saml - SAML 2.0 "Stale Request"
Problem description
We need to integrate an ASP.NET Web Forms application with login authenticated through our client's SAML 2.0. (Yes, I know both techs are old, it is what it is.) I'm using AspNetSaml to generate the SAML and (eventually) consume the response.
I am attempting to test with samltest.id just to get all the code up and working properly. I've uploaded my metadata through their upload.php page, and they said they successfully loaded it and trust my service provider.
However, for every single request that I try to submit to samltest.id's IdP I receive "Web Login Service - Stale Request", and it doesn't show a login screen or call back to our Consumer URL. The extended text on the page says to click the button below to see the IdP logs for more information. So I did that, thinking it would show log results for the transaction I had just submitted. But it seems to just be a running log of EVERYONE testing against their IdP, and my request never seems to actually show up in the logs anywhere, so they are no help.
Here is the metadata we are providing to them (just with the domain info changed):
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2120-11-12T17:15:27Z" entityID="https://myapp.ourdomain.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myapp.ourdomain.com/saml/callback.aspx" index="1" />
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">My, Inc.</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">My, Inc.</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">https://www.ourdomain.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>My Support</md:GivenName>
    <md:EmailAddress>support@ourdomain.com</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>My Support</md:GivenName>
    <md:EmailAddress>support@ourdomain.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
The URL I am using: https://samltest.id/idp/profile/SAML2/POST/SSO
And here is the form that I am posting to the URL:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title></title>
  </head>
  <body>
    <form id="frmSAML" method="post" action="https://samltest.id/idp/profile/SAML2/POST/SSO">
      <input name="SAMLRequest" type="hidden" id="SAMLRequest" value="fZJdT8IwF ... redacted ... rYFjEh6sv1/iPQX" />
    </form>
  </body>
  <script type="text/javascript">
    window.onload = function () { frmSAML.submit(); }
  </script>
</html>
Using the tool at https://www.samltool.com/decode.php, I have verified that the value passed in for SAMLRequest does decode/inflate back to the original XML properly.
And I've used the tool at https://www.samltool.com/validate_authn_req.php to verify that the XML itself is actually proper and valid.
Here is the generated XML for the request (domain info changed to match the metadata above):
<samlp:AuthnRequest
    ID="_623bea96-ec13-4df6-8546-413ac51b7ee4"
    Version="2.0"
    ForceAuthn="1"
    IssueInstant="2020-11-13T17:41:15Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://myapp.ourdomain.com/saml/callback.aspx"
    Destination="https://samltest.id/idp/profile/SAML2/POST/SSO"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myapp.ourdomain.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>
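One check worth making against the form above concerns how the SAMLRequest value is encoded. The SAML 2.0 Bindings specification encodes the two front-channel bindings differently: HTTP-POST carries SAMLRequest as plain Base64 of the XML (no compression), while HTTP-Redirect carries raw DEFLATE, then Base64, then URL-encoding in the query string. The question says the posted value "decode/inflate[s]" back to XML, which is the Redirect-style encoding, yet it is being sent to the POST endpoint. The following is an added example in Python (not the question's C# or the AspNetSaml library's code): it builds an unsigned AuthnRequest with the same attributes as the one in the question, encodes it both ways, and decodes a received value while reporting which binding's encoding it carries. The entity ID and URLs are the question's own placeholders; the request ID and timestamp are generated.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
from xml.etree import ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Assumed values: the placeholders used in the question, not a real deployment.
SP_ENTITY_ID = "https://myapp.ourdomain.com"
ACS_URL = "https://myapp.ourdomain.com/saml/callback.aspx"
IDP_SSO_URL = "https://samltest.id/idp/profile/SAML2/POST/SSO"


def build_authn_request(request_id=None, issue_instant=None):
    """Build an unsigned AuthnRequest with the same attributes as the one in the question.

    ID must be an NCName, hence the leading underscore before the UUID.
    """
    request_id = request_id or "_" + str(uuid.uuid4())
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "ForceAuthn": "true",
        "IssueInstant": issue_instant,
        "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": ACS_URL,
        "Destination": IDP_SSO_URL,
    })
    issuer = ET.SubElement(root, f"{{{SAML_NS}}}Issuer")
    issuer.text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{SAMLP_NS}}}NameIDPolicy", {"AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def encode_for_post(xml_text):
    """HTTP-POST binding: SAMLRequest is plain Base64 of the XML bytes, with no DEFLATE step."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def encode_for_redirect(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then Base64, then URL-encoded into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 means raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_saml_request(value):
    """Decode a SAMLRequest value and report which binding's encoding it carries.

    Returns (xml_text, kind) where kind is "post" (Base64 of XML) or "redirect" (Base64 of raw DEFLATE).
    A value that inflates is the Redirect-binding shape even if it arrived in a POST body.
    """
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8"), "post"
    inflated = zlib.decompress(raw, -15)  # raw DEFLATE; raises zlib.error on garbage
    return inflated.decode("utf-8"), "redirect"


def decode_from_query(query_string):
    """Pull SAMLRequest out of a Redirect-binding query string and decode it."""
    params = parse_qs(query_string)
    return decode_saml_request(params["SAMLRequest"][0])


if __name__ == "__main__":
    xml_text = build_authn_request()
    print("POST form value decodes as:", decode_saml_request(encode_for_post(xml_text))[1])
    print("Redirect query value decodes as:", decode_from_query(encode_for_redirect(xml_text))[1])
```

Run `decode_saml_request` on the actual hidden-field value from the form: if it reports "redirect", the value was deflated before Base64 and belongs in a GET to the Redirect endpoint (or should be re-encoded with `encode_for_post` for the POST endpoint). Whether that is what samltest.id is objecting to cannot be confirmed from the question alone, but it is the first mismatch to rule out before looking at cookies or IdP-side state.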
Solution