Exception: ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to verify the XML signature

Hello,
One of the partners is getting the error message below. The cert is embedded in the body.

Can you explain if it's related to the partner's cert being expired or something?

ComponentSpace.SAML2 Verbose: 0 : 6760/49: 3/5/2020 11:03:25 AM: The X.509 certificate with subject name CN=*** and serial number 065B485D29F4EDE9737ED855FE0DB73C is embedded in the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 6760/49: 3/5/2020 11:03:25 AM: Exception: ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to verify the XML signature. ---> System.Security.Cryptography.CryptographicException: An internal error occurred.

at System.Security.Cryptography.NCryptNative.OpenStorageProvider(String providerName)
at System.Security.Cryptography.CngKey.Import(Byte[] keyBlob, String curveName, CngKeyBlobFormat format, CngProvider provider)
at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPublicKey(X509Certificate2 certificate)
at System.Security.Cryptography.X509Certificates.X509CertificateExtensions.GetAnyPublicKey(X509Certificate2 c)
at System.Security.Cryptography.Xml.SignedXml.GetPublicKey()
at System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(AsymmetricAlgorithm& signingKey)
at ComponentSpace.SAML2.Utility.XmlSignature.Verify(XmlElement xmlElement, AsymmetricAlgorithm signingKey, ISignedXmlFactory signedXmlFactory, Boolean clone, Boolean declareAllNamespaces) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 364
at ComponentSpace.SAML2.Utility.XmlSignature.Verify(XmlElement xmlElement, AsymmetricAlgorithm signingKey, ISignedXmlFactory signedXmlFactory) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 860
--- End of inner exception stack trace ---

That exception isn’t related to the certificate being expired etc.

There’s an issue attempting to load the public key. Unfortunately the Windows Crypto API error reporting is a bit terse. The “internal error” could result from a number of issues.

Please try each of the following, one at a time.

1. Restart IIS.
2. Confirm the CNG Key Isolation Windows service is running.
3. Under the advanced settings for the application pool in IIS, ensure Load User Profile is set to true.
4. Under the advanced settings for the application pool in IIS, change the Identity to ApplicationPoolIdentity.
5. If the certificate is stored on the file system, confirm that the account under which the application is running has read permission to the certificate file.
6. Import the certificate into the Windows Certificate store and then export it as a base-64 encoded certificate file. Use the exported certificate file.

I suggest trying each of the above individually and retesting before moving on to the next so you can identify which step resolved the issue.

Let us know which, if any, of these steps resolved the issue.

If none of these suggestions help, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
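The six checks above gathered into one PowerShell diagnostic script that reports each setting rather than changing it (the fix commands are shown in the warnings). This is an added example, not ComponentSpace's code or anything posted in the thread. The application pool name and certificate path are assumed placeholders; `KeyIso` is the Windows service name behind the "CNG Key Isolation" display name. The script also calls `RSACertificateExtensions.GetRSAPublicKey` directly, which is the method throwing in the stack trace, so you can see whether the failure reproduces outside IIS. Run it in an elevated PowerShell on the web server.

```powershell
# Added diagnostic script (not from the thread or ComponentSpace). Reports on
# each of the six troubleshooting steps; it changes nothing on the server.
param(
    [string]$AppPoolName = 'DefaultAppPool',              # assumption: your application pool
    [string]$CertPath    = 'C:\inetpub\certs\partner.cer' # assumption: the partner's certificate file
)

# Step 1 is simply `iisreset` (or restarting the site and pool) and is not scripted here.

# Step 2: CNG Key Isolation (service name KeyIso) must be running; CngKey.Import and
# NCryptOpenStorageProvider in the stack trace depend on it.
$keyIso = Get-Service -Name KeyIso -ErrorAction SilentlyContinue
if ($null -eq $keyIso) {
    Write-Warning 'CNG Key Isolation service (KeyIso) was not found on this machine.'
} elseif ($keyIso.Status -ne 'Running') {
    Write-Warning "CNG Key Isolation service is $($keyIso.Status). Fix: Start-Service KeyIso"
} else {
    Write-Output 'OK: CNG Key Isolation service is running.'
}

# Steps 3 and 4: Load User Profile and the pool identity, read from the IIS provider.
Import-Module WebAdministration -ErrorAction Stop
$pool = Get-Item "IIS:\AppPools\$AppPoolName" -ErrorAction Stop
$pm   = $pool.processModel
if (-not $pm.loadUserProfile) {
    Write-Warning "Load User Profile is false. Fix: Set-ItemProperty IIS:\AppPools\$AppPoolName -Name processModel.loadUserProfile -Value `$true"
} else {
    Write-Output 'OK: Load User Profile is true.'
}
if ("$($pm.identityType)" -ne 'ApplicationPoolIdentity') {
    Write-Warning "Identity is $($pm.identityType). Fix: Set-ItemProperty IIS:\AppPools\$AppPoolName -Name processModel.identityType -Value ApplicationPoolIdentity"
} else {
    Write-Output 'OK: Identity is ApplicationPoolIdentity.'
}

# Step 5: the worker process account must be able to read the certificate file.
# With ApplicationPoolIdentity the account is "IIS AppPool\<pool name>". This is an
# approximate check: it looks at explicit Allow entries for the pool account and the
# usual broad groups, and does not evaluate nested group membership or Deny entries.
if (Test-Path -Path $CertPath) {
    $poolAccount = "IIS AppPool\$AppPoolName"
    $broadGroups = @($poolAccount, 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $readData    = [System.Security.AccessControl.FileSystemRights]::ReadData
    $readable = (Get-Acl -Path $CertPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadGroups -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $readData) -ne 0)
    }
    if ($readable) {
        Write-Output "OK: an Allow/Read ACE exists for $(($readable | Select-Object -First 1).IdentityReference)."
    } else {
        Write-Warning "No Allow/Read ACE found for $poolAccount on $CertPath. Fix: icacls `"$CertPath`" /grant `"${poolAccount}:(R)`""
    }
} else {
    Write-Warning "Certificate file not found: $CertPath"
}

# Reproduce the failing call from the stack trace outside IIS. This runs as the
# current user, so success here does not prove the app pool account will succeed,
# but a failure here points at the file or the machine rather than at IIS.
$cert = $null
try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    Write-Output "Loaded: $($cert.Subject), serial $($cert.SerialNumber), expires $($cert.NotAfter)"
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    Write-Output "OK: GetRSAPublicKey returned a $($rsa.KeySize)-bit RSA public key."
} catch {
    Write-Warning "Loading the certificate or GetRSAPublicKey failed: $($_.Exception.Message)"
}

# Step 6: re-export the public certificate as plain base-64 (PEM) so the application
# reads a file with a known-good encoding. Written next to the original with a new extension.
if ($cert) {
    $exportPath = [System.IO.Path]::ChangeExtension($CertPath, '.base64.cer')
    $b64 = [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
    Set-Content -Path $exportPath -Value $pem -Encoding Ascii
    Write-Output "Exported base-64 certificate to $exportPath; point the application at this file to test step 6."
}
```

Run the steps in the order the post gives them and retest after each change; if every check reports OK and the exception persists, enable SAML trace as described and send the log to support.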

[quote]
ComponentSpace - 3/5/2020
That exception isn't related to the certificate being expired etc.

There's an issue attempting to load the public key. Unfortunately the Windows Crypto API error reporting is a bit terse. The "internal error" could result from a number of issues.

Please try each of the following, one at a time.

1. Restart IIS.
2. Confirm the CNG Key Isolation Windows service is running.
3. Under the advanced settings for the application pool in IIS, ensure Load User Profile is set to true.
4. Under the advanced settings for the application pool in IIS, change the Identity to ApplicationPoolIdentity.
5. If the certificate is stored on the file system, confirm that the account under which the application is running has read permission to the certificate file.
6. Import the certificate into the Windows Certificate store and then export it as a base-64 encoded certificate file. Use the exported certificate file.

I suggest trying each of the above individually and retesting before moving on to the next so you can identify which step resolved the issue.

Let us know which, if any, of these steps resolved the issue.

If none of these suggestions help, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

Hello,

I had already restarted the app pools and the IIS web instance, but that did not solve it. I tried restarting the entire IIS today and it solved the issue. I'm not sure why or what really caused the issue. The version of IIS is 7.5.

Thanks for your assistance.

Endrit

Thanks for the update. I’m not sure what the issue was either but I’m glad the IIS restart resolved it.