How to authenticate with SAML in ASP.NET Core and C#

David Kintgen


This is a great tutorial. However, I am running into the same issue as James Gardner mentioned where I am getting a DTD processing error:

XmlException: For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.

I am not quite sure what James means by his description of how he solved it; can you provide any guidance on how to fix this issue?


I was having the same issue. I have resolved it by copying the URL of the Identity Provider Metadata into IIdPMetadata in the appsettings.json.

Nguyen The Binh

Hi Nick,

It is a great tutorial!

I have created a web app using ASP.NET CORE 3.1, Visual Studio 2019. I have followed the tutorial to connect Saml1 (Okta) with my web app. It works well on my laptop. Below is my appsettings.json:

“Logging”: {
“LogLevel”: {
“Default”: “Information”,
“Microsoft”: “Warning”,
“Microsoft.Hosting.Lifetime”: “Information”
“Saml2”: {
“IdPMetadata”: “https://dev-27134298.okta.c…”,
“Issuer”: “…”,
“SignatureAlgorithm”: “…”,
“CertificateValidationMode”: “ChainTrust”,
“RevocationMode”: “NoCheck”
“AllowedHosts”: “*”

and below is launchSettings.json:

“iisSettings”: {
“windowsAuthentication”: false,
“anonymousAuthentication”: true,
“iisExpress”: {
“applicationUrl”: “http://localhost:36236”,
“sslPort”: 0
“profiles”: {
“IIS Express”: {
“commandName”: “IISExpress”,
“launchBrowser”: true,
“environmentVariables”: {
“AttendanceStaffSite”: {
“commandName”: “Project”,
“launchBrowser”: true,
“environmentVariables”: {
“sqlDebugging”: false,
“dotnetRunMessages”: “true”,
“nativeDebugging”: false,
“applicationUrl”: “https://localhost:5001;http://localhost:5000”,
“jsWebView2Debugging”: false

I use “AttendanceStaffSite” when running from Visual Studio 2019. Everything works well in localhost.

However, when I publish it into webserver (IIS) and run, it has error as below:

HTTP Error 500.30 - ANCM In-Process Start Failure
Common solutions to this issue:
The application failed to start
The application started but then stopped
The application started but threw an exception during startup
Troubleshooting steps:
Check the system event log for error messages
Enable logging the application process’ stdout messages
Attach a debugger to the application process and inspect
For more information visit:…

Please note that I have published a default web app using ASP.NET CORE 3.1, Visual Studio 2019 on that server and It works well.

I do not know why it does not work. I feel that the Saml2 (Okta) now cannot connect to the web app after publishing on the web server.

Does anyone face the same issue? Any ideas/suggestions would be appreciated.


Hy i am also facing the issue of DTD i.e. Error : XmlException: For security reasons DTD is prohibited in this XML document. Was some one able to solve it?

The DTD error was driving me crazy, and I finally pieced it together. I put the solution it in this SO answer:

I am getting an error:

SecurityTokenValidationException: Invalid X509 certificate chain. Certificate name:‘, CN=dev-16078540, OU=SSOProvider, O=Okta, L=San Francisco, S=California, C=US’ and thumbprint:‘2D0BEADBDB45B556437570F30533A4C23F4465CC’. Chain Status:'A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Do I need to trust the cert locally or is there an additional step in the OKTA configuration that I need to do to trust my local app

When I try to run the demo app at work using my google login it keep redirecting me to the OKTA Developer dashboard not back to my local app

Great article. When I tried running in IIS however it didn’t work so well. Are there any other guides available for use when not running Kestrel?

Hi Nick,
Need your urgent assistance. I am using your project from GitHub. But it gives me below error when controls comes in AssertionConsumerService() action method while reading below line
binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);

Below is the error:

An unhandled exception occurred while processing the request.

SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: ‘[PII of type ‘System.String’ is hidden. For more details, see Bing]’. Did not match: validationParameters.ValidAudience: ‘[PII of type ‘System.String’ is hidden. For more details, see Bing]’ or validationParameters.ValidAudiences: ‘[PII of type ‘System.String’ is hidden. For more details, see Bing]’.

Below is the data populated when control reaches at the particular line where issue cropps up.

Appsettings.Json code as below :
“Saml2”: {
“IdPMetadata”: “”,
“Issuer”: “Okta_SAML_Example1”,
“SignatureAlgorithm”: “xmldsig-more namespace”,
“CertificateValidationMode”: “ChainTrust”,
“RevocationMode”: “NoCheck”

OKTA Set up :

In Saml2 config set the issuer value to match ‘Identity Provider Issuer’ (from Okta setup screen that you’ve referenced)


I have used the code mentioned in the post to create a solution with the .NET 7.0 framework.
Once I click on the login button, I get the below exception :slight_smile:

NullReferenceException: Object reference not set to an instance of an object.
System.Security.Cryptography.Xml.SignedXml.IsKeyTheCorrectAlgorithm(AsymmetricAlgorithm key, Type expectedType)
System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, bool verifySignatureOnly)
ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(XmlElement xmlElement)
ITfoxtec.Identity.Saml2.Saml2Request.Read(string xml, bool validateXmlSignature)
ITfoxtec.Identity.Saml2.Saml2Response.Read(string xml, bool validateXmlSignature)
ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(string xml, bool validateXmlSignature)
ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, string messageName, bool validateXmlSignature)
ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, string messageName)
ITfoxtec.Identity.Saml2.Saml2Binding.Unbind(HttpRequest request, Saml2Response saml2Response)
SAMLSample.Controllers.AuthController.AssertionConsumerService() in AuthController.cs
binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);

Not able to figure out why this exception and how to resolve it.

Any help would appreciated.


Found the solution for the problem, the downloaded the certificate from the okta and imported in the Trusted root certification authorities.

Thanks for updating the post with your solution!

Hello, I am almost able to complete the Signin process.
When I am redirected back to my site it shows the message below:-
I cant figure out whats going on !

(Should I be redirecting to
https://localhost:{port}/ ? or
http://localhost:{port}/ )

This site can’t be reached

The connection was reset.



Hi, Thanks for this tutorial. One question: There’s any way to generate a Service Provider Metadata? I need the IdP metadata and SP metadata. I appreciate it if anyone can help me.