Tags: c#, saml-2.0, itfoxtec-identity-saml2

Is it possible to ignore AuthnContextClassRef?


I'm facing the following problem:

The IDP does not have a valid URI in the AuthnContextClassRef field, and the lib itfoxtec-identity-saml2 throws an error when I try to use the method:

binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);

The error is: ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'adumbstringthatsomeoneconfigured'

StackTrace:

Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)
Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationStatement(XmlDictionaryReader reader)
Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAssertion(XmlReader reader)
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(string token)
ITfoxtec.Identity.Saml2.Saml2AuthnResponse.ReadSecurityToken(string tokenString)
ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(string xml, bool validateXmlSignature)
ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, string messageName, bool validateXmlSignature)
ITfoxtec.Identity.Saml2.Saml2Binding<T>.ReadSamlResponse(HttpRequest request, Saml2Response saml2Response)
Okta_SAML_Example.Controllers.LoginController.AssertionConsumerService() in LoginController.cs
    binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);

Exception:

System.ArgumentException: IDX13300: 'value' must be an absolute Uri, was: 'LoginXyzWTPRO_Extern'
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext.set_ClassReference(Uri value)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2AuthenticationContext..ctor(Uri classReference, Uri declarationReference)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAuthenticationContext(XmlDictionaryReader reader)

Solution

  • I would expect that the AuthnContextClassRef is set by the RP in the Saml2AuthnRequest?

    According to the SAML 2.0 standard it should be a URI. But the ITfoxtec Identity SAML library accepts a string.

    I'm not able to reproduce the error. Please add a stack trace for more debug information.

    ****** EDITED ******

    The library only supports receiving a URI-based AuthnContextClassRef from the IdP. The AuthnContextClassRef is validated by the underlying .NET classes, which require a URI. And with good reason: the SAML 2.0 standard requires it to be a URI.

    From SAML 2.0: A URI reference identifying an authentication context class that describes the authentication context...
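As an added illustration of the answer's point (this is not code from the ITfoxtec library or from the answer's author), the following pre-check applies the same absolute-URI rule the .NET Saml2AuthenticationContext enforces to the decoded SAML Response XML, so a misconfigured IdP yields a precise diagnostic naming the offending value instead of a bare IDX13300. The class name, method name and the sample response are assumptions constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

// Hypothetical diagnostic helper: run it on the decoded SAMLResponse before
// binding.ReadSamlResponse() to report which AuthnContextClassRef values violate
// the SAML 2.0 requirement that the reference be a URI.
public static class AuthnContextCheck
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns every AuthnContextClassRef text value that is not an absolute URI.
    public static List<string> FindInvalidClassRefs(string responseXml)
    {
        // Parse defensively: the response is attacker-reachable input, so forbid
        // DTDs and external resolution before touching it.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(responseXml), settings))
            doc.Load(reader);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        var invalid = new List<string>();
        foreach (XmlNode node in doc.SelectNodes(
                     "//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", ns))
        {
            var value = node.InnerText.Trim();
            // Same rule the Saml2AuthenticationContext setter applies: must be an absolute URI.
            if (!Uri.TryCreate(value, UriKind.Absolute, out _))
                invalid.Add(value);
        }
        return invalid;
    }

    // Constructed sample (signature omitted) carrying the non-URI value from the question
    // next to a standard SAML 2.0 authentication context class URI.
    const string Sample = @"<samlp:Response xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol""
  xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion"" ID=""_r1"" Version=""2.0"" IssueInstant=""2024-01-01T00:00:00Z"">
  <saml:Assertion ID=""_a1"" Version=""2.0"" IssueInstant=""2024-01-01T00:00:00Z"">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:AuthnStatement AuthnInstant=""2024-01-01T00:00:00Z""><saml:AuthnContext>
      <saml:AuthnContextClassRef>LoginXyzWTPRO_Extern</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
    <saml:AuthnStatement AuthnInstant=""2024-01-01T00:00:00Z""><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>";

    public static void Main()
    {
        // Prints only the first value; the urn: value passes because urn is an absolute URI scheme.
        foreach (var bad in FindInvalidClassRefs(Sample))
            Console.WriteLine($"AuthnContextClassRef '{bad}' is not an absolute URI; correct the IdP's authentication context configuration.");
    }
}
```

Use the check for diagnostics only and still hand the untouched response to the library: the assertion is signed, so rewriting or stripping the AuthnContext element would break signature validation rather than solve the configuration problem.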