
ForgeRock always returns an HTTP 500 error for SSO. I am using itfoxtec-identity-saml2 for the (redirect) binding in my ASP.NET Core application, with ForgeRock as my IdP, and I am following the steps mentioned in the GitHub

This is the SAML Auth Request sent out

<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_f149a6ed-298a-4d41-951f-3817a5e3f7ae"
    Version="2.0"
    IssueInstant="2020-08-15T21:53:37.9212248Z"
    Destination="http://dev.mytest.com/sso/SSORedirect/metaAlias/RRC/idp"
    AssertionConsumerServiceURL="http://localhost:60017/General/Account/AssertionConsumerService">
    <saml2:Issuer>http://dev.mytest.com:80/sso</saml2:Issuer>
    <saml2:Subject><saml2:NameID> https://localhost:60017</saml2:NameID></saml2:Subject>
    <saml2p:NameIDPolicy AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</saml2p:AuthnRequest>

Two questions I have been asked by ForgeRock:

  1. Can I use the samlp and saml tags instead of the saml2p and saml2 tags in the SAML request?
  2. The binding is not mentioned in the SAML auth request.

Error Message

HTTP 500 Error from ForgeRock



I'm a little in doubt about your question. If you are asking about XML namespace names: it is not possible to change the XML namespace names in the XML that the ITfoxtec Identity SAML 2.0 component generates.

It is probably correct to use a redirect binding.

You are sending ' https://localhost:60017' in the NameID tag with a leading space: <saml2:NameID> https://localhost:60017</saml2:NameID>. It looks wrong. It should be the username of the user you want to be logged in.

  • Thanks @Anders, originally we had the NameID tag as "TestUser"; then the suggestion was to change it to the localhost URL, so I modified it. I tried, but that still did not help. The other question is that in the SAML request I do not see the binding protocol at all, for example like this: ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" – Kris R Aug 18 '20 at 15:16
  • The SAML 2.0 binding is mostly about using either HTTP GET or HTTP POST with some defined parameters and generally not about the XML. However, there are some differences regarding signing. – Anders Revsgaard Aug 20 '20 at 18:40
  • The issue was resolved: the issuer ID was wrong in the SAML auth request. After correcting that, and the IdP fixing the issue on their side, things are working fine. Thank you! – Kris R Aug 24 '20 at 20:13
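The three points the thread touches (namespace prefixes are irrelevant, only the namespace URI counts; the redirect binding lives in the query string rather than the XML; and the signature covers the URL-encoded SAMLRequest/RelayState/SigAlg parameters in that order), worked through as an added example. This is not code from the question, the ITfoxtec library or ForgeRock. The AuthnRequest reuses the question's Destination and ACS URL but uses samlp/saml prefixes on purpose and a hypothetical SP entityID as Issuer (the corrected value from the last comment is not on the page); demo_sign is a bare SHA-256 stand-in so the block runs offline, where a real SP would sign the same bytes with RSA-SHA256 and its private key.

```python
import base64
import hashlib
import hmac
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed AuthnRequest. Prefixes are samlp/saml (not saml2p/saml2) on purpose;
# the Issuer is a hypothetical SP entityID, an assumption for this example.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_f149a6ed-298a-4d41-951f-3817a5e3f7ae" Version="2.0"
    IssueInstant="2020-08-15T21:53:37.9212248Z"
    Destination="http://dev.mytest.com/sso/SSORedirect/metaAlias/RRC/idp"
    AssertionConsumerServiceURL="http://localhost:60017/General/Account/AssertionConsumerService">
  <saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>"""


def inspect_request(xml_text):
    """What an IdP actually keys on: namespace URI and local name (never the prefix),
    the Issuer (must equal the SP entityID registered at the IdP) and the Destination."""
    root = ET.fromstring(xml_text)
    ns_uri, local = root.tag[1:].split("}")  # ElementTree tags look like {uri}local
    issuer = root.find(f"{{{SAML2}}}Issuer")
    return {
        "namespace": ns_uri,
        "element": local,
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
    }


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect(value):
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signed_input(saml_request_b64, relay_state, sig_alg):
    """The bytes that get signed: percent-encoded parameters in exactly this order.
    The signature is over the query string, not inside the XML, so the XML itself
    carries no ds:Signature element with the redirect binding."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in parts).encode("ascii")


def demo_sign(data):
    """Stand-in so the example runs without a key: a plain SHA-256 digest. This is NOT a
    signature; a real SP signs these same bytes with RSA-SHA256 and its private key."""
    return hashlib.sha256(data).digest()


def build_redirect_url(destination, xml_text, relay_state=None, sign=demo_sign):
    """SP side: deflate+base64 the XML, sign the query string, append Signature last."""
    query = signed_input(encode_redirect(xml_text), relay_state, RSA_SHA256)
    sig = base64.b64encode(sign(query)).decode("ascii")
    return f"{destination}?{query.decode('ascii')}&Signature={urllib.parse.quote(sig, safe='')}"


def verify_redirect_url(url, verify=None):
    """IdP side: rebuild the signed bytes from the query string AS RECEIVED. Re-encoding
    decoded values could change the percent-encoding and break a valid signature."""
    raw = {}
    for part in urllib.parse.urlsplit(url).query.split("&"):
        k, _, v = part.partition("=")
        raw[k] = v
    if "Signature" not in raw or "SigAlg" not in raw:
        raise ValueError("unsigned redirect request")
    order = [k for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw]
    data = "&".join(f"{k}={raw[k]}" for k in order).encode("ascii")
    sig = base64.b64decode(urllib.parse.unquote(raw["Signature"]))
    check = verify or (lambda d, s: hmac.compare_digest(demo_sign(d), s))
    if not check(data, sig):
        raise ValueError("bad signature")
    return decode_redirect(urllib.parse.unquote(raw["SAMLRequest"]))


if __name__ == "__main__":
    url = build_redirect_url(inspect_request(AUTHN_REQUEST)["destination"], AUTHN_REQUEST, "state1")
    print(inspect_request(verify_redirect_url(url)))
```

Changing the prefixes back to saml2p/saml2 gives the same dictionary from inspect_request, which is why the namespace question in the thread does not matter to the IdP; tampering with RelayState in the built URL makes verify_redirect_url raise, which is the part of the binding the second comment refers to as the signing difference.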