In src/Owin.Security.Saml/SamlMessage.cs, the following code produces a bad uri if request.Destination contains a ?:

var redirectLocation = request.Destination + "?" + redirectBuilder.ToQuery();

In trying to use Google Apps new IdP (which passes the IdP as a query parameter), the request fails since the SAMLRequest parameter is not appended with & but instead with an additional ?.

When testing SAML2 responses, this is what I do to decode the response string:
1- URL decode
2- Base64 decode
3- Inflate the string

With this method, I'm able to see SAML2 responses. Many online SAML2 debugging tools provide this as well.

However, this library only URL decodes and then Base64 decodes, and does not inflate the string - hence cannot understand the response (the relevant code is in Utility.cs, GetDecodedSamlResponse method)

Am I missing something - is this not part of the standard?

I think it is better to have an option to specific the time the generated metadata valid for, or simply not showing it in the metadata at all. I have done the code change in my fork.

stevenao@eba7f23

Guys,

would be nice to have an example on how can I trigger the logout.
Starting from the example, and calling

HttpContext.GetOwinContext().Authentication.SignOut( new AuthenticationProperties { RedirectUri = callbackUrl }, "SAML2");

I am not able to get redirect to a logout page.
Any cloue?

It would be nice to have an AddMetadataByUrl method in SAML2.Config.IdentityProviders because the identity provider we use only lets us use their metadata for 1 day. So at this moment I should create a Deamon that downloads the metadata every day. Put it in the correct directory and hope it goes well.

Is this easy to implement?

Thanks for the help and for this great library.

While using the Nuget version I found that the sample code didn't work one of the things was that the method AddByMetadataUrl was not available

Hi,
I am not able to get back the details from the SalesForce Api. Once logged in successfully, i still get redirected to the login page infinitely.

The following are the configurations done in Salesforce

Enabled the SAML SSO
Created the service provider and set the localhost urls for those
Downloaded the Self-signed certificate from Salesforce and added that the the project source so that it will be used to sign the requests
Downloaded the metadata from salesforce and then set that in the metadata folder so that it will be used.
After login, the following method always returns null

AuthenticationTicket ticket = await AuthenticateAsync();

so there is an infinite loop of redirections

I have also verified the steps as given in the following link http://www.jitendrazaa.com/blog/salesforce/step-by-step-guide-to-setup-federated-authentication-saml-based-sso-in-salesforce/

Can you please help me

Testshib and some other idp are complaining about the generated metadata that the contact elements don't have a lang attribute. I think it is better to have a way a way to specific that as an option. See my commit: stevenao@4ec9398.

SAML2/src/Owin.Security.Saml/SamlAttributeExtensions.cs is the related file. It will be better if we can have multiple claims instead of a comma separated string in terms of reading the claims value. I believe that comma is actually a valid character in the SAML2 attribute specs. In the event that the original attribute value contains a common, it will render the claim value to have incorrect value.

It has been kind of suggested in StackOverflow to add multiple claims in case of have multiple attribute values: http://stackoverflow.com/questions/24849031/storing-a-list-of-string-in-claim-system-security-claims

Need to have saml as service prodiver to validate the saml 2 token using .net core.

Supported?

Thanks

I see the library is trying to preserve the content in AuthenticationResponseChallenge.Properties in the RelayState through some custom encoding and decoding method (using & and = to delimit key and values). However, that custom method will not do its job when there is "&" or "=" in the key or value itself. I have implemented a fix for it. Please see stevenao@d4d4864.

Thanks.

Good day,
is there a way to use the libs for an Identity Provider implementation?

Thanks in advance

Hi! I have a scenario where I have multiple IdPs, and I've put their metadata files in a single folder which I add using saml2Config.IdentityProviders.AddByMetadataDirectory.
Is it possible to map attributes of a request (e.g. host name) to the appropriate IdP? If so, what's the recommended method?

I downloaded AAD metadata from: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml but following attempt at OWIN config fails with 'Metadata signature could not be verified':
var metadata = new XmlDocument() { PreserveWhitespace = true };
metadata.Load(@"C:\Workspaces\Projects\OwinSAML2\OwinSAML2\metadata.xml");
var samlConfig = new SAML2.Config.Saml2Configuration()
{
ServiceProvider = new SAML2.Config.ServiceProvider()
{
Id = "https://owinwsfedsample.com",
Server = "https://localhost:44381/",
},
IdentityProviders = new IdentityProviders(new IdentityProvider[]
{
new IdentityProvider()
{
Metadata = new Saml20MetadataDocument(metadata), OmitAssertionSignatureCheck = true
}
}),
AllowedAudienceUris = new List { new Uri("https://owinwsfedsample.com") }
};

It seems like the metadata your package provides does not really follow the standard.

SimpleSamlPHP metadata

Metadata of Owin.Security.Saml

The SimpleSaml implementation seems to use xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" as namespaces. Most elements are prepended with <md: like <md:EntityDescriptor ......> , is this something we could fix in the source? No idea where to start.

Our third party identity provider states that our metadata (from your package) is not correct.

Im getting the null ref error on
file - startup.cs
method - FileEmbeddedResource
line - stream.CopyTo(memoryStream);

any help?

Does Owin.Security.Saml support SAML logout? I see that only AuthnRequest gets created for SignIn and SignOut. And redirectUri is set for 'SignIn' irrespective of whether it is SignIn or SignOut.

I am using SAML2.Core library for decrypting incoming SAML assertions. It was working fine in my local environment and when I pushed the code to server decryption failed. After looking into the logs we are getting the foolwing Error

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Generated: Mon, 22 Oct 2018 07:41:40 GMT

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.RijndaelManaged..ctor()
at SAML2.Saml20EncryptedAssertion.GetKeyInstance(String algorithm)
at SAML2.Saml20EncryptedAssertion.ToSymmetricKey(XmlElement encryptedKeyElement, String keyAlgorithm)
at SAML2.Saml20EncryptedAssertion.Decrypt()
at WebHost.Utilities.FederationHelper.DecryptAssertion(String responseCipher) in C:\WorkArea\PPSSource\QA\Source\PPSWeb\IdentityServer3\Source\WebHost\Utilities\FederationHelper.cs:line 263
at WebHost.Utilities.FederationHelper.DecodeAssertion(String rawAssertion) in C:\WorkArea\PPSSource\QA\Source\PPSWeb\IdentityServer3\Source\WebHost\Utilities\FederationHelper.cs:line 38

When I gone through the source code, In Saml20Encryptedassertion.cs class GetKeyInstance() method it was using RijndaelManaged class which is not FIPS compliant. Then after some research I replaced the RijndaelManaged with AesCryptoServiceProvider() it works fine.

I have put this here since I didn't find much on the internet about this. Hope some one will benifit out of it.

Can you guys put this into next release?

Thanks

I'm getting an error while trying to add an identity provider based on an ADFS metadata file, the error is:

{"The specified type was not recognized: name='ApplicationServiceType',
namespace='http://docs.oasis-open.org/wsfed/federation/200706',
at ."}

It comes from the Deserialize method in the Serialization class