our Developer Guide PDF.
[/quote]

Thank you

You’re welcome.
If you need further assistance, please let us know either through the forum or our support email.

[quote]
ComponentSpace - 1/24/2017
You're welcome.
If you need further assistance, please let us know either through the forum or our support email.
[/quote]

Hi,

I am new to using the ComponentSpace API. I have a somewhat similar situation and am getting the same error. I am not sure about your comment about passing the authentication ID.

I am working on an SP-initiated SSO scenario. My objective is to show a web page (from a response attribute) inside an iframe, whether that response attribute is the login page or something else. So I am playing around with ComponentSpace's MvcExampleServiceProvider and MvcExampleIdentityProvider examples.

Steps
1) SP initiates the SSO through InitiateSSO from MvcExampleServiceProvider's AccountController
2) IDP's SSO Service receives the Authentication Request (through IDP.ReceiveSSO), checks ssoPending (false the first time) and calls IDP.SendSSO(response, username, attributes), with one of the attributes being the login page URL (http://localhost/MvcExampleIdentityProvider/Account/Login)
3) SP's AssertionConsumerService calls ReceiveSSO, retrieves the attributes and refreshes the src element of the iframe. This works correctly, showing the login screen inside the iframe.
4) User logs in and the Login Response and other details are displayed
5) Now, when the user clicks the 'Get IDP Page2' option in the UI on the service provider, the SP's InitiateSSO is called again (same code as step 1)
6) IDP's SSO Service checks ssoPending, sets the attribute to Page2 and then calls SendSSO passing this attribute.

My intention is to use the attribute sent through SendSSO, so that the SP gets it through the AssertionConsumerService in ReceiveSSO as in step 3, and the same iframe should then display Page2.

But I get an exception on calling SendSSO: "There is no pending service provider authentication request".

Let me know if you need a copy of the modified high-level API projects that I am working on.

-Chandresh
If it helps Chandresh, I was able to resolve the issue when using multiple web servers by putting the session state into an external provider, either the database or something like a Redis-based state manager. This alleviated the issue with the handshake starting on web server 1 and then the second call happening on web server 2, where it needs to read the session details that were stored by ComponentSpace's DLL during the first call.

Thanks, pneborg. I am not using multiple servers. I am just playing around with the ComponentSpace samples (highlevelapi-mvc) on localhost. The original code of both SP and IDP works fine when clicking on Login from the Service Provider UI a second or third time.
Correction: please ignore this request. It is working fine. I called ReceiveSSO in step 6 before calling SendSSO.

Let me know if there are still any issues. Thanks.
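Both failures in this thread, the load-balanced IdP in the original question and the SendSSO-without-ReceiveSSO sequence in the steps above, come down to the same pending-request state that ReceiveSSO saves and SendSSO consumes. The following is an added example, not ComponentSpace's code: a small Python model of that state, run once with a separate in-process store per web server, once with a store shared by all servers, and once with SendSSO called before any ReceiveSSO. It also shows why the SP keeps the request ID: the InResponseTo check rejects a response that does not answer a request it actually sent. All class and function names (SsoSessionStore, IdentityProviderNode, run_flow, ...), the URLs and the cookie value are constructed for the illustration.

```python
"""Added example (not ComponentSpace code): a model of the IdP-side state that
ReceiveSSO saves and SendSSO consumes. Names here are hypothetical."""

import secrets
from dataclasses import dataclass


class NoPendingRequest(Exception):
    """Models 'There is no pending service provider authentication request'."""


class SsoSessionStore:
    """Pending-request state keyed by the browser's session cookie.

    One instance per web server models in-process ASP.NET session state;
    a single instance handed to every server models a central store
    (SQL Server / Redis session state, or a custom ISSOSessionStore).
    """

    def __init__(self):
        self._pending = {}

    def load(self, session_id):
        return self._pending.get(session_id)

    def save(self, session_id, pending):
        self._pending[session_id] = pending

    def delete(self, session_id):
        self._pending.pop(session_id, None)


@dataclass(frozen=True)
class PendingAuthnRequest:
    request_id: str   # copied into the response's InResponseTo
    partner_sp: str   # Issuer of the authn request
    acs_url: str      # where the response must be posted


class IdentityProviderNode:
    """One IdP web server behind the load balancer."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def receive_sso(self, session_id, authn_request):
        """Like ReceiveSSO: remember the request so SendSSO can answer it."""
        pending = PendingAuthnRequest(authn_request["ID"], authn_request["Issuer"],
                                      authn_request["AssertionConsumerServiceURL"])
        self.store.save(session_id, pending)
        return pending.partner_sp

    def send_sso(self, session_id, user_name, attributes):
        """Like SendSSO: needs the saved request to fill InResponseTo and Destination."""
        pending = self.store.load(session_id)
        if pending is None:
            raise NoPendingRequest("There is no pending service provider authentication request")
        self.store.delete(session_id)  # a request is answered at most once
        return {"InResponseTo": pending.request_id, "Destination": pending.acs_url,
                "Audience": pending.partner_sp, "NameID": user_name,
                "Attributes": dict(attributes)}


class ServiceProvider:
    """Minimal SP: issues authn requests and checks InResponseTo on the way back."""

    def __init__(self, entity_id, acs_url):
        self.entity_id = entity_id
        self.acs_url = acs_url
        self._outstanding = {}  # SP session -> request ID it is waiting for

    def initiate_sso(self, sp_session):
        request_id = "_" + secrets.token_hex(16)  # SAML IDs start with a letter or underscore
        self._outstanding[sp_session] = request_id
        return {"ID": request_id, "Issuer": self.entity_id,
                "AssertionConsumerServiceURL": self.acs_url}

    def receive_sso(self, sp_session, response):
        expected = self._outstanding.pop(sp_session, None)  # consumed once, so a replay fails
        if expected is None or response["InResponseTo"] != expected:
            raise ValueError("response does not answer an outstanding authn request")
        if response["Audience"] != self.entity_id or response["Destination"] != self.acs_url:
            raise ValueError("response was not issued for this SP")
        return response["NameID"], response["Attributes"]


def run_flow(login_node_store, post_login_node_store):
    """ReceiveSSO lands on web1, the user logs in, the next request lands on web2."""
    sp = ServiceProvider("https://sp.example/metadata",
                         "https://sp.example/SAML/AssertionConsumerService")
    web1 = IdentityProviderNode("web1", login_node_store)
    web2 = IdentityProviderNode("web2", post_login_node_store)
    browser_session = "ASP.NET_SessionId=c0ffee"       # constructed cookie value
    authn_request = sp.initiate_sso("sp-sess-1")
    web1.receive_sso(browser_session, authn_request)   # first pass, user not yet authenticated
    response = web2.send_sso(browser_session, "alice", {"email": "alice@example.com"})
    return sp.receive_sso("sp-sess-1", response)


def outcome(login_node_store, post_login_node_store):
    try:
        name, _attrs = run_flow(login_node_store, post_login_node_store)
        return "sso ok for " + name
    except NoPendingRequest:
        return "no pending request"


def send_without_receive():
    """The single-server case: SendSSO called without a preceding ReceiveSSO."""
    node = IdentityProviderNode("web1", SsoSessionStore())
    try:
        node.send_sso("ASP.NET_SessionId=c0ffee", "alice", {})
        return "sso ok"
    except NoPendingRequest:
        return "no pending request"


if __name__ == "__main__":
    print(outcome(SsoSessionStore(), SsoSessionStore()))  # per-server sessions: no pending request
    shared = SsoSessionStore()
    print(outcome(shared, shared))                         # central store: sso ok for alice
    print(send_without_receive())                          # no pending request
```

In ASP.NET the shared store corresponds to `<sessionState mode="SQLServer" ...>` or `mode="StateServer"` in web.config (or sticky sessions at the balancer, so that the second request reaches the node holding the state), or to the custom ISSOSessionStore the reply mentions. The SP side pops the outstanding request ID when it consumes a response, so posting the same response a second time is rejected; that is the protective purpose of the request ID the IdP has to carry between the two calls.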

I just came across this (as well as anti-forgery request errors) and found out it was Chrome (probably because of some extension). When I tried using Firefox or Chrome Incognito mode, it worked as expected. Hopefully this saves someone some time.

Thanks for the information.