Trying to debug a SAML SSO request

I have a Service Provider set up to work with our corporate IdP. I had SSO working in our testing environment a month ago, and now I need to revisit it before release.
Unfortunately, I can’t see a SAML request anywhere, neither in SAMLTracer in the Browser, nor in Wireshark. The logs I get from IIS state that the config and certificates have been loaded correctly, and it also shows the message it is sending.

04/8: 04.01.2021 10:30:45: Request sent over HTTP POST.
804/8: 04.01.2021 10:30:45: SAML message sent: partner=urn:federation:WISAG-IdP, message=<samlp:AuthnRequest ID="_a4c14638-fbc5-4735-ad9b-bb677f23dd26" Version="2.0" IssueInstant="2021-01-04T09:30:45.387Z" Destination="https://auth.identity.wisag.de/login/remussttstest" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://tts.2comtest.wisag.de/loginsaml/auth.aspx" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://tts.2comtest.wisag.de/loginsaml/</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" /><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />fh/SQBtYWIOdZnH4kvaCfWLvvi7yY8CSMyY/1A0fJzE=VV4BzicmQWXr2msRfIeyJr3fcvT88hez0sbrBbbAVioucU2gEpYGAod3p/VzaDN6WkjGuTwUYv8P4sgGxivTXumTMA9/PmST5Lf3UM4ZhjfNbwGDkAuX2BOpN0ysqLYXdCrmyY3TbD5vJzoghuBjyYGWrB/tFsNAusjpfwAP7EC0Ec91qoVj4aE+pum3F76yiAQunk4+1hoIFYhabew+mCv+nRFs6b/EHzEhzdAwLiyXVYGcF5rB28bZisNHgCCbf4restz9VD3pNx33v9ICGl2ceEub0e0qqLcn6IwtskrFV9T0bc0Cb/e1nWSXTvPET5lX+0tyyK6evUZErfj7Iw==<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>, relay state=/login.aspx, destination URL=https://auth.identity.wisag.de/login/remussttstest
804/8: 04.01.2021 10:30:45: Service provider session (7b65a687-1569-444c-bb08-abdee488034c) state:
Pending response state:
Action: ReceiveSamlResponse
Partner name: urn:federation:WISAG-IdP
Relay state:
In response to: _a4c14638-fbc5-4735-ad9b-bb677f23dd26

804/8: 04.01.2021 10:30:45: Initiation of SSO to the partner identity provider urn:federation:WISAG-IdP has completed successfully.

I have confirmed so far that no changes were made on the IdP side of things, and on my side there were also no changes. It seems like the POST just vanishes into thin air.
Is there any way to get more information out of this? I have a feeling that this might be a network issue, but I can’t find an error message anywhere.

Current trace config:

<system.diagnostics>

<add
name="CyclicTextWriter"
type="ComponentSpace.SAML2.Utility.CyclicTraceListener,ComponentSpace.SAML2"
initializeData="logs"/>

</system.diagnostics>




Our log indicates a SAML authn request is being sent via the HTTP-Post binding to the IdP. I suggest using the browser developer tools (F12) to capture the network traffic. You should see an HTTP response containing an HTML form with a SAMLRequest form variable being returned to the browser. There’ll also be some JavaScript that automatically submits the form to the IdP. The next item in the network trace should be the HTTP Post of the SAMLRequest to the IdP.

If you don’t see this, please check your application code to ensure you’re not overwriting the HTTP response. If this is the case, the HTTP response you see should give you a clue as to its origin.

If you do see the SAML request and the destination URL looks correct but the request isn’t being received at the IdP, this sounds like a network issue.

I think I found the problem. The button used to be in a different position before, and moving it inside of a Telerik RadAjaxPanel caused the problem. I can debug it in the code behind, and SAMLServiceProvider.InitiateSSO is called without causing any exceptions, but after that nothing happened. In the old position everything works again. This might be caused by a weird JS interaction between Ajax and the SAML Form POST, I'm not exactly sure.

Thanks for the update. The network trace in the browser might provide more clues.
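
The check suggested in this thread, as an added example (not code from either poster or from ComponentSpace): given a response body saved from the browser's network trace, it reports whether the auto-submitting form with a SAMLRequest field is present, decodes the request, and compares its Destination with the form action. It also flags a response that was fetched by script rather than by page navigation, assuming the panel's partial postbacks carry the ASP.NET AJAX X-MicrosoftAjax or X-Requested-With request header; the sample page and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample: the auto-submitting form an SP returns for the HTTP-POST binding.
# The AuthnRequest is trimmed to attributes shown in the log above; the signature is omitted.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_a4c14638-fbc5-4735-ad9b-bb677f23dd26" Version="2.0" '
    'Destination="https://auth.identity.wisag.de/login/remussttstest"/>'
)
SAMPLE_PAGE = (
    '<html><body onload="document.forms[0].submit()">'
    '<form method="post" action="https://auth.identity.wisag.de/login/remussttstest">'
    '<input type="hidden" name="SAMLRequest" value="%s"/>'
    '<input type="hidden" name="RelayState" value="/login.aspx"/>'
    '</form></body></html>' % base64.b64encode(SAMPLE_REQUEST.encode()).decode()
)

class _FormFinder(HTMLParser):
    """Collects the first form's action and every named input field."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")

def inspect_sso_response(body, request_headers=None):
    """Classify a captured response body from the page that calls InitiateSSO."""
    headers = {k.lower(): v for k, v in (request_headers or {}).items()}
    finder = _FormFinder()
    finder.feed(body)
    # Assumption: a partial postback is recognisable by one of these request headers.
    result = {"xhr": headers.get("x-requested-with") == "XMLHttpRequest" or "x-microsoftajax" in headers,
              "has_saml_form": "SAMLRequest" in finder.fields}
    if result["has_saml_form"]:
        # HTTP-POST binding: the field is base64 only (no deflate). Parse only your own
        # SP's output this way; use a hardened parser such as defusedxml for untrusted XML.
        root = ET.fromstring(base64.b64decode(finder.fields["SAMLRequest"]))
        result.update(id=root.get("ID"), destination=root.get("Destination"),
                      action_matches=root.get("Destination") == finder.action,
                      relay_state=finder.fields.get("RelayState"))
    return result
```

A result with both `has_saml_form` and `xhr` set means the form was handed to script code instead of being rendered as a page, so its auto-submit never runs and no POST to the IdP appears in the trace.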