ITfoxtec.Identity.Saml2 | ITfoxtec Identity Saml2 adds SAML-P support | Authentication library
kandi X-RAY | ITfoxtec.Identity.Saml2 Summary
The ITfoxtec Identity Saml2 package adds SAML-P support for both Identity Provider (IdP) and Relying Party (RP). The package implements the most important parts of the SAML-P standard and some optional features. Message signing and validation as well as decryption are supported. The package supports SAML 2.0 login, logout, single logout and metadata. Both SP-initiated and IdP-initiated sign-on are supported. Please see the test samples. The package supports signing/encryption certificates in Azure Key Vault; please see the TestWebAppCoreAzureKeyVault sample. The package is tested for compliance with AD FS, Azure AD and Azure AD B2C. It also supports the Danish NemLog-in2 (NemID) / OIOSAML 2 and NemLog-in3 (MitID and NemID) / OIOSAML 3. The TestWebAppCoreNemLogin3Sp sample application is configured (both as a private IT system and as a public IT system) with NemLog-in3 and shows how to implement a NemLog-in3 Service Provider (SP).
Community Discussions
Trending Discussions on ITfoxtec.Identity.Saml2
QUESTION
I have an application built with .NET Core. This application is very simple, but the problem is that I have to integrate a 2FA app (PingId) for double security instead of one simple login. I am guided to use SAML for building bridges between Service Provider and Identity Provider. I have found some solutions online, and one of them that is open source is itfoxtec.identity.saml2.
What I want to know is whether anyone can explain how this works. I mean I cannot understand some URLs in the appsettings.json file.
Here is a demo of this file:
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/appsettings.json
For example, is the IdPMetadata key an XML file that has to be provided by the Identity Provider administrator?
Is SigningCertificateFile a certificate generated by my Service Provider app, or is it something built inside the application? If so, how do I generate it?
ANSWER
Answered 2022-Mar-30 at 19:38
Yes, the identity provider (IdP) should expose a SAML 2.0 metadata endpoint; the URL is added in the IdPMetadata setting.
The TestIdPCore sample is for testing the samples and to show how to implement a SAML 2.0 based IdP.
Your application (relying party, RP) needs a certificate, which is e.g. added as a file in SigningCertificateFile.
QUESTION
I have created an IDP using the code contained within https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestIdPCore/Controllers/AuthController.cs
This is throwing an error when I attempt to bind the authNResponse using the following code:
...
ANSWER
Answered 2022-Jan-05 at 09:00
Maybe you are missing the part of adding claims to the token and creating the token?
QUESTION
We are getting "Signature is invalid" errors while calling Unbind() and stumbled upon this in the code:
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/42a2d6de46f38d14f0c6f607594d19f2366ad5f2/src/ITfoxtec.Identity.Saml2/Bindings/Saml2PostBinding.cs#L106
Why is the validateXmlSignature argument always true within UnbindInternal()?
ANSWER
Answered 2021-Nov-12 at 08:53
The validateXmlSignature argument is always true because the signature is placed in the XML in a POST binding and the SAML 2.0 Authn response signature has to be validated. The signature validation is the trust of the SAML 2.0 token.
QUESTION
I have one IdP and two SPs (A and B) set up. SSO works great between them. Single Logout also works when I log out from site A (it logs the user out from site B too), but an issue occurs when I am trying to log out from site B. It logs the user out from site B, but when I navigate to site A I'm still logged in until I delete the session cookies or the session times out.
Site A uses the ITfoxtec.Identity.Saml2 SAML 2.0 MVC implementation.
If I manually delete cookies and refresh the page I'm redirected to the login page.
It seems that it kills the session, but the session cookies persist in the browser and let the user browse until they expire; it cannot renew them.
SingleLogout endpoint is the same as in example (Source from ITfoxtec.Identity.Saml2 - TestWebApp)
Have you seen anything like it? I ran out of ideas what could be done in this case.
...
ANSWER
Answered 2021-Oct-26 at 18:45
It is probably your IdP restricting sending the cookie to site A but not to site B when the browser is redirected from the IdP to site A. If that is the case you can try to use POST instead of redirect. POST is probably not restricted.
You can debug by tracing the HTTPS traffic in Fiddler or maybe in the browser.
QUESTION
I'm trying to integrate OpenAM SAML SSO into my .NET 5 application. ITfoxtec.Saml2 is used to handle the authentication on the SP. When trying to log in, a valid POST samlResponse is sent. But when validating the response, I get the following exception.
...
ANSWER
Answered 2021-Oct-26 at 09:03
The ITfoxtec Identity Saml2 package does not read the IdP signing certificate in the EntityDescriptor/KeyDescriptor element; the element is not supported.
The IdP certificate is read in the EntityDescriptor/IDPSSODescriptor/KeyDescriptor element.
Valid IdP metadata sample for the TestIdPCore sample:
QUESTION
I'm writing a SAML2 service provider/relying party. My IdP is returning Assertions in an encrypted form (EncryptedAssertion element). Is this Assertion decryption scenario supported by ITfoxtec.Identity.Saml2? I'm getting this exception:
ANSWER
Answered 2021-Oct-25 at 13:12
Finally got it! I just needed to set Saml2Configuration.DecryptionCertificate.
QUESTION
I am trying to set up an authentication mechanism based on the new OIOSAML 3.0. Using your https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCoreNemLogin3Sp works fine for me.
However, having moved the various startup calls over into my own code I get an HTTP 404 on the redirects to '/idp/saml/3.0/?...'
The same thing happens when I take your example but change over to my own organisation metadata.
I thought these endpoints would be set up by the calls to AddSaml2() and UseSaml2() in Startup.cs, but that does not seem to be the case.
Can you lend any insight into where and how these endpoints are added to the project?
...
ANSWER
Answered 2021-Oct-07 at 07:52
The IdP endpoint is read from the NemLog-in metadata. In the sample the NemLog-in metadata is in the TestWebAppCoreNemLogin3Sp-metadata.xml file.
The NemLog-in metadata is read in Startup.cs line 39, and the endpoints are read in lines 43 and 44.
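The two answers above (the IdP certificate being read only from EntityDescriptor/IDPSSODescriptor/KeyDescriptor, and the IdP endpoints coming from the metadata file rather than from AddSaml2()/UseSaml2()) both come down to what an SP extracts from IdP metadata. The following is an added, stand-alone example in Python, not code from ITfoxtec.Identity.Saml2: it parses a constructed metadata document, pulls the SingleSignOnService/SingleLogoutService locations from IDPSSODescriptor, and separates certificates the library will use from an entity-level KeyDescriptor that it ignores, so the "Signature is invalid" symptom can be caught when metadata is onboarded rather than at login time.

```python
# Added example (not ITfoxtec.Identity.Saml2 code): read from IdP metadata what
# an SP needs and flag a signing certificate placed where the library ignores it.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: one KeyDescriptor directly under EntityDescriptor (the
# unsupported placement) and one inside IDPSSODescriptor. Certs are dummies.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>ENTITYLEVELCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>IDPSSOCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _certs(parent):
    # Direct KeyDescriptor children only; no 'use' attribute means signing too.
    out = []
    for kd in parent.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                out.append("".join(c.text.split()))  # strip base64 line breaks
    return out


def inspect_idp_metadata(xml_text):
    """Return entityID, SSO/SLO endpoints and usable signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(name):
        e = idp.find("md:" + name, NS)
        return e.get("Location") if e is not None else None
    return {
        "entity_id": root.get("entityID"),
        "sso_location": location("SingleSignOnService"),
        "slo_location": location("SingleLogoutService"),
        # Only these certificates are read for AuthnResponse signature validation.
        "signing_certs": _certs(idp),
        # Certificates here are not read; if the IdP publishes its key only at
        # this level, the runtime symptom is "Signature is invalid".
        "ignored_entity_level_certs": _certs(root),
    }
```

If `signing_certs` comes back empty while `ignored_entity_level_certs` does not, the IdP metadata needs the KeyDescriptor moved (or duplicated) into IDPSSODescriptor before the SP can trust its responses.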
QUESTION
We have an ASP.NET 5 web app that will serve as a Service Provider to our users.
We have chosen the ITfoxtec Identity SAML 2.0 library for this purpose.
The request is successful, but in the response we get the following error:
System.ArgumentException: IDX13300: 'System.String' must be an absolute Uri, was: 'System.Uri'
For completeness here is the full stack trace:
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenReadException: IDX13102: Exception thrown while reading 'System.String' for Saml2SecurityToken. Inner exception: 'System.ArgumentException'. ---> System.ArgumentException: IDX13300: 'System.String' must be an absolute Uri, was: 'System.Uri' at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_DeclarationReference(Uri value) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader) --- End of inner exception stack trace --- at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationStatement(XmlDictionaryReader reader) at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAssertion(XmlReader reader) at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(XmlReader reader) at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(String token) at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.ReadSecurityToken(String tokenString) at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature) at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature) at ITfoxtec.Identity.Saml2.Saml2Binding1.ReadSamlResponse(HttpRequest request, Saml2Response saml2Response) at SsoGovILApi.Controllers.SamlController.AssertionConsumerService() in F:\Dev\ashilon\SsoGovIlApi\Controllers\SamlController.cs:line 45 at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask1 actionResultValueTask) at 
Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync() --- End of stack trace from previous location --- at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Logged|17_1(ResourceInvoker invoker) at Microsoft.AspNetCore.Routing.EndpointMiddleware.g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger) at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Serilog.AspNetCore.RequestLoggingMiddleware.Invoke(HttpContext httpContext) at Microsoft.AspNetCore.Builder.Extensions.UsePathBaseMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Server.IIS.Core.IISHttpContextOfT1.ProcessRequestAsync()
I have looked up the error and found that the authentication context can be ignored, and some libraries give this option, like this one for example:
IgnoreAuthenticationContextInResponse compatibility flag
Is there a way to this in the ITfoxtec library too?
Thanks in advance,
ashilon
ANSWER
Answered 2021-Sep-14 at 08:51
You can implement your own version of Saml2AuthnResponse and, on the Saml2SecurityTokenHandler property, set your own implementation of Saml2ResponseSecurityTokenHandler.
I think it should be possible to change the authentication context validation in your own implementation of the Saml2ResponseSecurityTokenHandler.
QUESTION
I feel like I'm missing something, either in my understanding of SSO, or in how IdP-initiated in the example projects (MVC and Core) at ITFoxtec.Identity.Saml2 are working.
It seems like the only project set up to be the IdP is TestIdPCore, yet the only projects that have IdPInitiatedController seem to be set up to be only a Service Provider (relying party?).
I dropped IdPInitiatedController into TestIdPCore and was able to get Initiate() to work.
I guess I am confused on how to get IdP-initiated working with the examples as they are.
Thank you for your time, both in the work done and in your responses!
...
ANSWER
Answered 2021-Aug-31 at 10:35
It sounds like you understand IdP-initiated correctly. In the old days the solution did not contain the TestIdPCore IdP sample. Therefore, the IdP-initiated sample is placed in an SP (Service Provider). But you are right, I should move it to the IdP sample.
If you like, you are welcome to do a pull request to move the IdP-initiated sample to the TestIdPCore IdP sample.
QUESTION
I'm validating AAD SSO for TestWebApp (ASP.NET MVC) from ITfoxtec / ITfoxtec.Identity.Saml2.
I confirmed login -> AAD sign-in -> redirect to app, but the app still remains not logged in.
I assigned "https://localhost:***/Metadata" as the Redirect URI.
I checked the other settings from another post.
However, that means the app only makes an XML file.
Could anyone who succeeded in logging in on the app tell me the procedure?
Or do I have to build new logic?
e.g. of logic) receive session from AAD and
ANSWER
Answered 2021-Jun-10 at 07:57
The https://localhost:***/Metadata is the metadata URL. AAD needs to redirect back to the application's AssertionConsumerService endpoint.
You can have AAD read the metadata, or you can configure the AssertionConsumerService endpoint manually in AAD.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported