3

I'm trying to get the sample MVC application from Kentor AuthServices deployed to Azure and using Okta as the IDP. I've jumped a few hurdles but have stumbled on the CryptographicException "The data protection operation was unsuccessful". I'm unsure how to resolve it.

When this occurs the URL in the browser is https://mysite.azurewebsites.net/AuthServices/Acs

Any assistance is appreciated, thanks.

Below is the kentor section of my web.config. I don't have an identity server, so I removed all the federation config.

<kentor.authServices entityId="https://mysite.azurewebsites.net/AuthServices"
                     returnUrl="https://mysite.azurewebsites.net/"
                     authenticateRequestSigningBehavior="Never">
  <identityProviders>
    <add entityId="http://www.okta.com/1111111"
         allowUnsolicitedAuthnResponse="true" binding="HttpRedirect"
         metadataLocation="https://dev-11111.oktapreview.com/app/1111111/sso/saml/metadata"
         loadMetadata="true">
      <signingCertificate fileName="~/App_Data/okta.cert" />
    </add>
  </identityProviders>
</kentor.authServices>

Let me know if I can provide any further info to assist you in assisting me!

Steve

2 Answers

2

It was actually an Azure issue as Anders points out. The fix was to add the following to web.config:

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
Steve
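
A way to confirm that DPAPI is the failing piece on the host, as an added example (not code from the answer above or from Kentor.AuthServices). The default SessionSecurityTokenHandler protects the session cookie with DPAPI, while the MachineKey handler uses the ASP.NET machine key. The class name, method names and sample payload are hypothetical, and the snippet assumes a .NET 4.5+ web application that references System.Security and System.Web.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;   // ProtectedData (System.Security.dll)
using System.Text;
using System.Web.Security;            // MachineKey (System.Web.dll, .NET 4.5+)

// Hypothetical helper: call Probe() from a temporary diagnostics action and
// remove it once the hosting problem is understood.
public static class SessionProtectionProbe
{
    // Constructed sample payload; no real session data is involved.
    private static readonly byte[] Sample =
        Encoding.UTF8.GetBytes("constructed-session-cookie-payload");

    public static string Probe()
    {
        return "DPAPI (CurrentUser): " + Try(RoundTripDpapi) + Environment.NewLine +
               "MachineKey: " + Try(RoundTripMachineKey);
    }

    // The primitive the default SessionSecurityTokenHandler relies on.
    private static bool RoundTripDpapi()
    {
        byte[] blob = ProtectedData.Protect(Sample, null, DataProtectionScope.CurrentUser);
        byte[] back = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
        return back.SequenceEqual(Sample);
    }

    // The primitive MachineKeySessionSecurityTokenHandler relies on.
    private static bool RoundTripMachineKey()
    {
        const string purpose = "SessionProtectionProbe"; // constructed purpose string
        byte[] blob = MachineKey.Protect(Sample, purpose);
        byte[] back = MachineKey.Unprotect(blob, purpose);
        return back != null && back.SequenceEqual(Sample);
    }

    private static string Try(Func<bool> roundTrip)
    {
        try
        {
            return roundTrip() ? "ok" : "round trip mismatch";
        }
        catch (CryptographicException ex)
        {
            // A host that cannot use DPAPI reports the failure here.
            return "failed: " + ex.Message;
        }
    }
}
```

If the DPAPI line fails and the MachineKey line reports ok, the handler swap shown in the answer addresses the cause. Cookies issued this way are only as strong as the machine key, and it has to be identical on every instance that serves the site.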
1

Looks like a bug in Kentor.AuthServices. I've recently done some rewriting which makes use of the data protection API, so something might be wrong there. Please file an issue at the GitHub site and include the stack trace of the exception as well as information on what API module you are using (MVC, HttpModule or OWIN).

Anders Abel
  • Ok thanks Anders. I've raised an issue (https://github.com/KentorIT/authservices/issues/427). I'll remove this post later if it is a bug. – Steve Mar 20 '16 at 22:06
  • @steve Better to leave this here for others to find if they run into the same problem. – Anders Abel Mar 21 '16 at 08:03