Sustainsys: error: “IDX13102: Exception thrown while reading '[PII is hidden]' for Saml2SecurityToken....





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







0















Nuget Packages in use:




  1. Microsoft.AspNetCore.App - 2.1.1

  2. Microsoft.NETCore.App - 2.1.0

  3. Sustainsys.Saml2.AspNetCore2 - 2.2.0


Dotnet Core version: 2.1.302



Implementation



Following code is added in the startup.cs file in ConfigureServices(IServiceCollection services) method:



services.AddSaml2("saml2", options =>

{

    options.SPOptions.EntityId = new Sustainsys.Saml2.Metadata.EntityId(this.Configuration.Get<AppSetting>().SPEntityId);

    options.SPOptions.MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

    options.SPOptions.NameIdPolicy = new Sustainsys.Saml2.Saml2P.Saml2NameIdPolicy(true, Sustainsys.Saml2.Saml2P.NameIdFormat.Unspecified);

    options.IdentityProviders.Add(

            new Sustainsys.Saml2.IdentityProvider(

                new Sustainsys.Saml2.Metadata.EntityId(this.Configuration.Get<AppSetting>().SPMetadata), options.SPOptions)

                {

                    LoadMetadata = true,

                    Binding = Sustainsys.Saml2.WebSso.Saml2BindingType.HttpPost

                });

})


The authentication is triggered by following controller action:



[HttpGet]

public IActionResult Login(string returnUrl = null)

{

    var redirectUrl = Url.Content("~/Saml/Callback");

    return Challenge(

        new AuthenticationProperties { RedirectUri = redirectUrl }, "saml2");

}


The authentication with the ID server is successfully done and response is received as POST request on https://SP-Server-xxxx/server/Saml2/Acs as per XML at the end of this post. However, then following error is returned with HTTP code 500:



{

    error: "IDX13102: Exception thrown while reading '[PII is hidden]' for Saml2SecurityToken. Inner exception: 'System.ArgumentException'."

}


Please suggest what is wrong with the setup or the implementation.



Response XML:



<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained" Destination="https://SP-Server-xxxx/server/Saml2/Acs" ID="XXXXX" InResponseTo="XXXXX" IssueInstant="2018-11-28T06:26:12Z" Version="2.0">

    <saml:Issuer>https://ID-Server-yyyy/zzzz/saml2/metadata</saml:Issuer>

    <samlp:Status>

        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

    </samlp:Status>

    <saml:Assertion ID="XXXXX" IssueInstant="2018-11-28T06:26:12Z" Version="2.0">

        <saml:Issuer>https://ID-Server-yyyy/zzzz/saml2/metadata</saml:Issuer>

        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

            <ds:SignedInfo>

                <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

                <ds:Reference URI="#yyyyy">

                    <ds:Transforms>

                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                    </ds:Transforms>

                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

                    <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">zzzzz</DigestValue>

                </ds:Reference>

            </ds:SignedInfo>

            <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#"> 'removed the signature value' </SignatureValue>

            <ds:KeyInfo>

                <ds:X509Data>

                    <ds:X509Certificate> 'removed the certificate' </ds:X509Certificate>

                </ds:X509Data>

            </ds:KeyInfo>

        </ds:Signature>

        <saml:Subject>

            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="https://ID-Server-yyyy/zzzz/saml2/metadata" SPNameQualifier="https://SP-Server-xxxx">

                abc@xyz.com

            </saml:NameID>

            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

                <saml:SubjectConfirmationData InResponseTo="XXXXX" NotOnOrAfter="2018-11-28T06:31:12Z" Recipient="https://SP-Server-xxxx/server/Saml2/Acs"/>

            </saml:SubjectConfirmation>

        </saml:Subject>

        <saml:Conditions NotBefore="2018-11-28T06:21:12Z" NotOnOrAfter="2018-11-28T06:31:12Z">

            <saml:AudienceRestriction>

                <saml:Audience>https://SP-Server-xxxx</saml:Audience>

            </saml:AudienceRestriction>

        </saml:Conditions>

        <saml:AuthnStatement AuthnInstant="2018-11-28T06:26:09Z" SessionIndex="XXXXX">

            <saml:AuthnContext>

                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>

                <saml:AuthnContextDeclRef>name/password/uri</saml:AuthnContextDeclRef>

            </saml:AuthnContext>

        </saml:AuthnStatement>

        <saml:AttributeStatement>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Last Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">abc@xyz.com</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="MiddleName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Middle Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">First Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="Id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Id Value</saml:AttributeValue>

            </saml:Attribute>

        </saml:AttributeStatement>

    </saml:Assertion>

</samlp:Response>


UPDATE:
After setting IdentityModelEventSource.ShowPII to true the error response is changed as followed:



{

    error: "IDX13102: Exception thrown while reading 'AuthnContext' for Saml2SecurityToken. Inner exception: 'System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri' at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value) at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)'."

}


Based on the error message I assume the ID server needs to set the AuthnContext with a valid URI. Please confirm.



Following is the Stack-Trace:



2018-11-29 08:45:10.700 +01:00 [Debug] Signature validation passed for Saml Response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id

2018-11-29 08:45:10.759 +01:00 [Error] Exception is occurred

Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenReadException: IDX13102: Exception thrown while reading 'AuthnContext' for Saml2SecurityToken. Inner exception: 'System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri'

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)'. ---> System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri'

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)

   --- End of inner exception stack trace ---

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationStatement(XmlDictionaryReader reader)

   at Sustainsys.Saml2.Saml2P.Saml2PSerializer.ReadAssertion(XmlReader reader)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(String token)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)

   at Sustainsys.Saml2.Saml2P.Saml2Response.CreateClaims(IOptions options, IdentityProvider idp)+MoveNext()

   at System.Collections.Generic.List`1.AddEnumerable(IEnumerable`1 enumerable)

   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)

   at Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData)

   at Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState)

   at Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)

   at Sustainsys.Saml2.AspNetCore2.Saml2Handler.HandleRequestAsync()

   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)

   at Service.Provider.Middleware.LanguageHandlingMiddleware.Invoke(HttpContext context) in X:ProjectsService-ProviderMiddlewareLanguageHandlingMiddleware.cs:line 21

   at Service.Provider.Middleware.ErrorHandlingMiddleware.Invoke(HttpContext context, ILogger`1 logger) in X:ProjectsService-ProviderMiddlewareErrorHandlingMiddleware.cs:line 22


Update 2



Thanks for the response @Anders. As we dont have control over the ipd, I have requested the idp developers to consider above change.
But meanwhile we have tried to dig further into the options. I have referred one the documents hosted here: https://media.readthedocs.org/pdf/saml2/latest/saml2.pdf. The section 2.18.1 lists the attributes of Element. It mentions about IgnoreAuthenticationContextInResponse attribute. Based on the description of the attribute, it seems that making this as true will solve the above error.
But I cannot find this attribute while configuring the Compatibility element in SPOtions (options.SPOptions.Compatibility.IgnoreAuthenticationContextInResponse ?)



We are using Sustainsys.Saml2.AspNetCore2 package version 2.2.0.



Is it so that the Compatibility.IgnoreAuthenticationContextInResponse attribute is not yet available in version 2.2.0 ?






asp.net-core .net-core asp.net-core-mvc saml-2.0 sustainsys-saml2







share|improve this question

























  • Please provide the stack trace of the exception and also set the IdentityModelEventSource.ShowPII flag to true to show the actual value in the log message.

    – Anders Abel
    Nov 29 '18 at 6:57











  • I have edited the question to add the stack trace.

    – Ashish Gamit
    Nov 29 '18 at 8:35











  • Yes, the IgnoreAuthenticationContextInResponse compatibility flag might have been forgotten in the move to 2.0. Please file a bug in the repo.

    – Anders Abel
    Nov 29 '18 at 14:16











  • Thanks for the clarification. I have reported the bug here: github.com/Sustainsys/Saml2/issues/1045

    – Ashish Gamit
    Nov 29 '18 at 14:35


















0















Nuget Packages in use:




  1. Microsoft.AspNetCore.App - 2.1.1

  2. Microsoft.NETCore.App - 2.1.0

  3. Sustainsys.Saml2.AspNetCore2 - 2.2.0


Dotnet Core version: 2.1.302



Implementation



Following code is added in the startup.cs file in ConfigureServices(IServiceCollection services) method:



services.AddSaml2("saml2", options =>

{

    options.SPOptions.EntityId = new Sustainsys.Saml2.Metadata.EntityId(this.Configuration.Get<AppSetting>().SPEntityId);

    options.SPOptions.MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

    options.SPOptions.NameIdPolicy = new Sustainsys.Saml2.Saml2P.Saml2NameIdPolicy(true, Sustainsys.Saml2.Saml2P.NameIdFormat.Unspecified);

    options.IdentityProviders.Add(

            new Sustainsys.Saml2.IdentityProvider(

                new Sustainsys.Saml2.Metadata.EntityId(this.Configuration.Get<AppSetting>().SPMetadata), options.SPOptions)

                {

                    LoadMetadata = true,

                    Binding = Sustainsys.Saml2.WebSso.Saml2BindingType.HttpPost

                });

})


The authentication is triggered by following controller action:



[HttpGet]

public IActionResult Login(string returnUrl = null)

{

    var redirectUrl = Url.Content("~/Saml/Callback");

    return Challenge(

        new AuthenticationProperties { RedirectUri = redirectUrl }, "saml2");

}


The authentication with the ID server is successfully done and response is received as POST request on https://SP-Server-xxxx/server/Saml2/Acs as per XML at the end of this post. However, then following error is returned with HTTP code 500:



{

    error: "IDX13102: Exception thrown while reading '[PII is hidden]' for Saml2SecurityToken. Inner exception: 'System.ArgumentException'."

}


Please suggest what is wrong with the setup or the implementation.



Response XML:



<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained" Destination="https://SP-Server-xxxx/server/Saml2/Acs" ID="XXXXX" InResponseTo="XXXXX" IssueInstant="2018-11-28T06:26:12Z" Version="2.0">

    <saml:Issuer>https://ID-Server-yyyy/zzzz/saml2/metadata</saml:Issuer>

    <samlp:Status>

        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

    </samlp:Status>

    <saml:Assertion ID="XXXXX" IssueInstant="2018-11-28T06:26:12Z" Version="2.0">

        <saml:Issuer>https://ID-Server-yyyy/zzzz/saml2/metadata</saml:Issuer>

        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

            <ds:SignedInfo>

                <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

                <ds:Reference URI="#yyyyy">

                    <ds:Transforms>

                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                    </ds:Transforms>

                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

                    <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">zzzzz</DigestValue>

                </ds:Reference>

            </ds:SignedInfo>

            <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#"> 'removed the signature value' </SignatureValue>

            <ds:KeyInfo>

                <ds:X509Data>

                    <ds:X509Certificate> 'removed the certificate' </ds:X509Certificate>

                </ds:X509Data>

            </ds:KeyInfo>

        </ds:Signature>

        <saml:Subject>

            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="https://ID-Server-yyyy/zzzz/saml2/metadata" SPNameQualifier="https://SP-Server-xxxx">

                abc@xyz.com

            </saml:NameID>

            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

                <saml:SubjectConfirmationData InResponseTo="XXXXX" NotOnOrAfter="2018-11-28T06:31:12Z" Recipient="https://SP-Server-xxxx/server/Saml2/Acs"/>

            </saml:SubjectConfirmation>

        </saml:Subject>

        <saml:Conditions NotBefore="2018-11-28T06:21:12Z" NotOnOrAfter="2018-11-28T06:31:12Z">

            <saml:AudienceRestriction>

                <saml:Audience>https://SP-Server-xxxx</saml:Audience>

            </saml:AudienceRestriction>

        </saml:Conditions>

        <saml:AuthnStatement AuthnInstant="2018-11-28T06:26:09Z" SessionIndex="XXXXX">

            <saml:AuthnContext>

                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>

                <saml:AuthnContextDeclRef>name/password/uri</saml:AuthnContextDeclRef>

            </saml:AuthnContext>

        </saml:AuthnStatement>

        <saml:AttributeStatement>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Last Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">abc@xyz.com</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="MiddleName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Middle Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">First Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="Id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Id Value</saml:AttributeValue>

            </saml:Attribute>

        </saml:AttributeStatement>

    </saml:Assertion>

</samlp:Response>


UPDATE:
After setting IdentityModelEventSource.ShowPII to true the error response is changed as followed:



{

    error: "IDX13102: Exception thrown while reading 'AuthnContext' for Saml2SecurityToken. Inner exception: 'System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri' at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value) at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)'."

}


Based on the error message I assume the ID server needs to set the AuthnContext with a valid URI. Please confirm.



Following is the Stack-Trace:



2018-11-29 08:45:10.700 +01:00 [Debug] Signature validation passed for Saml Response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id

2018-11-29 08:45:10.759 +01:00 [Error] Exception is occurred

Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenReadException: IDX13102: Exception thrown while reading 'AuthnContext' for Saml2SecurityToken. Inner exception: 'System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri'

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)'. ---> System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri'

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)

   --- End of inner exception stack trace ---

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationStatement(XmlDictionaryReader reader)

   at Sustainsys.Saml2.Saml2P.Saml2PSerializer.ReadAssertion(XmlReader reader)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(String token)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)

   at Sustainsys.Saml2.Saml2P.Saml2Response.CreateClaims(IOptions options, IdentityProvider idp)+MoveNext()

   at System.Collections.Generic.List`1.AddEnumerable(IEnumerable`1 enumerable)

   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)

   at Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData)

   at Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState)

   at Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)

   at Sustainsys.Saml2.AspNetCore2.Saml2Handler.HandleRequestAsync()

   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)

   at Service.Provider.Middleware.LanguageHandlingMiddleware.Invoke(HttpContext context) in X:ProjectsService-ProviderMiddlewareLanguageHandlingMiddleware.cs:line 21

   at Service.Provider.Middleware.ErrorHandlingMiddleware.Invoke(HttpContext context, ILogger`1 logger) in X:ProjectsService-ProviderMiddlewareErrorHandlingMiddleware.cs:line 22


Update 2



Thanks for the response @Anders. As we dont have control over the ipd, I have requested the idp developers to consider above change.
But meanwhile we have tried to dig further into the options. I have referred one the documents hosted here: https://media.readthedocs.org/pdf/saml2/latest/saml2.pdf. The section 2.18.1 lists the attributes of Element. It mentions about IgnoreAuthenticationContextInResponse attribute. Based on the description of the attribute, it seems that making this as true will solve the above error.
But I cannot find this attribute while configuring the Compatibility element in SPOtions (options.SPOptions.Compatibility.IgnoreAuthenticationContextInResponse ?)



We are using Sustainsys.Saml2.AspNetCore2 package version 2.2.0.



Is it so that the Compatibility.IgnoreAuthenticationContextInResponse attribute is not yet available in version 2.2.0 ?






asp.net-core .net-core asp.net-core-mvc saml-2.0 sustainsys-saml2







share|improve this question

























  • Please provide the stack trace of the exception and also set the IdentityModelEventSource.ShowPII flag to true to show the actual value in the log message.

    – Anders Abel
    Nov 29 '18 at 6:57











  • I have edited the question to add the stack trace.

    – Ashish Gamit
    Nov 29 '18 at 8:35











  • Yes, the IgnoreAuthenticationContextInResponse compatibility flag might have been forgotten in the move to 2.0. Please file a bug in the repo.

    – Anders Abel
    Nov 29 '18 at 14:16











  • Thanks for the clarification. I have reported the bug here: github.com/Sustainsys/Saml2/issues/1045

    – Ashish Gamit
    Nov 29 '18 at 14:35














0












0








0








Nuget Packages in use:




  1. Microsoft.AspNetCore.App - 2.1.1

  2. Microsoft.NETCore.App - 2.1.0

  3. Sustainsys.Saml2.AspNetCore2 - 2.2.0


Dotnet Core version: 2.1.302



Implementation



Following code is added in the startup.cs file in ConfigureServices(IServiceCollection services) method:



services.AddSaml2("saml2", options =>

{

    options.SPOptions.EntityId = new Sustainsys.Saml2.Metadata.EntityId(this.Configuration.Get<AppSetting>().SPEntityId);

    options.SPOptions.MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

    options.SPOptions.NameIdPolicy = new Sustainsys.Saml2.Saml2P.Saml2NameIdPolicy(true, Sustainsys.Saml2.Saml2P.NameIdFormat.Unspecified);

    options.IdentityProviders.Add(

            new Sustainsys.Saml2.IdentityProvider(

                new Sustainsys.Saml2.Metadata.EntityId(this.Configuration.Get<AppSetting>().SPMetadata), options.SPOptions)

                {

                    LoadMetadata = true,

                    Binding = Sustainsys.Saml2.WebSso.Saml2BindingType.HttpPost

                });

})


The authentication is triggered by following controller action:



[HttpGet]

public IActionResult Login(string returnUrl = null)

{

    var redirectUrl = Url.Content("~/Saml/Callback");

    return Challenge(

        new AuthenticationProperties { RedirectUri = redirectUrl }, "saml2");

}


The authentication with the ID server is successfully done and response is received as POST request on https://SP-Server-xxxx/server/Saml2/Acs as per XML at the end of this post. However, then following error is returned with HTTP code 500:



{

    error: "IDX13102: Exception thrown while reading '[PII is hidden]' for Saml2SecurityToken. Inner exception: 'System.ArgumentException'."

}


Please suggest what is wrong with the setup or the implementation.



Response XML:



<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained" Destination="https://SP-Server-xxxx/server/Saml2/Acs" ID="XXXXX" InResponseTo="XXXXX" IssueInstant="2018-11-28T06:26:12Z" Version="2.0">

    <saml:Issuer>https://ID-Server-yyyy/zzzz/saml2/metadata</saml:Issuer>

    <samlp:Status>

        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

    </samlp:Status>

    <saml:Assertion ID="XXXXX" IssueInstant="2018-11-28T06:26:12Z" Version="2.0">

        <saml:Issuer>https://ID-Server-yyyy/zzzz/saml2/metadata</saml:Issuer>

        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

            <ds:SignedInfo>

                <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

                <ds:Reference URI="#yyyyy">

                    <ds:Transforms>

                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                    </ds:Transforms>

                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

                    <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">zzzzz</DigestValue>

                </ds:Reference>

            </ds:SignedInfo>

            <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#"> 'removed the signature value' </SignatureValue>

            <ds:KeyInfo>

                <ds:X509Data>

                    <ds:X509Certificate> 'removed the certificate' </ds:X509Certificate>

                </ds:X509Data>

            </ds:KeyInfo>

        </ds:Signature>

        <saml:Subject>

            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="https://ID-Server-yyyy/zzzz/saml2/metadata" SPNameQualifier="https://SP-Server-xxxx">

                abc@xyz.com

            </saml:NameID>

            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

                <saml:SubjectConfirmationData InResponseTo="XXXXX" NotOnOrAfter="2018-11-28T06:31:12Z" Recipient="https://SP-Server-xxxx/server/Saml2/Acs"/>

            </saml:SubjectConfirmation>

        </saml:Subject>

        <saml:Conditions NotBefore="2018-11-28T06:21:12Z" NotOnOrAfter="2018-11-28T06:31:12Z">

            <saml:AudienceRestriction>

                <saml:Audience>https://SP-Server-xxxx</saml:Audience>

            </saml:AudienceRestriction>

        </saml:Conditions>

        <saml:AuthnStatement AuthnInstant="2018-11-28T06:26:09Z" SessionIndex="XXXXX">

            <saml:AuthnContext>

                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>

                <saml:AuthnContextDeclRef>name/password/uri</saml:AuthnContextDeclRef>

            </saml:AuthnContext>

        </saml:AuthnStatement>

        <saml:AttributeStatement>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Last Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">abc@xyz.com</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="MiddleName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Middle Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">First Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="Id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Id Value</saml:AttributeValue>

            </saml:Attribute>

        </saml:AttributeStatement>

    </saml:Assertion>

</samlp:Response>


UPDATE:
After setting IdentityModelEventSource.ShowPII to true the error response is changed as followed:



{

    error: "IDX13102: Exception thrown while reading 'AuthnContext' for Saml2SecurityToken. Inner exception: 'System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri' at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value) at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)'."

}


Based on the error message I assume the ID server needs to set the AuthnContext with a valid URI. Please confirm.



Following is the Stack-Trace:



2018-11-29 08:45:10.700 +01:00 [Debug] Signature validation passed for Saml Response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id

2018-11-29 08:45:10.759 +01:00 [Error] Exception is occurred

Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenReadException: IDX13102: Exception thrown while reading 'AuthnContext' for Saml2SecurityToken. Inner exception: 'System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri'

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)'. ---> System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri'

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)

   --- End of inner exception stack trace ---

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationStatement(XmlDictionaryReader reader)

   at Sustainsys.Saml2.Saml2P.Saml2PSerializer.ReadAssertion(XmlReader reader)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(String token)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)

   at Sustainsys.Saml2.Saml2P.Saml2Response.CreateClaims(IOptions options, IdentityProvider idp)+MoveNext()

   at System.Collections.Generic.List`1.AddEnumerable(IEnumerable`1 enumerable)

   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)

   at Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData)

   at Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState)

   at Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)

   at Sustainsys.Saml2.AspNetCore2.Saml2Handler.HandleRequestAsync()

   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)

   at Service.Provider.Middleware.LanguageHandlingMiddleware.Invoke(HttpContext context) in X:ProjectsService-ProviderMiddlewareLanguageHandlingMiddleware.cs:line 21

   at Service.Provider.Middleware.ErrorHandlingMiddleware.Invoke(HttpContext context, ILogger`1 logger) in X:ProjectsService-ProviderMiddlewareErrorHandlingMiddleware.cs:line 22


Update 2



Thanks for the response @Anders. As we dont have control over the ipd, I have requested the idp developers to consider above change.
But meanwhile we have tried to dig further into the options. I have referred one the documents hosted here: https://media.readthedocs.org/pdf/saml2/latest/saml2.pdf. The section 2.18.1 lists the attributes of Element. It mentions about IgnoreAuthenticationContextInResponse attribute. Based on the description of the attribute, it seems that making this as true will solve the above error.
But I cannot find this attribute while configuring the Compatibility element in SPOtions (options.SPOptions.Compatibility.IgnoreAuthenticationContextInResponse ?)



We are using Sustainsys.Saml2.AspNetCore2 package version 2.2.0.



Is it so that the Compatibility.IgnoreAuthenticationContextInResponse attribute is not yet available in version 2.2.0 ?






asp.net-core .net-core asp.net-core-mvc saml-2.0 sustainsys-saml2







share|improve this question
















Nuget Packages in use:




  1. Microsoft.AspNetCore.App - 2.1.1

  2. Microsoft.NETCore.App - 2.1.0

  3. Sustainsys.Saml2.AspNetCore2 - 2.2.0


Dotnet Core version: 2.1.302



Implementation



Following code is added in the startup.cs file in ConfigureServices(IServiceCollection services) method:



services.AddSaml2("saml2", options =>

{

    options.SPOptions.EntityId = new Sustainsys.Saml2.Metadata.EntityId(this.Configuration.Get<AppSetting>().SPEntityId);

    options.SPOptions.MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

    options.SPOptions.NameIdPolicy = new Sustainsys.Saml2.Saml2P.Saml2NameIdPolicy(true, Sustainsys.Saml2.Saml2P.NameIdFormat.Unspecified);

    options.IdentityProviders.Add(

            new Sustainsys.Saml2.IdentityProvider(

                new Sustainsys.Saml2.Metadata.EntityId(this.Configuration.Get<AppSetting>().SPMetadata), options.SPOptions)

                {

                    LoadMetadata = true,

                    Binding = Sustainsys.Saml2.WebSso.Saml2BindingType.HttpPost

                });

})


The authentication is triggered by following controller action:



[HttpGet]

public IActionResult Login(string returnUrl = null)

{

    var redirectUrl = Url.Content("~/Saml/Callback");

    return Challenge(

        new AuthenticationProperties { RedirectUri = redirectUrl }, "saml2");

}


The authentication with the ID server is successfully done and response is received as POST request on https://SP-Server-xxxx/server/Saml2/Acs as per XML at the end of this post. However, then following error is returned with HTTP code 500:



{

    error: "IDX13102: Exception thrown while reading '[PII is hidden]' for Saml2SecurityToken. Inner exception: 'System.ArgumentException'."

}


Please suggest what is wrong with the setup or the implementation.



Response XML:



<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained" Destination="https://SP-Server-xxxx/server/Saml2/Acs" ID="XXXXX" InResponseTo="XXXXX" IssueInstant="2018-11-28T06:26:12Z" Version="2.0">

    <saml:Issuer>https://ID-Server-yyyy/zzzz/saml2/metadata</saml:Issuer>

    <samlp:Status>

        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

    </samlp:Status>

    <saml:Assertion ID="XXXXX" IssueInstant="2018-11-28T06:26:12Z" Version="2.0">

        <saml:Issuer>https://ID-Server-yyyy/zzzz/saml2/metadata</saml:Issuer>

        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

            <ds:SignedInfo>

                <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

                <ds:Reference URI="#yyyyy">

                    <ds:Transforms>

                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                    </ds:Transforms>

                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

                    <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">zzzzz</DigestValue>

                </ds:Reference>

            </ds:SignedInfo>

            <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#"> 'removed the signature value' </SignatureValue>

            <ds:KeyInfo>

                <ds:X509Data>

                    <ds:X509Certificate> 'removed the certificate' </ds:X509Certificate>

                </ds:X509Data>

            </ds:KeyInfo>

        </ds:Signature>

        <saml:Subject>

            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="https://ID-Server-yyyy/zzzz/saml2/metadata" SPNameQualifier="https://SP-Server-xxxx">

                abc@xyz.com

            </saml:NameID>

            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

                <saml:SubjectConfirmationData InResponseTo="XXXXX" NotOnOrAfter="2018-11-28T06:31:12Z" Recipient="https://SP-Server-xxxx/server/Saml2/Acs"/>

            </saml:SubjectConfirmation>

        </saml:Subject>

        <saml:Conditions NotBefore="2018-11-28T06:21:12Z" NotOnOrAfter="2018-11-28T06:31:12Z">

            <saml:AudienceRestriction>

                <saml:Audience>https://SP-Server-xxxx</saml:Audience>

            </saml:AudienceRestriction>

        </saml:Conditions>

        <saml:AuthnStatement AuthnInstant="2018-11-28T06:26:09Z" SessionIndex="XXXXX">

            <saml:AuthnContext>

                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>

                <saml:AuthnContextDeclRef>name/password/uri</saml:AuthnContextDeclRef>

            </saml:AuthnContext>

        </saml:AuthnStatement>

        <saml:AttributeStatement>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Last Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">abc@xyz.com</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="MiddleName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Middle Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">First Name</saml:AttributeValue>

            </saml:Attribute>

            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="Id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

                <saml:AttributeValue xsi:type="xs:string">Id Value</saml:AttributeValue>

            </saml:Attribute>

        </saml:AttributeStatement>

    </saml:Assertion>

</samlp:Response>


UPDATE:
After setting IdentityModelEventSource.ShowPII to true the error response is changed as followed:



{

    error: "IDX13102: Exception thrown while reading 'AuthnContext' for Saml2SecurityToken. Inner exception: 'System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri' at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value) at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)'."

}


Based on the error message I assume the ID server needs to set the AuthnContext with a valid URI. Please confirm.



Following is the Stack-Trace:



2018-11-29 08:45:10.700 +01:00 [Debug] Signature validation passed for Saml Response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id

2018-11-29 08:45:10.759 +01:00 [Error] Exception is occurred

Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenReadException: IDX13102: Exception thrown while reading 'AuthnContext' for Saml2SecurityToken. Inner exception: 'System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri'

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)'. ---> System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'name/password/uri'

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)

   --- End of inner exception stack trace ---

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationStatement(XmlDictionaryReader reader)

   at Sustainsys.Saml2.Saml2P.Saml2PSerializer.ReadAssertion(XmlReader reader)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(String token)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)

   at Sustainsys.Saml2.Saml2P.Saml2Response.CreateClaims(IOptions options, IdentityProvider idp)+MoveNext()

   at System.Collections.Generic.List`1.AddEnumerable(IEnumerable`1 enumerable)

   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)

   at Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData)

   at Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState)

   at Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)

   at Sustainsys.Saml2.AspNetCore2.Saml2Handler.HandleRequestAsync()

   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)

   at Service.Provider.Middleware.LanguageHandlingMiddleware.Invoke(HttpContext context) in X:ProjectsService-ProviderMiddlewareLanguageHandlingMiddleware.cs:line 21

   at Service.Provider.Middleware.ErrorHandlingMiddleware.Invoke(HttpContext context, ILogger`1 logger) in X:ProjectsService-ProviderMiddlewareErrorHandlingMiddleware.cs:line 22


Update 2



Thanks for the response @Anders. As we dont have control over the ipd, I have requested the idp developers to consider above change.
But meanwhile we have tried to dig further into the options. I have referred one the documents hosted here: https://media.readthedocs.org/pdf/saml2/latest/saml2.pdf. The section 2.18.1 lists the attributes of Element. It mentions about IgnoreAuthenticationContextInResponse attribute. Based on the description of the attribute, it seems that making this as true will solve the above error.
But I cannot find this attribute while configuring the Compatibility element in SPOtions (options.SPOptions.Compatibility.IgnoreAuthenticationContextInResponse ?)



We are using Sustainsys.Saml2.AspNetCore2 package version 2.2.0.



Is it so that the Compatibility.IgnoreAuthenticationContextInResponse attribute is not yet available in version 2.2.0 ?






asp.net-core .net-core asp.net-core-mvc saml-2.0 sustainsys-saml2




asp.net-core .net-core asp.net-core-mvc saml-2.0 sustainsys-saml2






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 29 '18 at 13:09







Ashish Gamit

















asked Nov 29 '18 at 6:39









Ashish GamitAshish Gamit

153




153













  • Please provide the stack trace of the exception and also set the IdentityModelEventSource.ShowPII flag to true to show the actual value in the log message.

    – Anders Abel
    Nov 29 '18 at 6:57











  • I have edited the question to add the stack trace.

    – Ashish Gamit
    Nov 29 '18 at 8:35











  • Yes, the IgnoreAuthenticationContextInResponse compatibility flag might have been forgotten in the move to 2.0. Please file a bug in the repo.

    – Anders Abel
    Nov 29 '18 at 14:16











  • Thanks for the clarification. I have reported the bug here: github.com/Sustainsys/Saml2/issues/1045

    – Ashish Gamit
    Nov 29 '18 at 14:35



















  • Please provide the stack trace of the exception and also set the IdentityModelEventSource.ShowPII flag to true to show the actual value in the log message.

    – Anders Abel
    Nov 29 '18 at 6:57











  • I have edited the question to add the stack trace.

    – Ashish Gamit
    Nov 29 '18 at 8:35











  • Yes, the IgnoreAuthenticationContextInResponse compatibility flag might have been forgotten in the move to 2.0. Please file a bug in the repo.

    – Anders Abel
    Nov 29 '18 at 14:16











  • Thanks for the clarification. I have reported the bug here: github.com/Sustainsys/Saml2/issues/1045

    – Ashish Gamit
    Nov 29 '18 at 14:35

















Please provide the stack trace of the exception and also set the IdentityModelEventSource.ShowPII flag to true to show the actual value in the log message.

– Anders Abel
Nov 29 '18 at 6:57





Please provide the stack trace of the exception and also set the IdentityModelEventSource.ShowPII flag to true to show the actual value in the log message.

– Anders Abel
Nov 29 '18 at 6:57













I have edited the question to add the stack trace.

– Ashish Gamit
Nov 29 '18 at 8:35





I have edited the question to add the stack trace.

– Ashish Gamit
Nov 29 '18 at 8:35













Yes, the IgnoreAuthenticationContextInResponse compatibility flag might have been forgotten in the move to 2.0. Please file a bug in the repo.

– Anders Abel
Nov 29 '18 at 14:16





Yes, the IgnoreAuthenticationContextInResponse compatibility flag might have been forgotten in the move to 2.0. Please file a bug in the repo.

– Anders Abel
Nov 29 '18 at 14:16













Thanks for the clarification. I have reported the bug here: github.com/Sustainsys/Saml2/issues/1045

– Ashish Gamit
Nov 29 '18 at 14:35





Thanks for the clarification. I have reported the bug here: github.com/Sustainsys/Saml2/issues/1045

– Ashish Gamit
Nov 29 '18 at 14:35












1 Answer
1






active

oldest

votes


















0














The problem is that the idp supplies a value name/password/uri for <saml:AuthnContextDeclRef>. That is a not a valid value, it must be an absolute URI according to the SAML2 specification.



But in this case I think the Idp should omit that element totally.It is already referencing a well known authentication method in the line above: <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>






share|improve this answer
























  • Thanks for the answer. I have made another update in the question, as there is not enough space in the comments box. I would appreciate if you can take a look.

    – Ashish Gamit
    Nov 29 '18 at 13:09












Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53533206%2fsustainsys-error-idx13102-exception-thrown-while-reading-pii-is-hidden-f%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














The problem is that the idp supplies a value name/password/uri for <saml:AuthnContextDeclRef>. That is a not a valid value, it must be an absolute URI according to the SAML2 specification.



But in this case I think the Idp should omit that element totally.It is already referencing a well known authentication method in the line above: <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>






share|improve this answer
























  • Thanks for the answer. I have made another update in the question, as there is not enough space in the comments box. I would appreciate if you can take a look.

    – Ashish Gamit
    Nov 29 '18 at 13:09
















0














The problem is that the idp supplies a value name/password/uri for <saml:AuthnContextDeclRef>. That is a not a valid value, it must be an absolute URI according to the SAML2 specification.



But in this case I think the Idp should omit that element totally.It is already referencing a well known authentication method in the line above: <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>






share|improve this answer
























  • Thanks for the answer. I have made another update in the question, as there is not enough space in the comments box. I would appreciate if you can take a look.

    – Ashish Gamit
    Nov 29 '18 at 13:09














0












0








0







The problem is that the idp supplies a value name/password/uri for <saml:AuthnContextDeclRef>. That is a not a valid value, it must be an absolute URI according to the SAML2 specification.



But in this case I think the Idp should omit that element totally.It is already referencing a well known authentication method in the line above: <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>






share|improve this answer













The problem is that the idp supplies a value name/password/uri for <saml:AuthnContextDeclRef>. That is a not a valid value, it must be an absolute URI according to the SAML2 specification.



But in this case I think the Idp should omit that element totally.It is already referencing a well known authentication method in the line above: <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 29 '18 at 8:41









Anders AbelAnders Abel

57.2k10123199




57.2k10123199













  • Thanks for the answer. I have made another update in the question, as there is not enough space in the comments box. I would appreciate if you can take a look.

    – Ashish Gamit
    Nov 29 '18 at 13:09



















  • Thanks for the answer. I have made another update in the question, as there is not enough space in the comments box. I would appreciate if you can take a look.

    – Ashish Gamit
    Nov 29 '18 at 13:09

















Thanks for the answer. I have made another update in the question, as there is not enough space in the comments box. I would appreciate if you can take a look.

– Ashish Gamit
Nov 29 '18 at 13:09





Thanks for the answer. I have made another update in the question, as there is not enough space in the comments box. I would appreciate if you can take a look.

– Ashish Gamit
Nov 29 '18 at 13:09




















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53533206%2fsustainsys-error-idx13102-exception-thrown-while-reading-pii-is-hidden-f%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Lallio

Image
Coordenadas: 45° 40' N 9° 38' E Lallio      Comuna    Lallio Localização de Lallio na Itália Coordenadas 45° 40' N 9° 38' E Região Lombardia Província Bérgamo Área - Total 2 km² Altitude 216 m População  - Total 3 826     • Densidade 1 913 hab./km² Outros dados Comunas limítrofes Bergamo, Dalmine, Stezzano, Treviolo Código ISTAT 016123 Código cadastral E422 Código postal 24040 Prefixo telefônico 035 Website www.comune.lallio.bg.it Lallio é uma comuna italiana da região da Lombardia, província de Bérgamo, com cerca de 3.826 habitantes. Estende-se por uma área de 2 km², tendo uma densidade populacional de 1913 hab/km². Faz fronteira com Bergamo, Dalmine, Stezzano, Treviolo. [ 1 ] [ 2 ] [ 3 ] Demografia | Variação demográfica do município entre 1861 e 2011 [ 3 ] Fonte : Istituto Nazionale di Statistica (ISTAT) - Elabor...
Read more

Unable to find Lightning Node

Image
2 I have successfully installed and synced my lightning node (Raspiblitz). I see my public ip on port 8333 has 8 conns. However, when I check my node on 1ml.com my node is not found. I did forward port 8333 and 9735 on my router. Should I connect to a peer or create a channel before my node is visible for the outside? lightning-network lightning-network-daemon share | improve this question asked 1 hour ago Bart DV Bart DV 31 3 add a comment  |  ...
Read more

Futebolista

Image
Ronaldo primeiro jogador a ser eleito por três vezes o melhor jogador do mundo pela FIFA. Ronaldinho Gaúcho atuando pelo Barcelona onde foi duas vezes eleito o melhor jogador do mundo pela FIFA. Kaká atuando pelo Milan onde foi eleito em 2007 o melhor jogador do mundo pela FIFA. Lothar Matthäus primeiro jogador a ser eleito o melhor jogador do mundo pela FIFA em 1991 pela Inter de Milão. Neymar durante partida contra a Escócia, em 27 de março de 2011. Crianças praticando futebol. Robinho, futebolista brasileiro, em 15 de novembro de 2006. Atletas do Chelsea, da Inglaterra. A venda de camisas com nome e número dos jogadores é uma grande fonte de arrecadação. Jürgen Klinsmann atuou como jogador e foi treinador da Alemanha. Estádio de futebol, principal local onde laboram os jogadores. O jogador de futebol , ou Futebolista , é um atleta profissional de futebol, e cuja prática do desporto coletivo é fundamental. Estes trabalhadores sã...
Read more