I am using Rsk.DynamicAuthenticationProviders with my project, and serving up a sample OpenIdConnect and Saml account using Auth0.
We recently changed our local domain so that we could test scenarios we would be seeing in prod environments, (we no longer use localhost as the domain URL), and I thought that I had set all the correct values in both my own code that configures my Saml options, and in my settings in Auth0 for the same application.
However, when I inspect the SamlResponse, I am still seeing that the Audience is for the former localhost URL, instead of our current domain url.
Is there somewhere I should be re-setting that in Auth0 app settings, or is this a “me” issue, (I am missing something in my own code that sends the request)?
Here is a snippet from the SamlResponse:
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{identifier}</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2020-08-06T20:17:36.361Z"
        Recipient="https://localhost:44311/saml"
        InResponseTo="_34a55ee80c654fc6ae8055da928eb3e1"/>
  </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-08-06T19:17:36.361Z" NotOnOrAfter="2020-08-06T20:17:36.361Z">
  <saml:AudienceRestriction>
    <saml:Audience>http://localhost:44311/saml</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
Note the http://localhost:44311 references; these are incorrect.
Hey @jason.ward, have you configured Auth0 as the IDP for the SAML connection in this case?
If so, you can check/add the audience under Application → Add-ons → SAML2 Web App → Settings → audience.
Let me know if this helps.
Here are the settings I have:
{
  "audience": "urn:uplink-dev-local.auth0.com",
  "recipient": "https://dev-local.management-portal.io",
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "groups": "http://schemas.xmlsoap.org/claims/Group"
  },
  "createUpnClaim": true,
  "passthroughClaimsWithNoMapping": true,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": true,
  "signatureAlgorithm": "rsa-sha1",
  "digestAlgorithm": "sha1",
  "destination": "https://dev-local.management-portal.io",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "typedAttributes": true,
  "includeAttributeNameFormat": true,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "logout": {
    "callback": "http://dev-local.management-portal.io/logout",
    "slo_enabled": true
  },
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}
Additionally, I am still experiencing the same problem.
@jason.ward, let me check if I can see something in the HAR file of the complete SAML login transaction with Auth0 as IDP. Can you DM me one?
@sidharth.chaudhary, I actually tried to resolve this and wound up with another error, so here are my updated settings in Auth0 and both the request and response; I will DM you a HAR file from that request as well:
System.Exception: Invalid SAMLResponse issuer
settings:
{
  "audience": "https://app.dev-local.identity-service.io",
  "recipient": "https://app.dev-local.identity-service.io",
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "groups": "http://schemas.xmlsoap.org/claims/Group"
  },
  "createUpnClaim": true,
  "passthroughClaimsWithNoMapping": true,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": true,
  "signatureAlgorithm": "rsa-sha1",
  "digestAlgorithm": "sha1",
  "destination": "https://app.dev-local.identity-service.io/saml",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "typedAttributes": true,
  "includeAttributeNameFormat": true,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "logout": {
    "callback": "https://app.dev-local.identity-service.io/logout",
    "slo_enabled": true
  },
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}
@jason.ward, I had a look at the HAR file you shared. The Auth0 IDP is POSTing the SAML response token to the following destination: "https://app.dev-local.identity-service.io/saml", which is correct based on your destination settings. But this URL is returning a 500 error and does not seem to accept the SAML response token. Is this URL able to handle a SAML Response POST? Is the custom domain "app.dev-local.identity-service.io" hosted on your own application, or is it an Auth0-managed custom domain?
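The thread turns on four addressing values that a service provider checks before it trusts a SAMLResponse: the Response's Destination, the Issuer (the "Invalid SAMLResponse issuer" error above is the SP rejecting an Issuer it is not configured to trust), the SubjectConfirmationData Recipient, and the AudienceRestriction Audience. The script below, added here as an example and not code from the poster, from Rsk.DynamicAuthenticationProviders or from Auth0, pulls those values out of a response and reports each one that differs from the SP's configuration. The hostnames in EXPECTED follow the second settings block in the thread; the IdP issuer value and the sample response are constructed, with the sample deliberately carrying the stale localhost Recipient and Audience from the first post.

```python
"""Check a SAMLResponse against what the service provider expects.

Constructed example: pulls Destination, Issuer, Recipient and Audience out of the
response and reports every value that differs from the SP's configuration.
Signature validation is a separate step and is not attempted here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# What the SP is configured to accept (assumed values: hostnames follow the
# thread's second settings block, the IdP issuer is a constructed placeholder).
EXPECTED = {
    "audience": "https://app.dev-local.identity-service.io",
    "acs_url": "https://app.dev-local.identity-service.io/saml",
    "idp_issuer": "urn:constructed-tenant.auth0.com",
}

# Constructed response modelled on the snippet in the question: Destination and
# Issuer already match, but Recipient and Audience still carry the old localhost URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2020-08-06T19:17:36.361Z"
    Destination="https://app.dev-local.identity-service.io/saml">
  <saml:Issuer>urn:constructed-tenant.auth0.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-08-06T19:17:36.361Z">
    <saml:Issuer>urn:constructed-tenant.auth0.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2020-08-06T20:17:36.361Z"
            Recipient="https://localhost:44311/saml"
            InResponseTo="_34a55ee80c654fc6ae8055da928eb3e1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-08-06T19:17:36.361Z" NotOnOrAfter="2020-08-06T20:17:36.361Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://localhost:44311/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _text(node):
    """Text content of an element with surrounding whitespace removed, or None."""
    return node.text.strip() if node is not None and node.text else None


def extract_fields(xml_text):
    """Return the addressing fields an SP validates, as a flat dict."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    fields = {
        "destination": (root.get("Destination") or "").strip() or None,
        "response_issuer": _text(root.find("saml:Issuer", NS)),
        "assertion_issuer": None,
        "recipient": None,
        "audiences": [],
    }
    if assertion is not None:
        fields["assertion_issuer"] = _text(assertion.find("saml:Issuer", NS))
        scd = assertion.find(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is not None and scd.get("Recipient"):
            fields["recipient"] = scd.get("Recipient").strip()
        fields["audiences"] = [
            _text(a) for a in assertion.findall(
                "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    return fields


def check_response(xml_text, expected):
    """Compare the response with the SP config; return one dict per mismatch.

    Comparison is an exact string match on purpose: scheme (http vs https),
    host, port and path all matter to an SP, as the localhost URLs in the
    thread show.
    """
    f = extract_fields(xml_text)
    problems = []

    def expect(field, actual, wanted):
        if actual != wanted:
            problems.append({"field": field, "expected": wanted, "actual": actual})

    expect("destination", f["destination"], expected["acs_url"])
    expect("response_issuer", f["response_issuer"], expected["idp_issuer"])
    expect("assertion_issuer", f["assertion_issuer"], expected["idp_issuer"])
    expect("recipient", f["recipient"], expected["acs_url"])
    # AudienceRestriction may list several audiences; the SP's entity ID must be one of them.
    if expected["audience"] not in f["audiences"]:
        problems.append({"field": "audience", "expected": expected["audience"],
                         "actual": f["audiences"]})
    return problems


if __name__ == "__main__":
    for p in check_response(SAMPLE_RESPONSE, EXPECTED):
        print(f"{p['field']}: expected {p['expected']!r}, got {p['actual']!r}")
```

Run against the sample, it reports only the recipient and audience mismatches, which is the situation in the first post: Destination can be right while the assertion's Recipient and Audience still name the old host. When the Issuer line is what differs, the SP-side symptom is the issuer error quoted above, and the fix is on the SP's trusted IdP entity ID rather than on any URL.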