ReceiveSSO throws error while authenticating with ADFS (SAML 2.0) running on AWS EKS

Hi Team,
I’m using the licensed library from Component Space (ComponentSpace.SAML2.dll v3.7.0). My server runs on ASP.NET Core 3.1. We have been trying to integrate your library into our project to support SAML 2.0 requests.
I have tried our application with two providers, ADFS and Okta. The APIs we use are InitiateSsoAsync() and ReceiveSsoAsync(). This works perfectly when the server is running on Windows, Ubuntu and MicroK8s (running on Ubuntu). When I run this inside a pod on AWS EKS, ReceiveSsoAsync() throws an exception as follows:

131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at System.Security.Cryptography.RSAOpenSsl.TryDecrypt(SafeRsaHandle key, ReadOnlySpan data, Span destination, RsaPadding rsaPadding, RsaPaddingProcessor rsaPaddingProcessor, Int32& bytesWritten)
131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.XmlSecurity.Encryption.XmlEncryption.Decrypt(XmlElement encryptedElement, IEnumerable encryptedKeyElements, AsymmetricAlgorithm keyDecryptingKey, String keyEncryptionAlgorithm, String dataEncryptionAlgorithm)
131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlProvider.DecryptXml(XmlElement encryptedElement, IEnumerable encryptedKeyElements, AsymmetricAlgorithm keyDecryptingKey, String keyEncryptionAlgorithm, String dataEncryptionAlgorithm)
131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()
131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
131 ~ 2021-12-14 10:18:29 @ PlutoApp.Middleware.Windows.SAML+d__14::MoveNext::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()
at HandleSAMLResponse(String id, ISamlServiceProvider samlServiceProvider)

I tried two ways of passing the ADFS certificate.

  1. In AbstractSamlConfigurationResolver → GetLocalServiceProviderConfigurationAsync() → localServiceProviderConfiguration.LocalCertificates = new List<Certificate>() { new Certificate() { String = cert.Item1, Password = cert.Item2 } };
  2. Implement the ICertificateManager methods GetLocalServiceProviderSignatureCertificatesAsync() and GetLocalServiceProviderEncryptionCertificatesAsync()
In case of #2, we get the certificate from our DB and return it as follows:
return new X509Certificate2(Certificate, strPassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);

This code works fine with ASP.NET, where we had used the licensed version of your library.
I also checked the OpenSSL version on my Linux machine and in the AWS EKS pod. The Linux machine runs OpenSSL 1.1.1f 31 Mar 2020, whereas the pod runs OpenSSL 1.1.1d 10 Sep 2019.

I also went through another question posted on the forum, but wasn’t sure if my issue was identical:
https://www.componentspace.com/forums/9891/Certificate-error-when-running-in-Docker-container

I request your team to help us resolve this issue, as it’s impacting our release.

Regards,
Aster Veigas

Often padding errors are the result of a certificate mismatch. Please ensure the private key used to decrypt the SAML assertion matches the public key used to encrypt the SAML assertion. For ADFS, the certificate under the encryption tab of the relying party’s properties should be your SP’s public key/certificate. The local certificate in your SP’s SAML configuration is the corresponding private key (e.g. your PFX file).

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace

[quote]
ComponentSpace - 12/16/2021
Often padding errors are the result of a certificate mismatch. Please ensure the private key used to decrypt the SAML assertion matches the public key used to encrypt the SAML assertion. For ADFS, the certificate under the encryption tab of the relying party's properties should be your SP's public key/certificate. The local certificate in your SP's SAML configuration is the corresponding private key (e.g. your PFX file).

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace
[/quote]

Reconfigured my ADFS server based on your suggestion and my app worked just fine without any code changes :) Thank you team...

You’re welcome. Thanks for the update.

[quote]
[quote]
ComponentSpace - 12/16/2021
Often padding errors are the result of a certificate mismatch. Please ensure the private key used to decrypt the SAML assertion matches the public key used to encrypt the SAML assertion. For ADFS, the certificate under the encryption tab of the relying party's properties should be your SP's public key/certificate. The local certificate in your SP's SAML configuration is the corresponding private key (e.g. your PFX file).

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace
[/quote]

Reconfigured my ADFS server based on your suggestion and my app worked just fine without any code changes :) Thank you team...
[/quote]

Hello, I think I'm reproducing the same problem. Can you explain in more detail what additional settings you made? Thanks!

For ADFS, check that the certificate under the encryption tab of the relying party’s properties is your SP’s public key/certificate.

The local certificate in your SP’s SAML configuration is the corresponding private key (e.g. your PFX file).

For example, if the SP’s local certificate with private key is sp.pfx then the corresponding sp.cer should be configured under the relying party’s encryption tab.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace
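The check described in the reply above, as an added example (this is not ComponentSpace code and not from the original post): load the SP's PFX and the .cer that was uploaded to the ADFS relying party's Encryption tab, confirm the PFX really carries a private key, compare the public halves, then wrap a random session key with RSA-OAEP the way the IdP does for the xenc:EncryptedKey and unwrap it with the PFX. The file names sp.pfx and sp.cer and the password are assumptions; pass your own as arguments. With a mismatched pair the unwrap throws a CryptographicException whose Linux message is the OpenSSL "padding check failed" / "oaep decoding error" from this thread, because the wrong private key produces random bytes and the OAEP decoder rejects them, not because anything reports "wrong key".

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not ComponentSpace code. Verifies that the SP's private key (sp.pfx)
// is the partner of the certificate (sp.cer) configured under the ADFS relying party's
// Encryption tab, and reproduces the padding error you get when it is not.
static class SpEncryptionKeyCheck
{
    // The public halves must be identical: ADFS encrypts the assertion's session key to
    // the modulus/exponent in sp.cer, and only the matching private key can unwrap it.
    public static bool PublicKeysMatch(X509Certificate2 pfx, X509Certificate2 cer)
    {
        RSAParameters a = pfx.GetRSAPublicKey().ExportParameters(false);
        RSAParameters b = cer.GetRSAPublicKey().ExportParameters(false);
        return CryptographicOperations.FixedTimeEquals(a.Modulus, b.Modulus)
            && CryptographicOperations.FixedTimeEquals(a.Exponent, b.Exponent);
    }

    // Mimics the <xenc:EncryptedKey> step: wrap a random AES key with RSA-OAEP (MGF1/SHA-1,
    // the XML Encryption default) under 'encryptWith', then unwrap it under 'decryptWith'.
    public static bool TryRoundTrip(X509Certificate2 encryptWith, X509Certificate2 decryptWith, out string error)
    {
        error = null;
        byte[] sessionKey = new byte[32];
        RandomNumberGenerator.Fill(sessionKey);
        byte[] wrapped = encryptWith.GetRSAPublicKey().Encrypt(sessionKey, RSAEncryptionPadding.OaepSHA1);

        using RSA priv = decryptWith.GetRSAPrivateKey();
        if (priv == null) { error = "PFX has no private key"; return false; }
        try
        {
            byte[] unwrapped = priv.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA1);
            return CryptographicOperations.FixedTimeEquals(sessionKey, unwrapped);
        }
        catch (CryptographicException ex)
        {
            // With the wrong private key RSA yields random bytes, so OAEP decoding fails.
            // On Linux this surfaces as OpenSSL's "padding check failed" / "oaep decoding error".
            error = ex.Message;
            return false;
        }
    }

    static int Main(string[] args)
    {
        string pfxPath  = args.Length > 0 ? args[0] : "sp.pfx";   // assumed file names
        string password = args.Length > 1 ? args[1] : "password"; // assumed password
        string cerPath  = args.Length > 2 ? args[2] : "sp.cer";

        var pfx = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.Exportable);
        var cer = new X509Certificate2(cerPath);

        Console.WriteLine($"PFX has private key : {pfx.HasPrivateKey}");
        Console.WriteLine($"PFX thumbprint      : {pfx.Thumbprint}");
        Console.WriteLine($"CER thumbprint      : {cer.Thumbprint}");
        Console.WriteLine($"Public keys match   : {PublicKeysMatch(pfx, cer)}");

        bool ok = TryRoundTrip(cer, pfx, out string error);
        Console.WriteLine(ok ? "Unwrap OK: this PFX can decrypt what ADFS encrypts to this CER"
                             : $"Unwrap FAILED: {error}");
        return ok ? 0 : 1;
    }
}
```

Run it on the same host and with the same PFX bytes the SP actually loads (for the poster, the copy read back from the database inside the EKS pod), since a PFX that is fine on a workstation proves nothing about what the container is decrypting with. Matching thumbprints are the quick test, but the key comparison is what matters: two different certificates over the same key pair would decrypt fine, while the same subject name over a regenerated key pair would not.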

I have been facing the same issue as well. I have given my .cer file to the ADFS server and the .pfx file to my local SP, and still I am facing this issue:

ComponentSpace.Saml2.Exceptions.SamlEncryptionException: Failed to decrypt XML. ---> ComponentSpace.Saml2.Exceptions.SamlEncryptionException: An error occurred attempting to decrypt the XML. ---> Interop+Crypto+OpenSslCryptographicException: error:04099079:rsa routines:RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error at Interop.Crypto.RsaDecrypt(SafeEvpPKeyHandle pkey, ReadOnlySpan`1 source, RSAEncryptionPaddingMode paddingMode, IntPtr digestAlgorithm, Span`1 destination) at System.Security.Cryptography.RSAOpenSsl.Decrypt(SafeEvpPKeyHandle key, ReadOnlySpan`1 data, Span`1 destination, RSAEncryptionPadding padding) at System.Security.Cryptography.RSAOpenSsl.Decrypt(Byte[] data, RSAEncryptionPadding padding) at System.Security.Cryptography.RSAOAEPKeyExchangeDeformatter.DecryptKeyExchange(Byte[] rgbData) at System.Security.Cryptography.Xml.EncryptedXml.DecryptKey(Byte[] keyData, RSA rsa, Boolean useOAEP) at ComponentSpace.Saml2.XmlSecurity.Encrypt

Make sure your certificate file is listed under the relying party’s encryption tab.

For example, if the certificate configured in your service provider’s SAML configuration were sp.pfx, the corresponding sp.cer would be configured under the encryption tab.

If there’s still an issue, please email us a screenshot of the ADFS relying party’s encryption tab showing the certificate’s details. Also, enable the SAML trace in your service provider and include this in the email.

This works fine on my local machine, not on the server.
Initially, when I uploaded the .pfx file to my SP server, it was decrypted and stored in SQL. During the SAML assertion I again took the values from SQL and created a PFX certificate to decrypt the SAML response.

This is the code I used for creating the certificate:
new X509Certificate2(Certificate, strPassword,
    X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);

I also added a log entry to check the certificate's private key:

X509Certificate2 pfx = GetCertificate(localServiceProviderConfiguration.Description);
if (!pfx.HasPrivateKey)
{
    LoserLog.Log("SsoCertificateManager : The certificate does not contain a private key.");
}
else
{
    LoserLog.Log("SsoCertificateManager : The certificate contains a private key.");
}

On my local machine it prints that the certificate has a private key, whereas on the server it doesn't have the private key.

This is a different issue. It might be a permissions problem.

As an administrator, try running Microsoft’s CertUtil.exe or Powershell to dump the PFX file to see if it includes a private key.

Also, do you see the same problem if you test with the sp.pfx that we ship?

You referred to it once as "PFX file" and again as "sp.pfx". Both are the same, right?
Yes, it does include a private key.

If there are no issues with SP.PFX but there is with your PFX file, perhaps there’s an issue with how your PFX was created.

You could take a look at the CreateSelfSignedCert project we include under the Examples\Certificate folder to see how we created SP.PFX etc. Perhaps use CreateSelfSignedCert to create your own PFX file and use this instead.
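As an added example (this is not ComponentSpace's CreateSelfSignedCert project and not from the original post): generating an SP key pair with .NET's CertificateRequest, exporting the PFX that stays on the SP and the CER that goes to the ADFS relying party's Encryption tab, and then reloading the PFX bytes with the exact X509KeyStorageFlags used earlier in this thread to see whether HasPrivateKey holds. The subject name, password and output file names are assumptions. Running it on the server where HasPrivateKey came back false separates the two candidate causes raised above: if a freshly built PFX reloads with its private key there, look at how the stored PFX was produced, decrypted and read back from SQL; if it does not, look at the flags and the service account's rights.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not ComponentSpace's CreateSelfSignedCert. Builds an SP certificate,
// exports the PFX (private key, stays on the SP) and CER (public only, goes to ADFS),
// then reloads the PFX the way the poster does to check that the private key survives.
static class MakeSpCertificate
{
    public static (byte[] Pfx, byte[] Cer) Create(string subject, string password, int years = 2)
    {
        using RSA rsa = RSA.Create(2048);
        var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // keyEncipherment is the usage an encryption certificate needs; digitalSignature
        // lets the same certificate sign AuthnRequests if one certificate serves both roles.
        request.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: false));
        DateTimeOffset now = DateTimeOffset.UtcNow;
        using X509Certificate2 cert = request.CreateSelfSigned(now.AddDays(-1), now.AddYears(years));
        // Pfx carries the private key (password-protected); Cert is the bare DER certificate.
        return (cert.Export(X509ContentType.Pfx, password), cert.Export(X509ContentType.Cert));
    }

    // Same constructor and flags used earlier in this thread for the PFX pulled from SQL.
    public static bool ReloadedPfxHasPrivateKey(byte[] pfx, string password)
    {
        using var reloaded = new X509Certificate2(pfx, password,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
        using RSA priv = reloaded.GetRSAPrivateKey();
        return reloaded.HasPrivateKey && priv != null;
    }

    static void Main()
    {
        const string password = "password";                       // assumed
        var (pfx, cer) = Create("CN=sp.example.com", password);   // assumed subject
        File.WriteAllBytes("sp.pfx", pfx);   // keep this one on the SP only
        File.WriteAllBytes("sp.cer", cer);   // upload this under the relying party's Encryption tab

        Console.WriteLine($"PFX reloaded with private key : {ReloadedPfxHasPrivateKey(pfx, password)}");
        Console.WriteLine($"CER has private key           : {new X509Certificate2(cer).HasPrivateKey}"); // always false
    }
}
```

On Windows, MachineKeySet together with PersistKeySet writes the private key into the machine key store, so a service account without rights there is one place the permissions problem mentioned above would show up; Exportable is only needed if the key must later be exported again. Whatever produced the stored PFX, the CER handed to ADFS must be exported from that same certificate, since a CER from an earlier or regenerated key pair is exactly the mismatch that ends in the padding error at the top of this thread.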