asp.net-mvcsingle-sign-onsaml-2.0

SAML SSO failure - "Reason: Destination is invalid."


I'm using SSOCircle and have my metadata imported and a valid redirect request executing. I am not getting any errors in my AuthnRequest (I was, but I corrected that). However, when I execute the redirect I receive the error:

Reason: Destination is invalid.

Not sure what I am missing.

My Authn looks like this:

<samlp:AuthnRequest ID="_ID_" Version="2.0" IssueInstant="2016-02-25T16:20:04.869Z" Destination="http://localhost:9000/saml/service" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:9000/saml/assert" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">MY_ISSUER_ID</saml:Issuer>

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="_ID_">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>_DIGEST_</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>_SIGNATURE_VALUE_</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>_CERTIFICATE_STRING_</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>

  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="MY_ISSUER_ID" AllowCreate="true" />

  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>

</samlp:AuthnRequest>

I am sending the redirect to:

https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle

The library I am using is from ComponentPro (which I am pretty happy with).


Solution

  • The problem is that your Destination attribute in the AuthnRequest is set to http://localhost:9000/saml/service and your are actually sending it to https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle.

    The destination attribute must be the same as the actual destination.