Hi,
I have got an IdP (ADFS) and an SP (a web form with multi-tenancy). I created a relying party in ADFS and specified sp.cer under Signature and Encryption with the SHA-1 hash algorithm. In the SP I loaded the sp.pfx file in the configuration, and I also use sp.pfx to decrypt the encrypted assertions.
It works fine with the above configuration in ADFS and sp.cer, but as soon as I use the actual certificate I get the exception below:
Invalid algorithm specified.
Is it definitely SHA-1?
Is the only change the certificate specified in ADFS and in the SP’s SAML configuration?
Could you send me a section of your SAML configuration where you specify partner identity provider?
What version of the SAML2 DLL are you using?
Hi,
I tried with both SHA-1 and SHA-256 but no luck.
Yes, I only changed the certificate.
Here is the configuration loading programmatically:
SAMLConfiguration tenantOneSamlConfiguration = new SAMLConfiguration();
tenantOneSamlConfiguration.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration
{
Name = "https://tenant-one.com",
AssertionConsumerServiceUrl = "~/Sso/SAML/AssertionConsumerService",
LocalCertificateFile = "domain-certificate.pfx",
LocalCertificatePassword = "Password for that pfx"
};
tenantOneSamlConfiguration.AddPartnerIdentityProvider(new PartnerIdentityProviderConfiguration
{
Name = "http://sts.mmasood.com/adfs/services/trust",
SignAuthnRequest = true,
WantSAMLResponseSigned = false,
WantAssertionSigned = true,
WantAssertionEncrypted = true,
UseEmbeddedCertificate = true,
SingleSignOnServiceUrl = "https://sts.mmasood.com/adfs/ls/"
});
SAMLController.Configurations["tenant-1"] = tenantOneSamlConfiguration;
I am using the latest DLL.
Thanks,
Muhammad Masood
Hi,
Additional info: I am using a wildcard certificate.
Thanks,
Muhammad Masood
A wildcard certificate is fine.
It may be something to do with the cryptographic service provider specified by the private key.
Please take a look at the code in the following forum post.
http://www.componentspace.com/Forums/1565/SHA256-and-Cryptographic-Service-Provider-Types
If you run this code on your certificate, what is the provider name and type?
It may be that it doesn’t support signature generation.
After running that code I got below:
[Screenshot of that code's output, attached as an image in the original post; not reproduced here]
Thanks,
Muhammad Masood
The Microsoft RSA SChannel Cryptographic Provider supports SHA-1 signatures but not SHA-256.
In the latest release (v2.6.0.14) of the SAML2 DLL we now default to SHA-256 signatures in keeping with the general move to SHA-256.
For SHA-1, set the PartnerIdentityProvider.SignatureMethod to "http://www.w3.org/2000/09/xmldsig#rsa-sha1".
Alternatively, if you wanted to use SHA-256, you need to change the PFX to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.
The following forum post explains how to use openssl to do this.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
Thanks for your reply. It works, but now in AssertionConsumerService.aspx I am not getting any assertions.
Is there any settings I need to update in adfs?
Thanks,
Muhammad Masood
Is a SAML response being returned?
If so, what error is occurring?
If not, please take a look at the ADFS Windows event log for the specific error.
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
I am using the latest DLL (but planning to use an old version).
Thanks,
Muhammad Masood
In the relying party's configuration in ADFS, under the Advanced tab, specify SHA-1.
I have already set SHA-1 in the relying party but am still not getting any assertions.
It worked. Thanks a lot.
You’re welcome.
Hi All,
We need to modify the SAMLAssertionSignature from SHA-1 to SHA-256. For this we made the changes below, but we are still facing the issue. Can anyone help me resolve it?
SAMLAssertionSignature.Generate(samlAssertionXml, vendorCertificate.PrivateKey, vendorCertificate, null, "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
ComponentSpace.SAML2.Exceptions.SAMLSignatureException
HResult=0x80131600
Message=Failed to generate the XML signature.
Source=ComponentSpace.SAML2
StackTrace:
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2Collection x509Certificates, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
at ComponentSpace.SAML2.Assertions.SAMLAssertionSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
at ComponentSpace.SAML2.Assertions.SAMLAssertionSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate)
at WORKTERRA.BenAdmin.Areas.UserDetails.Controllers.UserDetailsController.CignaSSO() in D:\WT\Web\Web Projects\BenAdmin\Areas\UserDetails\Controllers\TechPartner\TechPartnerController.cs:line 745
at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters)
at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary parameters)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary parameters)
at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass15.b__12()
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func continuation)
Inner Exception 1:
CryptographicException: Invalid algorithm specified.
SHA-256 signatures require underlying support from the operating system and the .NET framework. Windows 2012 R2 or more recent and .NET framework v4.0 or more recent are recommended.
It also requires the use of a cryptographic service provider (CSP) that supports the SHA-256 algorithm. The Microsoft Enhanced RSA and AES Cryptographic Provider is recommended. The private key includes a property that specifies which CSP to use.
If you run certutil -dump <your.pfx>, does it show the provider as "Microsoft Enhanced RSA and AES Cryptographic Provider"?
For example:
certutil -dump sp.pfx
Enter PFX password:
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 0867a17dc9efeabe4ccbf7e7adb7c37a
Issuer: CN=www.sp.com
NotBefore: 22/11/2013 6:23 PM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=www.sp.com
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 427a3d5b39df593b1d44b769d3697aedf00fd83f
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.
If not, you can use openssl to specify the correct CSP as described in the article.
https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
Alternatively, if you have a recent version of the product, you can create a new private key (PFX file) and associated certificate (CER file) using the CreateSelfSignedCert console application that’s under the Examples\Certificate folder. This app ensures the “Microsoft Enhanced RSA and AES Cryptographic Provider” is specified. If you do create a new PFX you’ll have to supply the new CER to the partner provider.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
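The two support answers above (the provider check for the first poster and the certutil check for the second) both come down to the same question: which cryptographic service provider is bound to the PFX private key, and can it sign with SHA-256. The following is an added example, written for this page and not ComponentSpace's or the forum posters' code, that answers both questions in one run on .NET Framework 4.x on Windows. The file name sp.pfx, its password and the class name CspProbe are placeholders; the provider type 24 (PROV_RSA_AES) and the provider name are the standard Windows values for the "Microsoft Enhanced RSA and AES Cryptographic Provider" the answers recommend.

```csharp
// Added example (not ComponentSpace code): report which CSP backs a PFX private key
// and test whether that CSP can produce an RSA-SHA256 signature. "sp.pfx" and the
// password are placeholders. Target: .NET Framework 4.x on Windows (CAPI CSP keys).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class CspProbe
{
    // PROV_RSA_AES: the provider type of "Microsoft Enhanced RSA and AES Cryptographic Provider".
    const int ProvRsaAes = 24;
    const string AesProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";

    static void Main()
    {
        // Placeholder path and password; Exportable is needed if you intend to re-export the key.
        var cert = new X509Certificate2("sp.pfx", "password",
            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);

        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
        {
            // On .NET 4.6+ a CNG-backed key comes back as RSACng, which signs SHA-256 natively.
            Console.WriteLine("Private key is not a CAPI CSP key (probably CNG); SHA-256 should work.");
            return;
        }

        // This is the same information certutil -dump prints as "Provider = ...".
        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        Console.WriteLine("Provider name: {0}", info.ProviderName);
        Console.WriteLine("Provider type: {0}", info.ProviderType);

        if (TrySignSha256(rsa))
        {
            Console.WriteLine("SHA-256 signing OK with the key's own CSP.");
            return;
        }

        // A PROV_RSA_SCHANNEL key (the "Microsoft RSA SChannel Cryptographic Provider" from
        // the thread) lands here with CryptographicException "Invalid algorithm specified".
        Console.WriteLine("SHA-256 signing failed with the key's own CSP.");

        // Runtime workaround: re-open the same key container under PROV_RSA_AES.
        // The durable fix is to re-export the PFX with the AES provider (see the usage note).
        var parameters = new CspParameters(ProvRsaAes, AesProviderName, info.KeyContainerName)
        {
            KeyNumber = (int)info.KeyNumber,
            Flags = CspProviderFlags.UseExistingKey
        };
        if (info.MachineKeyStore)
            parameters.Flags |= CspProviderFlags.UseMachineKeyStore;

        try
        {
            var aesRsa = new RSACryptoServiceProvider(parameters);
            Console.WriteLine(TrySignSha256(aesRsa)
                ? "SHA-256 signing OK after re-opening the key under the AES provider."
                : "Still failing; re-export the PFX with the AES provider.");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Could not re-open the key under the AES provider: " + ex.Message);
        }
    }

    // Sign and verify a constructed byte string with RSA-SHA256; false means the CSP refused.
    static bool TrySignSha256(RSACryptoServiceProvider rsa)
    {
        byte[] data = Encoding.UTF8.GetBytes("probe");
        try
        {
            byte[] sig = rsa.SignData(data, "SHA256");
            return rsa.VerifyData(data, "SHA256", sig);
        }
        catch (CryptographicException)
        {
            return false;
        }
    }
}
```

If the probe reports a provider other than the AES one and SHA-256 signing fails, re-create the PFX with the provider attribute set, as the linked article describes; with OpenSSL that is the -CSP option of pkcs12 -export, for example openssl pkcs12 -export -in sp.crt -inkey sp.key -out sp-aes.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" (sp.crt, sp.key and sp-aes.pfx are placeholder names). Whichever algorithm the SP ends up signing with must match the relying party's setting on the Advanced tab in ADFS; a mismatch produces exactly the MSIS7093 "not signed with expected signature algorithm" event shown earlier in this thread.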