I need help tracking down the cause for an error we are getting when decrypting an assertion using ADFS 3.0 as an IdP. When decrypting an assertion we get the following error:
ComponentSpace.SAML2.Exceptions.SAMLEncryptionException: Failed to decrypt XML. —> System.Security.Cryptography.CryptographicException: The data to be decrypted exceeds the maximum for this modulus of 256 bytes.
at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] data, RSAEncryptionPadding padding)
at ComponentSpace.SAML2.Utility.XmlEncryption.Decrypt(XmlElement encryptedElement, XmlNodeList encryptedKeysNodeList, AsymmetricAlgorithm keyDecryptingKey, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod)
— End of inner exception stack trace —
at ComponentSpace.SAML2.InternalSAMLServiceProvider.DecryptSAMLAssertion(Object samlAssertion)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.GetSAMLAssertion(SAMLResponse samlResponse, XmlElement samlResponseElement)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& userName, SAMLAttribute[]& attributes)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState)
at OurAPI.Controllers.SamlAuthenticationController.AssertionConsumerService()"
Has anyone run into anything similar to this? We are successfully doing this in other implementations with ADFS but something is wrong in this particular implementation that we are unable to track down. Does it have to do with the size of the assertion?
Thanks for the help.
Hi Nathan
This type of error usually means the wrong certificate is being used for the encryption.
Please ensure that the certificate configured under the encryption tab of the relying party’s properties in ADFS matches the private key you are using for the decryption.
The key used for decryption is specified by the LocalCertificateFile in your saml.config.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
Also include a screenshot of the encryption tab.