ITfoxtec Identity.Saml2.MvcCore -- SAML ERROR Form key length limit 2048 exceeded - saml-2.0

I am using ITfoxtec Identity.Saml2.MvcCore for .NET Core v3.1 for single sign-on using Ping Identity.
SAML ERROR Form key length limit 2048 exceeded. at Microsoft.AspNetCore.WebUtilities.FormPipeReader.ThrowKeyTooLargeException()
at Microsoft.AspNetCore.WebUtilities.FormPipeReader.ParseValuesSlow(ReadOnlySequence`1& buffer, KeyValueAccumulator& accumulator, Boolean isFinalBlock)
at Microsoft.AspNetCore.WebUtilities.FormPipeReader.ParseFormValues(ReadOnlySequence`1& buffer, KeyValueAccumulator& accumulator, Boolean isFinalBlock)
at Microsoft.AspNetCore.WebUtilities.FormPipeReader.ReadFormAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Http.Features.FormFeature.InnerReadFormAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Http.Features.FormFeature.ReadForm()
at Microsoft.AspNetCore.Http.DefaultHttpRequest.get_Form()
at ITfoxtec.Identity.Saml2.MvcCore.HttpRequestExtensions.ToGenericHttpRequest(HttpRequest request)
at Nbc.Score.Remotes.Web.Controllers.HomeController.AssertionConsumerService()
Failed method ITfoxtec.Identity.Saml2.MvcCore.HttpRequestExtensions.ToGenericHttpRequest

It looks like a form property is too long, more than 2048 characters. It does not look like it is a value length which is the problem but instead a property length.
How does the raw response look?
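To act on the question above (what does the raw POST body look like?), here is an added example, not ITfoxtec or Microsoft code, that splits a form body the way ASP.NET Core's form reader does (on `&`, then on the first `=`) and reports each key's length against the 2048 default. The sample bodies are constructed; the base64 payload is a dummy string, and the assumption that the limit is applied to the raw, still-encoded key is marked in the code. It shows the failure mode the answer suspects: a payload posted without a `SAMLResponse=` field name becomes one enormous key.

```python
"""Diagnose "Form key length limit 2048 exceeded" on a SAML POST binding."""
from urllib.parse import unquote_plus

KEY_LENGTH_LIMIT = 2048  # ASP.NET Core FormOptions.KeyLengthLimit default


def split_fields(body):
    """Split a form body into raw (key, value) pairs without decoding.

    A field with no '=' becomes a key with an empty value, which is also how
    ASP.NET Core's form reader treats it, so a bare base64 blob posted without
    the 'SAMLResponse=' prefix shows up as one huge key.
    """
    pairs = []
    for field in body.split("&"):
        if not field:
            continue  # tolerate a trailing '&'
        key, _sep, value = field.partition("=")
        pairs.append((key, value))
    return pairs


def diagnose(body, limit=KEY_LENGTH_LIMIT):
    """Report each field's key/value length and whether the key trips the limit."""
    report = []
    for raw_key, raw_value in split_fields(body):
        report.append({
            "key": unquote_plus(raw_key)[:40],   # decoded, truncated for display
            "key_len": len(raw_key),             # raw length (assumed to be what the limit checks)
            "value_len": len(unquote_plus(raw_value)),
            "over_limit": len(raw_key) > limit,
        })
    return report


def oversized_keys(body, limit=KEY_LENGTH_LIMIT):
    """Names (truncated) of the keys that would make the framework throw."""
    return [r["key"] for r in diagnose(body, limit) if r["over_limit"]]


# Constructed sample bodies; FAKE_B64 stands in for a base64 SAML message.
FAKE_B64 = "QU" * 1500                                  # 3000 characters
GOOD_BODY = f"SAMLResponse={FAKE_B64}&RelayState=%2Fhome"
BAD_BODY = FAKE_B64                                     # posted with no field name at all

if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(label, diagnose(body))
```

Run it against the body captured from the browser's network tab or a reverse-proxy log; a report entry with `over_limit` true tells you which field is at fault, and a 3000-character "key" with an empty value means the IdP's form did not name the field rather than that the response is genuinely too large. Raising `FormOptions.KeyLengthLimit` only papers over that.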

Is NameId required? saml2 itfoxtec-identity-saml2

I'm setting up a SAML2 authorization, and am using the itfoxtec library.
But from the IdP I only get one attribute value and no NameId.
In my assertionConsumerService I get an ArgumentNullException on nameId.
They say that nameId is optional, so therefore they only send the attribute value.
So can you use itfoxtec without nameId or is it required?
Adding stacktrace:
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenReadException: IDX13102: Exception thrown while reading 'NameIDType' for Saml2SecurityToken. Inner exception: 'System.ArgumentNullException: IDX10000: The parameter 'value' cannot be a 'null' or an empty object. (Parameter 'value')
at Microsoft.IdentityModel.Tokens.Saml2.Saml2NameIdentifier.set_Value(String value)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameIdType(XmlDictionaryReader reader)'.
---> System.ArgumentNullException: IDX10000: The parameter 'value' cannot be a 'null' or an empty object. (Parameter 'value')
at Microsoft.IdentityModel.Tokens.Saml2.Saml2NameIdentifier.set_Value(String value)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameIdType(XmlDictionaryReader reader)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameIdType(XmlDictionaryReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameId(XmlDictionaryReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameIdentifier(XmlDictionaryReader reader, String parentElement)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadSubject(XmlDictionaryReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAssertion(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(String token)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.ReadSecurityToken(String tokenString)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature, Boolean detectReplayedTokens)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature, Boolean detectReplayedTokens)
at ITfoxtec.Identity.Saml2.Saml2Binding`1.ReadSamlResponse(HttpRequest request, Saml2Response saml2Response)
at ...Controllers.AuthorizationsController.AssertionConsumerService() in ...Areas\Client\Controllers\AuthorizationsController.cs:line 95
You can use the ITfoxtec Identity SAML2 component without a NameID, but then you are not able to do logout or single logout. NameID is optional in login but not in logout and single logout.
Where are you experiencing an ArgumentNullException?
UPDATE
I have added support for issuing SAML 2.0 tokens without a NameID and tested that the component accepts tokens without NameID. You should not experience an error. Are you using the latest version 2.8.2?

Using .Net Framework CertificationValidationMode is ignored?

So I have two demo applications to test. One in .NET 4.7 and the other in .NET Core 3.1.
When running the applications I'm getting different results depending on the one used.
In both of them I put the CertificationValidationMode to None.
In .NET Core I'm getting this error:
ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult)
at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response)
which is good, because I modified the assertion to extend the time for testing, and at that point I'm assuming that the validation was bypassed and it is failing because it does not match.
In .NET Framework, this error is coming up:
ID4037: The key needed to verify the signature could not be resolved from the following security key
identifier
'SecurityKeyIdentifier(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at System.IdentityModel.EnvelopedSignatureReader.ResolveSigningCredentials()
at System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement()
at System.IdentityModel.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.ReadSecurityToken(XmlNode assertionElement)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2Binding`1.ReadSamlResponse(HttpRequest request, Saml2Response saml2Response)
Here I'm thinking that the validation is happening, it is not bypassed, and it is failing. Basically the Validation Mode is ignored.
Am I thinking this wrong?
Thanks
As you say, the result looks correct regarding .NET Core.
It looks like the .NET Framework cannot find a certificate that matches the certificate used in the SAML 2.0 AuthnResponse. Maybe the .NET Framework application is not configured with the correct certificate? I do not think it has anything to do with the Validation Mode.
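The two threads above (an assertion with no NameID, and an assertion whose signing certificate cannot be resolved) both come down to inspecting what the IdP actually sent. The following is an added example, not ITfoxtec or Microsoft code, that pulls the `NameID`, an attribute value, and the certificate embedded in `ds:KeyInfo` out of a SAML 2.0 assertion and compares that certificate's SHA-1 thumbprint with the ones the service provider trusts. The assertions, the issuer URL and the certificate bytes are all constructed (the `ds:Signature` is cut down to its `KeyInfo`), and the library's own XML-signature validation is assumed to run before anything parsed here is relied on.

```python
"""Inspect a SAML 2.0 assertion: NameID presence and embedded signing cert."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def name_id(root):
    """Return the Subject/NameID text, or None when the IdP left it out."""
    el = root.find("saml:Subject/saml:NameID", NS)
    if el is None or not (el.text or "").strip():
        return None
    return el.text.strip()


def attribute_values(root, attr_name):
    """All AttributeValue texts for the named attribute (may be empty)."""
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
    return [el.text for el in root.findall(path, NS)]


def embedded_cert_thumbprint(root):
    """SHA-1 thumbprint (hex, upper-case) of the cert in ds:KeyInfo, or None."""
    el = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if el is None or not el.text:
        return None
    der = base64.b64decode("".join(el.text.split()))  # strip PEM-style line breaks
    return hashlib.sha1(der).hexdigest().upper()


def inspect(assertion_xml, trusted_thumbprints):
    """Summarise what the SP can and cannot do with this assertion.

    Only call this on an assertion whose signature has already been validated;
    the sample input below is constructed, so parsing it directly is fine.
    """
    root = ET.fromstring(assertion_xml)
    subject = name_id(root)
    thumb = embedded_cert_thumbprint(root)
    trusted = {t.upper() for t in trusted_thumbprints}
    return {
        "name_id": subject,
        "can_single_logout": subject is not None,   # logout needs a NameID, login does not
        "email": attribute_values(root, "email"),
        "embedded_cert_thumbprint": thumb,
        "signer_known": thumb is not None and thumb in trusted,
    }


# Constructed test data: not a real certificate, not a real IdP.
FAKE_DER = b"constructed bytes standing in for a DER-encoded IdP certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()
TRUSTED_THUMBPRINTS = [hashlib.sha1(FAKE_DER).hexdigest()]


def build_assertion(name_id_value):
    """Minimal assertion; the Signature element is reduced to its KeyInfo."""
    subject = f"<saml:NameID>{name_id_value}</saml:NameID>" if name_id_value else ""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject>{subject}</saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


ASSERTION_WITH_NAMEID = build_assertion("alice")
ASSERTION_NO_NAMEID = build_assertion(None)

if __name__ == "__main__":
    print(inspect(ASSERTION_WITH_NAMEID, TRUSTED_THUMBPRINTS))
    print(inspect(ASSERTION_NO_NAMEID, TRUSTED_THUMBPRINTS))
```

`signer_known` false with a non-empty thumbprint is the situation the ID4037 error describes: the response carries a certificate, but it is not the one the application is configured with, so compare the printed thumbprint with the IdP metadata rather than relaxing the validation mode. `name_id` None with `email` populated is the first thread's case: login can proceed on the attribute, but single logout has nothing to identify the session by.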

Cakephp: Invalid key for encrypt(), key must be at least 256 bits (32 bytes) long while setting the cookies

I am enabling cookies on my CakePHP app as mentioned in the documentation. The problem is I am getting this security error while setting the cookies:
Invalid key for encrypt(), key must be at least 256 bits (32 bytes) long.
I have searched but did not find a solution for this error.
In my controller I am setting an array to the cookie's $key.
$this->Auth->setUser($contactData);
$this->Cookie->write('contactData', $contactData);
I have also enabled the component in AppController.php.
Any help would be much appreciated.
It means your Security salt in app.php does not have the correct length. Adjust it to match what the error message is suggesting.
'Security' => [
'salt' => env('SECURITY_SALT', <Add your 256 bits (32 bytes) key here>),
],

Error saving a string longer than 1500 bytes in Datastore from Dataflow api

Dataflow job is throwing this error message when I try to save a very long string: The value of property "myProperty" is longer than 1500 bytes., code=INVALID_ARGUMENT.
There is an error when following Google's DatastoreWordCount sample and saving a string longer than 1500 bytes.
I know that when using the Datastore API, I am able to save strings that are longer than 1500 bytes by saving the property as com.google.appengine.api.datastore.Text. However, there is no alternative in the DatastoreWordCount sample or in the DatastoreHelper class documentation that could indicate that the Text type is supported.
Could there be a way to save such long strings using that API so that they could be read as com.google.appengine.api.datastore.Text?
The full error message is as follows:
java.lang.RuntimeException: com.google.cloud.dataflow.sdk.util.UserCodeException: java.lang.RuntimeException: com.google.cloud.dataflow.sdk.util.UserCodeException: java.lang.RuntimeException: com.google.cloud.dataflow.sdk.util.UserCodeException: java.lang.RuntimeException: com.google.cloud.dataflow.sdk.util.UserCodeException: com.google.datastore.v1.client.DatastoreException: The value of property "dalekTestExecutions" is longer than 1500 bytes., code=INVALID_ARGUMENT
at com.google.cloud.dataflow.sdk.runners.worker.SimpleParDoFn$1.output(SimpleParDoFn.java:162)
at com.google.cloud.dataflow.sdk.util.DoFnRunnerBase$DoFnContext.outputWindowedValue(DoFnRunnerBase.java:288)
at com.google.cloud.dataflow.sdk.util.DoFnRunnerBase$DoFnContext.outputWindowedValue(DoFnRunnerBase.java:284)
at com.google.cloud.dataflow.sdk.util.DoFnRunnerBase$DoFnProcessContext$1.outputWindowedValue(DoFnRunnerBase.java:508)
at com.google.cloud.dataflow.sdk.util.GroupAlsoByWindowsAndCombineDoFn.closeWindow(GroupAlsoByWindowsAndCombineDoFn.java:205)
at com.google.cloud.dataflow.sdk.util.GroupAlsoByWindowsAndCombineDoFn.processElement(GroupAlsoByWindowsAndCombineDoFn.java:192)
at com.google.cloud.dataflow.sdk.util.SimpleDoFnRunner.invokeProcessElement(SimpleDoFnRunner.java:49)
at com.google.cloud.dataflow.sdk.util.DoFnRunnerBase.processElement(DoFnRunnerBase.java:139)
at com.google.cloud.dataflow.sdk.runners.worker.SimpleParDoFn.processElement(SimpleParDoFn.java:190)
at com.google.cloud.dataflow.sdk.runners.worker.ForwardingParDoFn.processElement(ForwardingParDoFn.java:42)
at com.google.cloud.dataflow.sdk.runners.worker.DataflowWorkerLoggingParDoFn.processElement(DataflowWorkerLoggingParDoFn.java:47)
at com.google.cloud.dataflow.sdk.util.common.worker.ParDoOperation.process(ParDoOperation.java:55)
at com.google.cloud.dataflow.sdk.util.common.worker.OutputReceiver.process(OutputReceiver.java:52)
at com.google.cloud.dataflow.sdk.util.common.worker.ReadOperation.runReadLoop(ReadOperation.java:224)
at com.google.cloud.dataflow.sdk.util.common.worker.ReadOperation.start(ReadOperation.java:185)
at com.google.cloud.dataflow.sdk.util.common.worker.MapTaskExecutor.execute(MapTaskExecutor.java:72)
at com.google.cloud.dataflow.sdk.runners.worker.DataflowWorker.executeWork(DataflowWorker.java:287)
at com.google.cloud.dataflow.sdk.runners.worker.DataflowWorker.doWork(DataflowWorker.java:223)
at com.google.cloud.dataflow.sdk.runners.worker.DataflowWorker.getAndPerformWork(DataflowWorker.java:173)
at com.google.cloud.dataflow.sdk.runners.worker.DataflowWorkerHarness$WorkerThread.doWork(DataflowWorkerHarness.java:193)
at com.google.cloud.dataflow.sdk.runners.worker.DataflowWorkerHarness$WorkerThread.call(DataflowWorkerHarness.java:173)
at com.google.cloud.dataflow.sdk.runners.worker.DataflowWorkerHarness$WorkerThread.call(DataflowWorkerHarness.java:160)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
You can save a string longer than 1500 bytes by excluding the value from indexing:
Value longString = Value.newBuilder()
.setStringValue(...)
.setExcludeFromIndexes(true)
.build();
If you need compatibility with App Engine's com.google.appengine.api.datastore.Text type, you would also want to set the meaning to 15:
Value longString = Value.newBuilder()
.setStringValue(...)
.setExcludeFromIndexes(true)
.setMeaning(15)
.build();
Datastore creates an index for each property, so there is a default limit of 1500 bytes on properties. Now if you need to store data such as a big JSON, then you can specify that an index is not needed for this property in the following way:
Entity newEntity =
Entity.newBuilder(key)
.set("time", Timestamp.parseTimestamp("1970-01-01T00:00:00Z"))
.set("message", StringValue.newBuilder(JSON).setExcludeFromIndexes(true).build())
.build();
This way you will be able to save data of a bigger size than the default limit of 1500 bytes.
To be exact:
StringValue.newBuilder(yourString).setExcludeFromIndexes(true).build()
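The answers above show the Java builder call; what they leave implicit is that the 1500 limit counts UTF-8 bytes, not characters, so a string well under 1500 characters can still fail. Here is an added example (not Google's code) that, given the properties of an entity about to be written, returns the names that must be excluded from indexing. The sample entity is constructed; the `exclude_from_indexes` keyword the returned tuple is meant for is the `google.cloud.datastore.Entity` argument, and that mapping is an assumption of this example, which deliberately avoids calling the client so it runs offline.

```python
"""Find string properties that exceed Datastore's 1500-byte indexed limit."""

INDEXED_STRING_LIMIT = 1500  # bytes, per the INVALID_ARGUMENT message above


def utf8_size(value):
    """Byte length as Datastore measures it, not the Python character count."""
    return len(value.encode("utf-8"))


def oversized_properties(props, limit=INDEXED_STRING_LIMIT):
    """Names of string properties whose UTF-8 encoding is over the limit."""
    return sorted(
        name for name, value in props.items()
        if isinstance(value, str) and utf8_size(value) > limit
    )


def index_exclusions(props, limit=INDEXED_STRING_LIMIT):
    """Tuple intended for Entity(..., exclude_from_indexes=...) (assumed kwarg)."""
    return tuple(oversized_properties(props, limit))


# Constructed entity: "note" is only 800 characters but 1600 bytes because
# each "é" encodes to two bytes; "edge" sits exactly at the limit and passes.
SAMPLE_ENTITY = {
    "time": "1970-01-01T00:00:00Z",
    "message": "x" * 2000,
    "note": "é" * 800,
    "edge": "x" * 1500,
}

if __name__ == "__main__":
    print(index_exclusions(SAMPLE_ENTITY))  # ('message', 'note')
```

Excluding a property from indexes also means it can no longer be filtered or sorted on in queries, which is the trade-off the builder call `setExcludeFromIndexes(true)` makes for you silently; computing the exclusion set from actual byte sizes keeps that trade-off limited to the properties that need it.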

Solr/SolrNet Help Required

I am having an issue while querying Solr: when my page size is larger than 75 I get the error "An existing connection was forcibly closed by the remote host."
I think it might be an issue on the Solr side, but nothing is logged in the Tomcat logs. I am using Solr 1.4.1 with SolrNet.
Can anybody help me to resolve this particular issue?
Here is the stack trace:
at System.Net.ConnectStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.IO.StreamReader.ReadBuffer()
at System.IO.StreamReader.ReadToEnd()
at SolrNet.Impl.SolrConnection.GetResponse(IHttpWebRequest request)
at SolrNet.Impl.SolrPostConnection.Post(String relativeUrl, String s)
at SolrNet.Impl.SolrPostConnection.Get(String relativeUrl, IEnumerable`1 parameters)
at SolrNet.Impl.SolrQueryExecuter`1.Execute(ISolrQuery q, QueryOptions options)
at SolrNet.Impl.SolrBasicServer`1.Query(ISolrQuery query, QueryOptions options)
at SolrNet.Impl.SolrServer`1.Query(String q, QueryOptions options)
Regards
Ahsan
Try increasing the connection timeout.