
404 error for /saml2/idp/ after upgrading Kentor.AuthServices to Sustainsys.Saml2


I had things working with Kentor.AuthServices.Owin 0.18.0, and typically saw this traffic log.

200 GET https://some-saml2-idp.com/saml2/idp/SSO_1..39%3D&RelayState=Os..j
302 POST https://demo.local/AuthServices/Acs
200 GET for the set RedirectUri

After upgrading to Sustainsys.Saml2.Owin 2.2.0 I get this traffic log:

200 GET https://some-saml2-idp.com/saml2/idp/SSO_1a7f5..sy%2Fh9rebTw%3D%3D&RelayState=1M..3c
302 POST https://demo.local/AuthServices/Acs
303 GET https://demo.local/login?error=access_denied
200 GET https://some-saml2-idp.com/saml2/idp/SSO_1a7f..NfLr6E299uPwE%3D&RelayState=cS..L
302 POST https://demo.local/AuthServices/Acs
404 GET https://demo.local/saml2/idp/SSO_1..39?SAMLRequest=hZ..bTw==&RelayState=1M..c&error=access_denied

I've tried clearing cookies everywhere and tried to find any code of my own responsible for the error or the error parameter.

I would prefer if I could get things working for both my branches without changing anything on the IDP side.

My Web.config has the following structure:

<!-- The section must be registered under <configSections> with
     type="Sustainsys.Saml2.Configuration.SustainsysSaml2Section, Sustainsys.Saml2" -->
<sustainsys.saml2 entityId="https://demo.local/AuthServices"
        returnUrl="https://demo.local"
        publicOrigin="https://demo.local"
        modulePath="/AuthServices">  <!-- keeps the 1.x endpoint paths -->
    <serviceCertificates>
        <add fileName="~/somename.pfx"
            use="Signing" />
    </serviceCertificates>
    <identityProviders>
        <!-- allowUnsolicitedAuthnResponse="true" also accepts IdP-initiated responses
             that cannot be matched to an outstanding AuthnRequest -->
        <add entityId="My-IDP"
            allowUnsolicitedAuthnResponse="true"
            loadMetadata="true"
            metadataLocation="https://some-saml2-idp.com/metadata" />
    </identityProviders>
</sustainsys.saml2>

And my Owin startup:

using System.Security.Claims;
using System.Web.Helpers;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Owin;
using Sustainsys.Saml2.Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var defaultSignInAsAuthType = "Cookies";

        app.SetDefaultSignInAsAuthenticationType(defaultSignInAsAuthType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = defaultSignInAsAuthType,
            ReturnUrlParameter  = "returnUrl",
            LoginPath = new PathString("/login"),
            LogoutPath = new PathString("/logout")
        });

        // true = load the <sustainsys.saml2> section from Web.config
        var saml2Options = new Saml2AuthenticationOptions(true);
        app.UseSaml2Authentication(saml2Options);
        app.UseStageMarker(PipelineStage.Authenticate);

        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
    }
}

What am I missing to mimic the behaviour of the older package setup?


Solution

  • There are a number of breaking changes between those releases that might trigger problems.

    The Katana logging will contain error messages. Some things that are relevant are:

    1. The minimum accepted incoming signing algorithm is now by default SHA-256. Can be set through the minIncomingSigningAlgorithm config.
    2. The module path (base path for all endpoints) now defaults to /Saml2 instead of /AuthServices. In the question, it is already correctly configured to /AuthServices to be backwards compatible.
    3. The ClaimsAuthenticationManager is no longer supported on 2.X as it no longer uses the System.IdentityModel token handlers. Use the AcsCommandResultCreated notification to modify the created identity instead.
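
The following is an added example, not code from the question, the answer or the Sustainsys.Saml2 project itself. It keeps the question's cookie and Saml2 setup and applies the two breaking changes from the answer that need code rather than config: it lowers the accepted signing algorithm in code (assuming, which the page does not state, that the IdP still signs with RSA-SHA1) and replaces the removed ClaimsAuthenticationManager hook with the AcsCommandResultCreated notification. The claim type `urn:example:idp` is a hypothetical application claim used for illustration.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography.Xml;
using System.Web.Helpers;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Owin;
using Sustainsys.Saml2.Owin;

// Added example (not the original post's code, not Sustainsys.Saml2's own docs).
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var defaultSignInAsAuthType = "Cookies";
        app.SetDefaultSignInAsAuthenticationType(defaultSignInAsAuthType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = defaultSignInAsAuthType,
            ReturnUrlParameter = "returnUrl",
            LoginPath = new PathString("/login"),
            LogoutPath = new PathString("/logout")
        });

        // true: load <sustainsys.saml2> from Web.config (entityId, modulePath="/AuthServices",
        // IdP metadata). Values set on SPOptions below override what the config loaded.
        var saml2Options = new Saml2AuthenticationOptions(true);

        // Breaking change 1: 2.x rejects responses signed with anything weaker than SHA-256.
        // Assumption: this IdP still signs with rsa-sha1. This is a deliberate downgrade;
        // only keep it until the IdP can be moved to SHA-256, and never set it lower.
        saml2Options.SPOptions.MinIncomingSigningAlgorithm = SignedXml.XmlDsigRSASHA1Url;

        // Breaking change 3: ClaimsAuthenticationManager is no longer invoked. The identity
        // built from the assertion is shaped here instead, before the cookie is issued.
        saml2Options.Notifications.AcsCommandResultCreated = (commandResult, saml2Response) =>
        {
            var identity = (ClaimsIdentity)commandResult.Principal.Identity;

            // AntiForgeryConfig below keys on ClaimTypes.Name, so make sure it is present.
            // The Saml2 handler maps the NameID to ClaimTypes.NameIdentifier.
            if (!identity.HasClaim(c => c.Type == ClaimTypes.Name))
            {
                var nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
                if (nameId == null)
                {
                    // Refuse an assertion that cannot be tied to a subject instead of
                    // silently issuing a session without a usable identity.
                    throw new InvalidOperationException("SAML2 response carried no NameID.");
                }
                identity.AddClaim(new Claim(ClaimTypes.Name, nameId.Value));
            }

            // Hypothetical application claim recording which IdP issued the assertion,
            // the kind of enrichment a ClaimsAuthenticationManager used to do.
            identity.AddClaim(new Claim("urn:example:idp", saml2Response.Issuer.Id));
        };

        app.UseSaml2Authentication(saml2Options);
        app.UseStageMarker(PipelineStage.Authenticate);

        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
    }
}
```

`SignedXml.XmlDsigRSASHA1Url` is the full algorithm URI `http://www.w3.org/2000/09/xmldsig#rsa-sha1`; the same value can be given as the `minIncomingSigningAlgorithm` attribute on `<sustainsys.saml2>` if config is preferred over code. Before lowering it, check the Katana log for the actual rejection reason, since an identity with no Name claim (change 3) produces the same `access_denied` redirect as a rejected signature (change 1).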