
KeyNotFoundException in case of omitted optional Issuer tag #477

Closed
pshirshov opened this issue May 19, 2016 · 4 comments

Comments

@pshirshov

When the /Response/Issuer attribute is missing, Kentor throws a KeyNotFoundException.

This response works:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>

This one does not:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>

Stacktrace:

[KeyNotFoundException]: The given key was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Kentor.AuthServices.Configuration.IdentityProviderDictionary.get_Item(EntityId entityId)
[KeyNotFoundException]: No Idp with entity id "" found.
   at Kentor.AuthServices.Configuration.IdentityProviderDictionary.get_Item(EntityId entityId)
   at Kentor.AuthServices.Saml2P.Saml2Response.CheckIfUnsolicitedIsAllowed(IOptions options)
   at Kentor.AuthServices.Saml2P.Saml2Response.Validate(IOptions options)
   at Kentor.AuthServices.Saml2P.Saml2Response.<CreateClaims>d__53.MoveNext()
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at Kentor.AuthServices.Saml2P.Saml2Response.GetClaims(IOptions options)
   at Kentor.AuthServices.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState)
   at Kentor.AuthServices.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)
   at Kentor.AuthServices.HttpModule.Saml2AuthenticationModule.OnPostAuthenticateRequest(Object sender, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

This attribute is optional: https://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd

<complexType name="StatusResponseType">
<sequence>
<element ref="saml:Issuer" minOccurs="0"/>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="samlp:Extensions" minOccurs="0"/>
<element ref="samlp:Status"/>
</sequence>
<attribute name="ID" type="ID" use="required"/>
<attribute name="InResponseTo" type="NCName" use="optional"/>
<attribute name="Version" type="string" use="required"/>
<attribute name="IssueInstant" type="dateTime" use="required"/>
<attribute name="Destination" type="anyURI" use="optional"/>
<attribute name="Consent" type="anyURI" use="optional"/>
</complexType>

So, Kentor should work even if it's not defined.

@AndersAbel
Member

You're right that the issuer field is optional. I'm marking this as a bug.

@saurabhrmq

saurabhrmq commented Jan 15, 2018

Hi,
In my case this happens when running the Id3 Mvc Authentication sample in the IdP-initiated flow. #743 is about a config issue and this #477 is about a missing issuer, but mine is neither a config nor a missing-issuer case. The error I get is: Unexpected entity id "https://extstub.com:52071/Metadata" found when loading metadata for "https://extstub.com:52071/MetaData".

In the Id3 Mvc Authentication startup:

// Service provider side: our own entity ID and how the resulting identity is signed in.
var options = new KentorAuthServicesAuthenticationOptions(false)
{
    SPOptions = new SPOptions
    {
        EntityId = new EntityId("https://extauth.com:44319/identity/AuthServices"),
    },
    SignInAsAuthenticationType = signInAsType,
    Caption = "SAML2p"
};
UseIdSrv3LogoutOnFederatedLogout(app, options);

// Certificate the SP uses to sign its own messages.
options.SPOptions.ServiceCertificates.Add(new X509Certificate2(AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "/App_Data/Kentor.AuthServices.Tests.pfx", "", X509KeyStorageFlags.MachineKeySet));
options.SPOptions.ServiceCertificates[0].Use = CertificateUse.Signing;

// Identity provider keyed by its entity ID; metadata is loaded from that URL.
var idp = new IdentityProvider(new EntityId("https://extstub.com:52071/MetaData"), options.SPOptions)
{
    AllowUnsolicitedAuthnResponse = true,
    LoadMetadata = true,
    Binding = Saml2BindingType.HttpRedirect,
};
// Key used to verify the IdP's signatures, in addition to any keys found in metadata.
idp.SigningKeys.AddConfiguredKey(new X509Certificate2(HostingEnvironment.MapPath("~/App_Data/GoogleIDPCertificate.cer")));
options.IdentityProviders.Add(idp);

app.UseKentorAuthServicesAuthentication(options);
new Federation("https://extstub.com:52071/MetaData", true, options);

Please help me resolve the IdP dictionary issue. Even though the dictionary has the same EntityId.Id, I am not able to fetch the IdP for the given entityId object; by the way, the GetHashCode()s were different for entityId.Id and dictionary.FirstOrDefault().Key.Id. Kindly guide me...

@AndersAbel
Member

@saurabh12231978 The config is case sensitive. In your config it's MetaData and in the actual metadata it's Metadata.

Also you should remove the new Federation(...) line since you are only loading metadata that contains a single Idp.
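Both failures in this thread end in the same place: the IdP dictionary lookup shown in the stack trace, keyed by the Response's Issuer. In the original report the key became "" because the optional Response/Issuer was omitted; in the later comment the key differed from the configured entity ID only by case. The Python below is an added example, not Kentor.AuthServices code, showing how a service provider can resolve the issuer with a fallback to the mandatory Assertion/Issuer and then do an exact-match lookup that names the near-miss instead of throwing a bare KeyNotFoundException. The functions `resolve_issuer`, `lookup_idp`, `build_response` and `is_rejected`, the `IDPS` table and the sample messages are all constructed here for illustration.

```python
"""Resolve a SAML 2.0 Response's issuing IdP and look it up by entity ID.

Added example, not Kentor.AuthServices code. It covers the two misses seen
in this thread: an omitted samlp:Response/saml:Issuer (the element is
minOccurs="0" on StatusResponseType, so the lookup key must not default to
"") and a configured entity ID that differs from the real one only in case.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

IDP_ENTITY_ID = "http://idp.example.com/metadata.php"   # issuer used in the issue's samples


class SamlError(ValueError):
    """A message the SP must reject with a clear reason rather than crash on."""


def resolve_issuer(response_xml: str) -> str:
    """Return the entity ID of the IdP that issued the response.

    Response/Issuer is optional, so fall back to the mandatory
    Assertion/Issuer. When both are present they have to agree: the SP picks
    the signing keys by this value, so a Response claiming one IdP while its
    Assertion claims another is rejected, not merely logged. Only plain
    assertions are read; an EncryptedAssertion must be decrypted first.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError(f"expected samlp:Response, got {root.tag}")

    candidates = set()
    response_issuer = root.findtext("saml:Issuer", namespaces=NS)
    if response_issuer is not None:           # element present (possibly empty)
        response_issuer = response_issuer.strip()
        if not response_issuer:
            raise SamlError("Response/Issuer is present but empty")
        candidates.add(response_issuer)

    for assertion in root.findall("saml:Assertion", NS):
        issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
        if not issuer:
            raise SamlError("Assertion without an Issuer")
        candidates.add(issuer)

    if not candidates:
        raise SamlError("no Response/Issuer and no plain Assertion to read one from")
    if len(candidates) > 1:
        raise SamlError(f"conflicting Issuer values: {sorted(candidates)}")
    return candidates.pop()


def lookup_idp(entity_id: str, idps: dict) -> dict:
    """Exact-match lookup; entity IDs are URIs and are compared as strings.

    A miss that matches a configured ID except for case is reported as a
    hint so the operator sees 'MetaData' vs 'Metadata' immediately.
    """
    if entity_id in idps:
        return idps[entity_id]
    near = [k for k in idps if k.lower() == entity_id.lower()]
    hint = f"; did you mean {near[0]!r}? (entity IDs are case-sensitive)" if near else ""
    raise SamlError(f"no IdP with entity id {entity_id!r}{hint}")


def is_rejected(fn, *args) -> bool:
    """True if fn(*args) raises SamlError; used by the demo and the checks."""
    try:
        fn(*args)
    except SamlError:
        return True
    return False


def build_response(response_issuer, assertion_issuer=IDP_ENTITY_ID) -> str:
    """Constructed sample modelled on the issue's messages (not real traffic).

    response_issuer=None omits the optional Response/Issuer element.
    """
    issuer_el = "" if response_issuer is None else f"<saml:Issuer>{response_issuer}</saml:Issuer>"
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
  {issuer_el}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>{assertion_issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Constructed IdP table, keyed with the spelling the metadata actually uses.
IDPS = {"https://extstub.com:52071/Metadata": {"name": "stub IdP", "allow_unsolicited": True}}

if __name__ == "__main__":
    print(resolve_issuer(build_response(IDP_ENTITY_ID)))   # Response/Issuer present
    print(resolve_issuer(build_response(None)))            # omitted: taken from the Assertion
    print(is_rejected(resolve_issuer, build_response("http://other.example.com/")))  # mismatch
    print(lookup_idp("https://extstub.com:52071/Metadata", IDPS)["name"])
    try:
        lookup_idp("https://extstub.com:52071/MetaData", IDPS)
    except SamlError as e:
        print(e)
```

The resolved issuer is what selects the key set used to verify the message signature, so the example refuses to continue when the Response and its Assertion name different issuers rather than picking one. Signature verification itself, replay checks and the unsolicited-response policy still have to run after this step; the example only shows how to get a usable key for the IdP lookup.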
