IsSigned - Failed [Signature inside Assertion Tag in SAML Response]

Hi Team,

I’m getting a SAML Response from Azure Active Directory to one of my SSO applications, where I’m using the ComponentSpace DLL to verify the Response. Though the message is signed, while checking, the SSO app throws an error saying “The XML doesn’t contain a Signature”. Then I noticed that the Signature tag is inside the Assertion tag, so I manually altered the message and tested with VerifySAML.exe; this time the SSO app was able to pass the IsSigned step but throws an exception while verifying the message.

Is there any alternative method to check IsSigned or verify the message if the Signature is inside the Assertion tag?

Please let me know.

Regards,
Vasanth.

Hi Vasanth
We support the SAML response or SAML assertion being signed. By default, Microsoft signs the SAML assertion.
If you’re using the SAML high-level API it’s a simple configuration change to specify whether the response or assertion should be signed.
For the , either set WantSAMLResponseSigned or WantAssertionSigned to true. In this case you would set WantAssertionSigned to true.
If you’re using the SAML low-level API then your code should be similar to the following.
However, please note that we recommend the use of the SAML high-level API wherever possible to avoid having to make this type of code change.


// Get the signed assertion.
XmlElement samlAssertionXml = samlResponse.GetSignedAssertions()[0];

// Verify the XML signature – loading the IdP’s X.509 certificate is not shown.
if (!SAMLAssertionSignature.Verify(samlAssertionXml, x509Certificate)) {
    // Handle signature verification failure
}

// Construct the SAML assertion from the XML
SAMLAssertion samlAssertion = new SAMLAssertion(samlAssertionXml);


[quote]
ComponentSpace - Tuesday, June 14, 2016
Hi Vasanth
We support the SAML response or SAML assertion being signed. By default, Microsoft signs the SAML assertion.
If you're using the SAML high-level API it's a simple configuration change to specify whether the response or assertion should be signed.
For the , either set WantSAMLResponseSigned or WantAssertionSigned to true. In this case you would set WantAssertionSigned to true.
If you're using the SAML low-level API then your code should be similar to the following.
However, please note that we recommend the use of the SAML high-level API wherever possible to avoid having to make this type of code change.


// Get the signed assertion.
XmlElement samlAssertionXml = samlResponse.GetSignedAssertions()[0];

// Verify the XML signature – loading the IdP's X.509 certificate is not shown.
if (!SAMLAssertionSignature.Verify(samlAssertionXml, x509Certificate)) {
    // Handle signature verification failure
}

// Construct the SAML assertion from the XML
SAMLAssertion samlAssertion = new SAMLAssertion(samlAssertionXml);


[/quote]

Hi,

Thanks for the update. I have changed the code as per your suggestion, but I'm still getting the same error that it can't be verified. Is that something related to the algorithm? Please refer to the error logs below:

ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to verify the XML
SignatureDescription could not be created for the signature algorithm supplied.

Thanks,
Vasanth.


The error “SignatureDescription could not be created for the signature algorithm supplied” most likely means that it’s a SHA-256 XML signature.
To support SHA-256 signatures you need to be using the .NET framework v4.0 or later as well as the ComponentSpace.SAML2 DLL built for the .NET framework v4.0. You’ll find this DLL in the Bin\dotNET40 folder under the installation folder.
Earlier versions of the .NET framework and the ComponentSpace.SAML2 DLL built for the .NET framework v2.0 do not support SHA-256 signatures.
You will also need a recent version of the ComponentSpace.SAML2 DLL.
If there’s still an issue, please enable SAML trace and send the generated log file to our support email address, mentioning this topic.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
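Added example (not ComponentSpace code and not part of this thread): a small Python diagnostic using only the standard library that shows the two things the replies above turn on. First, where the enveloped ds:Signature sits: an IsSigned check that only looks at the Response element reports "no signature" for a message in which Azure AD signed the Assertion, which is what the first reply addresses. Second, which SignatureMethod algorithm the signature uses: rsa-sha256 is the case that needs .NET 4.0 and the dotNET40 DLL, which is what the second reply addresses. The two SAML messages are constructed samples with placeholder signature and digest values; the element and namespace names are the standard SAML 2.0 and XML-DSig ones. The script does not verify the signature itself (that belongs to an XML-DSig library such as the one the ComponentSpace DLL wraps), but it does check that the ds:Reference URI points back at the element carrying the signature, which any verifier should insist on before trusting an enveloped signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample: the Assertion is signed with RSA-SHA256 (the Azure AD default).
# SignatureValue/DigestValue are placeholders, not real signature bytes.
ASSERTION_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_assert1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the Response element itself is signed, with RSA-SHA1.
RESPONSE_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp2"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_assert2" Version="2.0">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def describe_signatures(xml_text):
    """Return one record per enveloped ds:Signature: which element carries it,
    the signature algorithm, and whether ds:Reference/@URI points at that element."""
    root = ET.fromstring(xml_text)
    records = []
    # ElementTree has no parent pointers, so walk every element and inspect its children.
    for parent in root.iter():
        for child in parent:
            if child.tag != DS_SIGNATURE:
                continue
            method = child.find("ds:SignedInfo/ds:SignatureMethod", NS)
            reference = child.find("ds:SignedInfo/ds:Reference", NS)
            uri = reference.get("URI") if reference is not None else None
            records.append({
                "signed_element": parent.tag.split("}", 1)[1],  # local name, e.g. "Assertion"
                "algorithm": method.get("Algorithm") if method is not None else None,
                "reference_uri": uri,
                # An enveloped signature must cover the element it sits in; if the
                # Reference points elsewhere, the signature vouches for a different
                # element and the message must be rejected.
                "reference_matches_parent": uri is not None and uri == "#" + parent.get("ID", ""),
            })
    return records


def is_signed(xml_text, element_name):
    """True if the named element ("Response" or "Assertion") carries its own signature
    whose Reference points back at it. Checking only "Response" is what yields
    'The XML doesn't contain Signature' for an assertion-signed message."""
    return any(r["signed_element"] == element_name and r["reference_matches_parent"]
               for r in describe_signatures(xml_text))


def uses_sha256(xml_text):
    """True if any signature uses RSA-SHA256, the case that needs .NET 4.0 or later."""
    return any(r["algorithm"] == RSA_SHA256 for r in describe_signatures(xml_text))


if __name__ == "__main__":
    for label, doc in (("assertion-signed", ASSERTION_SIGNED), ("response-signed", RESPONSE_SIGNED)):
        print(label, describe_signatures(doc))
```

Run against a real Response captured from SAML trace, the first record tells you immediately whether to set WantAssertionSigned or WantSAMLResponseSigned, and the algorithm field tells you whether the SHA-256 requirement above applies.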

[quote]
ComponentSpace - Wednesday, June 15, 2016
The error "SignatureDescription could not be created for the signature algorithm supplied" most likely means that it's a SHA-256 XML signature.
To support SHA-256 signatures you need to be using the .NET framework v4.0 or later as well as the ComponentSpace.SAML2 DLL built for the .NET framework v4.0. You'll find this DLL in the Bin\dotNET40 folder under the installation folder.
Earlier versions of the .NET framework and the ComponentSpace.SAML2 DLL built for the .NET framework v2.0 do not support SHA-256 signatures.
You will also need a recent version of the ComponentSpace.SAML2 DLL.
If there's still an issue, please enable SAML trace and send the generated log file to our support email address, mentioning this topic.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

Thanks a lot.
It worked!

Regards,
Vasanth.

Thanks Vasanth.