Detail Error: IDX13102: Exception thrown while reading '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' for Saml2SecurityToken. Inner exception: '[PII of type 'System.ArgumentNullException' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
I've got a problem and I'm not sure it came from IdP or not. After IdP authenticated user and verified the authorization, the IdP generates the SAML assertion, that have format like this:
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="..."
Version="2.0"
IssueInstant=""
Destination="des..."
InResponseTo="..."
>
<saml:Issuer>https://idp.domain</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#...">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
ID="_26df0e27-891c-4c9c-abec-ddb87a888543"
Version="2.0"
IssueInstant=""
>
<saml:Issuer>https://idp.domain</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter=""
Recipient="des..."
InResponseTo="..."
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore=""
NotOnOrAfter=""
>
<saml:AudienceRestriction>
<saml:Audience>https://www.valid.audience</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant=""
SessionNotOnOrAfter=""
SessionIndex=""
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="or_email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xs:string" />
</saml:Attribute>
<saml:Attribute Name="login_id"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xs:string">example</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>````
In subject tag, you can see this: **<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />** and I wonder: Does this reason cause errors?
Thank you for your helps!
I tried to compare this assertion with the others, which was succeeded and I think **<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />** is the problem. In the successful assertions, this tag goes like **<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{some-thing-like-this}</saml:NameID>**
.NET default hide the cause of such security errors. You can add this line of code in the startup to find the cause:
Like this https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Startup.cs#L33