SAML 2.0 "Stale Request" - saml

We need to integrate an ASP.NET Web Forms application with login authenticated through our client's SAML 2.0 . (Yes, I know both techs are old, it is what it is.) I'm using AspNetSaml to generate the SAML and (eventually) consume the response.
I am attempting to test with samltest.id just to get all the code up and working properly. I've uploaded my metadata through their upload.php page, and they said they successfully loaded it and trust my service provider.
However every single request that I try to submit to samltest.id's IdP I receive Web Login Service - Stale Request, and it doesn't show a login screen, or call back to our Consumer URL. The extended text on the page says to click the button below to see the IdP logs for more information. So I did that, thinking it would show log results for my transaction that I just submitted. But it seems to just be a running log of EVERYONE testing against their IdP, and my request never seems to actually show up in the logs anywhere, so they are no help.
Here is the metadata we are providing to them (just with the domain info changed):
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2120-11-12T17:15:27Z" entityID="https://myapp.ourdomain.com">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myapp.ourdomain.com/saml/callback.aspx" index="1" />
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en-US">My, Inc.</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en-US">My, Inc.</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en-US">https://www.ourdomain.com</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>My Support</md:GivenName>
<md:EmailAddress>support#ourdomain.com</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="support">
<md:GivenName>My Support</md:GivenName>
<md:EmailAddress>support#ourdomain.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
The URL I am using : https://samltest.id/idp/profile/SAML2/POST/SSO
And here is the form that I am posting to the URL :
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
</title></head>
<body>
<form id="frmSAML" method="post" action="https://samltest.id/idp/profile/SAML2/POST/SSO">
<input name="SAMLRequest" type="hidden" id="SAMLRequest" value="fZJdT8IwF ... redacted ... rYFjEh6sv1/iPQX" />
</form>
</body>
<script type="text/javascript">
window.onload = function () { frmSAML.submit(); }
</script>
</html>
Using the tool at https://www.samltool.com/decode.php , I have verified that the value passed in for SAMLRequest does decode/inflate back to the original XML properly.
And I've used the tool at https://www.samltool.com/validate_authn_req.php to verify that the XML itself is actually proper and valid.
Here is the generated XML for the request (domain info changed to match metadata above)...
<samlp:AuthnRequest
ID="_623bea96-ec13-4df6-8546-413ac51b7ee4"
Version="2.0"
ForceAuthn="1"
IssueInstant="2020-11-13T17:41:15Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://myapp.ourdomain.com/saml/callback.aspx"
Destination="https://samltest.id/idp/profile/SAML2/POST/SSO"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myapp.ourdomain.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>

Related

Shibboleth integration

currently We have CAS SSO to our existing .net application, but now client is asking for Shibboleth SSO instead CAS. I'm totally new to Shibboleth.
Client has given the below details:
entityid= urn:mace:incommon:xxx.edu
metadata URL for test environment is:
https://shibboleth-test.xxx.edu/idp/shibboleth
By using guidelines from Shibboleth site, below are the steps i followed.
Installed Shibbolth Service provider (shibboleth-sp-2.6.1.4-win64.msi)
Installed Java with JCE
Installed Shibboleth Idp (in which jetty also checked)(shibboleth-identity-provider-3.3.3-x64.msi)
Web Application with self signed certificate
attached my Shibboleth2.xml file
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> <InProcess logger="native.logger"> <ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443" />
</ISAPI> </InProcess> <RequestMapper type="Native"> <RequestMap> <Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap></RequestMapper><ApplicationDefaults entityID="urn:mace:incommon:xxx.edu" REMOTE_USER="eppn persistent-id targeted-id" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2"> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https"> <SSO entityID=""urn:mace:incommon:xxx.edu" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 SAML1 </SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 <my system IP">/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="root#localhost"
helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Problems I'm facing......
When i try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status
getting error no metadataprovider available.
Noticed Problems:
1.when i try to add Metadataprovider Shibboleth daemon 2 service is getting
stopped and unable to start.if i remove it's is running.
2.Shibboleth Idp 3 deamon is getting stopped very frequently
When i run 'SC interrogate shibd_idp' in command prompt, results are
control service failed 1062
the service has not been started.
I donno what is wrong with my work.
Can any one please tell me what are the steps to be followed to accomplish this integration.
Thanks in advance,
Hema
There will be a tag in shibboleth2.xml called metadata provider, you will need to open that.
If you have done this but shill service is not getting started then you can check the log and give additional info in question.
Another reason I can think of is connection problem. Try downloading idP's metadata and store it physically in the SP configuration folder. Manually map the file, using following tag
<MetadataProvider type="XML" file="partner-metadata.xml"/>
All the issues has been resolved after we upgraded from Shibboleth 2.6 to 3.0.2. we are getting the Shibboleth Identity provider login page.We are able to see the attributes in Session.Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page.Currently we created 1 sample html page under secure folder in our application. once we logged in we are able to this html page.But when i tried to redirect to our application home page, it's giving 500 error. Can any one knows like how to redirect to our app home page and retrieve the attributes in the application.

Publishing to Azure Mobile Service with Lets Encrypt certificate gives Runtime Error

I have set up a new Azure Mobile App Service instance which has been working fine. The only thing I can think that I've done to the server side configuration is add a Lets Encrpyt certificate to provide SSL support using the Lets Encrypt Azure Extension.
Now, when I publish, I get a Runtime Error. Looking in the Azure streaming logs, I can see the following every time I hit the application URL:
2017-06-29T13:54:07 Welcome, you are now connected to log-streaming service.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS Detailed Error - 500.0 - Internal Server Error</title>
</head>
<body>
<div id="content">
<div class="content-container">
<h3>HTTP Error 500.0 - Internal Server Error</h3>
<h4>The page cannot be displayed because an internal server error has occurred.</h4>
</div>
<div class="content-container">
<fieldset><h4>Most likely causes:</h4>
<ul> <li>IIS received the request; however, an internal error occurred during the processing of the request. The root cause of this error depends on which module handles the request and what was happening in the worker process when this error occurred.</li> <li>IIS was not able to access the web.config file for the Web site or application. This can occur if the NTFS permissions are set incorrectly.</li> <li>IIS was not able to process configuration for the Web site or application.</li> <li>The authenticated user does not have permission to use this DLL.</li> <li>The request is mapped to a managed handler but the .NET Extensibility Feature is not installed.</li> </ul>
</fieldset>
</div>
<div class="content-container">
<fieldset><h4>Things you can try:</h4>
<ul> <li>Ensure that the NTFS permissions for the web.config file are correct and allow access to the Web server's machine account.</li> <li>Check the event logs to see if any additional information was logged.</li> <li>Verify the permissions for the DLL.</li> <li>Install the .NET Extensibility feature if the request is mapped to a managed handler.</li> <li>Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here. </li> </ul>
</fieldset>
</div>
<div class="content-container">
<fieldset><h4>Detailed Error Information:</h4>
<div id="details-left">
<table border="0" cellpadding="0" cellspacing="0">
<tr class="alt"><th>Module</th><td> AspNetInitializationExceptionModule</td></tr>
<tr><th>Notification</th><td> BeginRequest</td></tr>
<tr class="alt"><th>Handler</th><td> ExtensionlessUrlHandler-Integrated-4.0</td></tr>
<tr><th>Error Code</th><td> 0x00000000</td></tr>
Has anyone come across this problem before?
OK< bit of an obscure and edge case one this, but thought I'd leave it here with the answer in case it helps someone.
I created the site and published it with it all working fine. I then changed the assembly name to fit in with my project naming standards and re-published, without selecting 'DELETE ALL FILES' becuase it would wipe out the Lets Encrypt extension settings. However, this lef the old DLL's hanging around in the \bin directory meaning there were two OWIN startup classes being found!
Deleting the old one fixed the issue.

Test Dynamics CRM 2011 OnPremise with SoapUI - 'Script is disabled' response

thanks to all for reading about this.
I'm testing Dynamics CRM 2011 Endpoint with SOAP, and after configuring a test suite with SOAPUi the response from the request is coming back as web page that reads: "Script is disabled. Click Submit to continue."
It' seems that both authentication and request is correct and I tried to change different parameters in SOAPUi following experiences from other users but anything had worked for me.
It's a SOAPUi misconfiguration? Or it came from the service Endpoint?
I've also checked this article from Technet: http://social.technet.microsoft.com/wiki/contents/articles/1425.ad-fs-2-0-script-is-disabled-click-submit-to-continue.aspx
I'm calling a Dynamics CRM 2011 On Premise SOAP Endpoint
SOAPUi Test Request
Headers:
SOAPAction http://schemas.microsoft.com/xrm/2011/Contracts/Services/IOrganizationService/Retrieve
Accept application/xml, text/xml, */*
Content-Type text/xml; charset=utf-8
Request URL: http://myserver/XRMServices/2011/Organization.svc/web
Authentication: NTLM (with user, password and domain)
Request:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ser="http://schemas.microsoft.com/xrm/2011/Contracts/Services" xmlns:con="http://schemas.microsoft.com/xrm/2011/Contracts" xmlns:arr="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<soap:Header/>
<soap:Body>
<ser:entityName>contact</ser:entityName>
<ser:id>91A6E0D1-1182-E511-B589-5EF3FC563A99</ser:id>
<ser:columnSet>
<con:AllColumns>false</con:AllColumns>
<con:Columns>
<arr:string>fullname</arr:string>
</con:Columns>
</ser:columnSet>
</ser:Retrieve>
</soap:Body>
</soap:Envelope>
Response: (I've cleared some private information)
<html>
<head>
<title>Working...</title>
</head>
<body>
<form method="POST" name="hiddenform" action="http://myserver:444/">
<input type="hidden" name="wa" value="wsignin1.0"/>
<input type="hidden" name="wresult" value="*here was my security token*"/>
<input type="hidden" name="wctx" value="rm=1&id=40167dd3-3ac9-4961-a476-3b7ada5a6395&ru=%2fmyorganization%2fXRMServices%2f2011%2fOrganization.svc%2fweb"/>
<noscript>
<p>Script is disabled. Click Submit to continue.</p>
<input type="submit" value="Submit"/>
</noscript>
</form>
<script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
</body>
</html>

.NET AdaptivePayment SDK: PaymentDetails() is throwing a ConnectionException (404)

I am calling the AdaptivePaymentService.PaymentDetails() to get the payment details for a payment, and it is throwing a ConnectionException indicating 404. In order to debug the issue, I downloaded the source for the AdaptivePayment SDK as well as the Core SDK and stepped through the code, specifically, right where the HttpRequest is executed in Paypal.HttpConnection.Execute().
It appears as if all configuration variables are being read from the web.config:
The address in the underlying httpRequest looks correct:
The payload looks correct:
However, a WebException is thrown with the following response:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /cgi-bin/ppapi was not found on this server.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache Server at api.sandbox.paypal.com Port 443</address>
</body></html>
Any help would be greatly appreciated.
Since you have configured both ClientId/Secret and 3-token credentials (API username, password, signature) in your configuration, the endpoint has been detected incorrectly, giving the REST API higher preference. Please remove the client id / secret configuration and you should see the endpoint set correctly to https://svcs.sandbox.paypal.com/AdaptivePayments/PaymentDetails

Stumped with trying to consume a SOAP API using ColdFusion

I am working with an API that has two different URLs for specific types of functions. The first, is a transactional API that supports either JSON or SOAP requests. I have called all of the functions I need within this API using exclusively JSON calls and everything appears to be working perfectly fine.
The second is a reporting API used to locate and/or download reports. This API works exclusively with SOAP. I have not been able to get any function in this API working properly. I have attempted to contact the company's support group, but they do not have anybody who can assist me with API calls in ColdFusion. I have attempted two different ways to interface with this API and get access to the functions and have come up empty. Below are my examples and as much information as I can provide; our service provider's API and associated documentation are confidental, but I can answer some questions related to specific things that have to do with my code.
Way 1: Creating a webservice object.
The first way I tried to create this SOAP call was through a webservice object. Using the metadata exchange point URL, I passed it into the createObject function like this:
<cfset argStruct = structNew() />
<cfset argStruct['username'] = 'myusername' />
<cfset argStruct['password'] = 'mypassword' />
<cfset testSvc = createObject('webservice','https://brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/mex',argStruct) />
When I run this code, I get the following error message:
Cannot generate stub objects for web service invocation. Name: https://brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/mex. WSDL: https://brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/mex. javax.wsdl.WSDLException: WSDLException (at /wsdl:definitions/wsdl:import): faultCode=OTHER_ERROR: Unable to resolve imported document at 'https://brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/mex?wsdl=wsdl1', relative to 'brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/': java.io.IOException: Server returned HTTP response code: 401 for URL: https://brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/mex?wsdl=wsdl1
Since 401 errors are typically bad authorizations, I double-checked the address by calling the URL directly in the browser, where I was prompted with a UN/PW. I entered in my values, and was allowed to access the URL, recieving this XML in return:
<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="ReportingAPI" targetNamespace="https://https://brandnameapi.serviceprovider.com/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:tns="https://https://brandnameapi.serviceprovider.com" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:i0="https://https://brandnameapi.serviceprovider.com/ReportingAPI/soapBinding" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<wsdl:import namespace="https://https://brandnameapi.serviceprovider.com/ReportingAPI/soapBinding" location="https://https://brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/mex?wsdl=wsdl1"/>
<wsdl:types/>
<wsdl:service name="ReportingAPI">
<wsdl:port name="BasicHttpBinding_IReportingAPI" binding="i0:BasicHttpBinding_IReportingAPI">
<soap:address location="https://https://brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/soap"/>
</wsdl:port>
</wsdl:service>
This is about as far as I've gotten. When I call the URL with my browser and pass the authentication information, I'm allowed to access the XML. When I try to do so with ColdFusion, I get 401 errors.
Way 2: cfhttp request calls
When I switched to using cfhttp, I seemed to get a little further. When I use this:
<cfhttp url="https://brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/mex"
username="myusername" password="mypassword" method="get" result="httpResponse"
timeout="300">
</cfhttp>
httpResponse return appropriate page information, and httpResponse.filecontent returns the same XML I recieved when I called it directly in my browser.
Going one step further, I took the SOAP URL and attempted to call a function in the API that returns a list of available report files. I used the same known-working process I used for all of my JSON calls in the transaction API:
<cfhttp url="https://brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/soap/queryAvailableReportFiles"
username="myusername" password="mypassword" method="post"
result="httpResponse" timeout="300">
<cfhttpparam type="formfield" name="typeOfReport" value="DailyCSVFile" />
</cfhttp>
When I run this code, I get a status code of 415 and an error of, 'Cannot process the message because the content type 'application/x-www-form-urlencoded' was not the expected type 'multipart/related; type="application/xop+xml"'
When I add this line between my cfhttps:
<cfhttpparam type="header" name="Content-Type" value='multipart/related; type="application/xop+xml"' />
I get the same error as directly above, but the status code changes to 400. I have not included everything I've tried to do, only where I'm at right now. I will answer as many questions as I can and will reperform steps as directed to find a solution to this problem.
Update: As requested, I have changed the cfhttp call to attempt to pass XML instead of a form field. My XML code is ripped directly from the API documentation that has an example of a raw data for a request from the API for a different function:
<cfsavecontent variable="soapBody">
<cfoutput>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<queryAvailableReportFiles
xmlns="https://brandnameapi.sandbox.serviceprovider.com/contract">
<fileName>DailyCSVFile</fileName>
</queryAvailableReportFiles>
</s:Body>
</s:Envelope>
</cfoutput>
</cfsavecontent>
<cfhttp url="https://prismproapi.sandbox.koretelematics.com/4/ReportingAPI.svc/soap/queryAvailableReportFiles" username="vfapi" password="bPzqQyK3" method="post" result="httpResponse" timeout="300">
<cfhttpparam type="xml" value="#trim(soapBody)#" />
</cfhttp>
To be fair, I have no idea if I'm doing that right. The error message that returns from it is, "The message with To https://prismproapi.sandbox.koretelematics.com/4/ReportingAPI.svc/soap/queryAvailableReportFiles cannot be processed at the receiver, due to an AddressFilter mismatch at the EndpointDispatcher. Check that the sender and receiver's EndpointAddresses agree." I also get a 500 error.
Here is an example of how I typically compose and execute my SOAP requests. Note that you will need to modify the SOAP body to fit your API's needs. Hopefully this will help lead you in the right direction.
By the way, Ben Nadel has an excellent right up on Making SOAP Web Service Requests With ColdFusion And CFHTTP
Here is my sample code:
<!--- Compose SOAP message to send to Web Service --->
<cfsavecontent variable="soapRequest">
<?xml version="1.0" encoding="UTF-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:example="http://www.domain.com/soap/example/">
<soapenv:Header/>
<soapenv:Body>
<example:ReportAPI>
<typeOfReport>DailyCSVFile</typeOfReport>
</example:ReportAPI>
</soapenv:Body>
</soapenv:Envelope>
</cfsavecontent>
<!--- Send SOAP request to the Web Service --->
<cfhttp url="https://brandnameapi.sandbox.serviceprovider.com/vernum/ReportingAPI.svc/soap/queryAvailableReportFiles" username="myusername" password="mypassword" method="post" result="httpResponse" timeout="300">
<cfhttpparam type="header" name="content-type" value="text/xml" />
<cfhttpparam type="header" name="content-length" value="#Len(Trim(soapRequest))#" />
<cfhttpparam type="header" name="charset" value="utf-8" />
<cfhttpparam type="xml" name="message" value="#Trim(soapRequest)#" />
</cfhttp>
There was a problem with their API. No code change would have addressed this issue.