I’m attempting my first SSO integration using SAML 2.0. I’ve been using:
http://www.codeproject.com/KB/aspnet/DotNetSamlPost.aspx?msg=3562384
as an example for myself.
Presently I’m just trying to successfully post to their URL. The site we’re connecting to is quite large and uses a solution from Ping Identity to manage their SSO, which often seems to give me less than helpful errors. I’ve worked through a few, but this one has me stumped:
UnknownBindingException: Request contains insufficient information to determine the protocol binding (did you type a protocol endpoint URL directly into the location bar of your browser?).
Does anyone have any idea what might cause this? The SAML that I’m posting looks like this:
<Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_3b052151-fb4f-4e10-89bd-d65ef5141e9d" Version="2.0" IssueInstant="2010-08-20T20:36:02.8093696Z" Destination="https://******/sp/ACS.saml2" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">www.******.org</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_3b052151-fb4f-4e10-89bd-d65ef5141e9d">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>****</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>*******</SignatureValue>
  </Signature>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </Status>
  <Assertion Version="2.0" ID="_d0f34b54-cf0b-49c7-9a50-f60842b7e0d2" IssueInstant="2010-08-20T20:36:02.8103697Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>www.*******.org</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">adamb</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2010-08-20T20:41:02.8103697Z" Recipient="https://*****.com:9031/sp/ACS.saml2" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2010-08-20T20:36:02.8103697Z" NotOnOrAfter="2010-08-20T20:41:02.8103697Z">
      <AudienceRestriction>
        <Audience>*****</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2010-08-20T20:36:02.8103697Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</Response>
Any help is much appreciated,
Thanks.
As I read your question, your application is going to be a ServiceProvider (SP) in a SAML2 federation where Ping is the IdentityProvider (IdP). And you’ve tagged the question c#, so I’m assuming that your SP is implemented in .NET.
Which SAML2 framework are you using, or are you rolling your own? If you’re doing your own SAML2 framework, I’d recommend using OIOSAML.net, which is open source under the Mozilla License (free to use for any purpose). You can check out the source here: http://view.svn.softwareborsen.dk/cgi-bin/index.cgi/Softwareborsen/oiosaml.net/branches/ (all documentation is in English).
It’s actively maintained by the Danish government, and it has been interop tested with Ping, ADFSv2, SimpleSamlPhp, and many other SAML2 IdPs. It’s currently used by hundreds of Danish web sites in a federation with Ping as IdP.
Regarding the exception you’re receiving, which binding are you intending to use: HTTP Redirect, or something else? Assuming it’s HTTP Redirect, I recommend reading the relevant section starting on p. 15 of the SAML2 bindings specification: http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
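The bindings specification linked above also defines the HTTP POST binding (section 3.5), the one used when a Response is delivered to an SP's ACS endpoint: the XML travels base64-encoded in a SAMLResponse form field, and the receiving ACS identifies the binding from that field rather than from raw XML in the body. As an added example, not code from either poster, the Python below builds such a form from a constructed, trimmed stand-in for the Response in the question and shows the receiving side's unwrap checks; the URLs and the response ID are constructed placeholders.

```python
import base64
import html
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_URL = "https://sp.example.test/sp/ACS.saml2"  # constructed stand-in for the masked URL

# Constructed, trimmed stand-in for the Response in the question (signature and assertion omitted).
RESPONSE_XML = (
    f'<Response xmlns="{SAMLP}" ID="_r1" Version="2.0" '
    f'IssueInstant="2010-08-20T20:36:02Z" Destination="{ACS_URL}">'
    '<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>'
    '</Response>'
)

def build_post_binding(response_xml: str, acs_url: str, relay_state: str = "") -> dict:
    """Sender side of the HTTP POST binding (bindings spec section 3.5): the XML is
    base64-encoded into a SAMLResponse form field; the form itself posts to the ACS URL."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    inputs = "".join(f'<input type="hidden" name="{k}" value="{html.escape(v)}"/>'
                     for k, v in fields.items())
    page = (f'<form method="post" action="{html.escape(acs_url)}">{inputs}'
            '<noscript><input type="submit" value="Continue"/></noscript></form>')
    return {"action": acs_url, "fields": fields, "html": page}

def as_posted_body(fields: dict) -> str:
    """The application/x-www-form-urlencoded body a browser sends when it submits the form."""
    return urlencode(fields)

def unwrap_post_binding(body: str, acs_url: str) -> dict:
    """Receiver side: an ACS endpoint recognises the POST binding by the SAMLResponse
    form field; raw XML or an empty body gives it nothing to identify the binding from."""
    fields = parse_qs(body)
    if "SAMLResponse" not in fields:
        return {"ok": False, "reason": "no SAMLResponse form field: binding undeterminable"}
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0]))
    if root.tag != f"{{{SAMLP}}}Response":
        return {"ok": False, "reason": f"unexpected root element {root.tag}"}
    # SAML core 3.2.2: the receiver must check Destination against the URL it received on.
    if root.get("Destination") != acs_url:
        return {"ok": False, "reason": "Destination does not match the receiving ACS URL"}
    return {"ok": True, "response_id": root.get("ID"),
            "relay_state": fields.get("RelayState", [""])[0]}

if __name__ == "__main__":
    form = build_post_binding(RESPONSE_XML, ACS_URL, relay_state="landing")
    print(unwrap_post_binding(as_posted_body(form["fields"]), ACS_URL))
```

Signature verification over the decoded XML, which a real ACS performs before trusting anything in the Response, is deliberately out of scope here.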