Search code examples
asp.net-mvcsaml-2.0kentor-authservices

Getting error Expected message to contain InResponseTo "id142e8231161a4246bf345d331a7b0ace", but found none. in Kendor.AuthServices.MVC


This is my web.config File

<configuration>
    <configSections>
        <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
        <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
        <section name="kentor.authServices" type="Kentor.AuthServices.Configuration.KentorAuthServicesSection, Kentor.AuthServices" />
    </configSections>
    <appSettings>
        <add key="webpages:Version" value="3.0.0.0" />
        <add key="webpages:Enabled" value="false" />
        <add key="ClientValidationEnabled" value="true" />
        <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    </appSettings>
    <system.diagnostics>
        <trace>
            <listeners>
                <add type="Microsoft.WindowsAzure.Diagnostics.DiagnosticMonitorTraceListener, Microsoft.WindowsAzure.Diagnostics, Version=2.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" name="AzureDiagnostics">
                    <filter type="" />
                </add>
            </listeners>
        </trace>
    </system.diagnostics>
    <!--
    For a description of web.config changes see http://go.microsoft.com/fwlink/?LinkId=235367.

    The following attributes can be set on the <httpRuntime> tag.
      <system.Web>
        <httpRuntime targetFramework="4.6.1" />
      </system.Web>
  -->
    <system.web>
        <compilation debug="true" targetFramework="4.6.1" />
        <httpRuntime targetFramework="4.5.2" />

        <authentication mode="Forms">
            <forms loginUrl="~/AuthServices/SignIn" />
        </authentication>
    </system.web>
    <system.webServer>
        <modules>
            <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
        </modules>

    </system.webServer>

    <kentor.authServices entityId="http://myapp.ci.01/metadata" returnUrl="http://localhost:63238/AuthServices/Acs">
        <identityProviders>
            <add entityId="http://myapp.ci.01/metadata" 
                 signOnUrl="https://sso.myapp.com/issue/saml/?binding=redirect" 
                allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
                <signingCertificate fileName="~/App_Data/MyApp.AuthServices.StubIdp.cer" />
            </add>
        </identityProviders>
    </kentor.authServices>
    <system.identityModel.services>
        <federationConfiguration>
            <cookieHandler requireSsl="false" name="RMInform" />
        </federationConfiguration>
    </system.identityModel.services>


    <system.codedom>
        <compilers>
            <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:6 /nowarn:1659;1699;1701" />
            <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:14 /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+" />
        </compilers>
    </system.codedom>
    <runtime>
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
            <dependentAssembly>
                <assemblyIdentity name="WebGrease" publicKeyToken="31bf3856ad364e35" culture="neutral" />
                <bindingRedirect oldVersion="0.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" />
            </dependentAssembly>
        </assemblyBinding>
    </runtime>
</configuration>

But while redirecting to my localhost after sign in I am getting error

Server Error in '/' Application.

Expected message to contain InResponseTo "id0dda716c55fd41bd98d4899ca3e14036", but found none.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Kentor.AuthServices.Exceptions.Saml2ResponseFailedValidationException: Expected message to contain InResponseTo "id0dda716c55fd41bd98d4899ca3e14036", but found none.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[Saml2ResponseFailedValidationException: Expected message to contain InResponseTo "id0dda716c55fd41bd98d4899ca3e14036", but found none.]
Kentor.AuthServices.Saml2P.Saml2Response.ReadAndValidateInResponseTo(XmlElement xml, Saml2Id expectedInResponseTo) +295
Kentor.AuthServices.Saml2P.Saml2Response..ctor(XmlElement xml, Saml2Id expectedInResponseTo) +317
Kentor.AuthServices.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options) +869
Kentor.AuthServices.Mvc.AuthServicesController.Acs() +81
lambda_method(Closure , ControllerBase , Object[] ) +87
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters) +280
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary
2 parameters) +35
System.Web.Mvc.Async.<>c__DisplayClass42.b__41() +33 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +42
System.Web.Mvc.Async.<>c__DisplayClass39.b__33() +80 System.Web.Mvc.Async.<>c__DisplayClass4f.b__49() +386 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +42
System.Web.Mvc.Async.<>c__DisplayClass2a.b__20() +32 System.Web.Mvc.Async.<>c__DisplayClass25.b__22(IAsyncResult asyncResult) +185
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +38
System.Web.Mvc.<>c__DisplayClass1d.b__18(IAsyncResult asyncResult) +27
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +22 System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +53
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +22 System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +38
System.Web.Mvc.<>c__DisplayClass8.b__3(IAsyncResult asyncResult) +42
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +22 System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +38
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +657 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +146

This is my SAML response

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="idcbb43fbc52b34e88b34e71fcb80c9ac8" Version="2.0" IssueInstant="2016-06-14T12:09:50Z" Destination="sso.myapp.com/issue/saml? binding=redirect" AssertionConsumerServiceURL="localhost:63238/AuthServices/Acs">; <saml2:Issuer>myapp.ci.01/metadata</saml2:Issuer>; </saml2p:AuthnRequest>

Solution

  • Looks like your Idp isn't properly including an inResponseTo attribute in the response message. This is a violation of the SAML specification.

    Use a tool such as SAML Tracer for Firefox or SAML DevTools for Chrome to view the SAML messages in the browser. Check if the response has an InResponseTo matching the Id of the AuthnRequest sent from the SP. If it is not present, the Idp is incorrect.

    It might be possible to add a compatibility setting in AuthServices to ignore this error. If you need that, please open an issue on the AuthServices GitHub issue tracker to discuss it.