We have now implemented your excellent Identity Saml2 package for several of our customers.
However, one of our customers has written to us as follows:
LogoutRequests need to be signed (mandatory), and I need to add the
certificate you are signing with into the metadata to verify that it
was [your application] that signed it.
The same certificate is also used for signing the AuthnRequest (but
that is optional but preferred)
We do not know what to do about this. Any advice will be greatly appreciated.
In case it helps, following is in our application web.config for this customer:
<add key="SamlSpSettings:entityid" value="https://fmcentralqa.csu.edu.au/sisfm-enquiry" />
<add key="SamlSpSettings:acs" value="https://fmcentralqa.csu.edu.au/SISfm-Enquiry/CSU/saml.aspx" />
<add key="SamlIdpSettings:entityid" value="https://idpqa.csu.edu.au/idp/shibboleth" />
<add key="SamlIdpSettings:loginurl" value="https://idpqa.csu.edu.au/idp/profile/SAML2/Redirect/SSO" />
<add key="SamlIdpSettings:logouturl" value="https://idpqa.csu.edu.au/idp/profile/SAML2/Redirect/SLO" />
<add key="SamlIdpSettings:signercert1" value="...................." />
<add key="SamlIdpSettings:saml2sessionindex" value="http://schemas.itfoxtec.com/ws/2014/02/identity/claims/saml2sessionindex" />
<add key="SamlIdpSettings:saml2nameidformat" value="http://schemas.itfoxtec.com/ws/2014/02/identity/claims/saml2nameidformat" />
<add key="SamlIdpSettings:uid" value="urn:oid:0.9.2342.19200300.100.1.1" />
<add key="SamlIdpSettings:emailaddress" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
<add key="SamlIdpSettings:name" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" />
<add key="SamlIdpSettings:givenname" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
<add key="SamlIdpSettings:surname" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
<add key="SamlIdpSettings:groups" value="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" />
Thank you.
It is correct that the SAML 2.0 standard require the LogoutRequest to be signed.
You need a certificate for the application and to configure the certificate.
In the config file:
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/appsettings.json#L16
And load the configured certificate:
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Startup.cs#L35
You can also load the certificate by thumbprint from the machines Certificate Store.
saml2Configuration.SigningCertificate = CertificateUtil.Load(StoreName.My, StoreLocation.LocalMachine, X509FindType.FindByThumbprint, Configuration["Saml2:SigningCertificateThumbprint"]);
Related
Have tried to use ITFoxtec in my webform application but getting an error as below when I click on Login. I have registered the app in my default directory of my Azure AD.
<appSettings> <add key="Saml2:Issuer" value="urn:itfoxtec:identity:saml2:testwebapp" /> <add key="Saml2:SingleSignOnDestination" value="https://test-adfs.itfoxtec.com/adfs/ls/" /> <add key="Saml2:SingleLogoutDestination" value="https://test-adfs.itfoxtec.com/adfs/ls/" /> <add key="Saml2:SignatureAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <add key="Saml2:CertificateValidationMode" value="None" /></appSettings> This I have added in the web.config
I think you need an administrator to consent/approve your application in Azure AD.
The config in the question looks like the sample config, and not the config you are using.
I have a website and api hosted on IIS 8.5 and lately users of the site are getting the following console error when attempting to POST data to the api when using Microsoft Edge:
HTTP401: DENIED - The requested resource requires user authentication.
(XHR)OPTIONS - http://my-local-address/api/customers/approval/post
Note: Users are authenticated by using Windows Authentication.
This occurs spontaneously and to get around the issue the users are forced to do a hard refresh (Ctrl + F5) on MS Edge and then they can continue with their process. Could there be a setting on IIS that's releasing the user authentication after a period of time?
I've listed my attempts to resolve the issue below:
I've got my organisation to add in a trusted policy for my local web address.
Changed the providers of the API. Moved NTLM above Negotiate.
Removed Negotiate based on this stackoverflow post Windows authentication failing in IIS 7.5.
Try and catch the error from the POST request but I'm returning null every time.
Configured CORS to allow for cross origin.
NB: I'm using angularjs for my front end and ASP.NET Web API 2 for the API.
The following code snippet details how the Web Api is configured:
WebApiConfig.cs
var cors = new EnableCorsAttribute("*", "*", "*") { SupportsCredentials = true };
config.EnableCors(cors);
Web.config
<system.web>
<identity impersonate="true" />
<compilation debug="true" targetFramework="4.5.1">
<assemblies>
<add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5.2" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="TRACEVerbHandler" />
<remove name="OPTIONSVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
Angular module config using $httpProvider to supply $http requests with credentials
$httpProvider.defaults.withCredentials = true;
Everything works fine locally, but when I publish, I get the error below. I am using forms authentication, but I define my own connection string to a non-sqlexpress database. I don't understand why my application would need access to create a database (or anything else) in the App_Data folder, because my database is not/will not be there. Any help is appreciated.
Connection String:
<connectionStrings>
<add name="DataContext" providerName="System.Data.SqlClient" connectionString="Data Source=localhost;Initial Catalog={my db};Integrated Security=SSPI;MultipleActiveResultSets=True" />
</connectionStrings>
Error:
Access denied creating App_Data subdirectory
Description: For security reasons, the identity 'IIS APPPOOL\ASP.NET v4.0' (under which this web application is running), does not have permissions to create the App_Data subdirectory within the application root directory. ASP.NET stores the Microsoft SQL Express Database file used for services such as Membership and Profile in the App_Data subdirectory of your application.
Edit: It tells me how to fix the error by adding the App_Data folder and providing the correct permissions, but I don't understand why I need this folder at all, and if I can avoid changing permissions, I'd like to.
I think I finally figured out how to stop ASP from trying to create the ASPNETDB.MDF database in the App_Data folder automatically. What I found worked combined two existing stackoverflow answers:
Disable SQL Membership Provider (ASP.Net Forms Authentication)
It turns out that, on the production machine, the SQL membership provider was defined in machine.config. I don't think the ops team changed anything from the default Windows 2008 install, so that's probably generally the case for that platform.
To remove references to any SQL providers defined at a higher level include the following in your web.config
<membership>
<providers>
<clear />
</providers>
</membership>
<roleManager enabled="false">
<providers>
<clear />
</providers>
</roleManager>
<profile>
<providers>
<clear />
</providers>
</profile>
AspNet Role provider kicking in and it shouldn't be
To disable 'SimpleMembership' you can add app setting enableSimpleMembership with value="false" (web.config). This will prevent webmatrix from reconfiguring RoleManager.
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<appSettings>
<add key="enableSimpleMembership" value="false" />
</appSettings>
</configuration>
Check if the 'connectionStringName' property of the 'membership' node in your web.config is set to your connectionstring, like this:
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider"
type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
connectionStringName="DataContext"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10"
applicationName="/" />
</providers>
</membership>
*<membership>
<providers>
<clear />
</providers>
</membership>
<roleManager enabled="false">
<providers>
<clear />
</providers>
</roleManager>
<profile>
<providers>
<clear />
</providers>
</profile>*
I am trying to create web app that is using ActiveDirectoryMembership with AD LDS
When I try to register a new user, or login with existing user, I am getting this error
"If either of the properties connection-username or connection-password is specified, the other must also be specified"
And I am getting a similar error when I am trying to use "ASP.NET configuration"
My web.config looks like this, and as you can see I am providing both the username and password:
<connectionStrings>
<add name="ADService" connectionString="LDAP://localhost:5000/OU=Users,O=TestDirectory"/>
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" defaultUrl="default.aspx"/>
</authentication>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
connectionStringName="ADService"
connectionUserName="CN=ADAMAdmin,OU=Users,O=TestDirectory" connectionPassword="admin"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
connectionProtection="None"/>
</providers>
</membership>
Typically username is in the format Domain\Username.
Additionally the property is connectionUsername not connectionUserName (note the lowercase n).
The attributes are case-sensitive. Try 'connectionUsername' instead of 'connectionUserName'.
I've just upload my ASPNETDB.mdf using "Generate Scripts" into server.
The problem is, I don't know how can I connect to it for my Membership.(e.g LogIn Controls)
where is the ConnectionString?
update the Data Source tag in web config
Provider=Microsoft.ACE.OLEDB.12.0;Data Source=<<PATH Goes Here>>;Persist Security Info=False;
The connectionstring is in the web.config file.
Modify the web.config file for your application to redefine the LocalSqlServer connection string to point to the database.
<connectionStrings>
<remove name="LocalSqlServer"/>
<add name="LocalSqlServer"
connectionString="server=.;database=aspnetdb;
integrated security=sspi;"/>
</connectionStrings>
If your Membership provider is not pointing to "LocalSqlServer", then you can modify that in the web.config as well.
<membership>
<providers>
<remove name="AspNetSqlMembershipProvider"/>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, ..."
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
applicationName="/"
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
/>
</providers>
</membership>