Certificate Question

I’m using the provided Example project as an IdP for testing against my SP. I’ve run into a problem and need to understand if this will be a problem when integrating with clients.

If I generate a self-signed cert using the makecert utility, using Provider Type 24, while also using the provided IdP cert in the Example project (which is Provider Type 24), I have no problems. I can do IdP Initiated SSO and SLO, as well as SP Initiated SSO and SLO.

If I use a certificate I purchased, that is using Provider Type 12, while using the provided IdP cert from the Example project (Type 24), I run into a problem against one of the scenarios. I can do IdP Initiated SSO and SLO, but I only can do SP Initiated SLO. If I try to do SP Initiated SSO I get the following error:

System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to generate signature ---> System.Security.Cryptography.CryptographicException: Invalid algorithm specified.

Does this mean that the IdP and SP certs need to be the same Provider Type? Or do all certs need to be Provider Type 24? Could you please provide some clarification for me?

[quote]
hatty324 - 2/1/2017
I'm using the provided Example project as an IdP for testing against my SP. I've run into a problem and need to understand if this will be a problem when integrating with clients.

If I generate a self-signed cert using the makecert utility, using Provider Type 24, while also using the provided IdP cert in the Example project (which is Provider Type 24), I have no problems. I can do IdP Initiated SSO and SLO, as well as SP Initiated SSO and SLO.

If I use a certificate I purchased, that is using Provider Type 12, while using the provided IdP cert from the Example project (Type 24), I run into a problem against one of the scenarios. I can do IdP Initiated SSO and SLO, but I only can do SP Initiated SLO. If I try to do SP Initiated SSO I get the following error:

System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to generate signature ---> System.Security.Cryptography.CryptographicException: Invalid algorithm specified.

Does this mean that the IdP and SP certs need to be the same Provider Type? Or do all certs need to be Provider Type 24? Could you please provide some clarification for me?
[/quote]

I believe I figured out the issue. I needed to specify the 'SignatureMethod' in the saml.config file to match 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', which would be the type of the SP certificate. It must be that the system is defaulting to 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' which is why it was failing as it was trying to sign the SP SSO using the wrong encryption algorithm, which fits the error :)

That's correct. We now default to SHA-256 signatures but you can through configuration or programmatically specify SHA-1.
If you purchase a certificate and the cryptographic service provider (CSP) type isn’t 24, you can use openssl to change the CSP type to 24.
This doesn’t affect the certificate in any other way.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
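A start-up check for the situation in this thread, added here as an example and not code from ComponentSpace or the original poster: it loads the SP signing certificate, reports the CSP provider type of its private key, and attempts a SHA-256 RSA signature so the "Invalid algorithm specified" failure surfaces before the first SP-initiated SSO. The PFX path and password are placeholders, and the code assumes .NET Framework, where a CAPI key is exposed as RSACryptoServiceProvider.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added diagnostic (not part of the ComponentSpace example project).
// Provider type 24 is "Microsoft Enhanced RSA and AES Cryptographic Provider",
// which supports SHA-256 signatures; type 12 ("Microsoft Enhanced Cryptographic
// Provider v1.0") only supports SHA-1 and throws "Invalid algorithm specified".
static class CspSignatureCheck
{
    const int ProvRsaAes = 24;

    static void Main()
    {
        // Placeholder path and password; replace with the SP certificate actually used.
        var cert = new X509Certificate2(@"C:\placeholder\sp.pfx", "placeholder-password",
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);

        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
        {
            Console.WriteLine("Private key is not a CAPI RSA key; CSP provider type does not apply.");
            return;
        }

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        Console.WriteLine("Provider type: {0} ({1})", info.ProviderType, info.ProviderName);

        byte[] probe = Encoding.UTF8.GetBytes("signature probe");
        try
        {
            // Same operation the SAML library performs for the default SHA-256 SignatureMethod.
            rsa.SignData(probe, "SHA256");
            Console.WriteLine("SHA-256 signing works; the SHA-256 default SignatureMethod is safe.");
        }
        catch (CryptographicException ex)
        {
            // This is the inner exception the SAMLSignatureException in the thread wraps.
            Console.WriteLine("SHA-256 signing failed: {0}", ex.Message);
            if (info.ProviderType != ProvRsaAes)
                Console.WriteLine("Re-export the PFX with CSP type 24, or set SignatureMethod to rsa-sha1.");
        }
    }
}
```

The openssl re-export the reply refers to is `openssl pkcs12 -export ... -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"`, which changes only the CSP name recorded in the PFX, not the key or certificate.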

[quote]
ComponentSpace - 2/1/2017
That's correct. We now default to SHA-256 signatures but you can through configuration or programmatically specify SHA-1.
If you purchase a certificate and the cryptographic service provider (CSP) type isn't 24, you can use openssl to change the CSP type to 24.
This doesn't affect the certificate in any other way.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
[/quote]

Awesome, thanks for that tidbit.

You’re welcome.