Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NullReferenceException in Saml2Response Constructor on missing Version attribute #1055

4nd3r5 opened this issue Jan 17, 2019 · 2 comments


None yet
2 participants
Copy link

commented Jan 17, 2019

  1. What nuget packages are you using
  • Sustainsys.Saml2.AspNetCore2 (2.2.0)
  • IdentityServer 4 (2.2.0)
  1. What is the expected behaviour
    We are trying to enable SAML2 as a Identityprovider for an api.
    We can successfully authenticate with, but when we try to use our own demo idp (OIOSAML 2.0.1) we get the exception below
    The saml token is processed on callback
  2. What happens instead.
    We get a null reference exception

We can add SAML2 request and responses but would rather not submit it here.

Additional info

Project is using

  • net472
  • Asp.Net core 2.1.3

This comment has been minimized.

Copy link

commented Jan 17, 2019

As you suspect, the SAML2 response that causes this would help to find out what is happening. Obviously there is something the library expects that isn't there and there is not correct error handling.
Can you please mail the repsonse to You can obfuscate any sensitive data - I will be looking for what elements and attributes are present.

@AndersAbel AndersAbel added the bug label Jan 17, 2019

@AndersAbel AndersAbel changed the title NullReferenceException in Saml2Response Constructor NullReferenceException in Saml2Response Constructor on missing Version attribute Jan 17, 2019

@AndersAbel AndersAbel added enhancement and removed bug labels Jan 17, 2019


This comment has been minimized.

Copy link

commented Jan 17, 2019

I got a sample response from @4nd3r5 and the problem is a missing Version attribute:

<q1:Response Destination=""  InResponseTo="ida1cecfda7a2546a09794238731ae587f"  xmlns:q1="urn:oasis:names:tc:SAML:2.0:protocol">

The version is a Required attribute in the SAML2 specification, so there is not any checks for the case when it is entirely missing.

The best solution to this is of course go get the Idp to include the Version. But getting Idps to do what they should is sometimes hard. A solution in the library could be a CompatibilitySetting that skips the check for the Version. I'm also retagging this is an enhancement rather than a bug since a compatibility flag is an enhancement (although it is to fix a bug in the Idp).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.