Failed to verify the XML signature. - Malformed reference element.

Hi there,

I’m having problems trying to get the MvcExampleServiceProvider example (VS2015, SAML2, .NET 4) working with Azure AD.

I have changed the Azure AD provider config to include my actual guid and to use SHA-256 signatures:

<PartnerIdentityProvider Name="https://sts.windows.net/my-guid/"
Description="Azure AD"
SignLogoutRequest="true"
WantSAMLResponseSigned="false"
WantAssertionSigned="true"
WantLogoutResponseSigned="true"
UseEmbeddedCertificate="true"
SignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SingleSignOnServiceUrl="https://login.microsoftonline.com/my-guid/saml2"
SingleLogoutServiceUrl="https://login.microsoftonline.com/my-guid/saml2"/>

I have also changed the “PartnerIdP” value in web.config to use the above provider.
When I try running the example application I am taken to the Azure SSO screen and then returned to the AssertionConsumerService() method in the SAMLController.

When I get to the following line:

SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out userName, out attributes, out targetUrl);

I get an exception as follows:


[CryptographicException: Malformed reference element.]
System.Security.Cryptography.Xml.Reference.CalculateHashValue(XmlDocument document, CanonicalXmlNodeList refList) +1020
System.Security.Cryptography.Xml.SignedXml.CheckDigestedReferences() +154
System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key) +73
System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(AsymmetricAlgorithm& signingKey) +74
System.Security.Cryptography.Xml.SignedXml.CheckSignature() +13
ComponentSpace.SAML2.Utility.XmlSignature.Verify(XmlElement xmlElement, AsymmetricAlgorithm signingKey, SignedXml signedXml) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:698

[SAMLSignatureException: Failed to verify the XML signature.]
ComponentSpace.SAML2.Utility.XmlSignature.Verify(XmlElement xmlElement, AsymmetricAlgorithm signingKey, SignedXml signedXml) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:727
ComponentSpace.SAML2.Utility.XmlSignature.Verify(XmlElement xmlElement, X509Certificate2 x509Certificate, SignedXml signedXml) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:671
ComponentSpace.SAML2.Protocols.SAMLMessageSignature.Verify(XmlElement xmlElement, X509Certificate2 x509Certificate) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Protocols\SAMLMessageSignature.cs:455
ComponentSpace.SAML2.AbstractSAMLProvider.VerifySAMLMessageSignature(XmlElement xmlElement, IList x509Certificates) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\AbstractSAMLProvider.cs:119
ComponentSpace.SAML2.InternalSAMLServiceProvider.VerifySAMLAssertionSignature(Object samlAssertion) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:317
ComponentSpace.SAML2.InternalSAMLServiceProvider.GetSAMLAssertion(SAMLResponse samlResponse, XmlElement samlResponseElement) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:331
ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& userName, SAMLAttribute[]& attributes) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:576
ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:769
ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLServiceProvider.cs:250
ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, IDictionary& attributes, String& relayState) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLServiceProvider.cs:230
MvcExampleServiceProvider.Controllers.SAMLController.AssertionConsumerService() in C:\Program Files (x86)\ComponentSpace SAML v2.0 for .NET\Examples\SSO\HighLevelAPI\MVC\MvcExampleServiceProvider\Controllers\SAMLController.cs:37
lambda_method(Closure , ControllerBase , Object[] ) +61
System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +30
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary parameters) +215
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary parameters) +46
System.Web.Mvc.Async.AsyncControllerActionInvoker.InvokeSynchronousActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary parameters) +30
System.Web.Mvc.Async.<>c__DisplayClass42.b__41() +35
System.Web.Mvc.Async.<>c__DisplayClass8.b__7(IAsyncResult _) +27
System.Web.Mvc.Async.WrappedAsyncResult.End() +59
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +68
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +34
System.Web.Mvc.Async.<>c__DisplayClass39.b__33() +77
System.Web.Mvc.Async.<>c__DisplayClass4f.b__49() +230
System.Web.Mvc.Async.<>c__DisplayClass37.b__36(IAsyncResult asyncResult) +27
System.Web.Mvc.Async.WrappedAsyncResult.End() +59
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +68
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
System.Web.Mvc.Async.<>c__DisplayClass2a.b__20() +43
System.Web.Mvc.Async.<>c__DisplayClass25.b__22(IAsyncResult asyncResult) +123
System.Web.Mvc.Async.WrappedAsyncResult.End() +59
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +30
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +29
System.Web.Mvc.<>c__DisplayClass1d.b__18(IAsyncResult asyncResult) +27
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +35
System.Web.Mvc.Async.WrappedAsyncResult.End() +59
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +30
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +21
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +32
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +35
System.Web.Mvc.Async.WrappedAsyncResult.End() +59
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +30
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +21
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +29
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +24
System.Web.Mvc.<>c__DisplayClass8.b__3(IAsyncResult asyncResult) +31
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +35
System.Web.Mvc.Async.WrappedAsyncResult.End() +59
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +30
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +21
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +29
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +23
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9744373
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

Additional logging:


ComponentSpace.SAML2 Verbose: 0 : 4664/6: 29/06/2016 09:30:58: Enabling support for SHA-256, SHA-384 and SHA-512 signatures.
ComponentSpace.SAML2 Verbose: 0 : 4664/6: 29/06/2016 09:30:58: Verifying the SAML assertion signature.
ComponentSpace.SAML2 Verbose: 0 : 4664/6: 29/06/2016 09:30:58: The embedded certificate is being used for the signature verification.
ComponentSpace.SAML2 Verbose: 0 : 4664/6: 29/06/2016 09:30:58: Verifying the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 4664/6: 29/06/2016 09:30:58: No XML element was found with a message ID of _7ceadf6b-0de8-4f6b-ac3e-46537c514d09 in the document
ComponentSpace.SAML2 Verbose: 0 : 4664/6: 29/06/2016 09:30:58: XML signature method: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
ComponentSpace.SAML2 Verbose: 0 : 4664/6: 29/06/2016 09:30:58: The X.509 certificate with subject name CN=accounts.accesscontrol.windows.net and serial number 40D5EB9B384B3785469545C3602453DF is embedded in the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 4664/6: 29/06/2016 09:30:58: Exception: ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to verify the XML signature. ---> System.Security.Cryptography.CryptographicException: Malformed reference element.


Can somebody please advise what might be going wrong?

Thanks in advance!

Chris
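The trace above shows the root of the .NET error: "Malformed reference element" is what SignedXml throws when the ds:Reference URI (here "#_7ceadf6b-…") cannot be resolved to an element in the document. The helper below is an added example, not ComponentSpace or Microsoft code: it checks the reference before verification, treats an ambiguous ID as a signature-wrapping red flag, and then verifies with the embedded certificate. It assumes a plain (unencrypted) saml:Assertion carrying its own ds:Signature; the class and method names are hypothetical.

```csharp
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text.RegularExpressions;
using System.Xml;

// Hypothetical helper (not ComponentSpace code): explains why the assertion's
// ds:Reference cannot be resolved before SignedXml is asked to compute the digest.
public static class AssertionSignatureCheck
{
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns null when the assertion signature verifies, otherwise a reason to log.
    public static string Verify(string samlResponseXml)
    {
        // Whitespace is part of the canonicalised bytes, so it must be preserved.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(samlResponseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", DsNs);
        ns.AddNamespace("saml", SamlNs);
        var assertion = doc.SelectSingleNode("//saml:Assertion", ns) as XmlElement;
        if (assertion == null) return "no saml:Assertion element in the response";
        // Only a Signature that is a direct child of the Assertion covers it.
        var sigElement = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sigElement == null) return "assertion is not signed";
        var uriAttr = sigElement.SelectSingleNode("ds:SignedInfo/ds:Reference/@URI", ns);
        string uri = uriAttr == null ? "" : uriAttr.Value;
        string id = assertion.GetAttribute("ID");
        // Accept only a same-document reference to this assertion's own ID.
        if (!Regex.IsMatch(id, @"^[A-Za-z_][\w.\-]*$")) return "assertion ID is not a valid NCName";
        if (uri != "#" + id) return "Reference URI '" + uri + "' does not point at assertion ID " + id;
        // SignedXml resolves "#id" by searching Id/id/ID attributes: zero hits gives
        // "Malformed reference element", more than one hit is a wrapping red flag.
        var hits = doc.SelectNodes("//*[@ID='" + id + "' or @Id='" + id + "' or @id='" + id + "']");
        if (hits.Count != 1) return "ID " + id + " resolves to " + hits.Count + " elements, expected 1";
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sigElement);
        // The thread's config uses UseEmbeddedCertificate="true"; a hardened SP should
        // instead compare this certificate against the one from the IdP's metadata.
        var x509 = signedXml.KeyInfo.OfType<KeyInfoX509Data>().FirstOrDefault(k => k.Certificates.Count > 0);
        if (x509 == null) return "no X.509 certificate embedded in KeyInfo";
        var cert = (X509Certificate2)x509.Certificates[0];
        // verifySignatureOnly = true skips chain building; trust comes from pinning, not PKI.
        return signedXml.CheckSignature(cert, true) ? null : "digest or signature value mismatch";
    }
}
```

Running this on the raw SAMLResponse (after base64 decoding, before any parsing that could reformat it) tells you whether the IdP's reference actually targets the assertion that was received.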

Hi Chris
My apologies but this looks like a bug. Please email our support and we’ll get you an update.

Hi ComponentSpace team,
We are encountering the issue of SAML signature failure. The issue exception is below.
We verified the certificate file and that seems to be correct. What can cause this issue?
Also, what is the difference between <saml2p:Response> and <samlp:Response ID=>?

relayState=ComponentSpace.SAML2 Verbose: 0 : 3:35:58 PM: Exception: ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to verify the XML signature. ---> System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
at ComponentSpace.SAML2.Utility.XmlSignature.Verify(XmlElement xmlElement, AsymmetricAlgorithm signingKey, SignedXml signedXml)

It might be that the XML signature is using SHA-256 and you are using an older version of the ComponentSpace.SAML2 DLL which doesn’t include automatic support for this.
To check this, could you please enable SAML trace and send the generated log file to our support email address, mentioning your forum post?
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Also mention which version of the DLL you are using.
http://www.componentspace.com/Forums/31/Determining-the-Component-Version-and-License
The saml2p:Response and samlp:Response are essentially the same. They differ by namespace prefix only. What is important is the element names and namespace declarations. The prefixes can be anything. The samlp prefix is suggested by the SAML v2.0 specification and is what we use. However, any prefix may be used. This won’t affect the XML signature.

The XML signature generated by the IdP would be using the latest version of the ComponentSpace DLLs that support SHA-256?

If the IdP is using our product then it’s most likely a recent version that automatically supports SHA-256 XML signatures.
The simplest solution is to upgrade to the latest version to pick up support for SHA-256.
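For readers who cannot upgrade immediately: "SignatureDescription could not be created for the signature algorithm supplied" means CryptoConfig has no SignatureDescription mapped to the rsa-sha256 URI, which is the case on .NET Framework releases before 4.6.2 unless something registers one. The code below is an added example, not ComponentSpace code, of that registration; the inference that the trace line "Enabling support for SHA-256, SHA-384 and SHA-512 signatures" in Chris's log reflects the same mechanism is an assumption, and the class and method names are hypothetical.

```csharp
using System.Security.Cryptography;

// Added example, not ComponentSpace code. Maps the rsa-sha256 URI to a SignatureDescription
// so SignedXml.CheckSignature can verify SHA-256 signatures on .NET Framework < 4.6.2.
// On 4.6.2 and later the framework ships this mapping itself.
public sealed class RsaPkcs1Sha256SignatureDescription : SignatureDescription
{
    public RsaPkcs1Sha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    // Used by SignedXml.CheckSignedInfo when verifying an IdP signature.
    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm("SHA256");
        return deformatter;
    }

    // Used when the SP itself signs (e.g. SignLogoutRequest="true" in the thread's config).
    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var formatter = new RSAPKCS1SignatureFormatter(key);
        formatter.SetHashAlgorithm("SHA256");
        return formatter;
    }
}

public static class Sha256XmlDsigSupport
{
    public const string RsaSha256Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Call once at application start (e.g. Application_Start in Global.asax).
    // Returns true when a SignatureDescription is resolvable for the URI afterwards.
    public static bool EnsureRegistered()
    {
        if (CryptoConfig.CreateFromName(RsaSha256Uri) == null)
            CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha256SignatureDescription), RsaSha256Uri);
        return CryptoConfig.CreateFromName(RsaSha256Uri) is SignatureDescription;
    }
}
```

The registration is process-wide, so it only needs to run once, and it does not change which algorithms the partner configuration is allowed to accept.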