SAML login errors

spring,spring-security,saml-2.0,spring-saml
We are using ADFS as an IDP and our application acts as SP. Below is a sample Auth response <?xml version="1.0" encoding="UTF-8"?> <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_82062d3d-897f-473e-90ad-0bb351d63b22" IssueInstant="2015-04-29T20:39:17.240Z" Version="2.0"> <Issuer>http://adfs/services/trust</Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />...

OAuth 2 - Custom Attributes like SAML

authentication,oauth-2.0,saml-2.0
SAML supports just-in-time provisioning with custom user attributes to be passed as part of the SAML assertion after successful login; wondering whether OAuth2 supports anything similar? Thanks...

Disable SAML token authentication response digital signing

saml,saml-2.0,adfs,adfs2.0
Is it possible to disable digital signing for a specific RP? I do not see that option, maybe from the shell? I need that for some testing purposes. Environment: ADFS 2.0, SAML 2.0 protocol...

Can WIF Saml2SecurityTokenHandler validate top-level signature?

.net,single-sign-on,wif,saml-2.0,claims-based-identity
See this (stripped-down) SAML 2.0 response: <samlp:Response> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">lkasjdflkasj</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <!--<snip>--> </Signature> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion> <saml:Issuer...

How to get an already issued SAML assertion?

c#,asp.net,saml-2.0,thinktecture
I have a scenario where I have an ASP.Net application that authenticates using the Thinktecture IdentityServer. This all works fine, it has a relationship with our ADFS and that is all working great. What I need though is to call the ShareFile-NET SDK and authenticate using the below sample code.....

How to get SAML Response from Ping Federate Service provider to local server?

saml-2.0,pingfederate
I have done end-to-end configuration for IdP and SP in PingFederate. The SAML Response is generated at the IdP and the same is received at the SP. But I want the response to be at my local server in order to use the user's attributes for my logic. Could anyone tell me how...

Is exchange of metadata required for a working SAML2 connection?

single-sign-on,saml,saml-2.0
We are operating as a SAML2 Service Provider. A few weeks ago our certificate expired, so we provided new metadata to our customers. We told them they have to upload the new data to their IdPs, because otherwise the SSO won't work anymore, because the connection cannot be seen as trusted...

How to configure Azure ACS to return SAMLResponse parameter instead of RSTR xml?

azure,single-sign-on,wif,saml-2.0,acs
I have SSO login set up with Azure similar to the one above: In the POST request (6&7) from ACS at my application (RP) end, I am getting: ~~~~~~~~ POST wa: wsignin1.0 wresult: RSTR XML - (example format - data removed) ~~~~~~~~ whereas what my RP expects and understands is...

What is this samlssoTokenId used for? Can it be used to refresh the session and get a new SAML certificate?

wso2,session-cookies,saml-2.0,wso2is
I am evaluating WSO2 5.0.0. I require token-based access authentication and authorization using the WSO2 5.0.0 Identity Server for web SSO with SAML2. When I send a SAML request to WSO2 using the IdP URL https://localhost:9443/samlsso from the browser, I found it has a samlssoTokenId cookie with some expiry time. Can this cookie token...

WSO2IS: SSO session timeout doesn't work

wso2,single-sign-on,saml-2.0,wso2is
I'm currently using WSO2 Identity Server along with several service providers. I have also configured single sign-on between them. According to the documentation, a system admin can configure a validity in seconds for any SSO session under /repository/conf/identity.xml, so that a user can enter their credentials, tick "remember me",...

Prepare SAML Authentication request using OpenSaml3.1.1

java,saml-2.0,shibboleth,opensaml
We are using shibboleth-idp to authenticate users using the SSO solution from Shibboleth. We were able to do the IdP upgrade (2.4 to 3.1.1), and we are also able to check the status of IdP 3.1.1 (http://localhost:8080/idp/profile/status). As we know, IdP 2.4 was using OpenSAML 2.6 and IdP 3.1.1 is using OpenSAML 3.1.1. We...

How to determine authorization rights after a login via SAML SSO

single-sign-on,saml,saml-2.0
First of all I do not have any experience with SAML (version 2). I was asked to investigate how we can make an existing site, which has a normal login page with a username and password page, ready for SSO with SAML. There are some tools around which we can...

How to use Kentor AuthService to get additional assertion attributes

c#,saml-2.0,claims-based-identity,kentor-authservices
I'm using the Kentor HttpModule in a WebForms-based application. I need to get additional information asserted with login. I'm not sure, but I think that Kentor parses only attributeID="userId", and I need to get a few more attributes. Do I need to fork and modify Kentor in order to have these values...

Kentor.AuthServices configuring thumbprint validation

.net,single-sign-on,wif,saml-2.0,kentor-authservices
How do I configure Kentor.AuthServices to use the issuer registry from WIF? Specifically, to check based on thumbprint like in the example below: <system.identityModel> <identityConfiguration> <securityTokenHandlers> <securityTokenHandlerConfiguration> <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"> <trustedIssuers> <add thumbprint="1111111111111"...

In SAML, is there a difference between usernames and a principal's NameID?

saml,saml-2.0
The NameID is the identifier used by both the service provider and the identity provider to identify a principal (system user). So let's say I require users on one service provider to input their username and password for logging in, their SSN and password for logging in on another, and...

Please explain SAML2 Signatures and PKs

single-sign-on,saml-2.0
I am developing SAML2 Service Provider capability (supporting IdP-Initiated SSO). I understand the general flow is: 1) User authenticates at the IdP. 2) User launches to my SP via an HTTP POST to my SAML endpoint - containing XML token. 3) My SP's Assertion Consumer Service eats that token up,...

How to change Spring SAML destination endpoint?

java,spring,saml-2.0,spring-saml
Is it possible to change the destination endpoint in Spring SAML? The default value is /saml/SSO and I need to change that to /sso. I have edited <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy"> <security:filter-chain pattern="/sso" filters="samlWebSSOProcessingFilter"/> But it does not work. The URL /sso is treated as a URL which requires authentication, not the one that should receive SAML...

.net 4.5 web forms c# Context of a variable isn't found in Codefile

.net,webforms,code-behind,saml-2.0
I'm attempting to build a SAML 2.0 Claims aware web form and got some code from MSDN. I understand what the problem is, I just don't know how to solve it: The signedIn variable (and others..) in the cs code behind page doesn't know that it is defined and associated...

Spring Security SAML assertion expiry with Application Session Expiry

angularjs,session,spring-security,saml-2.0,spring-saml
I'm getting confused with the SAML assertion expiry vs Application session expiry. In simple words, when we have an application deployed in a container, there is a session created. This session expiry can be controlled with the below entry in web.xml <session-config> <session-timeout>60</session-timeout> </session-config> Moving on, when I have Spring...

Decrypting SAML 2 assertion using .NET 4.5 (System.IdentityModel) / WIF

c#,encryption,wif,saml-2.0
I am trying to decrypt an encrypted SAML 2.0 assertion issued from a Java-based Identity Provider. Given the following setup of security token handlers: X509Certificate2 cert = ... // Contains private key var serviceTokens = new List<SecurityToken>(); serviceTokens.Add(new X509SecurityToken(cert)); var issuers = new ConfigurationBasedIssuerNameRegistry(); issuers.AddTrustedIssuer("...thumbprint...", "nottherealname"); var configuration = new...

Can SAML Assertions Be Modified In Transit?

security,single-sign-on,saml,saml-2.0
Is there anything to stop a user modifying a SAML assertion being sent to a service provider? For example, if a SAML response identifies a user to the service provider by email address, is there anything in place within the assertion to stop someone modifying it using something like...

How to read the saml response that comes to the “../adfs/ls/”?

asp.net,single-sign-on,saml,saml-2.0,adfs2.0
I am new to SSO and SAML. We have to set up single sign-on on our customer site using ADFS 2.0, and we did that successfully. When we try to access ../adfs/ls/idpinitiatedsignon.aspx it redirects to the customer site, and if we enter the user name...

How to terminate user session from Attask (Workfront) using SAML?

java,jquery,ajax,saml-2.0,attask
I have integrated Workfront with my application using SAML2. I am able to log in with the IdP (ADFS) into my system and I can easily access Workfront with the help of the SAML token. There is no need to pass any credential or visit the IdP page if a user session already exists in my application....

How to log SAML response

saml-2.0,pingfederate
I am able to configure the IdP and SP adapters successfully. After establishing connections between them, how do I see the generated SAML response? Where does it reside in the PingFederate folder? And in order to set up one system as IdP and the other as SP, I am running Tomcat...

HTTP-Redirect Binding SAML Request

single-sign-on,x509certificate,saml-2.0
Suppose SP-initiated SSO is carried out, HTTP-Redirect Binding is used instead of HTTP-POST Binding, and a signed AuthnRequest is required. It means the SAMLRequest is included in the URL. Q1. Do I need to include the signature in the URL or just embed it in the SAMLRequest? The redirect URL is...

WIF config: issuerNameRegistry vs. certificateValidation

.net,single-sign-on,wif,saml-2.0,claims-based-identity
In the Windows Identity Foundation (WIF) 4.5 config, what is the relationship between issuerNameRegistry and certificateValidation? What portion of a SAML 2.0 assertion is validated by each? For example: the code & config below will verify that the issuer cert has the given thumbprint. But I assume a certificateValidationMode other...

Connection between SP and IDP in multiple SP SSO scenario

saml,saml-2.0
To make a long story short: the customer has both an SP (referred to as SP1) and an IDP. We are integrating our application (referred to as SP2) to serve a protected resource. The resource will be available after the principal's identity has been verified at the IDP - a typical SSO service. The following scenario would...

Spring Framework SAML unable to find needed beans through autowired

spring-security,saml-2.0,spring-saml
I am trying to set up SSO with Spring Security SAML (Spring Security 4.0.1 and SAML 1.0.1), but on startup I get the following error: Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.saml.log.SAMLLogger] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency...