I am trying to authenticate a user coming from AD Federation Service. The SAML configuration used for this has partnerIdentityProviderConfiguration.UseEmbeddedCertificate set to true, so the AuthResponse includes the embedded certificate to verify the SAML assertions. But when I try to log in using this ADFS user, the following error message is logged…
fail: ComponentSpace.Saml2.SamlServiceProvider[100]
Receiving an SSO response from a partner identity provider has failed.
System.ArgumentNullException: Value cannot be null.
Parameter name: certificate
at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPublicKey[T](X509Certificate2 certificate, Predicate matchesConstraints)
at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPublicKey(X509Certificate2 certificate)
at ComponentSpace.Saml2.SamlProvider.VerifyXmlSignature(XElement signedElement, X509Certificate2 x509Certificate)
at ComponentSpace.Saml2.SamlServiceProvider.VerifySamlAssertionSignature(XElement samlAssertionElement, IList x509Certificates)
at ComponentSpace.Saml2.SamlServiceProvider.VerifySamlAssertionSignature(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertion(SamlResponse samlResponse)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponse(XElement samlResponseElement)
at ComponentSpace.Saml2.SamlServiceProvider.d__6.MoveNext()
In order to investigate, I decompiled and looked into the source code behind the implementation and, from what I saw, when partnerIdentityProviderConfiguration.UseEmbeddedCertificate is set to true, the certificate passed to the VerifyXmlSignature() method is null. Basically the code does not include a way to load the embedded certificate and use that to verify the SAML assertion. You would see this if you look at the VerifySamlAssertionSignature() method in SamlServiceProvider.cs in the ComponentSpace.Saml2 namespace.
In the VerifySamlAssertionSignature() method:

    // Decompiled; generic type arguments restored where the extraction dropped them.
    IList<X509Certificate2> x509Certificates = (IList<X509Certificate2>) null;
    if (!this.partnerIdentityProviderConfiguration.UseEmbeddedCertificate)
        x509Certificates = this.GetPartnerProviderSignatureCertificates();
    else
        // No certificate is loaded from the embedded KeyInfo on this branch.
        LoggerExtensions.LogDebug((ILogger) this.logger, "The embedded certificate is being used for the signature verification.", Array.Empty<object>());
    if (!this.VerifySamlAssertionSignature(assertionListItem.SignedAssertion, x509Certificates))
        throw new SamlSignatureException("The SAML assertion signature failed to verify.");
The x509Certificates variable will always be null if this.partnerIdentityProviderConfiguration.UseEmbeddedCertificate is true. Therefore the VerifySamlAssertionSignature() method will also pass a null value into the VerifyXmlSignature() method where there is supposed to be a certificate, and in the VerifyXmlSignature() method:

    // x509Certificate is null on the embedded-certificate path, so GetRSAPublicKey() throws.
    bool flag = this.XmlSignature.Verify(signedElement, (AsymmetricAlgorithm) x509Certificate.GetRSAPublicKey());

This line will throw the ArgumentNullException. How can I work around this situation where an embedded certificate is used? Is using embedded certificates not allowed in this implementation? I would be thankful for some guidance regarding this.
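As an added illustration (this is not ComponentSpace's code, and the class and method names are hypothetical), the following .NET snippet shows what a null-safe version of the verification path described above looks like: the signing certificate is taken from the configured partner certificates or, when the embedded-certificate setting is on, read from the signature's ds:KeyInfo/X509Data. In either case the certificate is only accepted if its thumbprint matches a configured partner certificate, so an embedded certificate on its own is never the trust anchor; anyone can embed a certificate of their choosing in a response they craft.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not ComponentSpace code. Names are hypothetical.
public static class AssertionSignatureCheck
{
    // Returns true only if exactly one enveloped signature is present on the
    // assertion, its reference points at the assertion itself, it verifies under
    // an RSA public key, and that key belongs to one of configuredCertificates
    // (matched by thumbprint). With useEmbeddedCertificate the key is read from
    // the embedded X509Data, but it must still match a configured certificate.
    public static bool Verify(
        XmlElement assertion,
        IList<X509Certificate2> configuredCertificates,
        bool useEmbeddedCertificate)
    {
        if (assertion == null) throw new ArgumentNullException(nameof(assertion));
        if (configuredCertificates == null || configuredCertificates.Count == 0)
            return false; // nothing to trust against

        var signatureNodes = assertion.GetElementsByTagName(
            "Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatureNodes.Count != 1)
            return false; // unsigned or multiply-signed assertion: reject

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml((XmlElement)signatureNodes[0]);

        // The reference must cover the assertion itself, not some other element.
        var assertionId = assertion.GetAttribute("ID");
        bool referencesAssertion = signedXml.SignedInfo.References
            .Cast<Reference>()
            .Any(r => r.Uri == "#" + assertionId);
        if (string.IsNullOrEmpty(assertionId) || !referencesAssertion)
            return false;

        var trustedThumbprints = new HashSet<string>(
            configuredCertificates.Where(c => c != null).Select(c => c.Thumbprint),
            StringComparer.OrdinalIgnoreCase);

        IEnumerable<X509Certificate2> candidates = useEmbeddedCertificate
            ? ExtractEmbeddedCertificates(signedXml.KeyInfo)
            : configuredCertificates;

        foreach (var certificate in candidates)
        {
            // This null check is what the decompiled code path above lacks.
            if (certificate == null) continue;
            // Pinning: an embedded certificate is usable only if it is also configured.
            if (!trustedThumbprints.Contains(certificate.Thumbprint)) continue;

            using (RSA rsa = certificate.GetRSAPublicKey())
            {
                if (rsa != null && signedXml.CheckSignature(rsa))
                    return true;
            }
        }
        return false;
    }

    // Pulls every certificate carried in ds:KeyInfo/ds:X509Data/ds:X509Certificate.
    private static IEnumerable<X509Certificate2> ExtractEmbeddedCertificates(KeyInfo keyInfo)
    {
        foreach (KeyInfoClause clause in keyInfo)
        {
            if (clause is KeyInfoX509Data x509Data && x509Data.Certificates != null)
            {
                foreach (X509Certificate cert in x509Data.Certificates)
                    yield return new X509Certificate2(cert);
            }
        }
    }
}
```

The thumbprint check is what keeps the embedded-certificate path from becoming "trust whatever the response says"; without it, the embedded certificate only proves that the response is consistent with itself, not that it came from the partner identity provider.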
My apologies. This is a bug that has been fixed in v1.0.3.
If you’d like to receive a beta version of this release please contact support@componentspace.com.
Please note that our recommendation is to use configured certificates rather than embedded certificates.
The UseEmbeddedCertificate setting is intended for testing purposes only.
Thank you. I would like to receive the v.1.0.3-beta to continue the work I am doing until the stable version arrives. I will send an email to the above-mentioned email address. Thank you for the prompt response.
You’re welcome.
Hi, Is there any expected release date for version 1.0.3?
I am experiencing the same issue, and I can test the beta version, but I would appreciate if you have a target date for this bugfix.
This was a migration project from the old SAML component to the .NET Core equivalent, and that's the reason we already have multiple configurations in production relying on the UseEmbeddedCertificate setting.
Many thanks,
Marlon.
Hi Marlon
Please contact support@componentspace.com if you’d like to receive the beta.
The official release is scheduled for next week.
Hi…
I'd really like to know a timeline for the release of NuGet v.1.0.3, because we are waiting on that release to move it to our live environments.
Coincidentally it was released today. Please email support to receive the update.
Great to hear that :) Thanks a lot.
You’re welcome.