
I am new to SAML2 authentication and have tried using ITfoxtec. I'm getting this error when I run my app:

AuthenticationException: The remote certificate is invalid according to the validation procedure. System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)

HttpRequestException: The SSL connection could not be established, see inner exception. System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

WebException: The SSL connection could not be established, see inner exception. The remote certificate is invalid according to the validation procedure. System.Net.HttpWebRequest.GetResponse()

I am using a certificate generated with OpenSSL and installed the pfx cert in the Trusted Root CA store in MMC. I'm not sure why it's still causing me errors. I have also added the app as a relying party trust in my ADFS already.

This is the snippet of my Startup.cs:

    using System;
    using System.Linq;
    using ITfoxtec.Identity.Saml2;
    using ITfoxtec.Identity.Saml2.MvcCore.Configuration;
    using ITfoxtec.Identity.Saml2.Schemas.Metadata;
    using ITfoxtec.Identity.Saml2.Util;
    using Microsoft.Extensions.DependencyInjection;

    public void ConfigureServices(IServiceCollection services)
    {
        // Bind the static values from the "Saml2" section of appsettings.json.
        services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));

        services.Configure<Saml2Configuration>(saml2Configuration =>
        {
            //saml2Configuration.SignAuthnRequest = true;

            // The SP's own signing certificate (cert.pfx). This is not the AD FS TLS certificate.
            saml2Configuration.SigningCertificate = CertificateUtil.Load(
                Configuration["Saml2:SigningCertificateFile"],
                Configuration["Saml2:SigningCertificatePassword"]);
            //saml2Configuration.SigningCertificate = CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SigningCertificateFile"]), Configuration["Saml2:SigningCertificatePassword"]);

            // Download the IdP federation metadata over HTTPS; this is the request
            // whose TLS handshake fails with "remote certificate is invalid".
            var entityDescriptor = new EntityDescriptor();
            entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
            if (entityDescriptor.IdPSsoDescriptor != null)
            {
                // Copy issuer, endpoints and the IdP signing certificates from the metadata.
                saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
                saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
                saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
                saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
                if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue)
                {
                    saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
                }
            }
            else
            {
                throw new Exception("IdPSsoDescriptor not loaded from metadata.");
            }
        });
        services.AddSaml2();
    }

And this is my appsettings.json:

  "Saml2": {
    "IdPMetadata": "adfs url/FederationMetadata/2007-06/FederationMetadata.xml",
    "Issuer": "saml_Example",
    "SingleSignOnDestination": "http://adfs url/adfs/ls/",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SigningCertificateFile": "cert.pfx",
    "SigningCertificatePassword": "pw",
    "CertificateValidationMode": "None",
    "RevocationMode": "NoCheck"
  },
Asked by Page F.P.T

1 Answer

According to the error, your machine/server does not trust the AD FS SSL/TLS certificate.

You have configured "IdPMetadata": "adfs url/FederationMetadata/2007-06/FederationMetadata.xml". It should be a real URL like https://....

– Anders Revsgaard
    Hello, yeah, my IdP config here is -> https://.cloudapp.azure.com/FederationMetadata/2007-06/FederationMetadata.xml. I created a self-signed cert via PowerShell with CN as that of my IdP, installed it in the root, but still the same error. – Page F.P.T Aug 02 '21 at 08:07
  • You can try ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true; https://stackoverflow.com/questions/2675133/c-sharp-ignore-certificate-errors – Anders Revsgaard Aug 02 '21 at 09:51
  • Tried that, it worked, but I'm having a different issue related to https://stackoverflow.com/questions/65324798/itfoxtec-identity-saml2-invalid-uri-issue , my IdP is not Okta but ADFS 4. – Page F.P.T Aug 02 '21 at 10:34
  • Okay then you need to update to .NET Core or .NET 5.0. – Anders Revsgaard Aug 02 '21 at 11:07
  • Okay. I have read AD FS metadata files many times. It should really not be a problem. – Anders Revsgaard Aug 03 '21 at 08:47
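The `ServerCertificateValidationCallback += ... => true` workaround from the comments turns off certificate validation for every outbound connection in the process, which is more than is needed to get past one self-signed AD FS certificate. The following is an added example, not code from the question or from ITfoxtec: it fetches the federation metadata with an `HttpClientHandler` whose validation callback accepts the platform-validated chain as usual and otherwise allows only one pinned AD FS TLS certificate, never a name mismatch. The `PinnedIdpMetadataLoader` class, the `ExpectedAdfsTlsThumbprint` placeholder, and the assumption that `EntityDescriptor.ReadIdPSsoDescriptor(string)` parses metadata XML already held in memory are mine; the configuration fields it fills are the ones from the question's Startup.cs.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;

// Added example (not from the question or from ITfoxtec): load AD FS metadata over
// HTTPS while trusting only one expected TLS certificate, scoped to this request.
public static class PinnedIdpMetadataLoader
{
    // Placeholder: thumbprint of the AD FS *TLS* (service communications) certificate,
    // read from the AD FS host itself. This is not the SP's own cert.pfx signing cert;
    // installing cert.pfx in Trusted Root does nothing for this connection.
    private const string ExpectedAdfsTlsThumbprint = "<ADFS-TLS-CERT-THUMBPRINT>";

    // Accept the certificate if normal chain validation passed, or if the only
    // problem is an untrusted chain AND the leaf is exactly the pinned certificate.
    public static bool ValidateAdfsTlsCertificate(X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // A missing certificate or a hostname that does not match the CN/SAN is never acceptable.
        if (cert == null || (errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        // Report what the chain builder objected to, so the operator knows which
        // certificate (leaf or issuing CA) actually belongs in the Trusted Root store.
        if (chain != null)
        {
            foreach (var status in chain.ChainStatus)
                Console.Error.WriteLine($"TLS chain status: {status.Status} - {status.StatusInformation}");
        }

        // What remains is RemoteCertificateChainErrors: allow only the pinned leaf.
        return string.Equals(cert.Thumbprint, ExpectedAdfsTlsThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static async Task ApplyIdpMetadataAsync(Saml2Configuration saml2Configuration, Uri idpMetadataUrl)
    {
        // The callback lives on this handler only; every other HttpClient in the
        // process keeps full certificate validation.
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
                ValidateAdfsTlsCertificate(cert, chain, errors)
        };

        using var client = new HttpClient(handler);
        var metadataXml = await client.GetStringAsync(idpMetadataUrl);

        // Assumption: ReadIdPSsoDescriptor(string) parses metadata XML from memory
        // (the question used the FromUrl variant, which does its own download).
        var entityDescriptor = new EntityDescriptor();
        entityDescriptor.ReadIdPSsoDescriptor(metadataXml);

        if (entityDescriptor.IdPSsoDescriptor == null)
            throw new InvalidOperationException("IdPSsoDescriptor not loaded from metadata.");

        // Same fields the question's Startup.cs fills from the metadata.
        saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
        saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
        saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
        saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
        if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue)
            saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
    }
}
```

Call `ApplyIdpMetadataAsync(saml2Configuration, new Uri(Configuration["Saml2:IdPMetadata"]))` in place of the `ReadIdPSsoDescriptorFromUrl` block, with `IdPMetadata` set to the full `https://...` URL as the answer says. The chain-status lines written by the callback tell you whether the SP machine needs the AD FS leaf certificate or its issuing CA in its Trusted Root store; once that certificate is installed, `errors` comes back as `SslPolicyErrors.None` and the pin is never consulted.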