Error occurred while decoding OAEP padding

Please help.

Getting error trying to process SSO request from testshib. Created the SP metadata using the provided MetadataExample project. Verified the metadata using the provided VerifySAML project. Used the provided certs. Using .NET 4.0. SHA-256 not possible currently. I am able to do SSO when not signing.

I have attached error log file and metadata file.

Error occurred while decoding OAEP padding.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Error occurred while decoding OAEP padding.

Source Error:

Line 44: 			// Receive and process the SAML assertion contained in the SAML response.
Line 45: 			// The SAML response is received either as part of IdP-initiated or SP-initiated SSO.
Line 46: 			SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out userName, out attributes, out targetUrl);
Line 47: 
Line 48: 			//Add additional info to the attribute list

Config looks like below:

samlConfiguration.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
{
    Name = "http://mayo.isrewards.dev:83",
    AssertionConsumerServiceUrl = "~/SAML/Shared/AssertionConsumerService.aspx",
    LocalCertificateFile = @"SAML\Certs\sp.pfx",
    LocalCertificatePassword = "password"
};

samlConfiguration.AddPartnerIdentityProvider(
    new PartnerIdentityProviderConfiguration()
    {
        Name = "https://idp.testshib.org/idp/shibboleth",
        SignAuthnRequest = false,
        WantSAMLResponseSigned = false,
        WantAssertionSigned = false,
        WantAssertionEncrypted = false,
        UseEmbeddedCertificate = true,
        SingleSignOnServiceUrl = "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
    });

Attaching the error Log file.

OAEP padding issues almost invariably are the result of the public key used to encrypt the random symmetric key and the private key used to decrypt not matching.
It appears that testshib is configured to use the sp.cer test certificate and you are using the corresponding sp.pfx.
Please double check that this is the case.
Also, please take a look at the Shibboleth logs at the time the error occurs.
https://idp.testshib.org/cgi-bin/idplog.cgi?lines=300&logname=shibd.log
If there’s still an issue, let me know.
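The key-pair check described in the reply above, as an added example that is not part of the original thread or of the SAML library: it compares the certificate taken from the SP metadata the IdP actually holds with the local sp.pfx, then repeats the OAEP wrap and unwrap of a random symmetric key. The class name, method names and command-line arguments are hypothetical; it assumes RSA keys and .NET Framework 4.0.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SpKeyPairCheck   // hypothetical helper, not part of the SAML library
{
    // True when both certificates carry the same encoded RSA public key.
    static bool SamePublicKey(X509Certificate2 idpSideCert, X509Certificate2 spPfx)
    {
        return idpSideCert.GetPublicKey().SequenceEqual(spPfx.GetPublicKey());
    }

    // Mirrors SAML key transport: wrap a random symmetric key with the public key
    // the IdP uses, then unwrap it with the SP's private key.
    static bool OaepRoundTrip(X509Certificate2 idpSideCert, X509Certificate2 spPfx)
    {
        var publicKey = (RSACryptoServiceProvider)idpSideCert.PublicKey.Key;
        var privateKey = (RSACryptoServiceProvider)spPfx.PrivateKey;
        var sessionKey = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(sessionKey);
        try
        {
            byte[] wrapped = publicKey.Encrypt(sessionKey, true);   // true = OAEP padding
            return privateKey.Decrypt(wrapped, true).SequenceEqual(sessionKey);
        }
        catch (CryptographicException ex)
        {
            // A mismatched key pair fails here, during the unwrap.
            Console.WriteLine("Unwrap failed: " + ex.Message);
            return false;
        }
    }

    static int Main(string[] args)
    {
        // args[0]: certificate saved from the SP metadata registered at the IdP (assumed path)
        // args[1]: the SP's PFX file, args[2]: its password
        var idpSideCert = new X509Certificate2(args[0]);
        var spPfx = new X509Certificate2(args[1], args[2]);
        if (!spPfx.HasPrivateKey)
        {
            Console.WriteLine("PFX has no private key; decryption cannot work.");
            return 2;
        }
        Console.WriteLine("IdP-side thumbprint: " + idpSideCert.Thumbprint);
        Console.WriteLine("Local PFX thumbprint: " + spPfx.Thumbprint);
        bool ok = SamePublicKey(idpSideCert, spPfx) && OaepRoundTrip(idpSideCert, spPfx);
        Console.WriteLine(ok ? "Key pair matches." : "Key pair does NOT match.");
        return ok ? 0 : 1;
    }
}
```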

Hi,

Thank you for the reply. I am still having the issue.

Yes, I double checked. I have the metadata and config details above. Do you see anything wrong with it?

I have attached the testshib log.

One thing I do see is that in the metadata I uploaded, I specify <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />. But in the shib log it is returning <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>. Could this be an issue since I am using .NET 4.0 and cannot handle sha256?

Ok, this turned out to be my mistake. I had another metadata file uploaded to testshib with the same EntityID. That metadata file had a different cert. Testshib must have returned that cert.

Thank you for the help.

I’m glad you resolved the issue and thanks for letting me know.