
I'm running ITFoxtec.Identity.Saml2.Mvc (v4.5.0) in MVC.NET (4.7.2 framework). And my IdP says successfully authenticated... redirecting back... But when I get my response back from the IdP - I'm getting a null exception buried in this call. Unfortunately it doesn't give me a line number or anything helpful to track it down.

saml2AuthnResponse.CreateSession()

I tried a bunch of ways of building the nuget package to get it to log out where it's failing - but so far have had no luck with that when using/referencing from outside the package. I have set the other settings as follows in web.config:

<add key="Saml2:CertificateValidationMode" value="PeerOrChainTrust" />
<add key="Saml2:RevocationMode" value="NoCheck" />

My AssertionConsumerService is almost identical to the example from your site:

public ActionResult AssertionConsumerService()
{
    // Receive the SAML 2.0 response sent by the IdP over the HTTP-POST binding
    var binding = new Saml2PostBinding();
    var saml2AuthnResponse = new Saml2AuthnResponse(config);

    // Read and validate the response (XML signature, certificate, status)
    binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);
    // Turn the validated assertion into a session; this is the call that throws
    saml2AuthnResponse.CreateSession(claimsAuthenticationManager: new SAMLDefaultClaimsAuthenticationManager());

    // Return to the URL carried in RelayState, or to the site root if none was given
    var returnUrl = binding.GetRelayStateQuery()[relayStateReturnUrl];
    return Redirect(string.IsNullOrWhiteSpace(returnUrl) ? Url.Content("~/") : returnUrl);
}

In printf debugging on Saml2ResponseExtensions.cs CreateSession() ln.19 I can tell that it (probably?) doesn't throw before this line (because I can copy+paste recreate all the preceding variables in my outer scope, without problems).

var sessionSecurityToken = lifetime.HasValue 
    ? new SessionSecurityToken(transformedPrincipal, lifetime.Value) 
    ...

@AndersRevsgaard Any ideas?

1 Answer

I tracked this down to this line, which throws the Null ref error:

FederatedAuthentication.SessionAuthenticationModule.AuthenticateSessionSecurityToken(sessionSecurityToken, true);

which, although still mysterious, was solved by this answer: "What makes the FederatedAuthentication.SessionAuthenticationModule return NULL?", by adding some sections to the web.config.

<configSections>
  <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<system.web>
  <authentication mode="None" />
</system.web>
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </modules>
</system.webServer>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" />
  </federationConfiguration>
</system.identityModel.services>

You can review the ITFoxTec test web.config for a full example: https://github.com/ITfoxtec/ITfoxtec.SAML2/blob/master/WebAppTest/Web.config

MVC.NET 4.7.2 framework uses the old .NET infrastructure built on modules. Therefore, the configuration is required to add the SessionAuthenticationModule onto the request pipeline. I'm glad you got it to work. – Anders Revsgaard Apr 07 '20 at 13:22
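As an added example (not code from the question, the answer, or the ITfoxtec project), here is the same AssertionConsumerService written so that the root cause of the NullReferenceException described above is reported explicitly: it checks that the SessionAuthenticationModule is actually registered in the pipeline before calling CreateSession, refuses to create a session for a non-Success SAML status, and only follows a RelayState return URL that points back into the application. The field names config and relayStateReturnUrl, the controller class name, and the use of ITfoxtec's DefaultClaimsAuthenticationManager in place of the question's SAMLDefaultClaimsAuthenticationManager are assumptions.

```csharp
using System;
using System.Security.Authentication;
using System.IdentityModel.Services;
using System.Web.Mvc;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Claims;
using ITfoxtec.Identity.Saml2.Mvc;

// Hypothetical controller; field names follow the snippet in the question.
public class AuthController : Controller
{
    // Assumption: populated from web.config / IdP metadata elsewhere in the app.
    private readonly Saml2Configuration config = new Saml2Configuration();
    private const string relayStateReturnUrl = "ReturnUrl";

    public ActionResult AssertionConsumerService()
    {
        // FederatedAuthentication.SessionAuthenticationModule is null when web.config
        // does not register the module, which is what produced the bare NullReferenceException.
        // Fail fast with a message that names the missing configuration instead.
        if (FederatedAuthentication.SessionAuthenticationModule == null)
        {
            throw new InvalidOperationException(
                "SessionAuthenticationModule is not registered. Add it under " +
                "<system.webServer><modules> and declare the system.identityModel " +
                "and system.identityModel.services config sections in web.config.");
        }

        var binding = new Saml2PostBinding();
        var saml2AuthnResponse = new Saml2AuthnResponse(config);

        // Unbind validates the XML signature and certificate according to the Saml2 settings.
        binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);

        // Never create a session for a response whose status is not Success.
        if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
        {
            throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
        }

        saml2AuthnResponse.CreateSession(
            claimsAuthenticationManager: new DefaultClaimsAuthenticationManager());

        // RelayState is supplied by the browser; only redirect to it if it is local to this app.
        string returnUrl;
        binding.GetRelayStateQuery().TryGetValue(relayStateReturnUrl, out returnUrl);
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Content("~/"));
    }
}
```

With the module missing, this version surfaces a configuration error on the first request instead of a null reference deep inside CreateSession, which makes the web.config fix above easy to find.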