Hello,
I’m hoping someone here will be able to assist me with the following.
I’m getting ComponentSpace.Saml2.Exceptions.SamlSignatureException: The authn request signature failed to verify. exception when receiving a SAML request from out Service Provider.
I have verified the public key provided to the SP a number of times as well as our IDP certificate per the following post (https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type)
I’ve enabled tracing in our IDP code but the only two messages I see in the log are:
Receiving an SSO request from a partner service provider has failed.
followed by
"ComponentSpace.Saml2.Exceptions.SamlSignatureException: The authn request signature failed to verify. at ComponentSpace.Saml2.SamlIdentityProvider.VerifyAuthnRequestSignatureAsync(XmlElement authnRequestElement, String signatureAlgorithm, String signature) at ComponentSpace.Saml2.SamlIdentityProvider.ProcessAuthnRequestAsync(XmlElement authnRequestElement, String signatureAlgorithm, String signature) at ComponentSpace.Saml2.SamlIdentityProvider.ReceiveSsoAsync()
Here is the request that contains the signature that’s failing to verify.
SAMLRequest=fZFBa4NAFIT%2FiuxdzRqjZlEhNBSElpZaeuilbPSZLOhbu28NaX99jUlK0kOPO8wws99LSXZtL1aD3eELfA5A1inWGfvgYd2EmyBym4DP3TCJa3fJo7nLQSZVGIdxHDXMeQNDSmPGAm%2FGnIJogALJSrSjNONLdxa5nL%2FyRASRWCTeInhnznosUSjtFNxZ25PwfTuKHtQGem0seUBeD9KQRq%2FSnW%2BkL1G2X99ggIbWkl8q3LZQqi0%2BYQlmrypgzr02FUx%2FyVgjW4LjpmdJpPbwq6yIwBzL7zTS0IE5xwus4TDOHh3WGrUZLJwcY9OthTPn0LVIYoKXscGg0JIUCZQdkLCVKFePD2KEInqjra50y%2FL06BYTI3OV%2Fz8uL2NZfkPqjOEC5Q%2Bv1L%2Fqyk%2Bv2yPnPw%3D%3D&RelayState=3fc2d3c2-8a4f-44c6-9862-8a68cc127180&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=DHbYog1a7lnwbh8HHpnOMUJPr%2Ft4V7OO0rKyV3xW8OabGpsN96HjscNgOTqRrPBsEbO2%2F4%2FclZf2MA7WKXVLAV5RpdHTaYmdkvSZ87oEN2mJ7il7XVNCsF1bNo02djocLTbktN%2FucvxuMyVIu0KarWniSRPLC%2FbQrNpXOw6UcHQvdnwdZkDBxfabdQJk8YM9bMuaIKklrKqEJRD94TimWUpNrpc%2F9Fcf2IZ68pTAOmgIwJL84LJi5Whh4ta0Tl5%2FA5abhzvSMC3zKr%2FHc4Woq4T8t7u1Loyk1xD%2BALMSVhUP2jee3hAuUTv9AwF0UFlF9uxPBXk%2FCkID1xXDrp1%2FrA%3D%3D
Here are the idp.pfx attributes:
Bag Attributes
localKeyID: 7F 94 D7 E7 B2 62 5B BF 1F 88 2D 79 5A D7 75 C9 1C 26 2C 41
Microsoft CSP Name: Microsoft Enhanced RSA and AES Cryptographic Provider
Is there anything else I can look at to determine why the exception?
I’m using .net core 2.2 and the trial version of ComponentSpace SAML
This is my ComponentSpace config logic:
private void ConfigureSaml(SamlConfigurations samlConfigurations)
{
string certPassword = Configuration[“CertPassword”];
string decryptedPassword = DataProtector.DecryptString(certPassword);
samlConfigurations.Configurations = new List()
{
new SamlConfiguration()
{
LocalIdentityProviderConfiguration = new LocalIdentityProviderConfiguration()
{
Name = Configuration[“LocalIdentityProviderConfiguration:Name”],
Description = “My Identity Provider”,
SingleSignOnServiceUrl = Configuration[“LocalIdentityProviderConfiguration:SingleSignOnServiceUrl”],
SingleLogoutServiceUrl = Configuration[“LocalIdentityProviderConfiguration:SingleLogoutServiceUrl”],
ArtifactResolutionServiceUrl = Configuration[“LocalIdentityProviderConfiguration:ArtifactResolutionServiceUrl”],
LocalCertificates = new List()
{
new Certificate()
{
FileName = “certificates/idp.pfx”,
Password = decryptedPassword
}
}
},
PartnerServiceProviderConfigurations = new List()
{
new PartnerServiceProviderConfiguration()
{
Name = Configuration[“PartnerServiceProviderConfigurations:Name”],
Description = “xxService”,
WantAuthnRequestSigned = true,
SignSamlResponse = true,
SignAssertion = true,
AssertionConsumerServiceUrl = Configuration[“PartnerServiceProviderConfigurations:SPAuthProxyUrl”],
SingleLogoutServiceUrl = Configuration[“PartnerServiceProviderConfigurations:SPAuthProxyUrl”],
ArtifactResolutionServiceUrl = Configuration[“PartnerServiceProviderConfigurations:SPAuthProxyUrl”],
PartnerCertificates = new List()
{
new Certificate()
{
FileName = “certificates/spSense.cer”
}
}
}
}
}
};
}
Thank you,
The signature will attempt to be verified using certificates/spSense.cer. The SP must signed the authn request using the corresponding private key.
You mentioned the public key provided to the SP and your IdP PFX file. The certificates/idp.pfx is used to sign the SAML response or assertion sent to the SP.
The SP will use the corresponding public key (ie .cer file) to verify the signature.
Please double check with the SP that the certificates/spSense.cer is the correct certificate/public key for verifying their signature.