
As we're developing a webapp which we want to authorize against a Shibboleth IDP, we're getting the following error after what seems like a successful login at the IDP:

An unhandled exception occurred while processing the request.

UnexpectedInResponseToException: Received message contains unexpected InResponseTo "idd95739d3bc9e44efa1154b3e62a2e121". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.

Sustainsys.Saml2.Saml2P.Saml2Response.ReadAndValidateInResponseTo(XmlElement xml, Saml2Id expectedInResponseTo, IOptions options) in Saml2Response.cs, line 153

Our startup.cs looks like this:

    services.AddAuthentication()
        .AddSaml2(options =>
        {
            options.SPOptions.EntityId = new EntityId("https://adress.to.the.SP.net");
            options.SPOptions.Compatibility.UnpackEntitiesDescriptorInIdentityProviderMetadata = true;

            options.SPOptions.ReturnUrl = new Uri(@"https://adress.to.a.site.of.our.site.net.net/Saml/Session");

            options.SPOptions.ServiceCertificates.Add(new X509Certificate2(@"wwwroot/mycert.pfx"));    // "Sustainsys.Saml2.Tests.pfx"

            options.IdentityProviders.Add(
                new IdentityProvider(
                    new EntityId("adress.to.the.IDP.net"), options.SPOptions)
                {
                    LoadMetadata = true,
                    MetadataLocation = "https://adress.to.the.MetadataLocation.xml"
                });

            IdentityProvider idp;
            var x = options.IdentityProviders.TryGetValue(new EntityId(Prov.Idp), out idp);

            X509Certificate2 ssoTest = new X509Certificate2(@"wwwroot/sso-test.pem");
            idp.SigningKeys.AddConfiguredKey(ssoTest);
        });

This is what I see when I check the browser dev tools' cookies option:

  1. GET 200 BIGipServer~idm~ipv4-shib-test: ! experimentation_subject_id: JSESSIONID: shib_idp_session:

  2. POST 500 .AspNetCore.Antiforgery.w5W7x28NAIs: ARRAffinity: Saml2.t8NpWx0u6S6zBFc97nzgN_IL:

  3. GET 200 .AspNetCore.Antiforgery.w5W7x28NAIs: ARRAffinity: Saml2.5AYF3RXdiYbN3iolD0HCRu9P:
evil_kanivel
  • Please use the browser dev tools to check that a Saml2.XYZ cookie is correctly set when redirecting to the Idp and then check that the cookie is included in the request to /Saml2/Acs. – Anders Abel Feb 15 '20 at 18:51
  • The strange thing is that when I look in the Firefox add-on "SAML Tracker" I see that an ID was set, and that this ID corresponds to an InResponseTo that I get when the exception is thrown. – evil_kanivel Feb 19 '20 at 08:59
  • @AndersAbel: could you please take a look at the traffic? Could it also be the request-string isn't quite correct? – evil_kanivel Feb 20 '20 at 09:10
  • Is the RelayState properly round-tripped? It should match the name of the cookie. Without a RelayState in the post to /Saml2/Acs, the cookie will not be found/used. – Anders Abel Feb 20 '20 at 09:15
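The correlation Anders Abel describes in the comments (a state cookie named after the RelayState, looked up when the IdP posts to /Saml2/Acs and compared with the response's InResponseTo), modelled as an added Python example; this is not Sustainsys.Saml2 code, and the cookie jar, form dictionary and unsigned response are constructed stand-ins for the real HTTP exchange.

```python
# Added illustration of the SP-initiated correlation check behind the
# UnexpectedInResponseToException above. Not Sustainsys.Saml2 code: only the
# "Saml2." + RelayState cookie naming comes from the comments; the rest is a
# constructed minimal model (no signature validation, no real HTTP).
import base64
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class UnexpectedInResponseTo(Exception):
    """Raised when InResponseTo cannot be matched to a stored request id."""

def start_sp_initiated(cookies):
    """Issue an AuthnRequest id and park it in a state cookie whose name
    embeds the RelayState that is sent along to the IdP."""
    request_id = "id" + secrets.token_hex(16)
    relay_state = secrets.token_urlsafe(18)
    cookies["Saml2." + relay_state] = request_id
    return request_id, relay_state

def build_response(in_response_to=None):
    """Constructed, unsigned <samlp:Response> as the IdP would POST it."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"{attr}/>'
    return base64.b64encode(xml.encode()).decode()

def validate_acs_post(cookies, form):
    """Correlate the posted response with stored request state. Returns the
    matched request id, or None for an unsolicited (IdP-initiated) response
    that carries no InResponseTo. The cookie is consumed on use, so a replayed
    POST cannot match the same request twice."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    in_response_to = root.get("InResponseTo")
    relay_state = form.get("RelayState")
    # Without a RelayState the matching cookie cannot even be looked up.
    expected = cookies.pop("Saml2." + relay_state, None) if relay_state else None
    if expected is None:
        if in_response_to is not None:
            raise UnexpectedInResponseTo(
                f"unexpected InResponseTo {in_response_to!r}: no state cookie found")
        return None
    if in_response_to != expected:
        raise UnexpectedInResponseTo(
            f"InResponseTo {in_response_to!r} does not match request {expected!r}")
    return expected
```

Running the same three captures as in the question against this model reproduces the failure: a POST to the ACS without the RelayState, or arriving with a cookie jar that no longer holds the Saml2.* cookie, is rejected even though the IdP did answer the request the SAML Tracker shows.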

0 Answers