Tags: .net-6.0, saml-2.0, shibboleth, itfoxtec-identity-saml2

Error when connecting to a SAML 2.0 IdP that uses shibboleth

I am using the ITfoxtec Identity SAML 2.0 library in a .NET 7 project to connect to a SAML 2.0 IdP.

I tested it first using Okta SAML and it worked great!

However, when I try another SAML 2.0 IdP that uses SAML 2.0 and Shibboleth, I am getting the following error:

Error: UnableToDecode
400 Bad Request
https://physics.lab.xxx.edu/idp/profile/Shibboleth/SSO?SAMLRequest=
kjrtgtboMwDIZfBeUOCSmDNgKkar1U2rRpTDvsMgUwIhIkWWykPf7Sbof1sqNtff79uUa9
LtKr40azfYHPDZCSr3WxqH4mDduCVU6jQWX1Cqhoo96nrg16TCgfHLnBLewv8z%2BiES
GQcZYl51PDPnKYoNqLPp32UqSFFHnaT9UuHcShlGN5EJwhtrIGASPTsLgigogbnC2Sth
RbQso0l6koX%2bhuyt3dlZncHd5Zcoo2xupLWsNmIo%2BKcx8v8C5Q5g1RBuPGzeh5NJ
nMArybTd%2B7BWjmXffE2vqqpK6JoX2OyMXk3lkLA7lQ85v5b3n7z%2FYbAAD%2F%2Fw
MA&RelayState=ReturnUrl%3D%252F

When I step through my app in Visual Studio, it errors out at the end of this controller login method:

[Route("Login")]
public IActionResult Login(string returnUrl = null)
{
    // HTTP-Redirect binding: the AuthnRequest is deflated, base64-encoded and
    // placed in the SAMLRequest query parameter of a 302 to the IdP SSO endpoint.
    var binding = new Saml2RedirectBinding();

    // RelayState carries the local return URL ("ReturnUrl=/" in the request above)
    // so the ACS endpoint knows where to send the user after the IdP responds.
    binding.SetRelayStateQuery(new Dictionary<string, string> { { relayStateReturnUrl, returnUrl ?? Url.Content("~/") } });

    // Build the AuthnRequest from the Saml2Configuration (the "Saml2" section of
    // appsettings.json) and redirect the browser to the IdP.
    return binding.Bind(new Saml2AuthnRequest(config)).ToActionResult();
}

This is the metadata used by my app:

appsettings.json:

"Saml2": {
    "IdPMetadata": "https://physics.lab.xxx.edu/idp/shibboleth",
    "Issuer": "SSOLoginApp",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "None",
    "RevocationMode": "NoCheck"
}

The only thing I can think of is that it may be because this IdP uses Shibboleth?

Decoded SAML 2.0:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_2efe780b-f120-4201-bf73-c0962d690701" Version="2.0"
                     IssueInstant="2022-12-06T16:42:56.239Z"
                     Destination="https://physics.lab.xxx.edu/idp/profile/Shibboleth/SSO">
  <saml2:Issuer>LabLoginApp</saml2:Issuer>
</saml2p:AuthnRequest>

Solution

  • Maybe the IdP expects you to use a PostBinding?

    I can't decode the SAMLRequest you are sending either.

    Try to decode it on https://www.foxids.com/tools/Saml
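The two checks the answer suggests, whether the SAMLRequest decodes at all and whether the IdP wanted the POST binding, come down to how the HTTP-Redirect binding encodes a request (raw DEFLATE, then base64, then URL-encoding in the query string) versus the HTTP-POST binding (base64 only, carried in a form field). The following is an added example, not code from the question, the answer or the ITfoxtec library; it is written in Python rather than the project's C# so it can be run stand-alone against any SAMLRequest copied out of a redirect URL. The XML is the question's own decoded AuthnRequest, used here as constructed test input; the SSO URL, RelayState value and all function names are assumptions made for the example.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed test input: the AuthnRequest exactly as the question shows it after
# decoding. Nothing is sent anywhere; it only exercises the two encodings.
AUTHN_REQUEST_XML = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_2efe780b-f120-4201-bf73-c0962d690701" Version="2.0" '
    'IssueInstant="2022-12-06T16:42:56.239Z" '
    'Destination="https://physics.lab.xxx.edu/idp/profile/Shibboleth/SSO">'
    '<saml2:Issuer>LabLoginApp</saml2:Issuer>'
    '</saml2p:AuthnRequest>'
)
SSO_URL = "https://physics.lab.xxx.edu/idp/profile/Shibboleth/SSO"  # assumed endpoint


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header or checksum), then base64.
    The caller URL-encodes the result when placing it in the query string."""
    compressor = zlib.compressobj(level=9, wbits=-15)  # negative wbits = raw deflate
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(saml_request: str) -> str:
    """Inverse of encode_redirect_binding; expects the already URL-decoded value.
    Raises binascii.Error (a ValueError) on bad base64 and zlib.error on bad deflate."""
    raw = base64.b64decode(saml_request, validate=True)
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def encode_post_binding(xml: str) -> str:
    """HTTP-POST binding: plain base64 of the XML in a form field, no compression."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post_binding(saml_request: str) -> str:
    return base64.b64decode(saml_request, validate=True).decode("utf-8")


def build_redirect_url(sso_url: str, xml: str, relay_state: str) -> str:
    """The Location header an SP emits for an unsigned redirect, like the question's."""
    query = urlencode({"SAMLRequest": encode_redirect_binding(xml), "RelayState": relay_state})
    return f"{sso_url}?{query}"


def saml_request_from_url(url: str) -> str:
    """Pull the URL-decoded SAMLRequest value out of a redirect URL."""
    return parse_qs(urlsplit(url).query, strict_parsing=True)["SAMLRequest"][0]


def classify_saml_request(value: str) -> str:
    """Report which binding a SAMLRequest value was encoded for: 'redirect', 'post',
    or 'unable-to-decode' when neither decoder yields XML (the IdP's 400 case)."""
    for name, decoder in (("redirect", decode_redirect_binding), ("post", decode_post_binding)):
        try:
            xml = decoder(value)
        except (ValueError, zlib.error):  # binascii.Error and UnicodeDecodeError are ValueErrors
            continue
        if xml.startswith("<"):  # a SAML message starts with its root element or <?xml
            return name
    return "unable-to-decode"


if __name__ == "__main__":
    url = build_redirect_url(SSO_URL, AUTHN_REQUEST_XML, "ReturnUrl=/")
    value = saml_request_from_url(url)
    print("redirect URL:", url)
    print("decoded:", decode_redirect_binding(value))
    print("binding of query value:", classify_saml_request(value))
    print("binding of form value:", classify_saml_request(encode_post_binding(AUTHN_REQUEST_XML)))
    # A value that lost its tail in copy/paste no longer base64-decodes cleanly.
    print("truncated value:", classify_saml_request(value[:-5]))
```

Paste the SAMLRequest value from the failing URL into `classify_saml_request` after URL-decoding it: "redirect" means the encoding is fine and the problem lies elsewhere (binding the IdP expects, Issuer/entityID not registered, destination), "post" means a form-encoded value ended up in a query string, and "unable-to-decode" reproduces the IdP's error and points at corruption of the value itself. Signed redirects add SigAlg and Signature query parameters, which this decoder ignores.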