Can't sign assertions

I am using low-level APIs.

SAMLMessageSignature.Generate(samlAssertionXml, x509Certificate.PrivateKey, x509Certificate); works to sign the response, but doesn’t work to sign the Assertion.

The code looks like this:

SAMLAssertion samlAssertion = new SAMLAssertion();

// … code to add the AuthnStatement, Subject, Conditions, etc.

var samlAssertionXml = samlAssertion.ToXml();
SAMLMessageSignature.Generate(samlAssertionXml, x509Certificate.PrivateKey, x509Certificate);
samlResponse.Assertions.Add(new SAMLAssertion(samlAssertionXml));

The exception I get is:

HResult: 0x80131600
Failed to generate XML signature.

Inner exception:

HResult: 0x80131430
Malformed reference element.

I have similar code to sign the response. If I skip the assertion signing code, the rest works fine, but I need to sign the assertion also.

Any ideas? Am I using the wrong method to sign the assertion?

You need to call SAMLAssertionSignature.Generate to generate an XML signature over the SAML assertion.
The following code outlines what you need to do.
// Construct a SAML assertion - details not shown.
var samlAssertion = new SAMLAssertion();

// Serialize to XML.
var samlAssertionElement = samlAssertion.ToXml();

// Sign the SAML assertion XML.
SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate);

// Add the signed SAML assertion XML to the SAML response.
samlResponse.Assertions.Add(samlAssertionElement);

Note that typically you sign either the SAML response or the SAML assertion but not both. The signature across the SAML response includes the SAML assertion.
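Added here as an illustration (not ComponentSpace's code and not the poster's): the same enveloped signature over an assertion, built and checked with the .NET SignedXml classes instead of the ComponentSpace helpers, showing why the signature's Reference must target the assertion's own ID attribute and where SAML 2.0 places the Signature element. It assumes an RSA certificate and an Assertion element that already carries an ID attribute and an Issuer child.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class AssertionSigning
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // Signs the <Assertion> element in place. The Reference URI is "#" + the assertion's
    // ID attribute; the signer resolves that ID to decide what the digest covers, so a
    // Reference whose ID cannot be resolved is a malformed reference.
    public static void Sign(XmlElement assertion, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(assertion) { SigningKey = cert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        var reference = new Reference("#" + assertion.GetAttribute("ID"));
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();
        // SAML 2.0 places ds:Signature directly after <Issuer>.
        XmlNode signature = assertion.OwnerDocument.ImportNode(signedXml.GetXml(), true);
        assertion.InsertAfter(signature, assertion["Issuer", SamlNs]);
    }

    // Relying-party check: exactly one ds:Signature as a direct child of the assertion,
    // its single Reference targets this assertion's ID, and it validates with the
    // certificate the relying party already trusts (not whatever KeyInfo was embedded).
    public static bool Verify(XmlElement assertion, X509Certificate2 trustedCert)
    {
        XmlElement signature = null;
        foreach (XmlNode child in assertion.ChildNodes)
            if (child is XmlElement e && e.LocalName == "Signature" && e.NamespaceURI == DsNs)
            {
                if (signature != null) return false; // more than one signature: reject
                signature = e;
            }
        if (signature == null) return false;
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(signature);
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var uri = ((Reference)signedXml.SignedInfo.References[0]).Uri;
        if (uri != "#" + assertion.GetAttribute("ID")) return false;
        return signedXml.CheckSignature(trustedCert, true);
    }
}
```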

Wow, thank you so much. That was exactly the problem.