The SAML response destination ... doesn't match the expected destination ...

After upgrading to version 2.6.0.19


ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML response destination https://domain.com/saml/acs2 doesn’t match the expected destination https://domain.com/SAML/acs1
at ComponentSpace.SAML2.AbstractSAMLProvider.CheckDestination(StatusResponseType samlResponse, String destinationUrl)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& userName, SAMLAttribute[]& attributes)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState)
at SAML.AdminACS.ProcessRequest(HttpContext context)


Note: In the service provider's saml.config the AssertionConsumerServiceUrl attribute references acs1; however, I have used an alternate ACS endpoint for this specific identity provider (acs2).

It seems that prior to this upgrade there was no SP-side check that the destination matched the setting in saml.config, but that has now changed. Is there a way to disable this check? Or a different way to address this issue? Note: I have control of both sides of this exchange, so if there is a change I can make on the IdP end, I can go that route.


You can disable the check by specifying DisableDestinationCheck="true" for the entry in your service provider's saml.config.
<PartnerIdentityProvider
Name="XXXX"
DisableDestinationCheck="true"

[quote]
ComponentSpace - 3/7/2017
You can disable the check by specifying DisableDestinationCheck="true" for the entry in your service provider's saml.config.
<PartnerIdentityProvider
Name="XXXX"
DisableDestinationCheck="true"
[/quote]

It didn't work. I have version v2.6.0.19

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com, mentioning this forum post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Also include your saml.config with any passwords removed.
Thanks.

[quote]
ComponentSpace - 3/7/2017
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com, mentioning this forum post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Also include your saml.config with any passwords removed.
Thanks.
[/quote]

Done

You need to disable the recipient check also.
<PartnerIdentityProvider
Name="XXXX"
DisableDestinationCheck="true"
DisableRecipientCheck="true"

Hello,

I have similar issue:

ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML response destination https://domain.com/api/saml/AssertionConsumerService doesn't match the expected destination http://domain.com/api/SAML/AssertionConsumerService.
at ComponentSpace.SAML2.AbstractSAMLProvider.CheckDestination(StatusResponseType samlResponse, String destinationUrl)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
at ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, IDictionary& attributes, String& relayState)

Any thoughts on this? The application is running in a container.

As part of the various security checks we make, we check the destination in the SAML response against the assertion consumer service URL configured in your saml.config.

The expectation is that HTTPS rather than HTTP will be used for all SSO flows.

I recommend switching to HTTPS to resolve this issue and to avoid other issues related to the SAML protocol and the secure cookie we use to support it.

This check can be disabled by setting DisableDestinationCheck="true" for the partner identity provider entry in your saml.config. However, my recommendation is to not disable the check but instead switch to HTTPS.

Hi,
I have the same problem as satya: the SAML response destination doesn't match the expected destination because of HTTP/HTTPS.
But the problem is that our customer has an SSL proxy. This means that they have HTTPS on the domain, but the application on the server has no HTTPS binding.

It helped to set both DisableDestinationCheck and DisableRecipientCheck to true, but are we missing some security on this login by doing that?

Best regards
Tomasz

The destination check compares the destination field in the SAML response with the configured assertion consumer service URL. The DisableDestinationCheck configuration flag disables this check. It’s better to leave this check enabled if possible.

When a proxy terminates the HTTPS session, you can set the LocalProviderConfiguration.ResolveToHttps flag to true.

For example:

<ServiceProvider
  Name="https://ExampleServiceProvider"
  ResolveToHttps="true"
  AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService">

If the absolute AssertionConsumerServiceUrl is http://www.sp.com/SAML/AssertionConsumerService, this would be resolved to https://www.sp.com/SAML/AssertionConsumerService for the purposes of the destination check.

The recipient check compares the subject confirmation recipient field in the SAML response to either the configured local provider name or the assertion consumer service URL. The DisableRecipientCheck configuration flag disables this check. It’s better to leave this check enabled if possible.

The same ResolveToHttps processing applies for the recipient check if checking against the assertion consumer service URL.

Therefore, don’t disable these checks. Instead set ResolveToHttps to true.

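The two checks discussed in this thread, the destination check against the configured assertion consumer service URL and the recipient check against the SP name or ACS URL, are easy to reproduce outside the library. The following is an added example written for this page in Python, not ComponentSpace code and not its documented comparison rule. It assumes a case-insensitive, default-port-stripping URL comparison (IIS routes paths case-insensitively) and a ResolveToHttps-style rewrite of the SP's own http:// ACS URL to https:// before comparison, as described in the reply above. The sample response, the hostnames domain.com and idp.example.com and the SP name are constructed. Signature verification is deliberately left out; both checks only mean anything once the signature over the response or assertion has been verified, because an unsigned Destination or Recipient can be rewritten by whoever relays the message.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class SAMLProtocolError(Exception):
    """Protocol check failure, in the spirit of the SAMLProtocolException in the thread."""


def normalize_url(url, resolve_to_https=False):
    """Canonical form for comparing URLs (this example's rule, an assumption).

    Scheme and host are lower-cased, the default port is dropped and the path
    is lower-cased because IIS routes paths case-insensitively. With
    resolve_to_https=True an http:// URL is rewritten to https:// first, which
    is what the thread describes ResolveToHttps doing to the SP's ACS URL when
    a proxy terminates TLS in front of a plain-HTTP binding.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    if resolve_to_https and scheme == "http":
        scheme = "https"
    return urlunsplit((scheme, host, parts.path.lower(), parts.query, ""))


def check_response(xml_text, acs_url, sp_name, *, resolve_to_https=False,
                   disable_destination_check=False, disable_recipient_check=False):
    """Run the destination and recipient checks on an already signature-verified response."""
    root = ET.fromstring(xml_text)
    expected = normalize_url(acs_url, resolve_to_https)
    outcome = {"destination": "skipped", "recipient": "skipped"}

    if not disable_destination_check:
        # Response/@Destination must be this SP's ACS endpoint.
        destination = root.get("Destination")
        if destination is None or normalize_url(destination) != expected:
            raise SAMLProtocolError(
                f"The SAML response destination {destination} doesn't match "
                f"the expected destination {acs_url}")
        outcome["destination"] = "ok"

    if not disable_recipient_check:
        # SubjectConfirmationData/@Recipient must be the SP name or the ACS URL.
        confirmations = root.findall(".//saml:SubjectConfirmationData", NS)
        if not confirmations:
            raise SAMLProtocolError("No SubjectConfirmationData in the assertion")
        for scd in confirmations:
            recipient = scd.get("Recipient")
            if recipient is None or (recipient != sp_name and normalize_url(recipient) != expected):
                raise SAMLProtocolError(
                    f"The SAML assertion recipient {recipient} doesn't match "
                    f"the expected recipient {acs_url}")
        outcome["recipient"] = "ok"
    return outcome


# Constructed sample modelled on the second report in the thread: the IdP
# addresses the public https:// endpoint. Signature elements omitted.
PUBLIC_ACS = "https://domain.com/api/saml/AssertionConsumerService"
BEHIND_PROXY_ACS = "http://domain.com/api/SAML/AssertionConsumerService"  # SP's own http binding
SP_NAME = "https://ExampleServiceProvider"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2017-03-07T00:00:00Z" Destination="{PUBLIC_ACS}">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-03-07T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{PUBLIC_ACS}" InResponseTo="_req1"
            NotOnOrAfter="2017-03-07T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def proxy_outcomes():
    """The same response as seen by an SP behind a TLS-terminating proxy, three ways."""
    results = {}
    try:
        results["plain"] = check_response(SAMPLE_RESPONSE, BEHIND_PROXY_ACS, SP_NAME)
    except SAMLProtocolError as exc:
        results["plain"] = str(exc)  # the failure from the thread
    results["resolve_to_https"] = check_response(
        SAMPLE_RESPONSE, BEHIND_PROXY_ACS, SP_NAME, resolve_to_https=True)
    results["checks_disabled"] = check_response(
        SAMPLE_RESPONSE, BEHIND_PROXY_ACS, SP_NAME,
        disable_destination_check=True, disable_recipient_check=True)
    return results


def other_acs_rejected():
    """A response addressed to /saml/acs2 is not accepted at /SAML/acs1 (the first report)."""
    response_for_acs2 = SAMPLE_RESPONSE.replace(PUBLIC_ACS, "https://domain.com/saml/acs2")
    try:
        check_response(response_for_acs2, "https://domain.com/SAML/acs1", SP_NAME)
    except SAMLProtocolError:
        return True
    return False


if __name__ == "__main__":
    for name, result in proxy_outcomes().items():
        print(f"{name}: {result}")
    print("acs2 response rejected at acs1:", other_acs_rejected())
```

The "checks_disabled" outcome is what setting both Disable* flags buys: the response is accepted with neither field examined, so a response minted for another endpoint (the other_acs_rejected case) would also go through. The "resolve_to_https" outcome accepts the proxied deployment while still rejecting that case, which is the point of the recommendation above.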

Thanks!
I’ll try that.

Regards
Tomasz

Hi again,

I can see that "ResolveToHttps" was added in v4.7.0 and our licensed version is v4.3.0 :(
I guess it's not possible to update to v4.7.0 without buying the whole upgrade?

Regards
Tomasz

Please contact sales@componentspace.com to discuss upgrade options.