Error generating XML signature

Hello, I’m using your product to perform SAML authentication with Azure ADFS.
Last week we upgraded the .NET version to 4.7.2 and the “generation of the XML signature” stopped working.

My guess is that it has to do with a breaking change in .NET 4.7.1 where the default algorithm changed from SHA1 to SHA256. Now, I’m no expert in .NET programming, so I could use some help making this work.

Here is the error stack:

[1] Failed to generate XML signature.
at ssiDP.RssExtensionComponentSpace.MssSendAuthRequest(HeContext heContext, String inParamRelayState, Byte[] inParamCertificateSP, String inParamDestination, String inParamIssuer, String inParamPassword, String inParamBinding, String& outParamErrorMessage)
at ssiDP.Flows.FlowAuth.ScrnDoLogin.Preparation(HeContext heContext)
at ssiDP.Flows.FlowAuth.ScrnDoLogin.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[2] Invalid algorithm specified.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash, Int32 cbHash, ObjectHandleOnStack retSignature)
at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash)
at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash)
at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)

And here is the implementation of the class:

using System;
using System.Web;
using System.Xml;
using System.Security.Cryptography.X509Certificates;
// AuthnRequest, Issuer, NameIDPolicy, ServiceProvider and SAMLMessageSignature
// come from the ComponentSpace SAML2 library namespaces.

/// <summary>
/// Builds a SAML AuthnRequest, signs it with the SP certificate and sends it to the IdP.
/// </summary>
/// <param name="ssRelayState">Relay state returned by the IdP</param>
/// <param name="ssCerteficate">SP Certificate (PFX bytes)</param>
/// <param name="ssDestination">IdP destination URL</param>
/// <param name="ssIssuer">SP issuer (entity ID)</param>
/// <param name="ssPassword">Certificate Password</param>
/// <param name="ssBinding">Redirect or Post</param>
public void MssSendAuthRequest(string ssRelayState, byte[] ssCerteficate, string ssDestination, string ssIssuer, string ssPassword, string ssBinding)
{
    // Create the authentication request.
    AuthnRequest authnRequest = new AuthnRequest();
    authnRequest.Destination = ssDestination;
    authnRequest.Issuer = new Issuer(ssIssuer);
    authnRequest.ForceAuthn = false;
    authnRequest.NameIDPolicy = new NameIDPolicy(null, null, true);

    // Serialize the authentication request to XML for transmission.
    XmlElement authnRequestXml = authnRequest.ToXml();

    // Load the SP certificate (and its private key) from the PFX bytes.
    X509Certificate2 x509Certificate = new X509Certificate2(ssCerteficate, ssPassword, X509KeyStorageFlags.MachineKeySet);

    // Sign and send the request using the requested binding.
    switch (ssBinding.ToLower())
    {
        case "redirect":
            // Redirect binding: the signature goes in the query string, so no XML signature is generated.
            ServiceProvider.SendAuthnRequestByHTTPRedirect(HttpContext.Current.Response, ssDestination, authnRequestXml, ssRelayState, x509Certificate.PrivateKey);
            break;
        case "post":
            // POST binding: the XML signature is embedded in the AuthnRequest before it is posted.
            SAMLMessageSignature.Generate(authnRequestXml, x509Certificate.PrivateKey, x509Certificate);
            ServiceProvider.SendAuthnRequestByHTTPPost(HttpContext.Current.Response, ssDestination, authnRequestXml, ssRelayState);
            HttpContext.Current.Response.End();
            break;
    }
} // MssSendAuthRequest

Help is appreciated.
Best regards,
Carlos Rocha
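As an added example (not ComponentSpace's code and not from the post above), the following C# reproduces what the library's SAMLMessageSignature.Generate call does with the standard .NET Framework SignedXml class, signing with RSA-SHA256 and verifying the result, and first inspects the certificate's private key. "Invalid algorithm specified" thrown from RSACryptoServiceProvider.SignHash is the error a legacy CAPI provider that only implements SHA-1 (for example "Microsoft Strong Cryptographic Provider") raises when asked for a SHA-256 signature, and a PFX can name the provider its key is imported into, so the check prints which provider holds the key and re-opens it under the AES-capable provider when needed. The class name Sha256XmlSigner, the AuthnRequest fragment and the command-line PFX path and password are constructed for this example; it assumes .NET Framework 4.6.2 or later for SignedXml.XmlDsigRSASHA256Url and X509Certificate2.GetRSAPrivateKey.

```csharp
// Added example, not ComponentSpace's or the poster's code. Signs an element with
// RSA-SHA256 via System.Security.Cryptography.Xml and verifies it, after checking
// whether the certificate's private key can produce SHA-256 signatures at all.
// Assumes .NET Framework 4.6.2+ (SignedXml.XmlDsigRSASHA256Url, GetRSAPrivateKey).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class Sha256XmlSigner   // hypothetical class name
{
    // PROV_RSA_AES (24) is the only legacy Microsoft CSP type that implements SHA-2.
    private const int ProvRsaAes = 24;
    private const string AesProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";

    // Returns an RSA key that can sign with SHA-256. A CNG key (RSACng) or a CAPI key
    // already under the AES provider is returned as-is; a CAPI key under an older
    // provider (the source of "Invalid algorithm specified") is re-opened under the
    // AES provider, which shares key storage with the other Microsoft software CSPs.
    public static RSA GetSha256CapableKey(X509Certificate2 cert)
    {
        RSA key = cert.GetRSAPrivateKey();
        if (key == null)
            throw new InvalidOperationException("certificate has no RSA private key");

        var csp = key as RSACryptoServiceProvider;
        if (csp == null || csp.CspKeyContainerInfo.ProviderType == ProvRsaAes)
            return key;

        CspKeyContainerInfo info = csp.CspKeyContainerInfo;
        Console.WriteLine("Key is in CSP '{0}' (type {1}), which lacks SHA-256; re-opening under '{2}'",
                          info.ProviderName, info.ProviderType, AesProviderName);
        var parameters = new CspParameters(ProvRsaAes, AesProviderName, info.KeyContainerName)
        {
            KeyNumber = (int)info.KeyNumber,
            Flags = CspProviderFlags.UseExistingKey
        };
        if (info.MachineKeyStore)   // set when the PFX was loaded with MachineKeySet
            parameters.Flags |= CspProviderFlags.UseMachineKeyStore;
        return new RSACryptoServiceProvider(parameters);
    }

    // Enveloped signature over the element with the given ID attribute, exclusive C14N,
    // SHA-256 digest and RSA-SHA256 signature, with the certificate in KeyInfo.
    public static XmlElement Sign(XmlElement element, string elementId, RSA key, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(element.OwnerDocument) { SigningKey = key };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        var reference = new Reference("#" + elementId) { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();   // the call that threw in the poster's stack trace
        XmlElement signature = signedXml.GetXml();
        // Appended for the demo; a SAML message places ds:Signature right after saml:Issuer.
        element.AppendChild(element.OwnerDocument.ImportNode(signature, true));
        return signature;
    }

    // Verifies against the known SP certificate rather than trusting KeyInfo.
    public static bool Verify(XmlElement element, X509Certificate2 cert)
    {
        XmlNodeList nodes = element.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1)
            return false;
        var signedXml = new SignedXml(element.OwnerDocument);
        signedXml.LoadXml((XmlElement)nodes[0]);
        return signedXml.CheckSignature(cert, true);
    }

    // Usage: Sha256XmlSigner.exe <sp.pfx> <password>  (constructed inputs, as in the post)
    public static void Main(string[] args)
    {
        // Constructed minimal AuthnRequest; the ID attribute is what the Reference URI resolves.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(
            "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"" +
            " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_constructed-id-1\"" +
            " Version=\"2.0\" IssueInstant=\"2020-01-01T00:00:00Z\">" +
            "<saml:Issuer>https://sp.example.test</saml:Issuer></samlp:AuthnRequest>");

        var cert = new X509Certificate2(args[0], args[1], X509KeyStorageFlags.MachineKeySet);
        RSA key = GetSha256CapableKey(cert);
        Sign(doc.DocumentElement, "_constructed-id-1", key, cert);
        Console.WriteLine(doc.OuterXml);
        Console.WriteLine("signature verifies: " + Verify(doc.DocumentElement, cert));
    }
}
```

Running this against the same PFX the application loads shows whether the key's provider is the problem: if GetSha256CapableKey reports a non-AES provider and the signature then verifies, the deployed fix is either to re-create the PFX so its key lands in the AES-capable provider (certutil's -csp option) or to hand the re-opened RSACryptoServiceProvider to the library instead of x509Certificate.PrivateKey, which the post's Generate call already accepts as a separate argument. If the key is a CNG key or already under provider type 24, the provider is not the cause and the SAML trace the reply asks for is the next step.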

Hi Carlos,

It’s the SAML library rather than the .NET framework that specifies SHA-256 as the default algorithm, so I don’t think that’s the issue.

Are you using the same X.509 certificate as you were previous to the .NET framework upgrade?

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace