tags:
views: 115
answers: 3

Hello,

I'm attempting my first SSO integration using SAML 2.0. I've been using:

http://www.codeproject.com/KB/aspnet/DotNetSamlPost.aspx?msg=3562384

as an example for myself.

Presently I'm just trying to successfully post to their URL. The site we're connecting to is quite large and uses a solution from Ping Identity to manage their SSO, which often seems to give me less than helpful errors. I've worked through a few, but this one has me stumped:

UnknownBindingException: Request contains insufficient information to determine the protocol binding (did you type a protocol endpoint URL directly into the location bar of your browser?).

Does anyone have any idea what might cause this? The SAML I'm posting looks like this:

<Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_3b052151-fb4f-4e10-89bd-d65ef5141e9d" Version="2.0" IssueInstant="2010-08-20T20:36:02.8093696Z" Destination="https://******/sp/ACS.saml2" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">www.******.org</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_3b052151-fb4f-4e10-89bd-d65ef5141e9d">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>****</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>*******</SignatureValue>
  </Signature>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </Status>
  <Assertion Version="2.0" ID="_d0f34b54-cf0b-49c7-9a50-f60842b7e0d2" IssueInstant="2010-08-20T20:36:02.8103697Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>www.*******.org</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">adamb</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2010-08-20T20:41:02.8103697Z" Recipient="https://*****.com:9031/sp/ACS.saml2" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2010-08-20T20:36:02.8103697Z" NotOnOrAfter="2010-08-20T20:41:02.8103697Z">
      <AudienceRestriction>
        <Audience>*****</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2010-08-20T20:36:02.8103697Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</Response>

Any help is much appreciated,

Thanks.

A: 

Sounds like you are either A) sending the Assertion via the GET method instead of a POST, or B) you have not properly formatted the HTML form that contains the Assertion being sent to your partner.

Ian
A: 

As I read your question, your application is going to be a Service Provider (SP) in a SAML2 federation where Ping is the Identity Provider (IdP). And you've tagged the question c#, so I'm assuming that your SP is implemented in .NET.

Which SAML2 framework are you using, or are you rolling your own? If you're doing your own SAML2 framework, I'd recommend using OIOSAML.net, which is open source under the Mozilla License (free to use for any purpose). You can check out the source here: http://view.svn.softwareborsen.dk/cgi-bin/index.cgi/Softwareborsen/oiosaml.net/branches/ (all documentation is in English).

It's actively maintained by the Danish government, and it has been interop tested with Ping, ADFSv2, SimpleSAMLphp, and many other SAML2 IdPs. It's currently used by hundreds of Danish web sites in a federation with Ping as IdP.

Regarding the exception you're receiving, which binding are you intending to use: HTTP Redirect, or something else? Assuming it's HTTP Redirect, I recommend reading the relevant section starting on p. 15 of the SAML2 bindings specification: http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

Martin Strandbygaard
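The two answers above turn on the same point: the ACS endpoint decides which binding it is looking at from where the SAML parameter arrives (form body of a POST for HTTP-POST, query string of a GET for HTTP-Redirect), and a request carrying neither is exactly the "insufficient information to determine the protocol binding" case. The following is an added example, not code from the question, from either answer, or from PingFederate or OIOSAML.net; it is in Python rather than C# so it runs stand-alone. It encodes one stripped-down Response both ways (IdP side), then runs a simplified SP-side binding check and the Destination check an ACS must perform before it even looks at the signature. The ACS URL, the RelayState value and the cut-down Response are constructed placeholders, and the detection rule is a model of what the quoted error implies, not Ping's actual logic. Two caveats worth keeping in mind: the Redirect binding is meant for short messages such as an AuthnRequest, and a Response carrying an enveloped XML signature normally goes over HTTP-POST; and the Response in the question uses different hosts in its Destination and in the Assertion's Recipient, both of which an SP is expected to compare against the ACS URL it actually received the POST on.

```python
import base64
import html
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# Constructed placeholders (not values from the question).
ACS_URL = "https://sp.example.com:9031/sp/ACS.saml2"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Stripped-down, unsigned Response in the shape of the one in the question;
# a real one also carries Issuer, Signature and the Assertion.
SAMPLE_RESPONSE = (
    f'<Response xmlns="{SAMLP}" ID="_3b052151-fb4f-4e10-89bd-d65ef5141e9d" '
    f'Version="2.0" IssueInstant="2010-08-20T20:36:02Z" Destination="{ACS_URL}">'
    '<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>'
    "</Response>"
)


class UnknownBindingError(Exception):
    """Stands in for the UnknownBindingException quoted in the question."""


def post_binding_fields(saml_xml, relay_state=None):
    """IdP side, HTTP-POST binding: base64 of the raw XML (no DEFLATE) in a form
    field named exactly SAMLResponse, plus an optional RelayState."""
    fields = {"SAMLResponse": base64.b64encode(saml_xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def build_post_form(acs_url, fields):
    """Auto-submitting HTML page sent to the browser. method must be POST and
    action must be the SP's ACS URL, otherwise the SP sees a bare GET."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'  <form method="POST" action="{html.escape(acs_url)}">\n{inputs}\n'
        '    <noscript><input type="submit" value="Continue"/></noscript>\n'
        "  </form>\n</body></html>"
    )


def build_redirect_url(saml_xml, endpoint, param="SAMLRequest", relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encoded
    into the query string. Intended for short messages such as an AuthnRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(saml_xml.encode("utf-8")) + comp.flush()
    query = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        query["RelayState"] = relay_state
    return f"{endpoint}?{urllib.parse.urlencode(query)}"


def detect_binding(method, query_string, form_body):
    """SP side: simplified model of how an ACS picks the binding from where the
    SAML parameter arrives. Nothing usable means the binding is unknown."""
    form = urllib.parse.parse_qs(form_body)
    query = urllib.parse.parse_qs(query_string)
    if method == "POST" and ("SAMLResponse" in form or "SAMLRequest" in form):
        return POST_BINDING
    if method == "GET" and ("SAMLResponse" in query or "SAMLRequest" in query):
        return REDIRECT_BINDING
    raise UnknownBindingError(
        "Request contains insufficient information to determine the protocol binding"
    )


def receive_post(form_body, received_at_url):
    """SP side for HTTP-POST: decode SAMLResponse and refuse it unless Destination
    is the URL it was actually posted to. Signature and Assertion checks
    (Recipient, Audience, NotOnOrAfter) would follow and are omitted here."""
    form = urllib.parse.parse_qs(form_body)
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0]))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    destination = root.get("Destination")
    if destination != received_at_url:
        raise ValueError(f"Destination {destination!r} != ACS URL {received_at_url!r}")
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    return {"id": root.get("ID"), "destination": destination, "status": status}


def demo():
    """Run both bindings through the SP-side checks and return what they decided."""
    body = urllib.parse.urlencode(post_binding_fields(SAMPLE_RESPONSE, relay_state="/app"))
    redirect_qs = build_redirect_url(SAMPLE_RESPONSE, ACS_URL, "SAMLResponse").split("?", 1)[1]
    try:
        detect_binding("GET", "", "")  # endpoint URL typed straight into the browser
        bare_get = "accepted"
    except UnknownBindingError as exc:
        bare_get = str(exc)
    return {
        "post": detect_binding("POST", "", body),
        "redirect": detect_binding("GET", redirect_qs, ""),
        "bare_get": bare_get,
        "received": receive_post(body, ACS_URL),
    }


if __name__ == "__main__":
    print(build_post_form(ACS_URL, post_binding_fields(SAMPLE_RESPONSE)))
    print(demo())
```

Running the module prints the HTML form an IdP would hand to the browser and the SP-side verdicts: the form body is classified as HTTP-POST, the DEFLATE-encoded query string as HTTP-Redirect, and a bare GET on the ACS URL reproduces the "insufficient information" outcome. If the form's `action` points at a different host or port than the `Destination` in the Response, `receive_post` rejects the message before any signature work, which is the first thing to compare when an ACS refuses a Response that otherwise looks well-formed.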
A: 

If you are just getting started with SAML 2.0, you can complete a free POC with SSO Easy's SAML 2.0 product in about 1 hour. Going into production typically takes a few hours, with no coding. All SAML function and integration / platform support comes out of the box.

Pricing for SSO Easy's SAML product solution starts as low as $1,000.

http://www.ssoeasy.com/home

Considering the countless hours that will be spent learning, building, testing, debugging, supporting and maintaining a custom-built SAML solution, the ROI leans heavily toward buying the turnkey SAML product.

rcarroll