Skip to content

Signature is invalid #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wiltodelta opened this issue May 17, 2017 · 5 comments
Closed

Signature is invalid #10

wiltodelta opened this issue May 17, 2017 · 5 comments

Comments

@wiltodelta
Copy link

wiltodelta commented May 17, 2017
edited
Loading

Hi!

I tried to validate the SAML Response and exception thrown:

Message = Signature is invalid.
StackTrace =  at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature() in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 226
   at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 198
   at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Response.cs:line 53
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2AuthnResponse.cs:line 210
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 107
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 102
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2Binding.cs:line 73
   at Sso.Web.Controllers.Mvc.Saml2Controller.<Consume>d__9.MoveNext() in C:\Projects\backend\Sso.Web\Controllers\Mvc\Saml2Controller.cs:line 164

Code:

var saml2Configuration = new Saml2Configuration
{
    CertificateValidationMode = X509CertificateValidationMode.None,
    SignatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    Issuer = new Uri("https://lastpass.com/saml/idp"),
    SingleSignOnDestination = new Uri("https://lastpass.com/saml/login/8891192/be56"),
};

saml2Configuration.AllowedAudienceUris.AddRange(Uri("https://dev.findo.io"));
byte[] signatureValidationCertificateBytes = Convert.FromBase64String("MIIDZTCCAk2gAwIBAgIJANsL5+qkMHjmMA0GCSqGSIb3DQEBCwUAMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEPMA0GA1UEBwwGVmllbm5hMRUwEwYDVQQDDAxMYXN0UGFzcy5jb20wIBcNMTcwNTE1MTIxNTU4WhgPMzAxNjA5MTUxMjE1NThaMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEPMA0GA1UEBwwGVmllbm5hMRUwEwYDVQQDDAxMYXN0UGFzcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6jXMqw9iLGBSX0DhKlPO8qx3srgAEiOw4PMOxMGNJUBOsRnvYp95Zf+YW7Qlq/1gBn1co+zBayMV9kpvPomUeOvatKzsC9A7R4Q1V1MSG4uBcaWmTjYo24bCrHAeX/A38m5bceDmYmlqNpt5Pmg5A4Dce6q9oL942H5kZYsV2o2PF9DmgENTabsL3r7NuFfcsrQXGPnKUk9Z4xFLU8FsFH13M9Lh3SMMu8c8p9IbfCcCUQekj537fPpFki/1rSBlTtfNNLrE3om/EcRDMzdPYnkaDsnFeNoXjLwjJZ06SQixTkArG/SL8ePmBId1Zi9ekgRJhogKftlsI8z7xbrY/AgMBAAGjUDBOMB0GA1UdDgQWBBSP1nSgrO/+ysfTPtaXE9yifbDXoTAfBgNVHSMEGDAWgBSP1nSgrO/+ysfTPtaXE9yifbDXoTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQASfx3UbkinTplQC76Y3aUalRWJF+XzbZ188GRcZDtAF4E5XGkkfgXqtu8/49HLksMtPWatIMBxumD9D4JI4K68wFsafYQe1ZPT/eX6uxZL0K+exjzqP9BNVRlGeLvkEtIcjAzuTtMerNPYmIuFpZZzfS+nPAYZli9EFQDmSU3iW3aWKmQ+mEaikGj3EwuS3nxskaNdziMJ4LQAApqFW8cOHBfOV7hSC6MvWlgDOhfznUcYaqtDI4CnD3pyXb6zZfqjnqK+jO+r84H5PmopMUGM34jY7KUPkpvtZH0HRZr2niBysOpBVuflpUCFWYl1VJLTlHUUG66nGQq3hlW+BB+q");
saml2Configuration.SignatureValidationCertificates.Add(new X509Certificate2(signatureValidationCertificateBytes));

var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse(saml2Configuration);
binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);

SAMLResponse:

PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJwZnhmNDkzZTE5Ni05MTE2LTZmZGYtNjYxNC1iZDMzMzQ3MmM3YTkiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE3LTA1LTE3VDE0OjMwOjU1WiIgRGVzdGluYXRpb249Imh0dHBzOi8vZTI3NTdjYmYubmdyb2suaW8vU2FtbDIvQ29uc3VtZSIgSW5SZXNwb25zZVRvPSJfMWJjODU5ODMtZWE0Mi00NTE1LTgwYmEtOWRlNTg0MDExOGI2Ij48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9sYXN0cGFzcy5jb20vc2FtbC9pZHA8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICA8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+CiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhmNDkzZTE5Ni05MTE2LTZmZGYtNjYxNC1iZDMzMzQ3MmM3YTkiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPjJldG9pRE5pU09kOUVyYy85YVdGSkJKTW9Rbz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+cWVOTnI5NTUyS21BUjRZcUxWWVVwYm5wL0wwZ2xkZkxaM29SdnhsWkNWcVJWdVR3WWZQWEc3MnlKVkx0RFQvZlN4dm15UGlxaGMwcElYYjBJQUlMdU9HUmt6MVBtR0d0MkVYL2xCaE1PajUzWmN3eTdCQ29vaDhvK2wzZGxpSGtpZkpTeXAxYlhTMUdJR3FzM2ZPc25tY0x3bERMKzZzTlhsUTAyVnU5eXptUWplQnZaNzNjQS9sdHBJSU03V3cybUxkZE1CaGFkbHc3U3lwWXZ4UUtzRDlVeXU5b2xKZnBQYnhPeVBMbnZPK0ZrVjlsaGpBOG53cnFtZkdUZmMyRzlyYWRTTjEwV3FmUCt6NUFJck9WcmpseGkyUE9qUnZYekFFY0ZKaFhqUzBjTTM2VnN6TXlKUkRDekYwUmltUzZZbkdEanJYVXRPRHpBQU5FZ1BaYjFBPT08L2RzOlNpZ25hdHVyZVZhbHVlPgo8ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlEWlRDQ0FrMmdBd0lCQWdJSkFOc0w1K3FrTUhqbU1BMEdDU3FHU0liM0RRRUJDd1VBTUVneEN6QUpCZ05WQkFZVEFsVlRNUkV3RHdZRFZRUUlEQWhXYVhKbmFXNXBZVEVQTUEwR0ExVUVCd3dHVm1sbGJtNWhNUlV3RXdZRFZRUUREQXhNWVhOMFVHRnpjeTVqYjIwd0lCY05NVGN3TlRFMU1USXhOVFU0V2hnUE16QXhOakE1TVRVeE1qRTFOVGhhTUVneEN6QUpCZ05WQkFZVEFsVlRNUkV3RHdZRFZRUUlEQWhXYVhKbmFXNXBZVEVQTUEwR0ExVUVCd3dHVm1sbGJtNWhNUlV3RXdZRFZRUUREQXhNWVhOMFVHRnpjeTVqYjIwd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUM2alhNcXc5aUxHQlNYMERoS2xQTzhxeDNzcmdBRWlPdzRQTU94TUdOSlVCT3NSbnZZcDk1WmYrWVc3UWxxLzFnQm4xY28rekJheU1WOWtwdlBvbVVlT3ZhdEt6c0M5QTdSNFExVjFNU0c0dUJjYVdtVGpZbzI0YkNySEFlWC9BMzhtNWJjZURtWW1scU5wdDVQbWc1QTREY2U2cTlvTDk0Mkg1a1pZc1YybzJQRjlEbWdFTlRhYnNMM3I3TnVGZmNzclFYR1BuS1VrOVo0eEZMVThGc0ZIMTNNOUxoM1NNTXU4YzhwOUliZkNjQ1VRZWtqNTM3ZlBwRmtpLzFyU0JsVHRmTk5MckUzb20vRWNSRE16ZFBZbmthRHNuRmVOb1hqTHdqSlowNlNRaXhUa0FyRy9TTDhlUG1CSWQxWmk5ZWtnUkpob2dLZnRsc0k4ejd4YnJZL0FnTUJBQUdqVURCT01CMEdBMVVkRGdRV0JCU1AxblNnck8vK3lzZlRQdGFYRTl5aWZiRFhvVEFmQmdOVkhTTUVHREFXZ0JTUDFuU2dyTy8reXNmVFB0YVhFOXlpZmJEWG9UQU1CZ05WSFJNRUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBU2Z4M1Via2luVHBsUUM3NlkzYVVhbFJXSkYrWHpiWjE4OEdSY1pEdEFGNEU1WEdra2ZnWHF0dTgvNDlITGtzTXRQV2F0SU1CeHVtRDlENEpJNEs2OHdGc2FmWVFlMVpQVC9lWDZ1eFpMMEsrZXhqenFQOUJOVlJsR2VMdmtFdEljakF6dVR0TWVyTlBZbUl1RnBaWnpmUytuUEFZWmxpOUVGUURtU1UzaVczYVdLbVErbUVhaWtHajNFd3VTM254c2thTmR6aU1KNExRQUFwcUZXOGNPSEJmT1Y3aFNDNk12V2xnRE9oZnpuVWNZYXF0REk0Q25EM3B5WGI2elpmcWpucUsrak8rcjg0SDVQbW9wTVVHTTM0alk3S1VQa3B2dFpIMEhSWnIybmlCeXNPcEJWdWZscFVDRldZbDFWSkxUbEhVVUc2Nm5HUXEzaGxXK0JCK3E8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiBJRD0icGZ4MDRjMDY1MGEtM2I4ZS0yYTBhLTc3NTQtYTgxN2I4ODU2OGUwIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNy0wNS0xN1QxNDozMDo1NVoiPjxzYW1sOklzc3Vlcj5odHRwczovL2xhc3RwYXNzLmNvbS9zYW1sL2lkcDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeDA0YzA2NTBhLTNiOGUtMmEwYS03NzU0LWE4MTdiODg1NjhlMCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+Z2NkaEY4aVJiK09VQ3RubFFYL3ByVVM0Nk5ZPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5EaksxVGM1dG01L2tVMDMrWDJlRFJReFJqa1g0QldPSWJlWWFxcTJDSm9KTDZ4YXYxVTR4VW1qMkZnTEF4bU8wOGN1d05pem85aWFodFBHZ2t5UktBU3NhTEhZVTUyUU9kQk8rV01pL2xWWmlPYmtJZU1CemJuUHorSmFUU2Q3NnJVeHkvalpDTmNIaEFJd204djdvNWNMaEdIeFlCOHd3TDZYaUdsbEVCaFZWWlpOTk80enBZSFl0VHFRVmdUQnJLVytjQTZ2KzZ6aFhSRXZDU3k2N2xHWWNXdmZkMGFKeUpYOWtTSzArb1p1Vi9rK0N0WlpmeG9qT2Y4RlZRRjhYUlp1WDZBZ3l2dlVyN1VzMnJKRFNiSDdXOFpKR1RBSnBIakpFTWZpYThjR0wzOTNCaEFLNkJxdlFxSkwyOTNXczUrZk5vMEVSSHI0d3F0bHdGUy9MZnc9PTwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURaVENDQWsyZ0F3SUJBZ0lKQU5zTDUrcWtNSGptTUEwR0NTcUdTSWIzRFFFQkN3VUFNRWd4Q3pBSkJnTlZCQVlUQWxWVE1SRXdEd1lEVlFRSURBaFdhWEpuYVc1cFlURVBNQTBHQTFVRUJ3d0dWbWxsYm01aE1SVXdFd1lEVlFRRERBeE1ZWE4wVUdGemN5NWpiMjB3SUJjTk1UY3dOVEUxTVRJeE5UVTRXaGdQTXpBeE5qQTVNVFV4TWpFMU5UaGFNRWd4Q3pBSkJnTlZCQVlUQWxWVE1SRXdEd1lEVlFRSURBaFdhWEpuYVc1cFlURVBNQTBHQTFVRUJ3d0dWbWxsYm01aE1SVXdFd1lEVlFRRERBeE1ZWE4wVUdGemN5NWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQzZqWE1xdzlpTEdCU1gwRGhLbFBPOHF4M3NyZ0FFaU93NFBNT3hNR05KVUJPc1JudllwOTVaZitZVzdRbHEvMWdCbjFjbyt6QmF5TVY5a3B2UG9tVWVPdmF0S3pzQzlBN1I0UTFWMU1TRzR1QmNhV21UallvMjRiQ3JIQWVYL0EzOG01YmNlRG1ZbWxxTnB0NVBtZzVBNERjZTZxOW9MOTQySDVrWllzVjJvMlBGOURtZ0VOVGFic0wzcjdOdUZmY3NyUVhHUG5LVWs5WjR4RkxVOEZzRkgxM005TGgzU01NdThjOHA5SWJmQ2NDVVFla2o1MzdmUHBGa2kvMXJTQmxUdGZOTkxyRTNvbS9FY1JETXpkUFlua2FEc25GZU5vWGpMd2pKWjA2U1FpeFRrQXJHL1NMOGVQbUJJZDFaaTlla2dSSmhvZ0tmdGxzSTh6N3hiclkvQWdNQkFBR2pVREJPTUIwR0ExVWREZ1FXQkJTUDFuU2dyTy8reXNmVFB0YVhFOXlpZmJEWG9UQWZCZ05WSFNNRUdEQVdnQlNQMW5TZ3JPLyt5c2ZUUHRhWEU5eWlmYkRYb1RBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFTZngzVWJraW5UcGxRQzc2WTNhVWFsUldKRitYemJaMTg4R1JjWkR0QUY0RTVYR2trZmdYcXR1OC80OUhMa3NNdFBXYXRJTUJ4dW1EOUQ0Skk0SzY4d0ZzYWZZUWUxWlBUL2VYNnV4WkwwSytleGp6cVA5Qk5WUmxHZUx2a0V0SWNqQXp1VHRNZXJOUFltSXVGcFpaemZTK25QQVlabGk5RUZRRG1TVTNpVzNhV0ttUSttRWFpa0dqM0V3dVMzbnhza2FOZHppTUo0TFFBQXBxRlc4Y09IQmZPVjdoU0M2TXZXbGdET2hmem5VY1lhcXRESTRDbkQzcHlYYjZ6WmZxam5xSytqTytyODRINVBtb3BNVUdNMzRqWTdLVVBrcHZ0WkgwSFJacjJuaUJ5c09wQlZ1ZmxwVUNGV1lsMVZKTFRsSFVVRzY2bkdRcTNobFcrQkIrcTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9kZXYuZmluZG8uaW8iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj52aWN0b3JrQGZpbmRvLmNvbTwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNy0wNS0xN1QxNDozNTo1NVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9lMjc1N2NiZi5uZ3Jvay5pby9TYW1sMi9Db25zdW1lIiBJblJlc3BvbnNlVG89Il8xYmM4NTk4My1lYTQyLTQ1MTUtODBiYS05ZGU1ODQwMTE4YjYiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNy0wNS0xN1QxNDozMDoyNVoiIE5vdE9uT3JBZnRlcj0iMjAxNy0wNS0xN1QxNDozNTo1NVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cHM6Ly9kZXYuZmluZG8uaW88L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE3LTA1LTE3VDE0OjI4OjU0WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAxNy0wNS0xN1QyMjozMDo1NVoiIFNlc3Npb25JbmRleD0iX2FkNzUxMGNjN2RkNDRhM2MyYjllODlhOWUxYzNlOGEyMmRiOTlhZjk0MSI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj52aWN0b3JrQGZpbmRvLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==

IdP EntityId: https://lastpass.com/saml/idp
SP EntityId: https://dev.findo.io
SP Consume Service Endpoint: https://e2757cbf.ngrok.io/Saml2/Consume

IdP X.509 certificate:

MIIDZTCCAk2gAwIBAgIJANsL5+qkMHjmMA0GCSqGSIb3DQEBCwUAMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEPMA0GA1UEBwwGVmllbm5hMRUwEwYDVQQDDAxMYXN0UGFzcy5jb20wIBcNMTcwNTE1MTIxNTU4WhgPMzAxNjA5MTUxMjE1NThaMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEPMA0GA1UEBwwGVmllbm5hMRUwEwYDVQQDDAxMYXN0UGFzcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6jXMqw9iLGBSX0DhKlPO8qx3srgAEiOw4PMOxMGNJUBOsRnvYp95Zf+YW7Qlq/1gBn1co+zBayMV9kpvPomUeOvatKzsC9A7R4Q1V1MSG4uBcaWmTjYo24bCrHAeX/A38m5bceDmYmlqNpt5Pmg5A4Dce6q9oL942H5kZYsV2o2PF9DmgENTabsL3r7NuFfcsrQXGPnKUk9Z4xFLU8FsFH13M9Lh3SMMu8c8p9IbfCcCUQekj537fPpFki/1rSBlTtfNNLrE3om/EcRDMzdPYnkaDsnFeNoXjLwjJZ06SQixTkArG/SL8ePmBId1Zi9ekgRJhogKftlsI8z7xbrY/AgMBAAGjUDBOMB0GA1UdDgQWBBSP1nSgrO/+ysfTPtaXE9yifbDXoTAfBgNVHSMEGDAWgBSP1nSgrO/+ysfTPtaXE9yifbDXoTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQASfx3UbkinTplQC76Y3aUalRWJF+XzbZ188GRcZDtAF4E5XGkkfgXqtu8/49HLksMtPWatIMBxumD9D4JI4K68wFsafYQe1ZPT/eX6uxZL0K+exjzqP9BNVRlGeLvkEtIcjAzuTtMerNPYmIuFpZZzfS+nPAYZli9EFQDmSU3iW3aWKmQ+mEaikGj3EwuS3nxskaNdziMJ4LQAApqFW8cOHBfOV7hSC6MvWlgDOhfznUcYaqtDI4CnD3pyXb6zZfqjnqK+jO+r84H5PmopMUGM34jY7KUPkpvtZH0HRZr2niBysOpBVuflpUCFWYl1VJLTlHUUG66nGQq3hlW+BB+q

Thanks in advance!
@wiltodelta
Copy link
Author

wiltodelta commented May 17, 2017
edited
Loading

var assertionValidationResult = ValidateXmlSignature(assertionElement);
I think problem here CheckDigestedReferencesInvoker.

@Spksh
Copy link

Spksh commented Oct 12, 2017

Ran into this problem with a response from OpenAM. ADFS worked fine, but all OpenAM responses failed signature validation for the assertion.

From what I can tell, the issue is with canonicalization and the way SignedXml handles namespace prefixes in XmlElements when the context is the assertion element and not the full document.

e.g. OpenAM responds with a <ds:Signature /> node, whereas ADFS responds with a <Signature /> node.

Workaround is to throw the OpenAM assertion into its own document, and then validate the signature. You can do that by overloading GetAssertionElement() for Saml2AuthnResponse.

    public class OpenAmSaml2AuthnResponse : Saml2AuthnResponse
    {
        public OpenAmSaml2AuthnResponse(Saml2Configuration config) : base(config)
        {
        }

        protected override XmlElement GetAssertionElement()
        {
            XmlDocument assertionDocument = new XmlDocument
            {
                PreserveWhitespace = true
            };

            assertionDocument.LoadXml(base.GetAssertionElement().OuterXml);

            return assertionDocument.DocumentElement;
        }
    }

And then use the class in place of the base Saml2AuthnResponse:

            Saml2PostBinding requestBinding = new Saml2PostBinding();

            // OpenAM includes namespace prefix for signed elements inside the assertion
            // This causes SignedXml signature verification to fail
            // We use a special response class that extracts the assertion and runs it through a new XmlDocument so that .NET ends up with the right namespace declarations
            OpenAmSaml2AuthnResponse saml2AuthnResponse = new OpenAmSaml2AuthnResponse (requestConfig);

            requestBinding.Unbind(controller.Request.ToGenericHttpRequest(), saml2AuthnResponse);

@Revsgaard
Copy link
Member

Revsgaard commented Oct 26, 2017
edited
Loading

Fix added to 69810b0 by loading Assertion in new XmlDocument before signature validation.
Thank you for the contribution.

@martin-furness-io
Copy link

martin-furness-io commented Apr 11, 2023
edited
Loading

Fix added to 69810b0 by loading Assertion in new XmlDocument before signature validation. Thank you for the contribution.

Little confused, why is this fix only implemented for .NET Framework? Have hit this problem with ASP.NET Core 3.1 and found that @Spksh's suggested fix above was the answer. After digging a bit deeper realised the fix is in the codebase in the ToXmlDocument() extension method but in the Saml2AuthnResponse can see the compiler directive for NETFULL filters out using it as the only targets marked NETFULL in the project file are .NET Framework ones.

@Revsgaard
Copy link
Member

You are right it is resolved in commit b74bb9e and release in 4.8.6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wiltodelta @Spksh @Revsgaard @martin-furness-io