
I am using the ITFoxtec SAML 2.0 .NET Core NuGet packages in my application. I have the test IdpCore project running and I integrated my .NET Core application with this IdP. The application redirects to the IdP and gets the SAML response back with a status of success (looked at this through Fiddler); however, it always fails with a 400 error and does not hit the AssertionConsumerService action in the controller. Is there something else I need to check here? I verified my metadata is set up with the correct URL.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_e7345657-1449-4d52-81fa-127d2ccffc9c" Version="2.0" IssueInstant="2023-07-07T07:03:08.834Z" Destination="https://localhost:5001/Saml2Auth/AssertionConsumerService" InResponseTo="_7bddec34-696b-4bad-9039-ec176493f0de">
  <saml:Issuer>itfoxtec-testidpcore</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion ID="_b937d729-3755-483d-a2f6-86be69f6086f" IssueInstant="2023-07-07T07:03:08.839Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>itfoxtec-testidpcore</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abcd</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_7bddec34-696b-4bad-9039-ec176493f0de" NotOnOrAfter="2023-07-07T07:08:08.840Z" Recipient="https://localhost:5001/Saml2Auth/AssertionConsumerService" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-07-07T07:03:08.839Z" NotOnOrAfter="2023-07-07T08:03:08.839Z">
      <saml:AudienceRestriction>
        <saml:Audience>itfoxtec-testwebappcore</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <saml:AttributeValue>abcd@email.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>abcd@someemail.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthnStatement AuthnInstant="2023-07-07T07:03:08.839Z" SessionIndex="aad7bf52-9bfa-4169-8847-e8c0d76d790b">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
Praveen

2 Answers


There is probably a small detail missing or incorrect. You can compare your .NET application with the code in the .NET Core MVC sample and probably locate the difference.

Anders Revsgaard

I had to set the attribute [IgnoreAntiforgeryToken] on my action method and it solved the problem.

Praveen
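An added example, not code from the question or from the ITfoxtec project, showing the shape of the fix in the answer above: the assertion consumer action is exempted from ASP.NET Core's antiforgery validation while the rest of the application keeps it. It assumes the 400 comes from a global AutoValidateAntiforgeryTokenAttribute filter rejecting the IdP's cross-origin form POST, which cannot carry this application's token; the ITfoxtec calls follow the library's MVC Core sample from memory and should be checked against the package version in use.

```csharp
using System.Security.Authentication;
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

// Assumed global filter in Program.cs / Startup.cs: every unsafe (POST) request
// must carry the application's antiforgery token or MVC answers 400 before the
// action runs, which matches the symptom in the question.
// builder.Services.AddControllersWithViews(o =>
//     o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

[Route("Saml2Auth")]
public class Saml2AuthController : Controller
{
    private readonly Saml2Configuration config;

    public Saml2AuthController(IOptions<Saml2Configuration> configAccessor)
    {
        config = configAccessor.Value;
    }

    // The IdP posts the SAML response from its own origin, so that form can never
    // contain this app's antiforgery token. Exempt only this action, not the whole
    // site: the SAML layer supplies the request binding instead (signature,
    // Recipient, NotOnOrAfter and audience are checked in Unbind, and the app
    // should still correlate InResponseTo with the AuthnRequest it issued).
    [HttpPost("AssertionConsumerService")]
    [IgnoreAntiforgeryToken]
    public async Task<IActionResult> AssertionConsumerService()
    {
        var binding = new Saml2PostBinding();
        var saml2AuthnResponse = new Saml2AuthnResponse(config);

        binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);
        if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
        {
            throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
        }

        // Unbind validates the response before any session is created.
        binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);
        await saml2AuthnResponse.CreateSession(HttpContext);

        return Redirect(Url.Content("~/"));
    }
}
```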