Issue with Decrypting the SAML Assertion

When the Identity Provider (IDP) uses the AES256-GCM encryption algorithm, our application, acting as the Service Provider, fails with the error “Unsupported data encryption method XML Security WG namespaces”. Please provide steps to enable our application (Service Provider) to properly decrypt the assertion.

Using ComponentSpace SAML 2 for ASP.NET Application

AES-GCM support isn’t included in the .NET framework and therefore isn’t part of the main ComponentSpace.Saml2.Net package.

However, we also provide a ComponentSpace.Saml2.Net.Extension.AesGcm package which you’ll find in the product’s bin folder. This package makes use of the BouncyCastle library and supports the following algorithms:

To include this support, add a reference to the trial ComponentSpace.Saml2.Net.Extension.AesGcm or licensed ComponentSpace.Saml2.Net.Extension.AesGcm.Licensed NuGet package.

In your application’s startup code, add the following:

using ComponentSpace.SAML2.Extension.AesGcm;

// Add AES-GCM.
AesGcmXmlEncryptionExtension.Register();

You should now be able to decrypt AES-GCM encrypted SAML assertions.

Please note that the Register() method is not available on the AesGcmXmlEncryptionExtension class.

I tried with XmlEncryptionExtensions.DataEncryptionExtensions["XML Security WG namespaces"] = new AesGcmXmlEncryptionExtension(); but this one is also not working. As we are using an ASP.NET application, I added it in the Application_Start method of Global.asax.

Kindly help me out on priority.

It sounds like you’re using an older version of the ComponentSpace.Saml2.Net.Extension.AesGcm NuGet package.

I’ll send you a download link to the latest version via email.

Hi Team,

Using the new latest library and implementing the code as mentioned below, I started getting the error “Failed to decrypt XML.” now.

Please note that I added the new latest ComponentSpace.SAML2.Extension.AesGcm.dll at the project reference level and added the following line in Global.asax.cs:

using ComponentSpace.SAML2.Extension.AesGcm;

and called the Register method in the following method of the Global class.

void Application_Start(object sender, EventArgs e)
{
    // Add AES-GCM.
    AesGcmXmlEncryptionExtension.Register();
}

Is there any other setting we need to do in order to decrypt successfully?

Kindly help on priority…

That’s all that’s required.

Please check that the identity provider is using the correct certificate to encrypt the SAML assertion. Encryption is performed using your SP public key and decryption is performed using the corresponding SP private key.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.

Hi Team,

The certificate is valid and there’s no issue with it.

Getting the following error that I captured in the log file, as mentioned below:

25440/13: 8/5/2024 2:48:26 PM: Exception: ComponentSpace.SAML2.Exceptions.SAMLEncryptionException: Failed to decrypt XML. ---> System.IO.FileNotFoundException: Could not load file or assembly 'BouncyCastle.Cryptography, Version=2.0.0.0, Culture=neutral, PublicKeyToken=072edcf4a5328938' or one of its dependencies. The system cannot find the file specified.
at ComponentSpace.SAML2.Extension.AesGcm.AesGcmXmlEncryptionExtension.DecryptData(Byte[] key, EncryptedData encryptedData)
at ComponentSpace.SAML2.XmlSecurity.Encryption.XmlEncryption.Decrypt(XmlElement encryptedElement, XmlNodeList encryptedKeysNodeList, AsymmetricAlgorithm keyDecryptingKey, EncryptionMethod keyEncryptionMethod, EncryptionMethod dataEncryptionMethod)
--- End of inner exception stack trace ---

Hope it helps.

Kindly help me out on priority please. Thanks !

Your application references the ComponentSpace.SAML2.Extension.AesGcm NuGet package which in turn references the BouncyCastle.Cryptography NuGet package. When your application is published, it should include the corresponding DLLs.

Make sure the BouncyCastle.Cryptography DLL is included in your application’s bin folder when it’s deployed.
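A deployment check for the situation in the last reply, added here as an example and not part of the thread or of ComponentSpace's product: it confirms that the published bin folder contains both the AES-GCM extension DLL and the BouncyCastle.Cryptography assembly, and that the BouncyCastle assembly identity matches the version and public key token the FileNotFoundException in the log asks for. The bin path is an assumption; the version and token come from the log above.

```powershell
# Added example (not from the thread). Run on the deployed web server after publishing.
param(
    [string]$BinPath = "C:\inetpub\wwwroot\MySamlSp\bin",  # assumed deployment path
    [string]$ExpectedVersion = "2.0.0.0",                   # from the log's exception text
    [string]$ExpectedToken = "072edcf4a5328938"             # from the log's exception text
)

function Test-AesGcmDeployment {
    param([string]$Bin, [string]$Version, [string]$Token)

    $ok = $true

    # The extension itself must be in bin, otherwise Register() cannot even be called.
    $ext = Join-Path $Bin "ComponentSpace.SAML2.Extension.AesGcm.dll"
    if (-not (Test-Path $ext)) {
        Write-Warning "Missing: $ext"
        $ok = $false
    }

    # The extension's own dependency; the FileNotFoundException in the log means it was not published.
    $bc = Join-Path $Bin "BouncyCastle.Cryptography.dll"
    if (-not (Test-Path $bc)) {
        Write-Warning "Missing: $bc (publish output did not include the BouncyCastle dependency)"
        return $false
    }

    # Read the assembly identity without loading it into the current process.
    $name = [System.Reflection.AssemblyName]::GetAssemblyName($bc)
    $tokenHex = ($name.GetPublicKeyToken() | ForEach-Object { $_.ToString("x2") }) -join ""

    if ($name.Version.ToString() -ne $Version) {
        Write-Warning "Version mismatch: bin has $($name.Version), extension requests $Version (a bindingRedirect in web.config may be needed)"
        $ok = $false
    }
    if ($tokenHex -ne $Token) {
        Write-Warning "Public key token mismatch: bin has $tokenHex, extension requests $Token (different signing key, not just a newer build)"
        $ok = $false
    }
    if ($ok) { Write-Host "OK: $bc $($name.Version) [$tokenHex] and $ext present" }
    return $ok
}

Test-AesGcmDeployment -Bin $BinPath -Version $ExpectedVersion -Token $ExpectedToken
```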