ADFS Authentication Issue in .Net 8
I have an existing ASP.NET MVC application that relies on ADFS authentication. I'm currently upgrading it to .NET 8. As part of the upgrade process, I prioritized implementing the authentication functionality first. However, I'm encountering an issue where the IsAuthenticated property consistently returns false.
    builder.Services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddWsFederation(options =>
    {
        options.MetadataAddress = "https://example.com/FederationMetadata/2007-06/FederationMetadata.xml"; // Replace with your metadata URL
        options.Wtrealm = "urn:DevDotNet"; // Replace with your URN
        options.Wreply = "https://xyz.com/Home/Index";
    });
Can you please help to identify the issue?
.NET
ASP.NET Core
Active Directory Federation Services
-
JasonPan - MSFT 4,791 Reputation points • Microsoft Vendor
2024-05-06T07:09:52.3933333+00:00 Hi @Vijayan, Neethu,
Could you kindly check this document Troubleshoot Active Directory Federation Services with events and logging?
Best Regards
Jason
-
Vijayan, Neethu 0 Reputation points
2024-05-06T10:27:15.4533333+00:00 Hi Jason, I've already consulted with our IT team regarding the authentication issue. They couldn't find any authentication error logs in ADFS. Upon checking the SAML response using a browser plugin, it appears that the response status is 200. Does this indicate successful authentication from the server?
Additionally, our IT team has configured the NameID attribute as per the Microsoft documentation.
Could there be any other issues within the application aside from the provided code? I've attempted to log various events like WsFederationEvents (OnTicketReceived, OnAuthenticationFailed, OnSecurityTokenReceived, OnSecurityTokenValidated, etc.). However, the only event that seems to be triggered is OnRedirectToIdentityProvider. Despite this, I can see the SAML response in the browser extension. Does this imply that the authentication was successful, and any potential configuration issues lie within the code? It's worth noting that I'm using a sample application for testing purposes.
-
JasonPan - MSFT 4,791 Reputation points • Microsoft Vendor
2024-05-07T08:07:28.9033333+00:00 Hi @Vijayan, Neethu,
Upon checking the SAML response using a browser plugin, it appears that the response status is 200. Does this indicate successful authentication from the server?
SAML response status 200 usually indicates that the ADFS server has successfully completed the authentication.
Could you share the Program.cs file? And hide your sensitive information, many thanks.
Best Regards
Jason
-
Vijayan, Neethu 0 Reputation points
2024-05-07T08:15:51.4433333+00:00 Thank you Jason,
Please find my program.cs file herewith
Program.txt
-
JasonPan - MSFT 4,791 Reputation points • Microsoft Vendor
2024-05-07T08:25:52.1666667+00:00 Hi @Vijayan, Neethu,
You are missing app.UseAuthentication(); please add it like below for testing.
    app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseAuthentication();
    app.UseAuthorization();
    app.MapControllerRoute(
        name: "default",
        pattern: "{controller=Home}/{action=Index}/{id?}");
    app.Run();
Best Regards
Jason
-
JasonPan - MSFT 4,791 Reputation points • Microsoft Vendor
2024-05-07T08:40:38.09+00:00 Hi @Vijayan, Neethu,
Please try the suggestion above and let me know the test result, thanks.
Best Regards
Jason
-
Vijayan, Neethu 0 Reputation points
2024-05-07T08:53:49.73+00:00 Thank you Jason.
I've tested the updated code, but I encountered an error on my localhost: "Error details: MSIS7007: The requested relying party trust 'https://testdev.com/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details." When I deployed the same code to my IIS hosted site, it redirected to a URL https://testdev.com/signin-wsfed. Do I need to explicitly set the Wreply url to redirect to my Home page? I am not sure whether the authentication is successful or not.
-
JasonPan - MSFT 4,791 Reputation points • Microsoft Vendor
2024-05-07T09:04:17.6233333+00:00 Hi @Vijayan, Neethu,
app.UseAuthentication(); is needed, and now the MSIS7007 error means you have not configured the SAML relying party on ADFS, or that you have but have not configured this endpoint. Please contact your IT team. Thanks for your patience.
Best Regards
Jason
-
Vijayan, Neethu 0 Reputation points
2024-05-07T09:07:42.0833333+00:00 Thank you so much for your support Jason
-
JasonPan - MSFT 4,791 Reputation points • Microsoft Vendor
2024-05-07T09:10:43+00:00 Hi @Vijayan, Neethu,
It's my pleasure, please let me know if the suggestion is useful to you.
Best Regards
Jason
-
Vijayan, Neethu 0 Reputation points
2024-05-08T00:48:04.6366667+00:00 That was really helpful, Jason.
The authentication request works now, but the request seems to be failing.
I have tried logging in to my hosted website for which the relying party is already set up in ADFS. I can see that it's hitting the OnSecurityTokenReceived event. However, I'm encountering the error 'Microsoft.IdentityModel.Tokens.SecurityTokenException: No token validator or token handler was found for the given token'. I'm attaching the log file for your reference. sqs20240508.txt
Thanks
Neethu
-
JasonPan - MSFT 4,791 Reputation points • Microsoft Vendor
2024-05-08T06:19:39.86+00:00 Hi @Vijayan, Neethu,
From the error message, please try to add TokenValidationParameters like below.
    .AddWsFederation(options =>
    {
        options.MetadataAddress = "https://example.com/FederationMetadata/2007-06/FederationMetadata.xml";
        options.Wtrealm = "urn:DevDotNet";
        options.Wreply = "https://testdev.com/";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://expected-issuer.com", // change to expected issuer
            ValidateAudience = true,
            ValidAudience = "urn:DevDotNet", // make sure it matches Wtrealm (or the audience you expect)
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(5)
        };
        ...
    });
You also need to check the JWT token (online tool: https://jwt.io). Is it as expected?
Best Regards
Jason
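The two fixes given in this thread (app.UseAuthentication() placed before app.UseAuthorization(), and explicit TokenValidationParameters) together with the WsFederationEvents logging the question mentions, assembled into one complete Program.cs. This is an added example, not code from the thread or from Microsoft; the hostnames, realm and issuer URI are placeholders, and it assumes the Microsoft.AspNetCore.Authentication.WsFederation package on .NET 8. When MetadataAddress is set, the handler loads the issuer name and the token-signing keys from the metadata document itself, so signature validation stays on without any local certificate.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

builder.Services.AddAuthentication(sharedOptions =>
{
    // The cookie carries the signed-in session; unauthenticated requests are
    // challenged by redirecting the browser to ADFS over WS-Federation.
    sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
})
.AddWsFederation(options =>
{
    // Placeholder hostnames (assumptions). The handler downloads the issuer and the
    // token-signing certificates from this document, so no PFX is configured here.
    options.MetadataAddress = "https://adfs.example.test/FederationMetadata/2007-06/FederationMetadata.xml";
    options.Wtrealm = "urn:DevDotNet";
    // Wreply must point at the handler's callback (CallbackPath defaults to /signin-wsfed)
    // and must match a WS-Federation endpoint registered on the relying-party trust in ADFS.
    options.Wreply = "https://app.example.test/signin-wsfed";

    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = "http://adfs.example.test/adfs/services/trust", // placeholder issuer URI
        ValidateAudience = true,
        ValidAudience = "urn:DevDotNet",   // must equal Wtrealm
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,   // keep signature checking on; keys come from metadata
        ClockSkew = TimeSpan.FromMinutes(5),
    };

    // Log each stage so a failure can be placed: no token at all, token rejected,
    // or token accepted but the cookie never issued.
    options.Events = new WsFederationEvents
    {
        OnRedirectToIdentityProvider = ctx =>
        {
            LoggerFor(ctx.HttpContext).LogInformation("Redirecting to ADFS at {Issuer}", ctx.ProtocolMessage.IssuerAddress);
            return Task.CompletedTask;
        },
        OnSecurityTokenReceived = ctx =>
        {
            LoggerFor(ctx.HttpContext).LogInformation("Security token received from ADFS");
            return Task.CompletedTask;
        },
        OnSecurityTokenValidated = ctx =>
        {
            LoggerFor(ctx.HttpContext).LogInformation("Token validated for {Name}", ctx.Principal?.Identity?.Name);
            return Task.CompletedTask;
        },
        OnAuthenticationFailed = ctx =>
        {
            LoggerFor(ctx.HttpContext).LogError(ctx.Exception, "Token rejected: {Reason}", ctx.Exception.Message);
            return Task.CompletedTask;
        },
    };
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseAuthentication();   // without this, User.Identity.IsAuthenticated is always false
app.UseAuthorization();

// Diagnostic endpoint: shows whether the cookie principal was actually established.
app.MapGet("/whoami", (HttpContext http) => Results.Ok(new
{
    IsAuthenticated = http.User.Identity?.IsAuthenticated ?? false,
    Name = http.User.Identity?.Name,
    Claims = http.User.Claims.Select(c => new { c.Type, c.Value }),
}));

app.MapControllerRoute(name: "default", pattern: "{controller=Home}/{action=Index}/{id?}");
app.Run();

static ILogger LoggerFor(HttpContext http) =>
    http.RequestServices.GetRequiredService<ILogger<Program>>();
```

Browse to /whoami before and after signing in: if the token-validated event fires but IsAuthenticated stays false, the problem is in the pipeline (missing or misplaced UseAuthentication); if the authentication-failed event fires, its logged exception names the validation rule that rejected the token.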
-
Vijayan, Neethu 0 Reputation points
2024-05-08T06:57:04.9533333+00:00 Thank you, Jason.
I've tried the code provided above, but I'm still encountering the same error. I am attaching my program.cs and the error log for your reference (Program_v2.txt, sqs20240508.txt). I also attempted the solution mentioned in the last comment of this Stack Overflow thread (https://stackoverflow.com/questions/50743008/asp-net-microsoft-identitymodel-tokens-securitytokenexception-no-validator-foun), but it didn't resolve the issue.
Thanks
Neethu
-
JasonPan - MSFT 4,791 Reputation points • Microsoft Vendor
2024-05-08T07:59:13.3233333+00:00 Hi @Vijayan, Neethu,
The Stack Overflow link you shared is useful. Have you checked the token by using the CustomSAMLTokenValidation method in the link?
Best Regards
Jason
-
Vijayan, Neethu 0 Reputation points
2024-05-09T04:40:38.11+00:00 Hi Jason,
I'm trying to implement custom validation as per the link, but I'm encountering the error "IDX10500: Signature validation failed. No security keys were provided to validate the signature." Setting ValidateIssuerSigningKey = false bypasses issuer validation, but it still requires the signing key. To validate the SAML signature, do I need to obtain certificate information from the IT team? If so, I'll request it accordingly. Is there any option to bypass this?
    IssuerSigningKeys = new List<SecurityKey>
    {
        new X509SecurityKey(new X509Certificate2("path_to_certificate.pfx", "certificate_password")),
    },
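The question above asks whether a PFX and its password are needed to validate the token signature. Verifying a signature needs only the identity provider's public token-signing certificate, and ADFS publishes exactly that inside the FederationMetadata document the handler already fetches from MetadataAddress. The following added example (not code from the thread, from Microsoft, or from the linked Stack Overflow answer) reads the signing certificates out of such a document and turns them into the IssuerSigningKeys a custom-validation path would need. The metadata document, hostnames, issuer URI and certificate are all constructed here so the sample runs offline; a real ADFS document has more descriptors but the same KeyDescriptor shape. It assumes the Microsoft.IdentityModel.Tokens package, which the WsFederation handler already pulls in.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;
using Microsoft.IdentityModel.Tokens;

// Constructed stand-in for the IdP: a throwaway self-signed certificate plays the
// ADFS token-signing certificate. Only its public half is placed in the metadata.
using var rsa = RSA.Create(2048);
var request = new CertificateRequest("CN=ADFS Signing - adfs.example.test", rsa,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using var signingCert = request.CreateSelfSigned(
    DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
string publicCertBase64 = Convert.ToBase64String(signingCert.Export(X509ContentType.Cert));

// Constructed, simplified FederationMetadata: the signing certificate appears twice
// (ADFS repeats it across role descriptors) plus one encryption certificate to skip.
string metadata = $"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{publicCertBase64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{publicCertBase64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{publicCertBase64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
""";

var keys = MetadataSigningKeys.FromFederationMetadata(metadata);
foreach (var key in keys)
{
    // Expect one key, thumbprint of the constructed cert, and no private key present.
    Console.WriteLine($"signing key {key.Certificate.Thumbprint} (has private key: {key.Certificate.HasPrivateKey})");
}

var tvp = MetadataSigningKeys.BuildValidationParameters(
    keys, issuer: "http://adfs.example.test/adfs/services/trust", realm: "urn:DevDotNet");
Console.WriteLine($"{tvp.IssuerSigningKeys.Count()} signing key(s) configured; signature validation enabled: {tvp.ValidateIssuerSigningKey}");

static class MetadataSigningKeys
{
    static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";

    // One X509SecurityKey per distinct certificate marked use="signing" (a KeyDescriptor
    // with no use attribute is valid for both purposes and is therefore kept as well).
    public static IReadOnlyList<X509SecurityKey> FromFederationMetadata(string metadataXml)
    {
        var doc = XDocument.Parse(metadataXml);
        return doc.Descendants(Md + "KeyDescriptor")
            .Where(kd => (string?)kd.Attribute("use") is null or "signing")
            .SelectMany(kd => kd.Descendants(Ds + "X509Certificate"))
            .Select(x => new X509Certificate2(Convert.FromBase64String(x.Value.Trim())))
            .DistinctBy(c => c.Thumbprint)
            .Select(c => new X509SecurityKey(c))
            .ToList();
    }

    // How the keys plug into validation: issuer, audience, lifetime and signature are all checked.
    public static TokenValidationParameters BuildValidationParameters(
        IEnumerable<X509SecurityKey> keys, string issuer, string realm) => new()
    {
        ValidateIssuer = true,
        ValidIssuer = issuer,
        ValidateAudience = true,
        ValidAudience = realm,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        IssuerSigningKeys = keys.ToList(),
    };
}
```

Two points the output makes visible: the key carries no private key (a public certificate is all a relying party needs, so no PFX or password has to be handed over), and duplicate descriptors collapse to a single key. Signing certificates on ADFS rotate, so in practice keep MetadataAddress configured and let the handler refresh them rather than pinning a certificate file that silently goes stale.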
-
JasonPan - MSFT 4,791 Reputation points • Microsoft Vendor
2024-05-09T13:12:25.3+00:00 Hi @Vijayan, Neethu,
As we know, this issue is related to ADFS, ASP.NET Core and certificates. It's hard for us to troubleshoot the issue in the forum. The best way for you is raising a support ticket (if you have the permission), then Microsoft Support Engineers can help you.
Here is the site: https://support.microsoft.com/en-US. You can find the Support for business in the middle.
Best Regards
Jason