The SAML response destination ... doesn't match the expected destination ...

After upgrading to version 2.6.0.19


ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML response destination https://domain.com/saml/acs2 doesn’t match the expected destination https://domain.com/SAML/acs1
at ComponentSpace.SAML2.AbstractSAMLProvider.CheckDestination(StatusResponseType samlResponse, String destinationUrl)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& userName, SAMLAttribute[]& attributes)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState)
at SAML.AdminACS.ProcessRequest(HttpContext context)


Note: In the service provider's saml.config the AssertionConsumerServiceUrl attribute references acs1; however, I have used an alternate ACS endpoint for this specific identity provider (acs2).

It seems that prior to this upgrade there was no SP-side check that the destination matches the setting in saml.config, but that has now changed. Is there a way to disable this check? Or a different way to address this issue? Note: I have control of both sides of this exchange, so if there is a change I can make on the IdP end, I can go that route.


You can disable the check by specifying DisableDestinationCheck="true" for the entry in your service provider's saml.config.
<PartnerIdentityProvider
Name="XXXX"
DisableDestinationCheck="true"

[quote]
ComponentSpace - 3/7/2017
You can disable the check by specifying DisableDestinationCheck="true" for the entry in your service provider's saml.config.
<PartnerIdentityProvider
Name="XXXX"
DisableDestinationCheck="true"
[/quote]

It didn't work. I have version v2.6.0.19

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com, mentioning this forum post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Also include your saml.config with any passwords removed.
Thanks.

[quote]
ComponentSpace - 3/7/2017
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com, mentioning this forum post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Also include your saml.config with any passwords removed.
Thanks.
[/quote]

Done

You need to disable the recipient check also.
<PartnerIdentityProvider
Name="XXXX"
DisableDestinationCheck="true"
DisableRecipientCheck="true"

Hello,

I have a similar issue:

ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML response destination https://domain.com/api/saml/AssertionConsumerService doesn't match the expected destination http://domain.com/api/SAML/AssertionConsumerService.
at ComponentSpace.SAML2.AbstractSAMLProvider.CheckDestination(StatusResponseType samlResponse, String destinationUrl)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
at ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, IDictionary& attributes, String& relayState)

Any thoughts on this? The application is running in a container.

As part of the various security checks we make, we check the destination in the SAML response against the assertion consumer service URL configured in your saml.config.

The expectation is that HTTPS rather than HTTP will be used for all SSO flows.

I recommend switching to HTTPS to resolve this issue and to avoid other issues related to the SAML protocol and the secure cookie we use to support it.

This check can be disabled by setting DisableDestinationCheck="true" for the PartnerIdentityProvider entry in your saml.config. However, my recommendation is to not disable the check but instead switch to HTTPS.
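An added illustration (not ComponentSpace's code) of the two checks this thread turns on, Destination on the response and Recipient on the bearer assertion, run over a constructed SAML response using the placeholder URLs from the thread; it shows why a path, case or scheme difference fails, and that the fix is to configure the URL the IdP really posts to rather than disabling the check.

```python
"""Minimal SAML 2.0 Destination and Recipient check (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response; IDs and URLs are placeholders, not from a real IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://domain.com/saml/acs2">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://domain.com/saml/acs2"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text: str, expected_acs: str) -> list:
    """Return the list of failed checks; an empty list means the response passed.

    As with the SP in the thread, the comparison is an exact string match:
    a different path (acs2 vs acs1), a case difference (/SAML/ vs /saml/)
    or a scheme difference (http vs https, typical behind a container proxy)
    all fail. The right fix is to configure the externally visible ACS URL
    the IdP actually posts to, not to disable the check.
    """
    root = ET.fromstring(xml_text)
    failures = []
    # Envelope check: Destination must be this SP's assertion consumer service.
    destination = root.get("Destination")
    if destination != expected_acs:
        failures.append(f"destination {destination!r} != expected {expected_acs!r}")
    # Assertion check: each bearer SubjectConfirmationData must name this ACS
    # as Recipient (the check DisableRecipientCheck turns off in the thread).
    for scd in root.findall(".//saml:SubjectConfirmationData", NS):
        recipient = scd.get("Recipient")
        if recipient != expected_acs:
            failures.append(f"recipient {recipient!r} != expected {expected_acs!r}")
    return failures


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "https://domain.com/SAML/acs1"))  # mismatch
    print(check_response(SAMPLE_RESPONSE, "https://domain.com/saml/acs2"))  # []
```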