rocksolidknowledge / samples.saml2p


IdentityServer 4 implementation acting as SAML 2.0 IdP and SP

Home Page: https://www.identityserver.com/products/saml2p

License: Apache License 2.0

Topics: identityserver, identityserver4, authentication, saml2, identity-provider, service-provider

samples.saml2p's Introduction

Sample projects implementing the RSK SAML component.

SAML2P service provider and identity provider implementations. We support various identity server implementations, including IdentityServer4, Duende IdentityServer and OpenIddict.

The SAML2P component is available from www.identityserver.com/products/saml2p.

The master branch currently uses IdentityServer4 v4 and Duende IdentityServer. Check out the identityserver4-v3 branch for IdentityServer4 v3 samples.

Projects

  • spWithIdpInitiated: an ASP.NET Core website that can accept unsolicited SAML assertions sent via IdP-Initiated SSO

  • spWithMultipleIdps: an ASP.NET Core website that can authenticate a user using two different SAML Identity Providers

  • IdentityServer4

    • idp: an IdentityServer4 implementation configured to act as a SAML Identity Provider with Service Provider configuration loaded from memory
    • idpWithEf: an IdentityServer4 implementation configured to act as a SAML Identity Provider with Service Provider configuration loaded from a database
    • idpWithIdpInitiated: an IdentityServer4 implementation configured to send unsolicited SAML assertions using IdP-Initiated SSO
    • sp: an IdentityServer4 implementation configured to act as both a SAML Identity Provider and a SAML Service Provider
  • DuendeIdentityServer

    • DuendeIdP: a Duende.IdentityServer implementation configured to act as a SAML Identity Provider with Service Provider configuration loaded from memory. This uses the Duende Automatic Key Management feature for the signing key
    • DuendeDynamicProviders: a Duende.IdentityServer implementation acting as a SAML Service Provider with in-memory dynamic identity providers

  • OpenIddict

    • OpenIddictIdP: an OpenIddict implementation configured to act as a SAML Identity Provider with Service Provider configuration loaded from a SQL Server database using Entity Framework Core

Getting Started

License Keys

For a demo license, please sign up on our products page, or reach out to [email protected].

samples.saml2p's People

Contributors: andrewclymer, jostevensrsk, scottbrady91, seanfarrow-rsk, sundaschoudyrsk


samples.saml2p's Issues

What's the URL for IdP-Init-SSO

Hi,
I've integrated IdP & SP and successfully completed testing the SP-init-SSO.
I've enabled AllowIdpInitiatedSso in the AddSaml2p() options in Startup.cs, but I'm not sure what the URL for IdP-initiated SSO is so that I can test it.
Please advise.

Thanks

Identity Server 4 (IDS4) as SAML SP Invalid redirect_uri

I am having a hard time trying to make an MVC app client (port 7000) connect to IDS4 acting as a SAML SP, which in turn federates to IDS4 acting as a SAML IdP to authenticate. I am using the demo license for the plugin provided by the RSK team.

Needed Scenario: ASP.NET Core APP ---talks--> IDS4 SAML SP ---talks--> IDS4 SAML IDP

Error I am getting:

Invalid redirect_uri: http://localhost:7000/signin-oidc
{
  "ClientId": "mvc",
  "ClientName": "MVC Client",
  "AllowedRedirectUris": [
    "http://localhost:5001/signin-oidc"
  ],
  "SubjectId": "anonymous",
  "RequestedScopes": "",
  "Raw": {
    "client_id": "mvc",
    "redirect_uri": "http://localhost:7000/signin-oidc",
    "response_type": "code id_token",
    "scope": "openid profile",
    "response_mode": "form_post",
    "nonce": "636703668912386576.MjNhODAxMmEtZDMzZS00ODFlLWJlNmMtMmQwODEwOTczOTIwM2VjZDE3NzMtZWY0OC00ZmUwLTk4YWMtOTc2OWU4MTM5ZWU3",
    "state": "CfDJ8IwNdcCHadNNga7v1HYQ8uVdzW4PxgMRT-Sz6hktJlP47BVoAzfJHGRiMqXkiCmcvNwefKmVGjFcVn2QyFRY04nHk0OBB_n7-JQ6QcEluUldNSHN-TnD4yCYrLbM_hrP89qZdclxIwrjVry9cgoRI_XEYqoiTK4XvTn8MlgeGevDs4i2q3HSN1CtddLm0OSMQ7-rnLe1DXT9gxydgKJbBLNbkMLXTkn6g7cSlk2cBM-oak3Pv5DQpcZYdN-waoZLVmbJX4RCLh9j3zQLYMnBuAvZAlXiVTFFCekfSTK6LWmSF9kOUlOIZrqQq8DxUPOVrw",
    "x-client-SKU": "ID_NETSTANDARD1_4",
    "x-client-ver": "5.2.0.0"
  }
}

The ASP.NET Core MVC client is configured as:

services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "oidc";
    })
    .AddOpenIdConnect("oidc", options =>
    {
        // The IdentityServer instance acting as SAML SP; the MVC app talks OIDC to it
        options.Authority = "http://localhost:5001";
        options.RequireHttpsMetadata = false;
        options.ClientId = "mvc";
        options.ResponseType = "code id_token";
        options.ClientSecret = "49C1A7E1-0C79-4A89-A3D6-A37998FB86B0";

        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");

        //options.SaveTokens = true;
        //options.GetClaimsFromUserInfoEndpoint = true;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            RoleClaimType = "role",
        };
    });

The SP and IdP are as provided in this repo. Please help.

SAML Authentication for REST APIs and SPA applications

Hi guys,

I recently got a demo license to test SAML2P integration with IdentityServer4. I got it working with an IdP and an SP. My goal is to create SSO functionality with a single IdP for API, SPA and MVC applications. This IdP should also be able to issue JWTs using the PKCE or client credentials authorization flows.

So I want to continue investigating it for authentication for REST APIs. I found one issue from 2018 in which @scottbrady91 commented that SAML authentication for REST APIs is not possible. If not, is it possible to use some combination of SAML, OAuth and OIDC? Do I need to save the JWT in the SAML cookie? Are there any best practices?

Looking forward to getting feedback from you.

Accepted RequestTrustLength Value

Hi,

We have 2 pages for user registration in our IdentityServer4 IdP application, and sometimes, if the user takes more than 2 minutes to fill in the form, we get the following error.

I noticed the TimeSpan property "RequestTrustLength" in SamlIdpOptions.

If I set some value for this property, will it fix my issue?
If so, what would be the maximum value I can go for?
Does it cause any security issues if I bump the value to, say, 20 minutes?

I wonder what the optimum way to fix this issue would be.

2019-04-30 12:12:46.000 -05:00 [SSOIDP] [ERROR] IdentityServer4.Saml.Validation.Saml2SingleSignOnRequestValidator [0HLMDHH7MSK5M:00000004]  - SAMLRequest IssueInstant too old to trust
{
  "SubjectId": "a484f725-fb3d-4690-ab67-8f759b2fa5e1",
  "BindingType": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
  "RelayState": "c1c2b43d-f9c5-4313-a477-4ea3f1b45dfb",
  "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
}

access_token is always null

Our Identity Server is updated with SAML2P and the existing client is updated as below (SAML client):

// SAML client
new Client
{
    ClientId = "http://localhost:7002/saml",
    ClientName = "RSK SAML2P Test Client",
    ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
    AllowedScopes = new List<string>
    {
        "api-auth",
        "api-provider",
        "api-documents",
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.OfflineAccess
    },
    AlwaysIncludeUserClaimsInIdToken = true,
    AllowAccessTokensViaBrowser = true,
    // Access token lifetime defaults to 86400 seconds (24 hours)
    AccessTokenLifetime = (configuration.AccessTokenLifetime == 0) ? 86400 : configuration.AccessTokenLifetime,
    // Identity token lifetime defaults to 86400 seconds (24 hours)
    IdentityTokenLifetime = (configuration.IdentityTokenLifetime == 0) ? 86400 : configuration.IdentityTokenLifetime,
},

// SP
new ServiceProvider
{
    EntityId = "http://localhost:7002/saml",
    AssertionConsumerServices =
    {
        new Service(SamlConstants.BindingTypes.HttpPost, "http://localhost:7002/signin-saml")
    },
    SigningCertificates = { new X509Certificate2("testclient.cer") },
    ClaimsMapping = new Dictionary<string, string>
    {
        { JwtClaimTypes.Name, "Name" },
        { JwtClaimTypes.GivenName, "GivenName" },
        { JwtClaimTypes.FamilyName, "FamilyName" },
        { JwtClaimTypes.Email, "Email" }
    }
},

After successful authentication with the SP, the access_token is always null, so there is no token to pass for API authentication. Can you suggest a way to achieve this?
FOR COMPONENT SUPPORT, PLEASE EMAIL [email protected]

user is not authenticated

  1. Run both the IdP and SP projects.
  2. Navigate to login in the SP.
  3. We can see the SAML2P external provider login button. Click on that.
  4. It navigates to the IdP. Log in with a test user, alice or bob.
  5. It redirects to the error page. We can find the error "User is not authenticated" in both the console and the log file.
    The full log can be seen below.

2020-08-17 16:12:17.289 +05:30 [INF] Starting IdentityServer4 version 4.0.4+1b36d1b414f4e0f965af97ab2a7e9dd1b5167bca
2020-08-17 16:12:17.322 +05:30 [INF] You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch to a different store implementation.
2020-08-17 16:12:17.335 +05:30 [INF] Using the default authentication scheme idsrv for IdentityServer
2020-08-17 16:12:17.335 +05:30 [DBG] Using idsrv as default ASP.NET Core scheme for authentication
2020-08-17 16:12:17.336 +05:30 [DBG] Using idsrv as default ASP.NET Core scheme for sign-in
2020-08-17 16:12:17.336 +05:30 [DBG] Using idsrv as default ASP.NET Core scheme for sign-out
2020-08-17 16:12:17.336 +05:30 [DBG] Using idsrv as default ASP.NET Core scheme for challenge
2020-08-17 16:12:17.338 +05:30 [DBG] Using idsrv as default ASP.NET Core scheme for forbid
2020-08-17 16:12:34.744 +05:30 [DBG] Login Url: /Account/Login
2020-08-17 16:12:34.746 +05:30 [DBG] Login Return Url Parameter: ReturnUrl
2020-08-17 16:12:34.746 +05:30 [DBG] Logout Url: /Account/Logout
2020-08-17 16:12:34.747 +05:30 [DBG] ConsentUrl Url: /consent
2020-08-17 16:12:34.748 +05:30 [DBG] Consent Return Url Parameter: returnUrl
2020-08-17 16:12:34.748 +05:30 [DBG] Error Url: /home/error
2020-08-17 16:12:34.751 +05:30 [DBG] Error Id Parameter: errorId
2020-08-17 16:12:34.769 +05:30 [DBG] Request path /saml/sso matched to endpoint type "Saml2Sso"
2020-08-17 16:12:34.773 +05:30 [DBG] Mapping found for endpoint: "Saml2Sso", creating handler: IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint
2020-08-17 16:12:34.776 +05:30 [INF] Invoking IdentityServer endpoint: IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint for /saml/sso
2020-08-17 16:12:34.981 +05:30 [DBG] Start SAML2P SSO request
2020-08-17 16:12:34.994 +05:30 [DBG] No user present in SAML2P SSO request
2020-08-17 16:12:34.997 +05:30 [DBG] Starting SAML 2 SSO request validation
2020-08-17 16:12:35.064 +05:30 [INF] Checking if 17-08-2020 10:42:34 is greater than curent time of 17-08-2020 10:42:35. Allowing values 0 seconds in the future to continue.
2020-08-17 16:12:35.065 +05:30 [INF] Checking if 17-08-2020 10:47:34 is less than curent time of 17-08-2020 10:42:35. Allowing values 0 seconds in the past to continue.
2020-08-17 16:12:35.069 +05:30 [DBG] client configuration validation for client http://localhost:5001/saml succeeded.
2020-08-17 16:12:35.081 +05:30 [INF] Showing login: User is not authenticated
2020-08-17 16:12:35.264 +05:30 [DBG] client configuration validation for client http://localhost:5001/saml succeeded.
2020-08-17 16:12:35.267 +05:30 [DBG] client configuration validation for client http://localhost:5001/saml succeeded.
2020-08-17 16:12:41.115 +05:30 [DBG] CORS request made for path: /Account/Login from origin: null but was ignored because path was not for an allowed IdentityServer CORS endpoint
2020-08-17 16:12:43.015 +05:30 [DBG] client configuration validation for client http://localhost:5001/saml succeeded.
2020-08-17 16:12:43.036 +05:30 [INF] {"Username":"bob","Provider":null,"ProviderUserId":null,"SubjectId":"88421113","DisplayName":"bob","Endpoint":"UI","ClientId":null,"Category":"Authentication","Name":"User Login Success","EventType":"Success","Id":1000,"Message":null,"ActivityId":"0HM22J9071QHE:00000003","TimeStamp":"2020-08-17T10:42:43.0000000Z","ProcessId":26172,"LocalIpAddress":"::1:5000","RemoteIpAddress":"::1","$type":"UserLoginSuccessEvent"}
2020-08-17 16:12:43.055 +05:30 [DBG] Augmenting SignInContext
2020-08-17 16:12:43.056 +05:30 [DBG] Adding idp claim with value: local
2020-08-17 16:12:43.056 +05:30 [DBG] Adding amr claim with value: pwd
2020-08-17 16:12:43.057 +05:30 [DBG] Adding auth_time claim with value: 1597660963
2020-08-17 16:12:43.071 +05:30 [INF] AuthenticationScheme: idsrv signed in.
2020-08-17 16:12:43.073 +05:30 [DBG] client configuration validation for client http://localhost:5001/saml succeeded.
2020-08-17 16:12:43.099 +05:30 [DBG] Request path /saml/sso/login matched to endpoint type "Saml2Sso"
2020-08-17 16:12:43.100 +05:30 [DBG] Mapping found for endpoint: "Saml2Sso", creating handler: IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint
2020-08-17 16:12:43.101 +05:30 [INF] Invoking IdentityServer endpoint: IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint for /saml/sso/login
2020-08-17 16:12:43.105 +05:30 [DBG] Start SAML2P SSO request (after login)
2020-08-17 16:12:43.105 +05:30 [ERR] User is not authenticated

Provided certificate is not valid for encryption/decryption.

I received this error when trying to run the sample project, i.e. TestClient.

Provided certificate is not valid for encryption/decryption. There may be insufficient permissions to its private key in the windows certificate store or the certificate itself may not have the correct purposes. If you only want to use it for signing, set the Use property to Signing (CertificateUse.Signing).

It happens in Startup.cs when trying to add the testclient.pfx certificate.

    AuthenticateRequestSigningBehavior = SigningBehavior.Always
};
spOptions.ServiceCertificates.Add(new X509Certificate2(HostingEnvironment.MapPath("~/testclient.pfx"), "test"));

var options = new KentorAuthServicesAuthenticationOptions(false)

I tried the following:

  • Adding the pfx file to the Personal and Trusted Root stores
  • Giving all users/accounts (system or otherwise) full control of the folder and the pfx file
  • Changing the code as follows:
var cert = new X509Certificate2(HostingEnvironment.MapPath("~/testclient.pfx"), "test");

var serviceCertificate = new ServiceCertificate
{
    Certificate = cert,
    Use = CertificateUse.Signing
};

var spOptions = new SPOptions
{
    EntityId = new EntityId("http://localhost:50155/AuthServices"),
    AuthenticateRequestSigningBehavior = SigningBehavior.Always,
    ServiceCertificates = { serviceCertificate }
};

//spOptions.ServiceCertificates.Add(new X509Certificate2(HostingEnvironment.MapPath("~/testclient.pfx"), "test"));

But that yields another error: CryptographicException: Invalid provider type specified.

IDP not authenticated while SP is, on external SAMP2p

I am just using the sample repo (no customization) given here with a demo license. I got interesting behavior from the IdP.
Steps:

  1. Navigate to the SP (port 5001)
  2. Navigate to the login page and click external SAML2p
  3. It redirects us to the IdP (port 5000) login page; enter the credentials (alice/alice)
  4. Upon clicking login, it redirects back to the SP page and the SP is logged in
  5. Navigate to the IdP and there is no trace of the just-logged-in user alice (the "idsrv" cookie is there but no "idsrv.session")

Following is the log of the IdP: the moment before, it says logged in, and after navigating to/refreshing the IdP page it is unauthenticated.
(attached screenshot: samlpluginbug)
@scottbrady91 Any insight on this please?

SAMLRequest IssueInstant is in the future. ... with tolerance of 0 seconds. ...

Hi,

I am currently using the trial version to implement IdentityServer as a SAML Service Provider and I often get this error:

Exception: SAMLRequest IssueInstant is in the future. System: 9/19/2018 1:22:48 PM with tolerance of 0 seconds. SAML: 9/19/2018 1:22:48 PM
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+<HandleRequestAsync>d__12.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Rsk.AspNetCore.Authentication.Saml2p.Saml2pAuthenticationHandler+<HandleRequestAsync>d__3.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper+<HandleRequestAsync>d__6.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+<Invoke>d__6.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware+<Invoke>d__7.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
IdentityServer4.Hosting.BaseUrlMiddleware+<Invoke>d__3.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+<Invoke>d__7.MoveNext()

I wonder what the proper way to fix this issue is.

Thanks,

OAEP and PKCS1 paddings support

I'm testing federation of my Identity Provider with an external SAML Identity Provider. I want to enable decryption of incoming SAML assertions. Everything seems to work fine when the SAML IdP selects PKCS1 as the padding algorithm.

But when OAEP padding is used to encrypt the SAML assertion, an exception is thrown based on the response from the native library Interop.NCrypt with ErrorCode.NTE_INVALID_PARAMETER.

System.Security.Cryptography supports both padding algorithms. On the internet you can find some weaknesses of PKCS1.

BTW, do you provide access to the source code once someone obtains a license?
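The padding question in the post above comes down to reading the algorithm URI on the encrypted key instead of assuming one. The following is an added example, not code from the RSK component or this repository, of how a receiving SP picks the RSA padding from the `EncryptionMethod` algorithm declared on the `<xenc:EncryptedKey>` and why PKCS#1 v1.5 should be behind an explicit allow switch. The class, method and parameter names are hypothetical; keys and the wrapped session key are generated in-process. It targets .NET 6 or later (`RandomNumberGenerator.Fill`, `using` declarations).

```csharp
using System;
using System.Security.Cryptography;

public static class EncryptedKeyTransport
{
    // EncryptionMethod/@Algorithm URIs of XML Encryption 1.0 for RSA key transport
    public const string RsaPkcs1V15  = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
    public const string RsaOaepMgf1p = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    // Choose the RSA padding from the algorithm URI declared on <xenc:EncryptedKey>.
    // allowPkcs1: PKCS#1 v1.5 key transport is open to Bleichenbacher-style
    // padding-oracle attacks whenever the receiver's decryption failures are
    // observable, so accept it only for partners that cannot send OAEP.
    // (XML Encryption 1.1's "xmlenc11#rsa-oaep" URI, whose digest and MGF are
    // given by child elements, is deliberately not handled here.)
    public static RSAEncryptionPadding PaddingFor(string algorithmUri, bool allowPkcs1)
    {
        switch (algorithmUri)
        {
            case RsaOaepMgf1p:
                return RSAEncryptionPadding.OaepSHA1;   // xmlenc 1.0 OAEP is fixed to SHA-1 with MGF1-SHA1
            case RsaPkcs1V15 when allowPkcs1:
                return RSAEncryptionPadding.Pkcs1;
            default:
                throw new CryptographicException("Unsupported or disallowed key transport algorithm: " + algorithmUri);
        }
    }

    // Recovers the symmetric key that encrypts the assertion from the EncryptedKey's CipherValue.
    public static byte[] UnwrapKey(RSA spPrivateKey, byte[] cipherValue, string algorithmUri, bool allowPkcs1) =>
        spPrivateKey.Decrypt(cipherValue, PaddingFor(algorithmUri, allowPkcs1));

    public static void Main()
    {
        using RSA sp = RSA.Create(2048);           // the SP's decryption key pair (constructed)
        byte[] sessionKey = new byte[32];           // the AES key an IdP would wrap (constructed)
        RandomNumberGenerator.Fill(sessionKey);

        // IdP chose OAEP: the URI selects OAEP and the key unwraps
        byte[] wrappedOaep = sp.Encrypt(sessionKey, RSAEncryptionPadding.OaepSHA1);
        byte[] unwrapped = UnwrapKey(sp, wrappedOaep, RsaOaepMgf1p, allowPkcs1: false);
        Console.WriteLine(unwrapped.AsSpan().SequenceEqual(sessionKey));   // True

        // The same ciphertext treated as PKCS#1 v1.5 (a receiver ignoring the URI):
        // the padding check throws, or the output is not the key; the key is never recovered.
        bool mismatchCaught;
        try { mismatchCaught = !sp.Decrypt(wrappedOaep, RSAEncryptionPadding.Pkcs1).AsSpan().SequenceEqual(sessionKey); }
        catch (CryptographicException) { mismatchCaught = true; }
        Console.WriteLine(mismatchCaught);                                   // True

        // IdP chose PKCS#1 v1.5 and policy forbids it: refused before the private key is used
        byte[] wrappedPkcs1 = sp.Encrypt(sessionKey, RSAEncryptionPadding.Pkcs1);
        try { UnwrapKey(sp, wrappedPkcs1, RsaPkcs1V15, allowPkcs1: false); }
        catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```

The allow switch is the policy point: once every federation partner can send `rsa-oaep-mgf1p`, leave `allowPkcs1` false so that a downgraded `rsa-1_5` key cannot be used to probe the SP's private key.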

1. ID4 + RSK SAML gives the response https://localhost:44313/Home/Login?error=access_denied 2. What is RSK itself doing?

It's not an ID4 or RSK SAML plugin issue (most probably an OWIN monster issue as per Anders, or a ChallengeResult AuthenticationProperties, SignInManager.ConfigureExternalAuthenticationProperties or AspNetIdentity cookie issue), but since it is reproducible with the ID4 + RSK GitHub sample, I am mentioning it here.

  1. Launch VS2017 Community; build; delete the Chrome browser cache (everything); multiple startup (test client & RSK); breakpoints on the home controller; hit F5
  2. Click login; fill in the user ID (email) in the accounts.google.com form, then the password; it comes back to Home/Login with User.Identity.IsAuthenticated = false; again a SAML sign-in request is generated through Kentor by registering the IdP and loading metadata in AuthServices; again the Google "choose account" form; back to Home/Login... (screenshot attached);
    please note that in the Google setup (GSuite SAML config page) I have specified only the SP EntityId and SP ACS; no return/redirect/callback/start URL, and the G+ API is enabled on my SAML app;
    question 1: why no improvement in handling access_denied better? FYI: the same behaviour is noted when using Kentor with ID3.
  3. If SAML req/resp can be done using Kentor, then what is the RSK plugin doing? Upstreaming? Downstreaming?
    (attached screenshot: google_response)

What is the difference between the projects?

I find the ReadMe.md a bit lacking. Could you elaborate more?

What is IDP?
I understand the other option is IDP with Entity Framework.

What is SP? Is it service provider?
SP with IDP initiated... what does that mean?

Why would you choose one project over another?

audience restriction.

The SAMLResponse contains an incorrect audience restriction.

I am using the demo RSK SAML component connecting to a corporate secure auth server and receiving an exception (audience restriction). Is there a way to set "require audience restriction" to false?

I am still in development and the host is localhost.
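What the audience check actually compares is worth seeing before switching it off. The following is an added example, not code from the RSK component or this repository: it extracts the `Audience` values from an assertion's `Conditions` and applies the SAML Core rule (every `AudienceRestriction` must name this SP, compared as an opaque string). The assertion is a constructed stub and the class and method names are hypothetical. Disabling the check would make the SP accept an assertion the IdP minted for any of its other SPs; the fix is to make the SP's configured entityID equal the `Audience` value the corporate IdP sends (base64-decode the SAMLResponse and read `Conditions` to see it), or to register that value at the IdP.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

public static class AudienceRestrictionCheck
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed test assertion (not a real IdP response); only Conditions matters here.
    public const string SampleAssertion =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_x\" Version=\"2.0\" IssueInstant=\"2020-01-01T00:00:00Z\">" +
        "<saml:Issuer>https://idp.example.com/saml</saml:Issuer>" +
        "<saml:Conditions NotBefore=\"2020-01-01T00:00:00Z\" NotOnOrAfter=\"2020-01-01T00:05:00Z\">" +
        "<saml:AudienceRestriction>" +
        "<saml:Audience>https://sp.example.com/saml</saml:Audience>" +
        "</saml:AudienceRestriction>" +
        "</saml:Conditions>" +
        "</saml:Assertion>";

    // One inner list per AudienceRestriction element, each holding that element's Audience values.
    public static List<List<string>> Audiences(string assertionXml)
    {
        var doc = new XmlDocument { XmlResolver = null };   // no external entity/DTD fetches for untrusted XML
        doc.LoadXml(assertionXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);

        var result = new List<List<string>>();
        foreach (XmlNode restriction in doc.SelectNodes("/saml:Assertion/saml:Conditions/saml:AudienceRestriction", ns))
        {
            var audiences = new List<string>();
            foreach (XmlNode audience in restriction.SelectNodes("saml:Audience", ns))
                audiences.Add(audience.InnerText.Trim());
            result.Add(audiences);
        }
        return result;
    }

    // SAML Core 2.5.1.4: each AudienceRestriction must be satisfied independently,
    // and one is satisfied when any of its Audience values is this SP's entityID.
    // Opaque string comparison: no case folding, no trailing-slash or scheme
    // normalisation, no prefix match. An assertion with no restriction passes.
    public static bool IsIntendedAudience(string assertionXml, string spEntityId)
    {
        foreach (List<string> restriction in Audiences(assertionXml))
            if (!restriction.Contains(spEntityId))   // List<string>.Contains is an ordinal comparison
                return false;
        return true;
    }

    public static void Main()
    {
        Console.WriteLine(IsIntendedAudience(SampleAssertion, "https://sp.example.com/saml"));   // True
        Console.WriteLine(IsIntendedAudience(SampleAssertion, "https://sp.example.com/saml/"));  // False: a different entityID
        Console.WriteLine(IsIntendedAudience(SampleAssertion, "http://localhost:5001/saml"));    // False: minted for another SP
    }
}
```

The second line is the usual cause of "incorrect audience restriction" during development: the IdP was given one spelling of the entityID and the SP is configured with another, and the check is right to treat them as different parties.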

Same issue SAMLRequest IssueInstant is in the future. ... with tolerance of 0 seconds

Hello,

I have the same issue described on issue 6 (#6).

Exception: SAMLRequest IssueInstant is in the future. System: 11/5/2018 9:59:52 AM with tolerance of 0 seconds. SAML:

System.Exception: An error was encountered while handling the remote login. ---> System.Exception: SAMLRequest IssueInstant is in the future. System: 11/5/2018 9:59:52 AM with tolerance of 0 seconds. SAML: 11/5/2018 9:59:52 AM

--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Rsk.AspNetCore.Authentication.Saml2p.Saml2pAuthenticationHandler.HandleRequestAsync()
at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

How is it possible to set the "TimeComparisonTolerance" property?

Thanks a lot.
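The "RequestTrustLength" question and the two "IssueInstant is in the future ... with tolerance of 0 seconds" reports on this page are the same pair of checks seen from both ends. The following is an added example, not code from the RSK component or this repository, that writes the checks out as a plain function so the effect of a clock-skew tolerance and a trust window can be seen. `Validate`, `ParseIssueInstant` and the parameter names are hypothetical; the component's own options (`RequestTrustLength`, `TimeComparisonTolerance`) are only quoted from the issues and are not claimed to behave exactly like this. The sample timestamps are constructed; the two "in the future" errors display identical times at second resolution, so the difference they hit was most likely sub-second, which is what the first case reproduces.

```csharp
using System;
using System.Globalization;

public static class IssueInstantCheck
{
    public enum Result { Ok, InFuture, TooOld }

    // issueInstant : the IssueInstant attribute of the AuthnRequest or Response (UTC)
    // now          : the receiver's clock (UTC)
    // skew         : tolerance for the two clocks disagreeing, applied in both directions
    // trustLength  : how long after issue a message is still accepted
    public static Result Validate(DateTime issueInstant, DateTime now, TimeSpan skew, TimeSpan trustLength)
    {
        if (issueInstant.Kind != DateTimeKind.Utc || now.Kind != DateTimeKind.Utc)
            throw new ArgumentException("IssueInstant comparisons must be done in UTC");

        // "in the future": issued later than the receiver's clock by more than the skew
        if (issueInstant > now + skew)
            return Result.InFuture;

        // "too old to trust": the trust window (plus skew) has elapsed since issue
        if (issueInstant < now - trustLength - skew)
            return Result.TooOld;

        return Result.Ok;
    }

    // xs:dateTime as SAML writes it, e.g. "2018-09-19T13:22:48Z", optionally with fractional seconds.
    public static DateTime ParseIssueInstant(string value) =>
        DateTime.Parse(value, CultureInfo.InvariantCulture,
            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal);

    public static void Main()
    {
        // Constructed values: the receiver's clock sits at the second shown in the quoted errors.
        DateTime now = new DateTime(2018, 9, 19, 13, 22, 48, DateTimeKind.Utc);
        DateTime slightlyAhead = ParseIssueInstant("2018-09-19T13:22:48.400Z"); // sender's clock 400 ms ahead
        DateTime twoMinutesAgo = ParseIssueInstant("2018-09-19T13:20:40Z");     // user spent 2 min 8 s on a form

        TimeSpan noSkew = TimeSpan.Zero;
        TimeSpan fiveSeconds = TimeSpan.FromSeconds(5);
        TimeSpan twoMinutes = TimeSpan.FromMinutes(2);

        // Tolerance 0: a sub-second clock difference is already "in the future".
        Console.WriteLine(Validate(slightlyAhead, now, noSkew, twoMinutes));       // InFuture
        // A few seconds of skew absorb clock drift without opening a replay window.
        Console.WriteLine(Validate(slightlyAhead, now, fiveSeconds, twoMinutes));  // Ok
        // A request older than the trust window is rejected whatever the skew.
        Console.WriteLine(Validate(twoMinutesAgo, now, fiveSeconds, twoMinutes));  // TooOld
    }
}
```

Keep the skew at a few seconds and the trust window short: every minute added to either is a minute during which a captured AuthnRequest or Response can still be replayed. A registration form that takes longer than the window is better handled by not issuing the SAML request until the user has finished the form than by lengthening the window to 20 minutes.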

SubjectConfirmationData Not Found

I got an exception after login, when I was redirected back to the client website. They require SubjectConfirmationData in the response. Do you know how I can include this in the response? Am I missing some setting?

This issue has been fixed by upgrading the package Rsk.IdentityServer4.Saml.

Saml2pAuthenticationOptions for dynamic schemes

Hello,

I'm trying to set up dynamically registered external SAML IdPs in IdentityServer4. I've opened a question on Stack Overflow.

I suppose I'm missing some service registered in the DI container, but I could not find anything on it.
I can provide any additional info if required.

invalid acs url reported

I hosted the saml2p SP application in Azure without any DNS binding, but the requests come from the Azure gateway to the SP with a subdomain. While the SP application tries to navigate to the IdP for authentication it shows an "Invalid ACS URL" error.

The IdP has two SPs configured as below, one with the subdomain and the other with the default Azure URL.
Gateway request URL: spagw.test.com (this is not working)

Below are the 2 SPs configured at the SAML2p IdP server:

new ServiceProvider
{
    EntityId = "https://spagw.test.com/saml",
    AssertionConsumerServices =
    {
        new Service(SamlConstants.BindingTypes.HttpRedirect, "https://spagw.test.com/signin-saml")
    },
    SigningCertificates = { new X509Certificate2("myCert2020.cer") }
}
new ServiceProvider
{
    EntityId = "https://test-sp-portal-web.azurewebsites.net/saml",
    AssertionConsumerServices =
    {
        new Service(SamlConstants.BindingTypes.HttpPost, "https://test-sp-portal-web.azurewebsites.net/signin-saml")
    },
    SigningCertificates = { new X509Certificate2("myCert2020.cer") }
}

IDP configuration at SP portal

IDP1

    .AddSaml2p("idp1", options =>
    {
        options.Licensee = "TEST";
        options.LicenseKey = "LicenseKey";

        options.IdentityProviderOptions = new IdpOptions
        {
            EntityId = ssoSettings.SamlSSO,
            SigningCertificates = new List<X509Certificate2> { new X509Certificate2(Convert.FromBase64String(@"MIIGSzCCBTOgAwIBAgIJAJbzTeuezhBtMA0GCSqGSIb3DQEBCwUAMIG0MQswCQ")) },
            SingleSignOnEndpoint = new SamlEndpoint("https://idp.myidpserver.com/saml/sso", SamlBindingTypes.HttpPost),
            SingleLogoutEndpoint = new SamlEndpoint("https://idp.myidpserver.com/saml/sso", SamlBindingTypes.HttpPost),
        };

        options.ServiceProviderOptions = new SpOptions
        {
            EntityId = "https://test-sp-portal-web.azurewebsites.net/saml",
            MetadataPath = "/saml/metadata",
            SignAuthenticationRequests = true,
            SigningCertificate = new X509Certificate2("myCert2020.pfx", "pfxpassword@123")
        };

        options.NameIdClaimType = "sub";
        options.CallbackPath = "/signin-saml";
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        // IdP-Initiated SSO
        options.AllowIdpInitiatedSso = true;
        options.IdPInitiatedSsoCompletionPath = "/";
    })
IDP2

    .AddSaml2p("idp2", options =>
    {
        options.Licensee = "TEST";
        options.LicenseKey = "LicenseKey";

        options.IdentityProviderOptions = new IdpOptions
        {
            EntityId = ssoSettings.SamlSSO,
            SigningCertificates = new List<X509Certificate2> { new X509Certificate2(Convert.FromBase64String(@"MIIGSzCCBTOgAwIBAgIJAJbzTeuezhBtMA0GCSqGSIb3DQEBCwUAMIG0MQswCQ")) },
            SingleSignOnEndpoint = new SamlEndpoint("https://idp.myidpserver.com/saml/sso", SamlBindingTypes.HttpRedirect),
            SingleLogoutEndpoint = new SamlEndpoint("https://idp.myidpserver.com/saml/sso", SamlBindingTypes.HttpRedirect),
        };

        options.ServiceProviderOptions = new SpOptions
        {
            EntityId = "https://spagw.test.com/saml",
            MetadataPath = "/saml/metadata",
            SignAuthenticationRequests = true,
            SigningCertificate = new X509Certificate2("myCert2020.pfx", "pfxpassword@123")
        };

        options.NameIdClaimType = "sub";
        options.CallbackPath = "/signin-saml";
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        // IdP-Initiated SSO
        options.AllowIdpInitiatedSso = true;
        options.IdPInitiatedSsoCompletionPath = "/";
    })

Both SP requests above go to the same IdP but as different clients.

How do I resolve the subdomain requests without binding the subdomain to the host, given that it is not originally bound to the application?

The SAML metadata is generated like below:

<EntityDescriptor ID="_cc5d1b6f-4ff3-43d6-9b6b-fce2682418ce" entityID="https://idp.myidpserver.com/saml"
                  p1:saml2="urn:oasis:names:tc:SAML:2.0:assertion" cacheDuration="PT1H" xmlns:p1="xmlns"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://test-sp-portal-web.azurewebsites.net/" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://test-sp-portal-web.azurewebsites.net/" />
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://test-sp-portal-web.azurewebsites.net/signin-saml" index="1" />
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://test-sp-portal-web.azurewebsites.net/signin-saml" index="2" />
  </SPSSODescriptor>
</EntityDescriptor>


but the url's in SAML should be **https://idp.myidpserver.com** instead of  **https://test-sp-portal-web.azurewebsites.net**
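"Invalid ACS URL" is the IdP refusing to send an assertion anywhere but an ACS endpoint registered for the requesting SP, and the metadata quoted above shows the SP advertising the azurewebsites host rather than the gateway host, so the two sides disagree. The following is an added example, not code from the RSK component or this repository, showing both halves: the exact-match check an IdP applies (the same rule the "Invalid redirect_uri" issue earlier on this page hit for OIDC, where http://localhost:7000/signin-oidc was never going to match a registered http://localhost:5001/signin-oidc) and the ASP.NET Core forwarded-headers configuration that lets an SP behind a gateway compute its public URL. The assumption, consistent with the metadata shown but not confirmed by the component's documentation, is that the SP builds its ACS URL from the incoming request's scheme and host. `AcsUrlCheck`, `RegisteredSp` and `SpHosting` are hypothetical names; the `ForwardedHeadersOptions` API is ASP.NET Core's own (package Microsoft.AspNetCore.HttpOverrides, part of the shared framework).

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;

// IdP side: an AuthnRequest is only answered at an ACS URL that is registered
// for the requesting SP, compared as an exact string.
public static class AcsUrlCheck
{
    public sealed record RegisteredSp(string EntityId, IReadOnlyList<string> AcsUrls);

    public static bool IsRegisteredAcs(RegisteredSp sp, string requestedAcs)
    {
        // Must be an absolute https URL before it is even compared
        if (!Uri.TryCreate(requestedAcs, UriKind.Absolute, out Uri parsed) || parsed.Scheme != Uri.UriSchemeHttps)
            return false;

        foreach (string registered in sp.AcsUrls)
            if (string.Equals(registered, requestedAcs, StringComparison.Ordinal))
                return true;   // no prefix match, no host or path normalisation, no wildcards

        return false;
    }

    public static void Main()
    {
        // Constructed from the first ServiceProvider entry in the issue above
        var gatewaySp = new RegisteredSp("https://spagw.test.com/saml", new[] { "https://spagw.test.com/signin-saml" });

        Console.WriteLine(IsRegisteredAcs(gatewaySp, "https://spagw.test.com/signin-saml"));                        // True
        Console.WriteLine(IsRegisteredAcs(gatewaySp, "https://test-sp-portal-web.azurewebsites.net/signin-saml"));  // False: same app, other host
        Console.WriteLine(IsRegisteredAcs(gatewaySp, "https://spagw.test.com/signin-saml/../admin"));               // False: exact only
        Console.WriteLine(IsRegisteredAcs(gatewaySp, "http://spagw.test.com/signin-saml"));                         // False: not https
    }
}

// SP side: behind a gateway, let the SP see the public scheme and host so the
// ACS URL it writes into its AuthnRequest and metadata is the registered one.
// Trust X-Forwarded-* only from the gateway's address; otherwise any client
// could choose the host that ends up in those messages.
public static class SpHosting
{
    public static void UseGatewayHeaders(IApplicationBuilder app, IPAddress gatewayAddress, string publicHost)
    {
        app.UseForwardedHeaders(new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost,
            KnownProxies = { gatewayAddress },
            AllowedHosts = { publicHost },   // e.g. "spagw.test.com"
        });
        // Register this before UseAuthentication() / UseIdentityServer() so the
        // SAML handler already sees the rewritten Request.Scheme and Request.Host.
    }
}
```

With the gateway host restored on the SP side, one SP registration at the IdP (entityID and ACS both on spagw.test.com) is enough; the second registration on the azurewebsites host then only serves direct access that bypasses the gateway, which is usually better blocked than federated.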

Getting error when single signon with HttpRedirect

I just upgraded Rsk.IdentityServer4.Saml from version 2.1.2.18 to 2.3.2.55 and I noticed that when doing single sign-on with the HttpRedirect binding we get an error in signature validation.
The same action was working fine with the previous version of this library.

Did something change in the latest build?

Request Url:
http://localhost:5000/saml/sso?SAMLRequest=jdFNa8MwDAbge6H%2Fwfje%2BaNJvYokENpLobu0Ww%2B7Oa5HAomdWU7Zz1%2BadbDCGLtKeuCVlKHuWtlDOcTaHez7YDGSj651CF%2BdnA7BgdfYIDjdWYRo4Fg%2B7UE%2BcOiDj974lv40fxONaENsvKNkt81pc1ZK6Iqrc6UUTyprKylX%2BlEszZtcL1WyouRkA44gp6MfFeJgdw6jdnEscbFecLkQybPkkHAQ6pWS7bhG43ScVB1jD4y13ui29hgh5Zyza1SG6CkpvxNtvMOhs%2BFow6Ux9uWw%2FxWLNGXXe93GkJUGaTGfEZJN%2B8OUMBT%2FoBm7E%2FPZrXD%2FkOITAAAAAAAAAAAAAA%3D%3D&RelayState=SJU4voQzFUpSTXcBC2N1u60y4K5GoTBqW6KhYeO_WwiCAvZ-NZ8tmmeJ&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=gDnxSNCusBgmswKiAeaN9yvmMwxTbF3DJATVwqxPD2VcpS%2FRygzeW5KrlEfWCPyVJUFwKJQ8JwcjJiGvko7TDdapHdYS8I6Z6HbJbBbPnLPhLrEdVgsMVeItJOuKVWDHgGUsX1OT%2FeXP83utjhHITCLu3R2sfnK4Rh0LGyNWNcki1e2ZCswKTrO4rhkX7oqsYNAd1K%2FT0DeCIteT%2Fm0QSYDXe2R1rfeuj%2FmUmdeafe9DSvSieRR1qKjyMnBCbp3ViPXmZl%2FCBqCnF8CrbqF98hFlScXvI7iqQbPQx%2B62j3LFUjJHrHZTFumhCvwUKz7R2xiOGAn00YCyKKODgW1f9g%3D%3D

StackTrace:

System.NullReferenceException: Object reference not set to an instance of an object.
at IdentityServer4.Saml.Validation.Validators.SignatureValidator.Validate() in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Validation\Validators\SignatureValidator.cs:line 78
at IdentityServer4.Saml.Validation.Saml2SingleSignOnRequestValidator.ValidateAsync(NameValueCollection parameters, String bindingType, String rawUrl, String baseUrl, String issuerUri, ClaimsPrincipal subject) in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Validation\Saml2SingleSignOnRequestValidator.cs:line 58
at IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint.ProcessSingleSignOnRequest(HttpContext context, NameValueCollection parameters, String bindingType, String samlRequestUrl, ClaimsPrincipal user) in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Endpoints\Saml2SingleSignOnEndpoint.cs:line 139
at IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint.ProcessSingleSignOn(HttpContext context) in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Endpoints\Saml2SingleSignOnEndpoint.cs:line 100
at IdentityServer4.Saml.Endpoints.Saml2SingleSignOnEndpoint.ProcessAsync(HttpContext context) in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Endpoints\Saml2SingleSignOnEndpoint.cs:line 59
at IdentityServer4.Saml.Hosting.IdentityServerSamlMiddleware.Invoke(HttpContext context, ISamlEndpointRouter router, IMemoryCache cache, SamlIdpOptions options) in E:\TeamCity\buildAgent\work\73e6199d397b0702\src\IdentityServer4.Saml\Hosting\IdentityServerSamlMiddleware.cs:line 39
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events) in C:\local\identity\server4\IdentityServer4\src\Hosting\IdentityServerMiddleware.cs:line 72
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in C:\local\identity\server4\IdentityServer4\src\Hosting\BaseUrlMiddleware.cs:line 36
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Multi-tenant support

Samples indicate that multiple IDPs are supported. Is configuration for such scenarios done entirely in code? Are any other configuration modes supported?

HttpPost Logout response

With the latest release on Rsk.IdentityServer4.Saml version 2.2, I'm seeing the below note:
Added full support for redirect and post bindings
Added SP-initiated logout

So shall I assume that Single Logout SAML response will be posted from Idp to service provider with HttpPost binding? If so, can you provide us some sample code on how to achieve that?

Incorrect SAML request URL with Idp URL containing querystring

Hi, we face a problem when integrating with Google Workspace using SAML.

The Google workspace SSO URL looks like this:
https://accounts.google.com/o/saml2/idp?idpid=xyz

When generating the SAML request, the generated URL looks like this:
https://accounts.google.com/o/saml2/idp?idpid=xyz?SAMLRequest=fJFNb8IwDIb%2FSp

This results in an error from Google. We need to replace the "?" with "&" to make it a valid request:
https://accounts.google.com/o/saml2/idp?idpid=xyz&SAMLRequest=fJFNb8IwDIb%2FSp

Could you fix the issue please?

Adding Extra Attribute for SAMLRequest

Greetings,

I want to add one more attribute to SAMLRequest:

https://localhost:8080/samlsso?SAMLRequest=fJFPb8IwDMW%2FSpV727SlBSxAYuMwJKYh2u2wy5SmEURqnS5Oxz7%2Bwj9pXDjafj%2FrPXtGomvTHpaDO%2BBOfQ%2BKXPDbtUhwmczZYBGMIE2AolMETkK5fN1AGnHorXFGmpb9Zx4jgkhZpw2yYL2as6%2BimIzkJKvzUdGM8jqdJtM6S%2BRYjtVYyqxhwYey5PVz5nEPEQ1qjeQEOt%2FiKQ95FiZFxaeQJ8D5JwtWPoVG4c7UwbmeII6Px2OkRReRiE82iQwLljczzwZp6JQtlf3RUr3vNhfQc62Roj0YcpBzzmPSe9QYnlawYHvN%2F6Sx0bh%2FnLy%2BiAheqmobbt%2FKii1m54vBOZRd3Kz2VvnLNqHoe4qsarznWXynvJb3j1v8AQAA%2F%2F8DAA%3D%3D&RelayState=zF43mWwSY1nDuAl5LVpLJgsr&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=YHTen21lr3JFtIRp2YdXCDE6g6Q%2FnVnzc0m3UISxU%2FBSq%2B5nPRs6doGmRnKW33sLcZM6L2I34AWcoh4eD03jD%2BnITZzKaF0DOUeY8hRs7RiP4GG22OjGqJjz7CUO2q3WT8HfC709WAreTqdktu296haZZUp2tqOpNj0%2BpwxDFQs5oOMfJIEsbLavzuINfTgba04vQr1CkdMpQz2NFM9HONIZ8uSFhxWPiE6tqSBJqHodHpK2j9Sf5SJPGFHrQ3VA8XuWbNCZoxFlCJqmzpZj8lpIQIsiW1U8CY1MY3vzPQ3kkWpJvUqClA87aPNUOHfDE2%2FW9YaelRGjOO%2FwqXs4Sg%3D%3D

I want to add &lang=ar to the above request.

I couldn't find anything that could help me find a trace for this thing.
It happens right after calling this endpoint: External/Challenge
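The two issues above (the "?" vs "&" separator when the IdP SSO URL already carries a query, and appending an extra parameter such as lang=ar) come down to how a SAML 2.0 HTTP-Redirect binding URL is assembled. The following is an added, stand-alone Python example, not code from the Rsk SAML component or from these samples: it deflates and base64-encodes a constructed AuthnRequest, signs only the SAMLRequest/RelayState/SigAlg portion in the order the binding prescribes, picks the separator from whether the IdP URL already has a query, and appends extra parameters outside the signed data. The signer is an injected callback; the sha256 stand-in below is a placeholder for the SP's real RSA-SHA256 signature.

```python
import base64
import hashlib
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample AuthnRequest; not a request taken from the issues above.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>'
)
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def deflate_encode(xml: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def inflate_decode(value: str) -> str:
    """Inverse of deflate_encode, as the receiving IdP does."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def signed_query(request_b64: str, relay_state, sig_alg: str, sign) -> str:
    """SAMLRequest[&RelayState]&SigAlg in that exact order is the only signed data:
    the IdP's own query (idpid=...) and extras such as lang=ar are outside the
    signature. `sign` is an injected signer (bytes -> bytes)."""
    parts = ["SAMLRequest=" + quote(request_b64, safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(sig_alg, safe=""))
    to_sign = "&".join(parts)
    sig_b64 = base64.b64encode(sign(to_sign.encode("ascii"))).decode()
    return to_sign + "&Signature=" + quote(sig_b64, safe="")

def build_redirect_url(idp_sso_url: str, query: str, extra=None) -> str:
    """Join the signed query onto the IdP SSO URL. Always using '?' is the bug
    reported above: when the IdP URL already has a query, the separator is '&'."""
    sep = "&" if urlsplit(idp_sso_url).query else "?"
    url = idp_sso_url + sep + query
    for key, value in (extra or {}).items():
        url += "&" + quote(key, safe="") + "=" + quote(value, safe="")
    return url

def redirect_params(url: str) -> dict:
    """Parse the final URL the way the IdP sees it (single-valued parameters)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def stand_in_signer(data: bytes) -> bytes:
    # Placeholder for the SP's RSA-SHA256 signature; a real SP signs with its private key.
    return hashlib.sha256(data).digest()
```

Because extra parameters sit outside the signed string, the IdP cannot rely on them being untampered; they should only carry non-security data such as a UI language.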
