I'm using SSOCircle and have my metadata imported and a valid redirect request executing. I am not getting any errors in my AuthnRequest (I was, but I corrected that). However, when I execute the redirect I receive the error:
Reason: Destination is invalid.
Not sure what I am missing.
My Authn looks like this:
<samlp:AuthnRequest ID="_ID_" Version="2.0" IssueInstant="2016-02-25T16:20:04.869Z" Destination="http://localhost:9000/saml/service" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:9000/saml/assert" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">MY_ISSUER_ID</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="_ID_">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>_DIGEST_</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>_SIGNATURE_VALUE_</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>_CERTIFICATE_STRING_</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="MY_ISSUER_ID" AllowCreate="true" />
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
I am sending the redirect to:
https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle
The library I am using is from ComponentPro (which I am pretty happy with).
The problem is that your Destination attribute in the AuthnRequest is set to http://localhost:9000/saml/service and you are actually sending it to https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle.
The destination attribute must be the same as the actual destination.
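The check behind the IdP's "Destination is invalid" error, written out as an added example (this is not code from the question, the answer, or ComponentPro): SAML Core requires a receiver to reject a signed message whose Destination does not name the endpoint it arrived at. The program parses the request, compares the declared Destination with the endpoint actually used, and reports why a mismatch fails. The AuthnRequest inside it is a constructed copy of the one above with the signature element left out, since it plays no part in this check.

```csharp
using System;
using System.Xml.Linq;

static class DestinationCheck
{
    static readonly XNamespace Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Compare the Destination attribute with the endpoint the request was sent to.
    // System.Uri equality ignores case in scheme and host and treats an explicit
    // default port (":443" on https) as equal to the implicit one, so the
    // ":443" in the SSOCircle URL does not cause a spurious mismatch.
    public static bool DestinationMatches(string authnRequestXml, string endpointUsed, out string reason)
    {
        var root = XDocument.Parse(authnRequestXml).Root;
        if (root == null || root.Name != Samlp + "AuthnRequest")
        {
            reason = "not a samlp:AuthnRequest";
            return false;
        }

        var destination = (string)root.Attribute("Destination");
        if (string.IsNullOrEmpty(destination))
        {
            // Destination is optional in general but must be present once the
            // request is signed, so a signed redirect without it is rejected here.
            reason = "Destination attribute missing";
            return false;
        }

        if (!Uri.TryCreate(destination, UriKind.Absolute, out var declared) ||
            !Uri.TryCreate(endpointUsed, UriKind.Absolute, out var actual))
        {
            reason = "Destination or endpoint is not an absolute URL";
            return false;
        }

        if (declared != actual)
        {
            reason = $"Destination '{declared}' does not match endpoint '{actual}'";
            return false;
        }

        reason = "ok";
        return true;
    }

    static void Main()
    {
        // The SSOCircle redirect endpoint from the question.
        const string endpoint = "https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle";

        // Constructed, signature-free copy of the posted request with a pluggable Destination.
        string Request(string destination) =>
            $@"<samlp:AuthnRequest ID=""_ID_"" Version=""2.0"" IssueInstant=""2016-02-25T16:20:04.869Z""
                   Destination=""{destination}""
                   xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol"">
                 <saml:Issuer xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion"">MY_ISSUER_ID</saml:Issuer>
               </samlp:AuthnRequest>";

        // As posted: Destination points at the SP itself, so the IdP rejects it.
        bool ok = DestinationMatches(Request("http://localhost:9000/saml/service"), endpoint, out var why);
        Console.WriteLine($"{ok} - {why}");

        // Corrected: Destination names the IdP SSO endpoint the redirect goes to.
        ok = DestinationMatches(Request(endpoint), endpoint, out why);
        Console.WriteLine($"{ok} - {why}");
    }
}
```

The same comparison belongs on the SP side for the Destination of an incoming Response: an SP that accepts a response addressed to a different endpoint gives an attacker replaying captured messages one less check to get past.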
ELMAH generates an exception like below when a known process visits a non-existing URL on our website:
System.Web.HttpException: The controller for path '/manager/' was not found or does not implement IController.
Whereas going to that non-existent URL from a browser generates a typical IIS 404.
The resource cannot be found. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /manager
I know the process accessing these addresses is harmless, and want to stop receiving these specific emails being generated from a range of IP addresses. This is what I have in web.config but ELMAH email still comes through.
The URL filter seems to be working fine.
<elmah>
  <security allowRemoteAccess="false" />
  <errorMail from="elmah#mydomain.com" to="elmahlog#mydomain.com" async="true" smtpServer="mail.mydomain.com" smtpPort="25" useSsl="false" />
  <errorFilter>
    <test>
      <and>
        <equal binding="HttpStatusCode" value="500" type="Int32" />
        <or>
          <!--TrustWave scans our website with intentional bad addresses-->
          <regex binding="Context.Request.ServerVariables['REMOTE_ADDR']" pattern="64.37.231.\d{1,3}" type="String" />
          <!--Google looking for Digital Asset Links - well known statements the website wants to make-->
          <regex binding="Context.Request.ServerVariables['URL']" pattern="/.well-known/assetlinks.json" type="String" />
          <!--Apple devices searching for universal links - app-site association. We don't have an app.-->
          <regex binding="Context.Request.ServerVariables['URL']" pattern="/.well-known/apple-app-site-association" type="String" />
        </or>
      </and>
    </test>
  </errorFilter>
</elmah>
Even though the ELMAH email message looks like a 500 error occurred, the web.config really needed a 404 error code for the filter to work.
<equal binding="HttpStatusCode" value="404" type="Int32" />
instead of
<equal binding="HttpStatusCode" value="500" type="Int32" />
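One caveat on the filter above that the status-code fix does not touch: the REMOTE_ADDR pattern 64.37.231.\d{1,3} has unescaped dots and no anchors, so it suppresses mail for more than the scanner's /24. The added example below (not part of the question or its answer) runs the pattern as written and an anchored, escaped form over a few constructed addresses. It assumes ELMAH's <regex> assertion evaluates the pattern with Regex.IsMatch, which matches anywhere in the value.

```csharp
using System;
using System.Text.RegularExpressions;

static class RemoteAddrFilterCheck
{
    // Pattern exactly as written in the web.config above.
    const string LoosePattern = @"64.37.231.\d{1,3}";

    // Dots escaped and both ends anchored: only 64.37.231.0 to 64.37.231.255 can match.
    const string StrictPattern = @"^64\.37\.231\.\d{1,3}$";

    // Assumption: the <regex> assertion behaves like Regex.IsMatch, i.e. an
    // unanchored search over the bound value.
    public static bool Matches(string pattern, string remoteAddr) =>
        Regex.IsMatch(remoteAddr, pattern);

    static void Main()
    {
        // Constructed sample values for REMOTE_ADDR; none of these are real hosts.
        string[] samples =
        {
            "64.37.231.17",   // inside the scanner range: both patterns match
            "164.37.231.17",  // different network: the unanchored loose pattern still matches
            "64x37y231z17",   // contrived: unescaped dots accept any character
            "10.0.0.1"        // unrelated address: neither matches
        };

        Console.WriteLine("REMOTE_ADDR      loose  strict");
        foreach (var addr in samples)
            Console.WriteLine($"{addr,-16} {Matches(LoosePattern, addr),-6} {Matches(StrictPattern, addr),-6}");
    }
}
```

An exclusion that is wider than intended silently drops error mail from addresses you never meant to ignore, so it is worth running a few non-matching samples through any regex filter before relying on it.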
I am trying to implement a Simple STS web site alongside my MVC application in a development environment. I was able to get this working properly on my local machine. I would navigate to my MVC app, get kicked out to the STS web application, log in, then be redirected back to my MVC app. This is not using ADFS, by the way.
When I migrated this to my Development environment, I see similar activity but I get the error below when I log in. I have checked about 20 times that the thumbprint in the MVC app is exactly the same as the cert's.
(The login is working fine as I don't get redirected until the authentication succeeds.)
Any guesses?
Error message I receive:
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer
web.config from STS website:
<appSettings>
<add key="IssuerName" value="STSTestCert"/>
<add key="SigningCertificateName" value="CN=STSTestCert"/>
<add key="EncryptingCertificateName" value=""/>
</appSettings>
web.config from MVC application:
<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="http://localhost/" />
    </audienceUris>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:57543/mySTS/" realm="http://localhost/" requireHttps="false" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <applicationService>
      <claimTypeRequired>
        <!--Following are the claims offered by STS 'http://localhost:57543/mySTS/'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
        <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
      </claimTypeRequired>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="11111" name="http://localhost:57543/mySTS/" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>
Copying your thumbprint adds hidden unicode characters. Try typing it in.
As MJCoffman mentioned, it is most probably because you copied the thumbprint with hidden characters. You can find more details here.
In my case the problem was also that copying and pasting the thumbprint was adding some characters that a regular text editor does not show. I found the following instructions very useful for removing the special characters (see #4), posted by Edwin Guru Singh.
Do this to get rid of the special characters using Visual Studio:
Close the web.config
Right-click on it and open it with binary editor
Find where the thumbprint is and delete additional characters (everything that is not a number, usually dots).
Save and try again, it should work.
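Rather than hunting for the extra bytes in a binary editor, the hidden characters can be listed and stripped programmatically. The added example below (not from either answer) reports every non-hex character in a pasted thumbprint with its code point and Unicode category, then produces a clean 40-digit value. The sample string is constructed: a placeholder thumbprint laid out with spaces the way the certificate dialog shows it, with a leading U+200E LEFT-TO-RIGHT MARK, the character most commonly picked up when copying from the certificate details view.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text;
using System.Text.RegularExpressions;

static class ThumbprintCleaner
{
    // A SHA-1 certificate thumbprint is exactly 40 hex digits.
    static readonly Regex Sha1Hex = new Regex("^[0-9A-F]{40}$");

    // Lists every character that is not a hex digit, with code point and category,
    // so you can see exactly what the text editor was hiding (spaces included).
    public static List<string> ListNonHexCharacters(string raw)
    {
        var found = new List<string>();
        foreach (char c in raw)
        {
            if (Uri.IsHexDigit(c)) continue;
            var category = CharUnicodeInfo.GetUnicodeCategory(c);
            found.Add($"U+{(int)c:X4} ({category})");
        }
        return found;
    }

    // Keeps only hex digits (spaces, U+200E marks and control characters all go),
    // uppercases them, and insists on the 40 digits of a SHA-1 thumbprint so a
    // truncated paste is caught here rather than as a WIF ID4175 at runtime.
    public static string Clean(string raw)
    {
        var sb = new StringBuilder(40);
        foreach (char c in raw)
            if (Uri.IsHexDigit(c)) sb.Append(char.ToUpperInvariant(c));

        var cleaned = sb.ToString();
        if (!Sha1Hex.IsMatch(cleaned))
            throw new FormatException($"'{cleaned}' is not a 40-digit hex thumbprint (length {cleaned.Length})");
        return cleaned;
    }

    static void Main()
    {
        // Constructed sample: placeholder thumbprint as pasted from the certificate dialog.
        string pasted = "\u200e01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67";

        foreach (var hidden in ListNonHexCharacters(pasted))
            Console.WriteLine("non-hex: " + hidden);
        Console.WriteLine("clean:   " + Clean(pasted));
    }
}
```

Running the cleaned value through a check like this before it goes into web.config turns a silent issuer-not-recognized failure into an immediate, explicit error.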
I have started implementing JOAuth authentication. Of course, right now I am copying and pasting to learn how it works.
Currently I am facing this issue:
"cvc-elt.1: Cannot find the declaration of element 'oauth-config'. [2]"
I have taken a reference URL, which is below.
JOAuth, a java-based OAuth 1 (final) and OAuth 2 (draft 10) library. How do I use it?
oauth-config.xml code snippet:
<?xml version="1.0" encoding="UTF-8" ?>
<oauth-config>
  <!-- Twitter OAuth Config -->
  <oauth name="twitter" version="1">
    <consumer key="TWITTER_KEY" secret="TWITTER_SECRET" />
    <provider requestTokenUrl="https://api.twitter.com/oauth/request_token" authorizationUrl="https://api.twitter.com/oauth/authorize" accessTokenUrl="https://api.twitter.com/oauth/access_token" />
  </oauth>
  <!-- Facebook OAuth -->
  <oauth name="facebook" version="2">
    <consumer key="APP_ID" secret="APP_SECRET" />
    <provider authorizationUrl="https://graph.facebook.com/oauth/authorize" accessTokenUrl="https://graph.facebook.com/oauth/access_token" />
  </oauth>
  <service path="/request_token_ready" class="com.neurologic.music4point0.oauth.TwitterOAuthService" oauth="twitter">
    <success path="/start.htm" />
  </service>
  <service path="/oauth_redirect" class="com.neurologic.music4point0.oauth.FacebookOAuthService" oauth="facebook">
    <success path="/start.htm" />
  </service>
</oauth-config>
Can you help with what is wrong here? I think we need to add a DTD file. Can you please advise? If you need any additional info, please let me know.
Much appreciated,
Pradeep
I am using WIF SSO for authentication in my website. Everything works perfectly in the development environment. But on deployment I get this issue:
Message: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
ExceptionStackTrace: at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) at Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value)
Searching about this issue led me to this Stack Overflow question:
Is it possible to run WIF without LoadUserProfile = True
I added the code mentioned, but now I am getting:
Value cannot be null
e.ServiceConfiguration.ServiceCertificate is null. My question is: what kind of certificate is this, and where can I define it in my config? Do I need to place the same certificate on ACS?
Here is my config section:
<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="http://localhost:9494/" />
    </audienceUris>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://devworks-sb.accesscontrol.appfabriclabs.com/v2/wsfederation" realm="http://localhost:9494" requireHttps="false" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <applicationService>
      <claimTypeRequired>
        <!--Following are the claims offered by STS 'https://devworks-sb.accesscontrol.appfabriclabs.com/'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
        <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
        <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" optional="true" />-->
        <!--<claimType type="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" optional="true" />-->
      </claimTypeRequired>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="BE9D0A516BEC2BC820C23D5C2EA79F068C094382" name="https://devworks-sb.accesscontrol.appfabriclabs.com/" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>
Thanks
First, you mentioned that the problem occurred after deployment, is that right? In your web.config, have you changed the audienceUris to http://whatever_service_name.cloudapp.net?
<audienceUris>
<add value="http://localhost:9494/" /> <== This is wrong
</audienceUris>
Next, on your question about the certificate being null at e.ServiceConfiguration.ServiceCertificate, please verify the following:
A. Endpoint is added in your application Service Definition:
B. Certificate thumbprint is set in Service Configuration
C. Certificate is set in web.config which is correct above
D. Finally, add the following to your web.config so the certificate can be searched for by thumbprint:
<serviceCertificate>
<certificateReference x509FindType="FindByThumbprint" findValue="CERT_THUMB" />
</serviceCertificate>
Study these two resources, which will be very helpful:
http://www.jimandkatrin.com/CodeBlog/post/Troubleshooting-Azure-issues.aspx
http://blogs.msmvps.com/marcelmeijer/blog/2012/05/04/windows-azure-wif-access-control-acs/
The root cause is likely that you're using DPAPI (the default configuration of WIF). Please try making a few modifications for the application to work in Windows Azure. I would suggest checking http://msdn.microsoft.com/en-us/IdentityTrainingCourse_WIFonWAZLab2010 for a tutorial.
Best Regards,
Ming Xu.
I want to use ConfigurableActiveDirectoryMembershipProvider in my code. I have my current settings as:
<add name="XXXXMembershipProvider"
     type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     connectionStringName="XXXXConnectionString"
     connectionUsername="user"
     connectionPassword="password"
     connectionProtection="Secure" />
I have changed this to:
<add connectionStringName=""
     name="XXXXDomainADMembershipProvider"
     type="Spring.Web.Providers.MembershipProviderAdapter, Spring.Web" />
and added it to my Spring config file as:
<object id="XXXXDomainADMembershipProvider"
        type="Spring.Web.Providers.ConfigurableActiveDirectoryMembershipProvider">
  <property name="connectionStringName" value="XXXXDomainConnectionString" />
  <property name="connectionUsername" value="user" />
  <property name="connectionPassword" value="password" />
</object>
But I am getting the following error:
Error creating context 'spring.root': Could not load type from string value 'Spring.Web.Providers.ConfigurableActiveDirectoryMembershipProvider'.
I checked the Spring.WebQuickStart source code and the class Spring.Web.Providers.ConfigurableActiveDirectoryMembershipProvider has been commented out.
Is that the reason I am getting the above error?
Yes, I think you are correct. The error you are getting is exactly the error Spring returns when you are trying to configure an object using a type that cannot be loaded, for instance if the class does not exist at all, which appears to be the case here.
You can double check if the ConfigurableActiveDirectoryMembershipProvider class exists by using the object browser to explore the Spring.Web.Providers namespace in the Spring.Web assembly you are using in your project.
You are right that the class is commented out in the current state of the trunk code. It has a small TBD note, so I think they are not sure if they want to implement this. But it could be that it wasn't commented out in the version of Spring.Web you are using, so you should still check it using the object explorer.
Strangely enough, ConfigurableActiveDirectoryMembershipProvider is mentioned in the documentation; you might want to post this on the Spring.NET forum, as they're likely to help you.