ADFS Malformed reference element


I’m trying to Verify a Signature in a SAML Response, but when I call the Verify Method I’m getting the following error.

Exception: ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to verify the XML signature. —> System.Security.Cryptography.CryptographicException: Malformed reference element.

I’ve not found any other topics that seem to relate to this, I’ve take the liberty of turning on Logging and attached the output.

Any Ideas on how to sort this would be appreciated.



Thanks Paul for the log. I see there’s a SAML response containing a SAML assertion. The SAML response isn’t signed but the SAML assertion is. From the exception it appears you are calling SAMLMetadataSignature.Verify. Instead, you should be calling SAMLAssertionSignature.Verify.
The following section of code demonstrates how to verify the SAML assertion signature using the low-level SAML API.

//Extract the signed assertion from the SAML response.
XmlElement samlAssertionElement = samlResponse.GetSignedAssertion();

//Verify the SAML assertion signature using IdP’s public key.
//The x509CertificateIdP is assumed to have been loaded with the IdP’s certificate.
if(!SAMLAssertionSignature.Verify(samlAssertionElement, x509CertificateIdP)) {
// Handle error – not shown here.

//Parse the SAML assertion XML
SAMLAssertion samlAssertion = new SAMLAssertion(samlAssertionElement);

However, unless there’s a good reason for using the low-level API, you’re better off using the SAML high-level API as it handles signature verification etc automatically.


Thanks for the Response, I’m still struggling with the whole concept but I’ve put the following code together and it is still giving me the same message, I’m using low level due to this being deployed against a Multi-Tennat application and each Client will be able to specify their own Identity Provider.

I’ve put the following, sorry for the VB

If (SAMLMessageSignature.IsSigned(oSAMLResponseXML)) Then
If (Not SAMLMessageSignature.Verify(oSAMLResponseXML, identityProvider.Certificate)) Then
’ Error
End If
End If

That bit is fine, because as you said the Response is not signed

If (oSAMLResponseXML.GetElementsByTagName(“Assertion”) IsNot Nothing) Then
Dim oAssertionXML As XmlElement = CType(oSAMLResponseXML.GetElementsByTagName(“Assertion”).ItemOf(0), XmlElement)
If (SAMLAssertionSignature.IsSigned(oAssertionXML)) Then
If (Not SAMLAssertionSignature.Verify(oAssertionXML, identityProvider.Certificate)) Then
’ Error
End If
End If
End If

It still seems to complain about the Reference part, which I assume is

<ds:Reference URI=“#_16577807-9e57-45bf-8f3b-bf976cf34e4f”>
<ds:Transform Algorithm=“”>"/>
<ds:Transform Algorithm=“”>“/>
<ds:DigestMethod Algorithm=”“>”/>

Is this not what the Assertion should contain or is it not formed correctly?


Are you still getting the same error (ie No XML element was found with a metadata ID of …)? Your code shouldn’t produce this error.
Instead of calling GetElementsByTagName I suggest you call samlResponse.GetSignedAssertion instead. Please see my previous example code.
If there’s still an issue, please include the updated code and another log file.
Please note that the high-level API supports multi-tenancy. Each tenant has its own separate SAML configuration. I suggest taking a look at this to see if it meets your requirements as this most likely will be easier than using the low-level API.