The partner identity provider is not configured.

Hi,

I'm loading/configuring an IdP via a database, and loading it dynamically.

My code is essentially:

var idp = SQM.DAL.SamlIdentityProvider.GetForDomain(Domain); // get the SAML IdP record for this domain
SAMLConfiguration samlConfiguration = new SAMLConfiguration();
var url = Request.Url.ToString().ToLower();

// Use the scheme + host the user browsed to as the local SP entity ID
string entityId = Request.Url.AbsoluteUri.Substring(0, Request.Url.AbsoluteUri.IndexOf(Request.Url.PathAndQuery)).ToLower();

samlConfiguration.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
{
    Name = entityId,
    Description = "My Service Provider",
    AssertionConsumerServiceUrl = entityId + "/ssoacs",
};

var pipc = new PartnerIdentityProviderConfiguration()
{
    Description = idp.Name,
    Name = idp.EntityId,
    SingleSignOnServiceUrl = idp.SingleSignOnServiceUrl,
    OverridePendingAuthnRequest = true
};

if (idp.UsePartnerCertificate && idp.PartnerCertificate != null)
{
    // Write the partner certificate stored in the database to a file once, named by its checksum
    string cerPath = Server.MapPath(@"temp\certificates");
    if (System.IO.Directory.Exists(cerPath) == false)
        System.IO.Directory.CreateDirectory(cerPath);
    string cerFile = System.IO.Path.Combine(cerPath, idp.Id + "_" + CleanFileName(idp.PartnerCertificateChecksum));
    if (System.IO.File.Exists(cerFile) == false)
        System.IO.File.WriteAllBytes(cerFile, idp.PartnerCertificate);
    pipc.PartnerCertificateFile = cerFile;
}

samlConfiguration.AddPartnerIdentityProvider(pipc);

// Replace the static configuration, then start SP-initiated SSO with this IdP
SAMLController.Configuration = samlConfiguration;

SAMLServiceProvider.InitiateSSO(HttpContext.Current.Response, null, idp.EntityId);



This works 99% of the time, but during some testing, we started getting the error:
The partner identity provider [providername] is not configured.
In Visual Studio, I commented out the cert code, ran it again, and it worked; uncommented the code, and it also ran fine (I thought it may be an issue with the cert file permissions or something). But no, it worked fine with no code changes; just sometimes it says it cannot find it.

We're about to ship this product, and well, this has thrown a spanner in the works. What am I doing wrong/missing?

Thanks
John

Hi John
I don’t see any obvious issues with the code.
Are there multiple simultaneous SSO requests when this issue occurs?
I’m wondering if there’s some sort of timing issue.
To debug this, I suggest logging the SAMLController.Configuration and specifically the partner identity provider names.
You could do this immediately after setting SAMLController.Configuration and also when you catch the exception.
Let me know what you find.

[quote]
ComponentSpace - 10/19/2017
Hi John
I don't see any obvious issues with the code.
Are there multiple simultaneous SSO requests when this issue occurs?
I'm wondering if there's some sort of timing issue.
To debug this, I suggest logging the SAMLController.Configuration and specifically the partner identity provider names.
You could do this immediately after setting SAMLController.Configuration and also when you catch the exception.
Let me know what you find.
[/quote]

No, there's not; currently QA are just testing this individually on VMs, and my testing has just been a single SAML request as well.

However, in the field, when we ship, it is very likely to have multiple at the same time (or in a small time period). Could this be an issue?

It shouldn’t be. I was just trying to think of scenarios that would cause this to fail very occasionally.
If you’re loading the SAML configuration each time before calling SAMLServiceProvider.InitiateSSO etc then there should always be SAML configuration.
If the information in the database isn’t changing then the SAML configuration being loaded should always be the same and the specified partner identity provider should exist.
If you updated the database (eg removed a partner identity provider) this may affect an existing request being processed for that identity provider.
However, on-the-fly updates are more likely to be adding new partner identity providers or perhaps updating the certificate for an existing partner identity provider.

Update.

We were using an unlicensed dll version 2.8.3.0 and had no issues at all. We just purchased a license and upgraded to 2.8.5.0 and now the issue is easily reproducible.
The first IDP we configure is fine, but when we reach this bit of a code a second time the issue always appears.

I had thought about loading all IdPs in one go and just refreshing these when they change, but the way our product works is the user can be browsing to the site via any number of URLs (we allow customers to have custom domains, so in theory hundreds of domains).
So we don't know what the AssertionConsumerServiceUrl or the Name/entityId will be until we get the request (we use the address they enter as those details). It's up to the customer to configure their IdP to use the URL they tell their users to use.

Since this is a static configuration, would I need to put a mutex/lock around this piece of code?

SAMLController.Configuration = samlConfiguration;
SAMLServiceProvider.InitiateSSO(HttpContext.Current.Response, null, idp.EntityId);


Does the ssoacs callback:

SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);

need the SAMLController.Configuration set? (Since I won't be able to keep the lock around all that.)
If it does and needs to match, I could build a list whenever a user logs in, and if the URL is different and/or the IdP isn't in the list, add it to my list and update the SAMLController.Configuration with the new list of however many IdPs are configured.


However all of these changes do not address the issue I’m having with the 2.8.5.0 build.

I'm not sure why you're seeing this issue in 2.8.5. There are no obvious differences between 2.8.3 and 2.8.5 that would cause this.
We don’t recommend using a mutex or lock for performance reasons.
SAMLServiceProvider.ReceiveSSO definitely requires the SAML configuration. It will use the issuer field in the SAML response to lookup the corresponding partner identity provider configuration. If it’s missing, you’ll see the “partner identity provider is not configured” exception.
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
I’d like to confirm exactly what’s going on.
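The pattern John sketches above (keep a list of every IdP seen so far and republish the whole list instead of a configuration holding only the current request's IdP), written out as an added example. This is not ComponentSpace's code and not the poster's code; it uses only the ComponentSpace types and members that appear in the thread (SAMLConfiguration, LocalServiceProviderConfiguration, PartnerIdentityProviderConfiguration, AddPartnerIdentityProvider, SAMLController.Configuration) and assumes they live in the ComponentSpace.SAML2 and ComponentSpace.SAML2.Configuration namespaces. IdpRecord is a constructed stand-in for the poster's SQM.DAL.SamlIdentityProvider row, and SafeFileName stands in for their CleanFileName helper. The point it demonstrates is why replacing the static configuration per request produces the "not configured" exception under concurrency: request B's assignment discards request A's partner IdP before A's SAML response reaches /ssoacs, where ReceiveSSO looks the issuer up in whatever SAMLController.Configuration holds at that moment.

```csharp
using System;
using System.Collections.Concurrent;
using System.IO;
using System.Linq;
using ComponentSpace.SAML2;               // assumption: SAMLController lives here
using ComponentSpace.SAML2.Configuration; // assumption: configuration classes live here

// Constructed stand-in for the poster's SQM.DAL.SamlIdentityProvider row (same fields as used in the thread).
public class IdpRecord
{
    public int Id;
    public string Name;
    public string EntityId;
    public string SingleSignOnServiceUrl;
    public bool UsePartnerCertificate;
    public byte[] PartnerCertificate;
    public string PartnerCertificateChecksum;
}

public static class DynamicSamlConfiguration
{
    // Every partner IdP this process has seen, keyed by entity ID. It outlives the request, so a
    // SAML response for IdP A is still resolvable after a later request published IdP B.
    private static readonly ConcurrentDictionary<string, PartnerIdentityProviderConfiguration> partnerIdps =
        new ConcurrentDictionary<string, PartnerIdentityProviderConfiguration>();

    // Certificate checksum currently registered per entity ID, so a rotated certificate replaces the entry.
    private static readonly ConcurrentDictionary<string, string> certChecksums =
        new ConcurrentDictionary<string, string>();

    // Add or refresh the IdP in the cache, then publish a configuration containing the union of all
    // cached IdPs. No lock is taken: a fresh SAMLConfiguration is built and the assignment to
    // SAMLController.Configuration is a single reference write, so readers see either the old or the
    // new complete object, never a half-built one.
    public static SAMLConfiguration Publish(IdpRecord idp, string spEntityId, string certDirectory)
    {
        string checksum = idp.UsePartnerCertificate ? (idp.PartnerCertificateChecksum ?? "") : "";
        string known;
        bool changed = !certChecksums.TryGetValue(idp.EntityId, out known) || known != checksum;
        if (changed)
        {
            var pipc = new PartnerIdentityProviderConfiguration()
            {
                Description = idp.Name,
                Name = idp.EntityId,
                SingleSignOnServiceUrl = idp.SingleSignOnServiceUrl,
                OverridePendingAuthnRequest = true
            };
            if (idp.UsePartnerCertificate && idp.PartnerCertificate != null)
                pipc.PartnerCertificateFile = WriteCertificateOnce(idp, certDirectory);
            partnerIdps[idp.EntityId] = pipc;
            certChecksums[idp.EntityId] = checksum;
        }

        var config = new SAMLConfiguration();
        config.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
        {
            Name = spEntityId,
            Description = "My Service Provider",
            AssertionConsumerServiceUrl = spEntityId + "/ssoacs",
        };
        foreach (var entry in partnerIdps.Values) // Values is a snapshot, safe while other requests add
            config.AddPartnerIdentityProvider(entry);

        SAMLController.Configuration = config;
        return config;
    }

    // Names of every IdP published by this process: log this right after Publish() and again in the
    // catch block around ReceiveSSO, which is the logging ComponentSpace asked for above.
    public static string Describe()
    {
        return string.Join(", ", partnerIdps.Keys.OrderBy(k => k));
    }

    private static string WriteCertificateOnce(IdpRecord idp, string certDirectory)
    {
        Directory.CreateDirectory(certDirectory); // no-op if it already exists
        string path = Path.Combine(certDirectory, idp.Id + "_" + SafeFileName(idp.PartnerCertificateChecksum) + ".cer");
        if (!File.Exists(path))
        {
            try { File.WriteAllBytes(path, idp.PartnerCertificate); }
            catch (IOException) when (File.Exists(path)) { /* a concurrent first request wrote the same bytes */ }
        }
        return path;
    }

    // Assumption: stands in for the poster's CleanFileName helper; drops characters invalid in a file name
    // so a checksum string from the database cannot become a path component.
    private static string SafeFileName(string value)
    {
        var invalid = Path.GetInvalidFileNameChars();
        return new string((value ?? "").Where(c => !invalid.Contains(c)).ToArray());
    }
}
```

Usage from the page's own flow: `DynamicSamlConfiguration.Publish(idp, entityId, Server.MapPath(@"temp\certificates"));` in place of the per-request `SAMLController.Configuration = samlConfiguration;`, followed by the existing InitiateSSO call. What this does not solve is the single LocalServiceProviderConfiguration: with hundreds of customer domains, two concurrent requests from different hosts still race on which Name/AssertionConsumerServiceUrl the published object carries, so whether ReceiveSSO on the ACS endpoint accepts a response for a different host than the last-published one is worth checking against the SAML trace that support asked for.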