Spring til login

Digitaliser.dk

Sektioner

Aktuel side

Gruppens profilbillede

OIOSAML

305 medlemmer | Medlemsskab via fri tilmelding (Bliv medlem - kræver login )

OIOSAML.NET version 1.7.6

Ansvarlig: Claus Hemberg Jørgensen
Version: 1.7.6 - Publiceret: 31.05.2012 09:19
Type: Software

OBS! Der findes en nyere version af den valgte ressource. Klik her for at se den nyeste version.

Releasedate: 31. May 2012

Releasenote

Implemented missing logging required according to “Logningspolitik for den fællesoffentlige log-in-løsning”.

The major parts of the logging has been implemented in the oiosaml.net framework. Please note though, that some of the logging is implemented in the "WebSiteDemo" service provider, since oiosaml.net does not have the needed information (for example local user id). The same kind of logging must be implemented in each service provider using oiosaml.net, in order to be compliant with the logging requirements in the document mentioned above.

Flere oplysninger

Udvid boks
Operativsystem
  • Windows
Programmeringssprog
  • C#
Producent(er)
  • Digitaliseringsstyrelsen
  • Trifork A/S

Artefakter

Filer og referencer
Titel Type
oiosaml_net_1.7.6.zip application/octet-stream Download Vis supplerende information ...
Net SAML2 Service Provider Framework.pdf pdf Download Vis supplerende information ...

Klassifikationer

Indlæg til ressource

Profilens billede

Hvilke claims i NemID indeholder (altid) data?

Stephan Thierry - 11.06.2013 11:54

Vi har en række live løsninger der tilbyder login via NemID. Men vi bliver ind i mellem spurgt - "Når en bruger logger ind med personligt NemID / Medarbejder NemID - kender systemet så se X-data om brugeren?"

Hvor i dokumentationen kan jeg finde en samlet oversigt over hvilke data (hvilke claims) der tilbyder data for de forskellige login typer - jeg tænker specielt på Personligt NemID og Medarbejder NemID. Der findes enkelte liste på nettet med OIO claims men ofte uden nærmere forklaing. F.eks. Kaldenavn er det f.eks. fornavn eller noget historisk der ikke længere bruges eller noget helt 3.

F.eks.:

NemID personligt:

Claim                         FriendlyName     Beskrivelse
urn:oid:2.5.4.3          Kaldenavn          "Indeholder brugerens Fornavn"
urn:.... 

Jeg har kigget i "OIO Web SSO Profile V2 09.pdf", men det er en 86 siders generel snak om emnet. Jeg har ikke kunnet identificere en "to-the-point" liste der klart viser hvad der er tilbydes i de forskellige login former.

Hvem ligger inde med sådanne oversigter?

Vh
Stephan Thierry

Kommentarer (1)

Profilens billede 1
Brian Nielsen - 12.06.2013 13:56

Hej Stephan

Det er korrekt at der ikke er nogen shortlist i specifikationen, men omvendt drejer det sig om kun om 7 sider (side 43-50) under kapitel 8 OCES Attribute Profile.

Jeg har hurtigt taget dem ud her (på overskrifter), og mener faktisk det giver det som du efterspørger (Bemærk at pkt. 8.1.4 ikke findes i specifikationen :-):

8.1.1 Requirements for the Subject Element
8.1.2 Certificate Serial Number (Mandatory)
8.1.3 Organization Name (Mandatory for Employees / Companies)
8.1.5 Organization Unit (Optional)
8.1.6 Title (Optional)
8.1.7 Postal Address (Optional)
8.1.8 OCES Pseudonym (Optional)
8.1.9 OCES Youth Certificate (Mandatory)
8.1.10 User Certificate (Optional)
8.1.11 PID Number Attribute (Mandatory for Persons)
8.1.12 CPR Number Attribute (Optional)
8.1.13 CVR Number (Mandatory for Employees and Companies)
8.1.14 Employee Number / RID (Mandatory for Employees)
8.1.15 Uid Core Attribute
8.1.16 Certificate Issuer Attribute (Mandatory)
8.1.17 Production Unit (Optional – employees only)
8.1.18 SE Number (Optional – employees only)
8.1.19 User Administrator (Optional – employees only)

Med venlig hilsen
Brian Nielsen, DIGST 

Profilens billede

Critical Problem regarding use of Dictionary in OIOSAML

Jesper Niedermann - 12.03.2013 10:23

Hi,

We have recently occasionaly experienced the CPU maxing out on our Web servers. A hang dump showed that the problem was in OIOSAML in the IDPEndpoints.Refresh() method.

Turns out the problem is the use of one of the Dictionaries _fileInfo or _fileToEntity. This blogpost describes the problem:

http://blogs.msdn.com/b/tess/archive/2009/12/21/high-cpu-in-net-app-using-a-static-generic-dictionary.aspx?PageIndex=2

The dictionaries are not static as described, but they are members of a static variable which is in effect the same.

Apparently when several threads access a Dictionary (which is not thread safe) it can result in an endless loop.

We suggest that you update the OIOSAML code by using locks or a ConcurrentDictionary in order to fix this problem. Since this will probably be experienced by everybody using OIOSAML.NET if several users try to login at the same time.

Most will never know what hit them, and just recycle the AppPool, thus just treating the symptom and not the cause.

By the way while you are at it you could improve the code by using a FileWatcher to get the changed metadata files in stead of the  method used.

Hopes this helps you helping us all :)

Regards Jesper

Kommentarer (1)

Profilens billede 1
Brian Nielsen - 12.03.2013 10:42

Hej Jesper

Thank you for reporting the problem and solution. We are still working on planning a new release of OIOSAML.NET and this will be added to that.

Brgds Brian Nielsen

Profilens billede

The certificate that was used has a trust chain that cannot be verified

Jan Løve Sørensen - 18.12.2012 13:06

Jeg kan ikke få hele login proceduren til at virke.

Jeg kommer fint ind på login siden og indtaster bruger navn og pwd. Det går for så vidt godt nok. Men jeg får exception :

{"The X.509 certificate CN=IdentityProvider, O=NITA, C=DK chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.\r\n"}

I dk.nita.saml20.Specification.DefaultCertificateSpecification.IsSatisfiedBy(X509Certificate2 certificate).

Hvis jeg sætter
defaultCertificateValidator = X509CertificateValidator.None;
i ovenstående metode så kan jeg bare ikke læse brugernavn osv.

Miljøet er windows 2008 R2 Service Pack 1.

Nogen ide om hvad det er jeg mangler?

/jan

Kommentarer (5)

Profilens billede 1
Brian Nielsen - 18.12.2012 13:31

Hej Jan

Prøv lige og se om der er noget i denne tråd du kan bruge:

http://digitaliser.dk/forum/2323777

Med venlig hilsen
Brian Nielsen, DIGST 

Profilens billede 2
Jan Løve Sørensen - 18.12.2012 14:54

Hej Brian,

Tak for hurtigt svar.

5.1 2d er ok
Måske er det min webconfig.... den har flg

    
IDPEndPoints metadata="C:\spdata\
  add id="http://infk2udv03:80/idp/"
    CertificateValidation
       add type="dk.nita.saml20.Specification.DefaultCertificateSpecification, dk.nita.saml20"
    CertificateValidation
  add
 IDPEndPoints
        
      
   

Ser det ikke OK ud?

/jan

Profilens billede 3
Brian Nielsen - 18.12.2012 15:06

Hej Jan

Ift. denne første test er formålet 'bare' at få det det at virke. Jeg vil foreslå at du anvender følgende til certifikat validering som angivet i den anden tråd:

dk.nita.saml20.Specification.SelfIssuedCertificateSpecification

Jeg antager at de test certifikater der følger med eller genereres er selfsigned?

Mvh. Brian

Profilens billede 4
Jan Løve Sørensen - 18.12.2012 15:29

Hej Brian,

Yes, Så er den hjemme Takker.

Jeg måtte desuden udkommentere

if (int.Parse(Saml20Identity.Current["dk:gov:saml:attribute:AssuranceLevel"][0].AttributeValue[0]) < 3)

i MyPage.aspx filen fordi der ikke er noget indhold for dk:gov:saml:attribute:AssuranceLevel ...... kan du give en kort forklaring eller link til hvad det er?

Så bliver det alligevel jul
/Jan

Profilens billede 5
Brian Nielsen - 18.12.2012 16:08

Hej Jan

Congrats. 

Helt grundlæggende signalerer Level of Assurance (LoA) hvilket sikkerhedsniveau der har været for autenticitetssikringsprocessen.

Se yderligere i vores vejledning Vejledning vedrørende niveauer af autenticitetssikring. Se f.eks. "2.4 Niveauer af autenticitetssikring og risikoprofiler. Beskrivelse og eksempler". 

Ifølge release noten til OIOSAML.NET 1.7.5 skulle der være "Test option in SP page for AssuranceLevel", men jeg har ikke selv prøvet det.

Glædelig jul.

Profilens billede

IAction.LogoutAction isn't executed during logout

Simon Ingeson - 16.11.2012 11:00

In order to clear the session objects I currently need to use a custom HTTP handler that calls FormsAuthentication.SignOut and clears the necessary session objects (including objects that should be cleared by SamlPrincipalAction.LogoutAction).

I know that IAction.LoginAction works, otherwise my login attempts would fail. I've also confirmed this by debugging a custom IAction and hitting a breakpoint in its LoginAction. I cannot hit any breakpoints in its LogoutAction.

My guess is that this is because the identity provider doesn't redirect back to the service after a logout have been initiated (the IdP simply tells the user to close the browser, which of course is a good habit in this case but shouldn't be expected on our part). Am I correct or is there be another reason?

Any ideas of what I could try to find the cause or improve my solution?

Kommentarer (1)

Profilens billede 1
Brian Nielsen - 16.11.2012 12:54

Hi Simon

First thing I would do is track the HTTP traffic to see if get send back to your SP. Pick your favortie tool for this like fiddler, TamperData and WireShark.

Judging from a quick google search in our svn it looks like the IActions should be logged out in dk.nita.saml20.protocol.Saml20LogoutHandler:

private void DoLogout(HttpContext context, bool IdPInitiated)

Best regards
Brian Nielsen 

Profilens billede

Problemer med .net 4.5

Steinar Herland - 17.08.2012 18:41

Hei,

Vi erfarer problemer med bruk av biblioteket ved installasjon av .net 4.5

Alle servere vi har installert .net 4.5 på kan ikke lenger åpne/lese metadata-filene, men får feilen nedenfor.

Dette oppleves som ganske alvorlig, siden kundene våre trolig kommer til å ta dette i bruk nokså raskt.

Kan noen som kjenner til lasting av metadatadokumentene verifisere dette? NB: Vær forsiktig, det må trolig kjøres en avinstallasjon av .net 4.5 og deretter en repair av .net 4.0 for å få det til å virke igjen.

Unhandled Exception: System.InvalidOperationException: There is an error in XML document (4, 6).
---> System.Xml.XmlException: Unexpected node type Element. ReadElementString method can only be called on elements with simple or empty content. Line 4, position 6.
   at System.Xml.XmlReader.ReadElementString()
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderEntityDescriptor.Read44_IDPSSODescriptor(Boolean isNullable, Boolean checkType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderEntityDescriptor.Read46_EntityDescriptor(Boolean isNullable, Boolean checkType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderEntityDescriptor.Read47_EntityDescriptor()
   --- End of inner exception stack trace ---
   at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
   at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader)
   at dk.nita.saml20.Utils.Serialization.Deserialize[T](XmlReader reader) in ...

Kommentarer (16)

Profilens billede 1
Brian Nielsen - 20.08.2012 09:03

Hi Steinar

Thanks for sharing your finding. I've not heard of problems related to 4.5, but maybe a minor change to the libraries provoked this. Can you send me the metadata file that gave you that error (send to brian@digst.dk) then I'll try and reproduce it here. 

Best regards
Brian Nielsen 

Profilens billede 2
Jesper Niedermann - 20.08.2012 17:32

Unfortunately we also have the same problem. The problem is on the SP side in the Login handler. We discovered it because some developers installed VS2012 even though the SP code is still in VS2010. VS2012 installs .NET 4.5

Today I have confirmed that this is in fact the problem. I installed Win7 + VS2010 in a Virtual Machine. And confirmed that the SP Site worked.

Then I Installed VS2012 and made no other change. Then I opened the site in VS2010 as normal. But now the parsing of the Metadata fails as described by Steinar Herland.

Profilens billede 3
Brian Nielsen - 21.08.2012 09:50

Hi Jesper

Thank you for following up and help pinning the problem. Have any of you tried fiddeling with the metadata file to find what part/markup trigger the parsing problem? That will be needed in going further and either finding another way to implement it or reporting it as a bug to Microsoft.

Brgds Brian

Profilens billede 4
Jesper Niedermann - 21.08.2012 13:07

I have pinpointed the problem to one XML Attribute.

If I remove the attribute protocolSupportEnumeration from the element

IDPSSODescriptor

The Parsing of the Xml succeeds. But what is the purpose of this attribute and why does it fail in .NET 4.5 ?

(OBS: The exception occurs when newing up the Saml20MetadataDocument in the ParseFile method. In the constructor of the Saml20MetaDocument the metadata is deserialized and this fails)

I have a distilled the problem into a ConsoleApp

Profilens billede 5
Jesper Niedermann - 21.08.2012 13:21

Turns out I can solve the problem without changing the metadata by changing

protocolSupportEnumeration in the RoleDescriptor class to be a string instead of a string[]

Is this an OK solution ? Why was it an array in the first place ?

 

Profilens billede 6
Steinar Herland - 21.08.2012 13:37

Hei,

The following program works with .net 4.0, but fails after installing .net 4.5:

Testet with metadata from (norwegian) feide:

Production: https://idp.feide.no/simplesaml/saml2/idp/metadata.php

Test: https://idp-test.feide.no/simplesaml/saml2/idp/metadata.php

Hopefully somebody can look into this realy soon...

Best regards,

Steinar Herland

--

class Program
    {
        static void Main(string[] args)
        {
            var metadataDirectory = new DirectoryInfo(Path.Combine(Directory.GetCurrentDirectory(), "Metadata"));
            foreach (var file in metadataDirectory.GetFileSystemInfos("*.xml"))
            {
                try
                {
                    Console.WriteLine("Loading metadata from " + file.FullName);
                    var xml = LoadFromFile(file.FullName);
                    var entity = Serialization.DeserializeFromXmlString(xml);
                }
                catch(Exception ex)
                {
                    Console.WriteLine("Error loading metadata from file " + file.Name + ": \n" + ex.Message);
                }
            }

            Console.WriteLine("Press any key to continue...");
            Console.ReadKey();
        }

        private static string LoadFromFile(string metadataFilename)
        {
            var entityDescriptor = new XmlDocument { PreserveWhitespace = true };
            entityDescriptor.Load(metadataFilename);
            var xml = entityDescriptor.OuterXml;
            return xml;
        }
    }

Vedhæftede filer
Profilens billede 7
Brian Nielsen - 21.08.2012 13:41

Great work Jesper. 

Before making any conclusions, just a little ground work on what the standard says.
First the XML format, where the xml attribute protocolSupportEnumeration is defined in xsd for SAML Metadata as:

<attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/>
<simpleType name="anyURIListType">
<list itemType="anyURI"/>
</simpleType>

and this make it reasonable that it's mapped to an array (XML Schema list Element).

The specification OASIS Security Assertion Markup Language (SAML) V2.0 (PDF) describes it with

protocolSupportEnumeration [Required]
A whitespace-delimited set of URIs that identify the set of protocol specifications supported 
by the role element. For SAML V2. entities, this set MUST include the SAML protocol namespace URI,
urn:oasis:names:tc:SAML:2.0:protocol. Note that future SAML specifications might share the
same namespace URI, but SHOULD provide alternate "protocol support" identifiers to ensure
discrimination when necessary.

So to keep the SAML compliance this will be kept as an collection/array.

Profilens billede 8
Brian Nielsen - 21.08.2012 13:57

My current (best) guess is that the way the (de)serializing has been implemented in oiosaml.net somehow has depended on undocumented or overseen documentation aspects. The relevant classes seem to be:

dk.nita.saml20.Saml20MetadataDocument (ViewVC)

dk.nita.saml20.Schema.Metadata.RoleDescriptor (ViewVC)

and I almost foregot

dk.nita.saml20.Utils.Serialization

public static T DeserializeFromXmlString<T>(string xml)

Profilens billede 9
Jesper Niedermann - 21.08.2012 15:18

So if the protocolSupport attribute is still going to be a string[] what then would be the workaround ?

As I (and Steinar too) have shown the deserialization fails in .NET 4.5.

But this can be solved by making the protocolSupport of the RoleDescriptor a string instead of a string[].

Even though the spec. reads otherwise I don't see a problem with this in the current code, since there is never more than one element in the array.

Profilens billede 10
Jesper Niedermann - 21.08.2012 15:18

So if the protocolSupport attribute is still going to be a string[] what then would be the workaround ?

As I (and Steinar too) have shown the deserialization fails in .NET 4.5.

But this can be solved by making the protocolSupport of the RoleDescriptor a string instead of a string[].

Even though the spec. reads otherwise I don't see a problem with this in the current code, since there is never more than one element in the array.

Profilens billede 11
Jesper Niedermann - 21.08.2012 15:33

BTW: In the spec. you quote in comment 7 it says: "A whitespace-delimited set of URIs" this must mean that there is only one attribute but it can contain several URIS this must mean that this attribute should be split in code using the .NET split method instead of during the deserialization.

I will change our code to use a single string until the OIOSAML.NET is updated to reflect my suggestion (or something similar)

Profilens billede 12
Brian Nielsen - 21.08.2012 15:49

Hi Jesper

I'm no .NET whizz, but I would be surprised if .NET 4.5 cant handler XSD ListType. Maybe the class can be augmented more precisely with Attributes?

Having a closer look it seem to me that the wrong value has been used in the attribute

[XmlAttributeAttribute(DataType="anyURI")]
public string[] protocolSupportEnumeration {

it should be list instead of anyURI, BUT XmlAttributeAttribute.DataType Property does not support it :-) So I guess it would be better to have it but a string and then tokenize it when setting the property. That should work right?

The other way round it's also set as a string array

private void ConvertToMetadata(SAML20FederationConfig config, KeyInfo keyinfo)

I am aware that it probably wont make any difference for OIOSAML usage (though not sure), but the toolkit is also used for other (non OIO)SAML scenarios. 

Profilens billede 13
Brian Nielsen - 21.08.2012 15:52

Hi

Jesper, sry I didn't see your last comment before I posted - yes, we agree (since .NET does support it directly).

Profilens billede 14
Jesper Niedermann - 21.08.2012 16:23

Fine :). Have you alerted the folks who update OIOSAML.NET about the problem ?

Profilens billede 15
Suhas Gupta - 30.08.2012 21:41

After installing .Net 4.5 in my system, I am also getting the same error message. Is there a solution or workaround for this issue?

Will there be a new version of the software released?

I really appreciate any help in solving this issue.

Thanks,

Suhas

Profilens billede 16
Brian Nielsen - 31.08.2012 07:22

Hi Jesper and Suhas

We are right now making the list of changes/features that'll go into the next release and this issue is on that list. It will take some time before it'll get into a release, so until then you can pull the source from trunk, make the small change and build your own dll (it's the same we are going todo since it's OSS :-)

Best regards
Brian Nielsen 

Profilens billede

Minor, very minor software commentary

Thomas Ekman - 15.08.2012 21:11

I compared our previously downloaded version of OIOSAML.NET, to verify which version we are using, in order to produce a technical document of the entire system we delivered, which unfortunately fell on my shoulders. The documentation is getting quite large by now...

I noted at row 131 of Saml20SignonHandler.cs, that the version I downloaded today differs only from our version by the introduction of an unnecessary semicolon at the end of the "if" statement.

I thought I'd just like you to know...

 

BR

/Thomas J. Ekman
SWEDEN

Kommentarer (1)

Profilens billede 1
Brian Nielsen - 16.08.2012 08:45

Hi Thomas

Thank you for the tip. I see not that it's line 133 in Saml20SignonHandler.cs (ViewVC on our SVN).

Profilens billede

Not able to redirect to Demo site from IDP site

Balaji Rajandran - 04.07.2012 15:30

Hi,

   I am facing the issue of redirection from IDP to demo site page. I have downloaded the above files and followed the steps which is defined in pdf. I downloaded the metadata from demo site and saved in temp location. In SPSSODescriptor, i have SingleLogout Service and AssertionConsumerService. And then i tried to download the metadata and put it in C:\metadata(specified in web.config).In IDPSSODescriptor, I have SingleLogoutService and SingleSignOnService and I dont have any assertionconsumerservice. After selected the provider and given the credentials, i got this error message : "does not have a SSO endpoint that supports the POST binding". I am assuming there is no assertioncosumerservice in idpssodescriptor. why i am getting this error and please suggest how to resolve this.

Kommentarer (2)

Profilens billede 1
Brian Nielsen - 04.07.2012 23:09

Hi Balaji 

I'd guess the Service Provider is not configured for SSO reponse with POST binding. Can you please write the URL where you get the error? Have you turned up for logging and what's in the logs?

Best regards
Brian Nielsen 

Profilens billede 2
Balaji Rajandran - 05.07.2012 11:50

Hi,

  Thanks for your reply. I got the assertionservice and I wrongly uploaded the metadata. Now i got the output. I have tested all the functionality from visual studio. Now I am trying with IIS and I got the certificate validation issue. "The X.509 certificate chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.". I have tried both default and selfservice certificate settings in config, but still i am getting the same error. Please help me to fix this issue.

 

Profilens billede

Not able to redirect to Demo site from IDP site

Balaji Rajandran - 04.07.2012 15:30

Hi,

   I am facing the issue of redirection from IDP to demo site page. I have downloaded the above files and followed the steps which is defined in pdf. I downloaded the metadata from demo site and saved in temp location. In SPSSODescriptor, i have SingleLogout Service and AssertionConsumerService. And then i tried to download the metadata and put it in C:\metadata(specified in web.config).In IDPSSODescriptor, I have SingleLogoutService and SingleSignOnService and I dont have any assertionconsumerservice. After selected the provider and given the credentials, i got this error message : "does not have a SSO endpoint that supports the POST binding". I am assuming there is no assertioncosumerservice in idpssodescriptor. why i am getting this error and please suggest how to resolve this.

Ønsker du at skrive indlæg eller blot kommentere indlæg,
skal du være oprettet som bruger og logget ind.

Opret dig som Ny bruger    eller Log ind    

Tilføj fil(er)

En ny fil vil overskrive en eksisterende fil, hvis begge filer har samme navn og samme ekstension.

Tags

Tilføj dine egne tags

- (kræver login)

Andre brugeres tags til ressourcen

Der er ikke tilknyttet tags fra andre brugere

Minimér boks
Versioner
Version Dato
1.7.9 26.02.2014 09:41 Vis supplerende information ...
1.7.8 08.11.2013 13:26 Vis supplerende information ...
1.7.7 11.09.2013 11:04 Vis supplerende information ...
1.7.6 (valgte) 31.05.2012 09:19 Vis supplerende information ...
1.7.5 04.04.2012 14:29 Vis supplerende information ...
1.7.4 01.12.2011 14:54 Vis supplerende information ...
1.7.3 11.08.2011 12:47 Vis supplerende information ...
1.7.2 31.05.2011 11:48 Vis supplerende information ...
1.7.11 25.09.2014 13:52 Vis supplerende information ...
1.7.10 27.06.2014 12:49 Vis supplerende information ...
1.7 06.12.2010 15:13 Vis supplerende information ...
1.6 03.09.2010 14:46 Vis supplerende information ...
1.5 03.09.2010 14:37 Vis supplerende information ...
1.4+ 03.09.2010 14:33 Vis supplerende information ...
1.4 03.09.2010 14:30 Vis supplerende information ...
1.1 03.09.2010 14:20 Vis supplerende information ...
1.0 RC1 03.09.2010 14:14 Vis supplerende information ...
1.0 03.09.2010 14:17 Vis supplerende information ...

Digitaliseringsstyrelsen