
I have an error like this:

For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.

This error occurs in this method; could you check?

entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
Phil Sandler

3 Answers


The same error happened to me when I tried to follow the guidance from Okta. Later I realized that I had used the wrong URL. Instead of the metadata URL, I had used the Identity Provider Single Sign-On URL.

At first I tried to load the metadata from a file with entityDescriptor.ReadIdPSsoDescriptorFromFile. There I used the correct metadata, and later I realized the mistake with the URL.

With Okta the URL should look like:

  • https://dev-92799999.okta.com/app/exk59ob18tTqAxxxxx/sso/saml/metadata

The wrong one I used was:

  • https://dev-92799999.okta.com/app/dev-92785832_oktasamlexample_1/exk59ob18tTqAxxxxx/sso/saml
mybrave

I was finally able to find a solution to this problem. The question originally didn't tag "Okta" or "C#", but I believe this error was encountered when trying to follow the setup instructions here:

https://developer.okta.com/blog/2020/10/23/how-to-authenticate-with-saml-in-aspnet-core-and-csharp

As noted in the article, open the SAML Setup Instructions, which can (currently) be found by clicking the "Sign On" tab of your application:

[Okta screenshot]

The value in the "Identity Provider Single Sign-On URL" field should look something like this:

https://dev-xxxxxxx.okta.com/app/dev-xxxxxx1_testapp_1/exk3--------------/sso/saml

Using this URL will result in the DTD error as shown in the question.

To build the correct URL:

  1. Remove the URL section between "app" and "exk...". I think this is the appId, but not sure.
  2. Add "/metadata" to the end

So, based on the above example, the final URL will be:

https://dev-xxxxxxx.okta.com/app/exk3--------------/sso/saml/metadata

As a quick test, you should be able to hit this URL in a browser.

FWIW, this aligns with mybrave's answer, but with a bit more detail on how to get the correct metadata URL.

Phil Sandler
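The two steps above (drop the label segment, append "/metadata") and the "hit this URL in a browser" check can be done in code. This is an added example, not code from the question, the ITfoxtec package or the Okta article; it assumes the Okta URL layout shown in the answers, and the helper names are hypothetical. It parses the response with DTDs still prohibited, so a wrong URL (an HTML login page with a DOCTYPE) fails in this probe with a clear message instead of inside ReadIdPSsoDescriptorFromUrl.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Xml;

public static class IdPMetadataCheck
{
    // Turns an Okta "Identity Provider Single Sign-On URL"
    // (https://{org}.okta.com/app/{label}/{appId}/sso/saml) into the
    // metadata URL by dropping the label segment between "app" and "exk..."
    // and appending "/metadata". A URL that already ends in /metadata is
    // returned unchanged. Hypothetical helper; assumes the Okta layout above.
    public static Uri ToMetadataUrl(Uri ssoUrl)
    {
        var m = Regex.Match(ssoUrl.AbsoluteUri,
            @"^(https://[^/]+/app/)(?:[^/]+/)?(exk[^/]+)/sso/saml(?:/metadata)?/?$");
        if (!m.Success)
            throw new ArgumentException("Not an Okta SSO or metadata URL: " + ssoUrl);
        return new Uri(m.Groups[1].Value + m.Groups[2].Value + "/sso/saml/metadata");
    }

    // Fetches the URL and parses it with hardened XmlReader settings:
    // DTDs prohibited (the same check that produced the error in the question)
    // and no resolver, so no external entities are ever fetched.
    // Returns the root element name; SAML metadata must start with
    // EntityDescriptor or EntitiesDescriptor.
    public static string ProbeMetadata(Uri metadataUrl)
    {
        using var http = new HttpClient();
        using var resp = http.GetAsync(metadataUrl).GetAwaiter().GetResult();
        resp.EnsureSuccessStatusCode();
        using var stream = resp.Content.ReadAsStreamAsync().GetAwaiter().GetResult();

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // keep the safe default
            XmlResolver = null                      // never resolve external entities
        };
        using var reader = XmlReader.Create(stream, settings);
        reader.MoveToContent(); // throws XmlException on an HTML <!DOCTYPE ...>
        if (reader.NodeType != XmlNodeType.Element)
            throw new InvalidDataException("No root element in response");
        if (reader.LocalName != "EntityDescriptor" && reader.LocalName != "EntitiesDescriptor")
            throw new InvalidDataException(
                $"Expected SAML metadata, got <{reader.LocalName}>; is this the SSO page?");
        return reader.LocalName;
    }
}
```

Run it once at startup, e.g. IdPMetadataCheck.ProbeMetadata(IdPMetadataCheck.ToMetadataUrl(new Uri(Configuration["Saml2:IdPMetadata"]))), before handing the URL to ReadIdPSsoDescriptorFromUrl.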

It is a security check; apparently the external metadata XML contains a DTD (Document Type Definition), which is not allowed.

Anders Revsgaard

  • Is there any solution for that? – Mateusz Kaleta Nov 29 '21 at 18:32
  • You can download the external metadata and remove the DTD element. If the metadata XML document is signed, then remove the signature. There is really no reason for signing a metadata document. You can do it manually or programmatically. – Anders Revsgaard Nov 30 '21 at 07:52
  • Could you tell me where I have to save this document? Where is that DTD element to remove? In your package? – Mateusz Kaleta Nov 30 '21 at 23:17
  • It is not supported in the ITfoxtec Identity Saml2 package. You need to implement the download and XML formatting yourself. – Anders Revsgaard Dec 01 '21 at 08:32
  • Make sure the path to your metadata URL is correct. You can verify that by navigating to the URL in a browser and getting back the results containing your metadata. – Anders Revsgaard Dec 14 '22 at 08:26