I have a sample project to

No you need to have 2 separate entity deors. The service provi

Oh got it! So we have to add IDPSSODeor into sp metadata right. So that <code cl

No you have to add a SPSSODeor for the ServiceProvider Metadata.

The single_sign_on_service_url() method will find <co

Azure AADSTS700016: Application with identifier 'https://sts.windows.net/xxxx-xxxx-xxxx/' was not found in the directory 'xxxx-xxxx-xxxx'. about libsaml HOT 6 CLOSED

digidentity commented on August 22, 2024

Azure AADSTS700016: Application with identifier 'https://sts.windows.net/xxxx-xxxx-xxxx/' was not found in the directory 'xxxx-xxxx-xxxx'.

from libsaml.

Comments (6)

benoist commented on August 22, 2024 1

No you need to have 2 separate entity descriptors.

The service provider has it's own entity id and also requires an EntityDescriptor with SPSSODescriptor

The identity provider has another entity id and requires an EntityDescriptor with IDPSSODescriptor

As you are implementing a ServiceProvider, you need to register your current_provider with your own entity_id

In the request_authenication method you need to use the IDP's entity to find the Saml.provider
See the example below

class SamlController < ApplicationController
  extend Saml::Rails::ControllerHelper
  current_provider "<your_sp_entity_id>"

  def request_authentication
    provider = Saml.provider("<the_idp_entity_id>")
    destination = provider.single_sign_on_service_url(Saml::ProtocolBinding::HTTP_POST)

    authn_request = Saml::AuthnRequest.new(destination: destination)

    session[:authn_request_id] = authn_request._id

    @saml_attributes = Saml::Bindings::HTTPPost.create_form_attributes(authn_request)

    render text: @saml_attributes.to_yaml
  end

from libsaml.

benoist commented on August 22, 2024

Thats incorrect, the current_provider has to be configured using the entity id of your service provider.

from libsaml.

truongnmt commented on August 22, 2024

Oh got it! So we have to add IDPSSODescriptor into sp metadata right. So that Saml.current_provider.single_sign_on_service_url can return SSO URL to IdP.

from libsaml.

benoist commented on August 22, 2024

No you have to add a SPSSODescriptor for the ServiceProvider Metadata.

from libsaml.

truongnmt commented on August 22, 2024

The single_sign_on_service_url() method will find idp_descriptor()

    def idp_descriptor(raise_error = true)
      entity_descriptor.idp_sso_descriptor || raise_error &&
          raise(Saml::Errors::InvalidProvider.new("Cannot find identity provider with entity_id: #{entity_id}"))
    end

Isn't finding IDPSSODescriptor in the metadata? 🤔

With the above thinking, I add IDPSSODescriptor in SP Metadata. Here is my sp.xml file:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2020-01-24T05:41:14Z"
                     cacheDuration="PT604800S"
                     entityID="https://localhost:4447/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://localhost:4447/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://localhost:4447/saml/acs"
                                 index="1"/>

  </md:SPSSODescriptor>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <md:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <md:X509Data>
          <md:X509Certificate>
MIIC8DCCAdigAwIBAgIQc5ZjVSrAAbdBLLBSSGrUAzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMDAxMTQwNTIxNTFaFw0yMzAxMTQwxxxx          
          </md:X509Certificate>
        </md:X509Data>
      </md:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/xxxx/saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/xxxx/saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/xxxx/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

from libsaml.

truongnmt commented on August 22, 2024

That would make a lot of sense! Thanks for clearing out! Again, have some guidance about this in the Readme is super helpful!

from libsaml.

Azure AADSTS700016: Application with identifier 'https://sts.windows.net/xxxx-xxxx-xxxx/' was not found in the directory 'xxxx-xxxx-xxxx'. about libsaml HOT 6 CLOSED

Comments (6)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent