Sustainsys.Saml2 No Saml2 Response found in the http request


I am struggling with setting up Sustainsys.Saml2 in combination with Gluu server. I am using Sustainsys.Saml2 2.2.0, Sustainsys.Saml2.Mvc 2.2.0 and Gluu 3.1.6. The application that I am using is a MVC application compiled against .NET 4.6.2. Here is the network traffic that occurs:

GET https://localhost:44300/Saml2/SignIn

GET https://lb/idp/profile/SAML2/Redirect/SSO
QueryString:
SAMLRequest = fZHBasMwDIbvhb6D8b2zlyVtItJCWC+FjkGz7rCbY6vUkNiZ5Yw9/tJsg/awXX/pE5+kklTXJj1UQzy7A74PSJF9dq0j+K6s+RAceEWWwKkOCaKGunraQ3InoQ8+eu1bfs38jygiDNF6x9luu+bWFMVS5U2Kic6aVOpTvlK5MphnS6OylTGcvWKgEVjzkR8pogF3jqJycYzkfbGQ+SJJXmQOqYRMvnG2HdewTsWJOsfYEwjRNsKaXozOJ9uiuBgl4oDGBtRR1PUzZ9Wv3KN3NHQYagwfVuPxsL+a47Vqz54ipOmDlKK+LC0qTXwznzFWTkeASTNs/oBKcdM1n/0Et5/YfAE=
RelayState = XyC...

IDP login processing etc.

POST https://localhost:44300/Saml2/Acs
Body:
RelayState = XyC...
SAMLResponse = PD94...

Here is a screenshot of the complete network traffic (Fiddler): https://i.stack.imgur.com/NvS20.png

The result at the end of the login process is the following exception:

Sustainsys.Saml2.Exceptions.NoSamlResponseFoundException: No Saml2 Response found in the http request

The strange thing is that if I refresh my application the exception vanishes and I am correctly logged in.

My Sustainsys.Saml2 configuration is as follows:

<sustainsys.saml2 entityId="https://localhost:44300" returnUrl="https://localhost:44300/Saml2/Acs" minIncomingSigningAlgorithm="SHA1">
    <identityProviders>
      <add entityId="https://lb/idp/shibboleth" signOnUrl="https://lb/idp/profile/SAML2/Redirect/SSO" logoutUrl="https://lb/idp/Authn/oxAuth/logout" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
        <signingCertificate storeName="TrustedPeople" storeLocation="LocalMachine" findValue="..." x509FindType="FindByThumbprint" />
      </add>
    </identityProviders>
    <serviceCertificates>
      <add storeName="My" storeLocation="LocalMachine" findValue="..." x509FindType="FindByThumbprint" />
    </serviceCertificates>
</sustainsys.saml2>

Some more observations:
- The current application with Sustainsys.Saml2 that I am using works correctly when using either WSO2 or RedHat SSO as IDP. Just not with Gluu Server.
- When using the application found on https://github.com/mcguinness/saml-sp with Gluu Server the connection works without problems.

Any help is greatly appreciated!

Answer:

This might be caused by a SameSite cookie issue. When the SAML response is posted to the ACS endpoint, the validation code looks for a cookie matching the RelayState in the received response. With modern browsers defaulting to samesite=none, that cookie will not be sent by the client in the cross-origin POST from the IdP. If you do a manual refresh it will be sent, though.

Please check if the Saml2.XYZ cookie (where XYZ matches the RelayState parameter) is sent by the client in the first request. If not, this is a bug that needs to be fixed in the Sustainsys.Saml2.Mvc library. I know that we did fixes in the Sustainsys.Saml2.AspNetCore2 library, but it probably needs to be done in the MVC library too.

As a workaround, you could create an HTTP module that alters the cookie headers after they have been set by the Sustainsys.Saml2.Mvc library, to ensure that the Saml2.XYZ cookie has SameSite=None.
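The HTTP-module workaround described in the answer, written out as an added example (this is not code from the question, the answer, or the Sustainsys.Saml2 project). It assumes the request-state cookie is named "Saml2." followed by the RelayState value, that the application targets .NET Framework 4.6.2 (which has no HttpCookie.SameSite property, so the attribute is appended through the Path property, which ASP.NET writes verbatim into the Set-Cookie header), and that the site is served over HTTPS, since browsers only accept SameSite=None on Secure cookies. The module name, assembly name and helper names are placeholders.

```csharp
using System;
using System.Web;

// Added example: an IIS HTTP module that rewrites outgoing Saml2.* cookies so
// they carry "SameSite=None; Secure" and are therefore included by the browser
// in the cross-site POST from the IdP to /Saml2/Acs.
//
// Register it in web.config (integrated pipeline); "YourAssembly" is a placeholder:
// <system.webServer>
//   <modules>
//     <add name="Saml2SameSiteCookieModule" type="Saml2SameSiteCookieModule, YourAssembly" />
//   </modules>
// </system.webServer>
public class Saml2SameSiteCookieModule : IHttpModule
{
    // Assumption: prefix of the request-state cookies written by Sustainsys.Saml2.Mvc.
    private const string CookiePrefix = "Saml2.";

    public void Init(HttpApplication app)
    {
        // AddOnSendingHeaders (available since .NET 4.5.2) runs immediately before
        // the response headers are flushed, i.e. after the library has added its
        // cookies to Response.Cookies, and avoids the PreSendRequestHeaders caveats.
        app.BeginRequest += (sender, e) =>
        {
            var application = (HttpApplication)sender;
            application.Context.Response.AddOnSendingHeaders(RewriteSaml2Cookies);
        };
    }

    private static void RewriteSaml2Cookies(HttpContext context)
    {
        HttpCookieCollection cookies = context.Response.Cookies;

        // Iterate by index: indexing Response.Cookies by name would silently
        // create a cookie that does not exist yet.
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];
            if (cookie == null || string.IsNullOrEmpty(cookie.Name)
                || !cookie.Name.StartsWith(CookiePrefix, StringComparison.Ordinal))
            {
                continue;
            }
            ApplySameSiteNone(cookie);
        }
    }

    // Makes a cookie eligible for cross-site requests. Public so it can be unit
    // tested with a hand-built HttpCookie.
    public static void ApplySameSiteNone(HttpCookie cookie)
    {
        string path = string.IsNullOrEmpty(cookie.Path) ? "/" : cookie.Path;

        // Path hack for frameworks older than 4.7.2: whatever follows the path is
        // emitted into the Set-Cookie header unchanged, so the attribute lands
        // after "Path=/". On .NET 4.7.2 or later use cookie.SameSite = SameSiteMode.None.
        if (path.IndexOf("SameSite=", StringComparison.OrdinalIgnoreCase) < 0)
        {
            cookie.Path = path + "; SameSite=None";
        }

        // Browsers drop SameSite=None cookies that are not also Secure; the
        // sign-in flow in the question runs over https://localhost:44300.
        cookie.Secure = true;
    }

    public void Dispose() { }
}
```

Whether the cookie actually reaches the ACS endpoint can be checked in the browser's network tab or in Fiddler: the POST to /Saml2/Acs should carry a Cookie header containing Saml2.&lt;RelayState&gt;, and the earlier redirect to /Saml2/SignIn should have set it with both SameSite=None and Secure. Limiting the rewrite to the Saml2.* prefix keeps the application's session and anti-forgery cookies at their stricter default.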