SAML 2.0 "Stale Request"

Problem description

We need to integrate an ASP.NET Web Forms application with login authenticated through our client's SAML 2.0. (Yes, I know both techs are old, it is what it is.) I'm using AspNetSaml to generate the SAML and (eventually) consume the response.

I am attempting to test with samltest.id just to get all the code up and working properly. I've uploaded my metadata through their upload.php page, and they said they successfully loaded it and trust my service provider.

However, for every single request that I try to submit to samltest.id's IdP, I receive "Web Login Service - Stale Request", and it doesn't show a login screen or call back to our Consumer URL. The extended text on the page says to click the button below to see the IdP logs for more information. So I did that, thinking it would show log results for the transaction I had just submitted. But it seems to just be a running log of EVERYONE testing against their IdP, and my request never seems to actually show up in the logs anywhere, so they are no help.

Here is the metadata we are providing to them (just with the domain info changed):

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2120-11-12T17:15:27Z" entityID="https://myapp.ourdomain.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myapp.ourdomain.com/saml/callback.aspx" index="1" />
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">My, Inc.</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">My, Inc.</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">https://www.ourdomain.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>My Support</md:GivenName>
    <md:EmailAddress>support@ourdomain.com</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>My Support</md:GivenName>
    <md:EmailAddress>support@ourdomain.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

The URL I am using: https://samltest.id/idp/profile/SAML2/POST/SSO

And here is the form that I am posting to the URL:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title></title></head>
<body>
    <form id="frmSAML" method="post" action="https://samltest.id/idp/profile/SAML2/POST/SSO">
        <input name="SAMLRequest" type="hidden" id="SAMLRequest" value="fZJdT8IwF ... redacted ... rYFjEh6sv1/iPQX" />
    </form>
    <script type="text/javascript">
        // Auto-submit the hidden form as soon as the page has loaded (HTTP-POST binding)
        window.onload = function () { document.getElementById("frmSAML").submit(); };
    </script>
</body>
</html>

Using the tool at https://www.samltool.com/decode.php, I have verified that the value passed in for SAMLRequest does decode/inflate back to the original XML properly.

And I've used the tool at https://www.samltool.com/validate_authn_req.php to verify that the XML itself is actually proper and valid.

Here is the generated XML for the request (domain info changed to match the metadata above):

<samlp:AuthnRequest 
    ID="_623bea96-ec13-4df6-8546-413ac51b7ee4" 
    Version="2.0" 
    ForceAuthn="1"
    IssueInstant="2020-11-13T17:41:15Z" 
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://myapp.ourdomain.com/saml/callback.aspx"
    Destination="https://samltest.id/idp/profile/SAML2/POST/SSO" 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myapp.ourdomain.com</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>

Tags: saml, saml-2.0, samltest.id
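Because the question turns on how the SAMLRequest value is encoded for the binding it is sent over, here is an added Python example (not from the question, and not AspNetSaml's code) that encodes an AuthnRequest the way the SAML 2.0 Bindings specification requires for HTTP-POST (Base64 only) and for HTTP-Redirect (raw DEFLATE, then Base64), and that checks which encoding a received value actually uses. The sample AuthnRequest and its ID are constructed for the example.

```python
import base64
import binascii
import zlib

# Constructed sample, modelled on the AuthnRequest shown in the question above.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id" Version="2.0" IssueInstant="2020-11-13T17:41:15Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Destination="https://samltest.id/idp/profile/SAML2/POST/SSO">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://myapp.ourdomain.com</saml:Issuer></samlp:AuthnRequest>'
)


def encode_for_post(xml: str) -> str:
    """HTTP-POST binding: the SAMLRequest form field is Base64 of the XML, not compressed."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_for_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then Base64.
    The result still has to be URL-encoded before it goes into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def detect_encoding(value: str) -> str:
    """Return 'post', 'redirect' or 'invalid' for an already URL-decoded SAMLRequest value."""
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return "invalid"
    if raw.startswith(b"<"):          # plain XML: what the POST binding carries
        return "post"
    try:
        inflated = zlib.decompress(raw, -15)
    except zlib.error:
        return "invalid"
    return "redirect" if inflated.startswith(b"<") else "invalid"


def binding_matches(value: str, binding: str) -> bool:
    """True when the value is encoded the way the given binding ('post'/'redirect') expects."""
    return detect_encoding(value) == binding


def decode_saml_request(value: str, binding: str) -> str:
    """Decode a SAMLRequest for the binding it was received on; ValueError on a mismatch."""
    if not binding_matches(value, binding):
        raise ValueError(f"SAMLRequest is not encoded for the {binding} binding")
    raw = base64.b64decode(value)
    return (raw if binding == "post" else zlib.decompress(raw, -15)).decode("utf-8")
```

A service provider can run `binding_matches` on its own output before posting, and an IdP-side receiver can use `decode_saml_request` to reject a value whose encoding does not fit the endpoint it arrived at.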

Solution
