Can't figure out why SAMLMessageSignature.Verify is returning false

I have set up Shibboleth as an IdP, using its default credentials (the certificates bundled with the installer). I think it is using the idp-signing.crt certificate to sign SAML responses. Using the LowLevelAPI ShibbolethSP example project, I have been able to log in through the Shibboleth IdP, as long as I comment out the “Verify the response’s signature” code. I made sure I added in SHA-256 XML signature support in Global.asax.cs, Application_Start. The message signature verification always returns false, even when I copy the idp-signing.crt file into the example directory and load that as an X509Certificate2 object, passing that in:

bool retVal = SAMLMessageSignature.Verify(samlResponseXml, x509Certificate); // is false

It even returns false when I pass no second param in, using the key info included with the signature to perform the verification:

bool retVal = SAMLMessageSignature.Verify(samlResponseXml); // is false

I can’t figure out why this verification is failing. I’ve uploaded a SAML response that is posted back from Shibboleth (formatted by FOXE but otherwise unchanged) here:
http://pastebin.com/EKCTbb12

Can anyone tell me why the Verify method might always be returning false?

The XML signature is using SHA-256 so it might be possible that the SHA-256 support on your system hasn’t been properly enabled.
Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com, mentioning this topic.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
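
An added diagnostic sketch, not part of the original thread and not ComponentSpace code: it uses only the .NET Framework `System.Security.Cryptography.Xml` classes to tell apart "the signature algorithm is not registered on this system" from "the algorithm is registered but the signature does not verify". The class name and the two file paths are assumptions; the project needs a reference to the System.Security assembly.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical helper class, named here for illustration only.
static class SamlSignatureDiagnostics
{
    public static string Diagnose(string responsePath, string certPath)
    {
        // Load the XML exactly as received: whitespace is covered by the digest.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load(responsePath);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);

        var sig = doc.SelectSingleNode("//ds:Signature", ns) as XmlElement;
        if (sig == null) return "no ds:Signature element found";

        var method = sig.SelectSingleNode("ds:SignedInfo/ds:SignatureMethod", ns) as XmlElement;
        string alg = method == null ? null : method.GetAttribute("Algorithm");
        if (string.IsNullOrEmpty(alg)) return "no SignatureMethod Algorithm attribute";

        // SignedXml resolves the algorithm URI through CryptoConfig. If nothing is
        // registered for it, verification cannot succeed whatever the certificate.
        if (!(CryptoConfig.CreateFromName(alg) is SignatureDescription))
            return "algorithm not registered: " + alg;

        var signedXml = new SignedXml((XmlElement)sig.ParentNode);
        signedXml.LoadXml(sig);

        // true = check only the signature, skip certificate chain validation.
        var cert = new X509Certificate2(certPath);
        return signedXml.CheckSignature(cert, true)
            ? "signature valid (" + alg + ")"
            : "signature invalid, although " + alg + " is registered";
    }

    static void Main(string[] args)
    {
        // Placeholder paths: a raw captured response and the IdP signing certificate.
        Console.WriteLine(Diagnose(args[0], args[1]));
    }
}
```

Run it in the same process configuration as the web application, since an algorithm registration made in Application_Start applies only to that application domain.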