SAML SP for ASP.NET troubleshooting

Error: @Address is invalid

If the following error is shown in the browser window:

Ubisecure.SAML2.Core.ValidationException
SubjectConfirmationData/@Address is invalid. Value: xxx.xxx.xxx.xxx

This error indicates that the IIS server is not sending the matching host address. When IIS serves multiple virtual hosts, the host header values must be set correctly. In IIS7.5, host headers are called 'bindings'. Set the host headers / bindings to match the hostname of the address used in Listing 1 of SAML SP for ASP.NET service provider configuration.

Configuration for IIS5 is shown in Figure 1 and Figure 2. Configuration for IIS7 is shown in Figure 3 and Figure 4.

Figure 1. IIS6 Multiple Web Site Configuration


Figure 2. IIS6 Host Header Name Configuration


Figure 3. IIS7.5 Bindings


Figure 4. IIS7.5 Host Name Binding Configuration
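
One way to check the bindings from PowerShell instead of the IIS Manager dialogs. This is an added example, not part of the product documentation; the URL in `$SpUrl` is a constructed placeholder for the address in your service provider configuration, and the script assumes PowerShell 3.0 or later with the IIS WebAdministration module installed:

```powershell
# Added example: compare IIS bindings with the host name of the SP address.
# $SpUrl is a constructed placeholder; replace it with the address from your
# SAML SP for ASP.NET service provider configuration.
param([string]$SpUrl = 'https://app.example.com/spsso.ashx')

Import-Module WebAdministration
$expected = [Uri]$SpUrl

$rows = foreach ($site in Get-Website) {
    foreach ($binding in $site.Bindings.Collection) {
        if ('http', 'https' -notcontains $binding.protocol) { continue }

        # bindingInformation is "IP:port:hostname". An IPv6 address contains
        # colons itself, so split from the right instead of using -split ':'.
        $info     = $binding.bindingInformation
        $cut      = $info.LastIndexOf(':')
        $hostName = $info.Substring($cut + 1)
        $ipPort   = $info.Substring(0, $cut)
        $port     = [int]$ipPort.Substring($ipPort.LastIndexOf(':') + 1)

        $sameEndpoint = ($binding.protocol -eq $expected.Scheme) -and ($port -eq $expected.Port)
        $status = if ($hostName -eq $expected.Host) {
            if ($sameEndpoint) { 'match' } else { 'host name matches, protocol or port differs' }
        } elseif ($hostName -eq '' -and $sameEndpoint) {
            'no host name set on this binding'
        } else {
            'other host name'
        }

        [pscustomobject]@{
            Site     = $site.Name
            Protocol = $binding.protocol
            Port     = $port
            HostName = $hostName
            Status   = $status
        }
    }
}

$rows | Sort-Object Site, Port | Format-Table -AutoSize

# Warn when no site carries a binding for the SP host name at all.
if (-not ($rows | Where-Object { $_.Status -eq 'match' })) {
    Write-Warning "No binding matches $($expected.Scheme)://$($expected.Host):$($expected.Port)"
}
```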

404 Not Found Error: "spsso.ashx?ReturnUrl=<return url>"

If this error is shown in the browser window when the application redirects to SSO, you may be using SAML SP for ASP.NET with an ASP.NET MVC application.

You need to create an empty file named spsso.ashx in your MVC application folder.

Also, to open access to myWebAppURL/spsso.ashx/saml2/metadata.xml, you need to update the routing configuration of the application, for example by adding the following line:

App_Start/RouteConfig.cs file

routes.Ignore("spsso.ashx/{*pathInfo}"); 

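Insert the line at the beginning of the RegisterRoutes method. Example code for the method looks like this:

public static void RegisterRoutes(RouteCollection routes)
{
	// Exclude the SAML SP handler from MVC routing so that requests to
	// spsso.ashx (including spsso.ashx/saml2/metadata.xml) reach the handler.
	routes.Ignore("spsso.ashx/{*pathInfo}");
	routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
	// .... (remaining route registrations of the application)
}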