ERR_HTTP2_PROTOCOL_ERROR after authentication is done


I'm trying to use ITfoxtec.Identity.Saml2.MvcCore on a .NET Core 3.1 web application using an in-house IdP.

It works great on our test server (Windows Server 2012, hosted in the IIS) but I can't get it to work on any other server.

This is what happens:

The initial call to the website is correctly identified as a non-authenticated call and the user is sent to the IdP, where the user logs in as usual. The SAML token is then posted back to the web application's assertion consumer service, where everything seems to do what it's supposed to: saml2AuthnResponse.Status has status code Saml2StatusCodes.Success and the log file says "AuthenticationScheme: saml2 signed in". Then it reads the ReturnUrl parameter and logs something like "Executing RedirectResult", but then it just stops. Nothing in the log file, nothing in the IIS logs. The user is met by the message

This site can’t be reached ... ERR_HTTP2_PROTOCOL_ERROR

In short, every controller that has the [Authorize]-attribute gives the ERR_HTTP2_PROTOCOL_ERROR-error. When I remove all [Authorize]-attributes the application works great, although without authentication.

I've also tried the example TestWebAppCore application from ITfoxtec.Identity.Saml2's GitHub page and it gives the same error. It works on our 2012 test server but nowhere else.

Any ideas that I can try?


There are 2 answers

Anders Revsgaard

I think you need to trace the calls to see the actual HTTP requests and responses sent between the browser and server. I usually use Fiddler for tracing the requests/responses. Remember to enable Fiddler for HTTPS tracing.

My first thought is that the problem can have something to do with cookies. But it is only a guess...

Faronson

You might be on to something. We disabled HTTP/2 on the server and were greeted instead by this message:

Bad Request - Request Too Long
HTTP Error 400. The size of the request headers is too long.

It uses 5 cookie chunks for the SAML data, for a total of 19941 bytes, which is a bit too much. I've tried to make the application save the session data in classic session objects instead, but I can't seem to get it to work.

This is what I added to StartUp.cs:

In ConfigureService:

services.AddMvc()
    .AddSessionStateTempDataProvider();

services.AddSession(options =>
    options.Cookie.IsEssential = true
);

services.Configure<CookiePolicyOptions>(options =>
{
    options.CheckConsentNeeded = context => false;
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

In Configure:

app.UseSession();

But it still fills up the header with cookies. What am I doing wrong? Is there another way to make the session cookies smaller?
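Added example, not code from the question, the answers or the ITfoxtec project: the ASP.NET Core 3.1 cookie handler can keep the authentication ticket server-side through CookieAuthenticationOptions.SessionStore, so the browser carries only a short key instead of the chunked SAML claims. The scheme name "saml2" is the one shown in the question's log line; the in-memory cache backing is an assumption (it does not survive an app restart or span a web farm, where an IDistributedCache-backed store would be used instead).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Memory;

// Server-side ticket store: the full ticket (all SAML claims) stays in memory
// and the browser only carries a random key, so the auth cookie stays small.
public class MemoryCacheTicketStore : ITicketStore
{
    private readonly IMemoryCache _cache;
    public MemoryCacheTicketStore(IMemoryCache cache) => _cache = cache;

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // Unguessable key; it is the only thing that reaches the cookie.
        var key = "AuthTicket-" + Guid.NewGuid().ToString("N");
        await RenewAsync(key, ticket);
        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        var entry = new MemoryCacheEntryOptions();
        // Expire the server-side copy together with the ticket itself.
        if (ticket.Properties.ExpiresUtc.HasValue)
            entry.SetAbsoluteExpiration(ticket.Properties.ExpiresUtc.Value);
        entry.SetSlidingExpiration(TimeSpan.FromHours(1));
        _cache.Set(key, ticket, entry);
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        // Unknown or expired key -> null, which the handler treats as signed out.
        _cache.TryGetValue(key, out AuthenticationTicket ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        _cache.Remove(key);
        return Task.CompletedTask;
    }
}

// In Startup.ConfigureServices, after the ITfoxtec registration (assumed):
// services.AddMemoryCache();
// services.AddSingleton<ITicketStore, MemoryCacheTicketStore>();
// services.AddOptions<CookieAuthenticationOptions>("saml2")
//     .Configure<ITicketStore>((opts, store) => opts.SessionStore = store);
```

With the store in place the "saml2" cookie holds only the key, so the request headers drop well below the IIS limit; the session middleware and TempData provider from the answer above are unrelated to the authentication cookie's size.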