This project is read-only.

SAML2.Saml20Exception: Unknown identity provider

description

I am randomly getting this unhandled exception, SAML2.Saml20Exception: Unknown identity provider, when my users try to log out after having previously logged in. Here's the Stack Trace:
SAML2.Saml20Exception: Unknown identity provider ""
   at SAML2.Protocol.Saml20LogoutHandler.Handle(HttpContext context)
   at SAML2.Protocol.Saml20AbstractEndpointHandler.ProcessRequest(HttpContext context)
   at SAML2.Protocol.Saml20LogoutHandler.Handle(HttpContext context)
   at SAML2.Protocol.Saml20AbstractEndpointHandler.ProcessRequest(HttpContext context)
For the "logout" link, I am simply setting the HREF to the /Logout.ashx URL, which goes through the SAML2 handler and then redirects to the configured logout url (see config below).

I cannot seem to reproduce this and was hoping you could shine a light on where I can start looking to debug this issue.

Not sure what additional information could be helpful, but here's my web.config showing the forms and the SAML configuration:
<system.web>
    <customErrors mode="Off" />
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <authentication mode="Forms">
      <forms loginUrl="/Login.ashx" />
    </authentication>
  </system.web>

<system.webServer>
    <handlers>
      <!-- SAML2 lib handlers -->
      <remove name="SAML2.Protocol.Saml20SignonHandler" />
      <remove name="SAML2.Protocol.Saml20LogoutHandler" />
      <remove name="SAML2.Protocol.Saml20MetadataHandler" />
      <add name="SAML2.Protocol.Saml20SignonHandler" verb="*" path="Login.ashx" type="SAML2.Protocol.Saml20SignonHandler, SAML2" />
      <add name="SAML2.Protocol.Saml20LogoutHandler" verb="*" path="Logout.ashx" type="SAML2.Protocol.Saml20LogoutHandler, SAML2" />
      <add name="SAML2.Protocol.Saml20MetadataHandler" verb="*" path="Metadata.ashx" type="SAML2.Protocol.Saml20MetadataHandler, SAML2" />
      
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <remove name="OPTIONSVerbHandler" />
      <remove name="TRACEVerbHandler" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>

<saml2>
    <serviceProvider id="urn:Foo" server="https://foo/">
      <signingCertificate findValue="[redacted]" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
      <endpoints>
        <endpoint localPath="Login.ashx" type="SignOn" redirectUrl="/" />
        <endpoint localPath="Logout.ashx" type="Logout" redirectUrl="/" />
        <endpoint localPath="Metadata.ashx" type="Metadata" />
      </endpoints>
    </serviceProvider>
    <identityProviders metadata="Metadata/Dev">
      <add id="foo">
        <endpoints>
          <endpoint type="SignOn" url="https://foo/login.aspx" binding="Redirect" />
          <endpoint type="Logout" url="https://foo/logout.aspx" binding="Redirect" />
        </endpoints>
      </add>
    </identityProviders>
    <logging loggingFactory="SAML2.Logging.Log4Net.Log4NetLoggerFactory, SAML2.Logging.Log4Net" />
  </saml2>

comments

tafs7 wrote Nov 10, 2016 at 2:32 AM

I think I may have tracked this down to the user having had their ASP.NET session expire on the server, and when the SAML2 Logout handler tries to access session data to find the identity provider, it is no longer available.

Not sure what the best way is to handle this behavior more elegantly for my users. Should I provide a "shim" logout action that checks session before redirecting to the Logout.ashx handler?

Any other thoughts?

Anyone??

Bueller??
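One way to build the "shim" logout action discussed above, as an added example that is not part of the SAML2 library or this issue: a hypothetical handler (registered in web.config like the others, e.g. at LogoutShim.ashx) that only hands off to the SAML2 Logout.ashx endpoint when the ASP.NET session still exists, and otherwise performs a local-only sign-out instead of letting the handler throw. The session checks, the "/" landing page and the trace category are assumptions for the example.

```csharp
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Hypothetical shim handler (added example, not SAML2 library code).
// Implementing IRequiresSessionState gives the handler access to the ASP.NET session.
public class LogoutShimHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // IsNewSession is true when no live server-side session matched this request,
        // i.e. the session the SAML2 logout handler relies on has expired (or was never
        // created). Session.Count == 0 covers a session that exists but holds no state.
        bool sessionLost = context.Session == null
                           || context.Session.IsNewSession
                           || context.Session.Count == 0;

        if (sessionLost)
        {
            // Local-only sign-out: clear the forms auth cookie and abandon the (empty)
            // session, then send the user to the post-logout page. No SAML LogoutRequest
            // is sent in this path, so the IdP session may still be alive; trace it so
            // the condition is visible when reviewing logout problems.
            FormsAuthentication.SignOut();
            if (context.Session != null) context.Session.Abandon();
            context.Trace.Write("Logout", "Session expired; local sign-out only, no SLO.");
            context.Response.Redirect("/", endResponse: true);
            return;
        }

        // Session intact: hand off to the SAML2 Logout endpoint configured under
        // <saml2>/<serviceProvider>/<endpoints>, which performs single logout with the IdP.
        context.Response.Redirect("/Logout.ashx", endResponse: true);
    }
}
```

Point the logout link at the shim rather than directly at /Logout.ashx; the shim still depends on the SAML2 handler for the real single logout, so users who hit the session-lost branch are signed out of the application but not necessarily at the identity provider.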