I’m trying to implement ADFS SSO authentication for my ASP.NET Core app using Sustainsys.Saml2.
When I go to my login controller, it redirects to the ADFS server; I log in via the ADFS login page and get redirected back to my server, but my server throws:
"Sustainsys.Saml2.UnsuccessfulSamlOperationException": The Saml2Response must have status success to extract claims.
(Saml2 Status code: responder).
I went to the ADFS server and viewed the logs, and I see the error:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSI0037: No signature verification certificate found for issuer "<my-application-url>".
My Sustainsys configuration is:

    using System;
    using System.Security.Cryptography.X509Certificates;
    using Sustainsys.Saml2;
    using Sustainsys.Saml2.Configuration;
    using Sustainsys.Saml2.Metadata;
    using Sustainsys.Saml2.WebSso;

    // Inside the services.AddAuthentication(...).AddSaml2(options => { ... }) callback:

    // Service provider (this application)
    options.SPOptions.EntityId = new EntityId("<my-application-url>");
    options.SPOptions.PublicOrigin = new Uri("<my-application-url>");
    options.SPOptions.AuthenticateRequestSigningBehavior = SigningBehavior.Always;
    options.SPOptions.WantAssertionsSigned = true;

    // The .pfx holds the private key needed to sign outgoing AuthnRequests.
    var certificate = new X509Certificate2(certificatePath, secret);

    // Identity provider (ADFS)
    IdentityProvider identityProvider = new IdentityProvider(
        new EntityId("http://<adfs-server>/adfs/services/trust"), options.SPOptions)
    {
        MetadataLocation = "<adfs-metadata-url>",
        AllowUnsolicitedAuthnResponse = true,
        Binding = Saml2BindingType.HttpRedirect,
        WantAuthnRequestsSigned = true,
        OutboundSigningAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    };
    // Keys used to verify signatures on messages coming from this IdP.
    identityProvider.SigningKeys.AddConfiguredKey(certificate);
    options.IdentityProviders.Add(identityProvider);

    // Certificate the SP signs its AuthnRequests with.
    ServiceCertificate serviceCertificate = new ServiceCertificate()
    {
        Certificate = certificate,
        Use = CertificateUse.Signing
    };
    options.SPOptions.ServiceCertificates.Add(serviceCertificate);
I’ve tried every option I could find, and the error still persists.
You need to configure the ADFS server with the public part of your certificate. I guess ADFS can import a .cer if you generate that from your .pfx.
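The steps in the answer, done from PowerShell instead of the ADFS management console, as an added example that is not part of the original answer. The .pfx and .cer paths and the relying-party identifier are assumed placeholders; the identifier must equal the EntityId configured in SPOptions, because ADFS looks up the request-signing certificate by the issuer of the AuthnRequest. Export the public part on the machine that holds the .pfx, then run the ADFS cmdlets on the ADFS server.

```powershell
# Added example, not from the original question or answer.
# Assumed placeholders: adjust the paths and the identifier to your environment.
$pfxPath      = 'C:\certs\sp-signing.pfx'     # the .pfx Sustainsys loads as its signing certificate
$cerPath      = 'C:\certs\sp-signing.cer'     # public part only, safe to copy to the ADFS server
$rpIdentifier = 'https://my-application-url/' # must match options.SPOptions.EntityId exactly

# Step 1 (where the .pfx lives): export only the public certificate.
# Get-PfxCertificate prompts for the .pfx password; -Type CERT writes DER with no private key.
$spCert = Get-PfxCertificate -FilePath $pfxPath
Export-Certificate -Cert $spCert -FilePath $cerPath -Type CERT | Out-Null
"Exported public cert, thumbprint $($spCert.Thumbprint)"

# Step 2 (on the ADFS server): attach the .cer to the relying party trust as a
# request-signing certificate. This is what ADFS consults when it verifies a signed
# AuthnRequest; without it the issuer has no verification certificate.
$publicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier -RequestSigningCertificate $publicCert

# Step 3: confirm the trust now carries the certificate and that the thumbprint is the
# one Sustainsys signs with (compare with the value printed in step 1).
$rp = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier
if (-not $rp) { throw "No relying party trust with identifier $rpIdentifier" }
$rp.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotAfter
```

Two checks worth doing if the error survives this: the identifier on the trust must match the EntityId byte for byte (a trailing slash or http/https difference makes ADFS treat the issuer as unknown), and the certificate on the trust must have the same thumbprint as the .pfx the application loads, otherwise ADFS finds a certificate but the signature still fails to verify.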