Is there a way to change saml:signature nesting to saml:Assertion instead of saml:Issuer?

I am using LowLevelAPI (I know HighLevel is recommended but this is an older app and the code is there).

Using the following code -
XmlElement samlResponseXml = samlResponse.ToXml();

SAMLMessageSignature.Generate(samlResponseXml, x509CertificateIdp.PrivateKey, x509CertificateIdp);
IdentityProvider.SendSAMLResponseByHTTPPost(Response, ssoState.assertionConsumerServiceURL, samlResponseXml, ssoState.relayState);

The saml:signature is nested inside saml:Issuer and not the saml:Assertion tag. One of the Service Providers is saying that saml:Signature should be inside saml:Assertion. All the samples I can find on Google also have saml:Signature nested in saml:Assertion. Is there a way to change this?

The code you have is signing the SAML response rather than the SAML assertion.
The following code outlines how to sign the SAML assertion and add it to the SAML response.

// Construct a SAML assertion - details not shown.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer("www.idp.com");

// Serialize to XML for XML signature generation.
XmlElement samlAssertionElement = samlAssertion.ToXml();

// Sign the SAML assertion using your private key.
X509Certificate2 x509Certificate = new X509Certificate2("idp.pfx", "password", X509KeyStorageFlags.MachineKeySet);
SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate);

// Add the signed SAML assertion to the SAML response.
SAMLResponse samlResponse = new SAMLResponse();
samlResponse.Assertions.Add(samlAssertionElement);

// Serialize to XML.
XmlElement samlResponseElement = samlResponse.ToXml();
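
To confirm which element actually carries the signature before sending to the Service Provider, the check below (an added example, not part of the original posts and not ComponentSpace code) lists every ds:Signature, its parent element, and whether its Reference URI points at that parent's ID. The class name and the sample XML are constructed for illustration; the check covers placement only and performs no cryptographic verification.

```csharp
using System;
using System.Xml;

static class SignaturePlacement
{
    const string Ds = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample: the signature content is a placeholder, not a real signature.
    const string Sample = @"<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'
        xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' ID='_r1'>
      <saml:Issuer>www.idp.com</saml:Issuer>
      <saml:Assertion ID='_a1'>
        <saml:Issuer>www.idp.com</saml:Issuer>
        <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
          <ds:SignedInfo><ds:Reference URI='#_a1'/></ds:SignedInfo>
        </ds:Signature>
      </saml:Assertion>
    </samlp:Response>";

    // For each ds:Signature under root, print the element it sits in and
    // whether its Reference URI targets that element's ID attribute.
    public static void Describe(XmlElement root)
    {
        var ns = new XmlNamespaceManager(root.OwnerDocument.NameTable);
        ns.AddNamespace("ds", Ds);
        XmlNodeList signatures = root.SelectNodes("descendant::ds:Signature", ns);
        if (signatures.Count == 0)
            Console.WriteLine("No ds:Signature found: nothing is signed.");
        foreach (XmlElement sig in signatures)
        {
            var parent = (XmlElement)sig.ParentNode;
            var reference = (XmlElement)sig.SelectSingleNode("ds:SignedInfo/ds:Reference", ns);
            string uri = reference == null ? "(none)" : reference.GetAttribute("URI");
            // A signature that does not reference its own parent deserves a closer look.
            bool coversParent = uri == "#" + parent.GetAttribute("ID");
            Console.WriteLine("{0} is signed: Reference URI={1}, covers parent={2}",
                parent.Name, uri, coversParent);
        }
    }

    static void Main()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(Sample);
        Describe(doc.DocumentElement);
    }
}
```

In the application, pass the XmlElement returned by ToXml() after signing to Describe instead of the sample document.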


Got it. Thank you so much. I now see that there are “Sign Message”, “Sign Assertion” and “Sign Message and Assertion” options in SAML.

You’re welcome.