ReceiveSSO throws error while authenticating with ADFS (SAML 2.0) running on AWS EKS

Hi Team,
I’m using the licensed library from ComponentSpace (ComponentSpace.SAML2.dll v3.7.0). My server runs on ASP.NET Core 3.1. We have been trying to integrate your library into our project to support SAML 2.0 requests.
I have tried our application with two providers, ADFS and Okta. The APIs we use are InitiateSsoAsync() and ReceiveSsoAsync(). This works perfectly when the server is running on Windows, Ubuntu and MicroK8s (running on Ubuntu). When I run it inside a pod on AWS EKS, ReceiveSsoAsync() throws an exception as follows:

131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at System.Security.Cryptography.RSAOpenSsl.TryDecrypt(SafeRsaHandle key, ReadOnlySpan<byte> data, Span<byte> destination, RsaPadding rsaPadding, RsaPaddingProcessor rsaPaddingProcessor, Int32& bytesWritten)
131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.XmlSecurity.Encryption.XmlEncryption.Decrypt(XmlElement encryptedElement, IEnumerable<XmlElement> encryptedKeyElements, AsymmetricAlgorithm keyDecryptingKey, String keyEncryptionAlgorithm, String dataEncryptionAlgorithm)
131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlProvider.DecryptXml(XmlElement encryptedElement, IEnumerable<XmlElement> encryptedKeyElements, AsymmetricAlgorithm keyDecryptingKey, String keyEncryptionAlgorithm, String dataEncryptionAlgorithm)
131 ~ 2021-12-14 10:18:29 @ GlobalHelper::CurrentDomain_FirstChanceException::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)

(the same first-chance exception is then logged again at each await as it propagates up the async call chain; the final, complete stack trace is:)

131 ~ 2021-12-14 10:18:29 @ PlutoApp.Middleware.Windows.SAML+d__14::MoveNext::0 - ComponentSpace.Saml2.Exceptions.SamlEncryptionException - Failed to decrypt XML. ~ caused by ~ ComponentSpace.Saml2.Exceptions.SamlEncryptionException - An error occurred attempting to decrypt the XML. ~ caused by ~ Interop+Crypto+OpenSslCryptographicException - error:04065072:rsa routines:rsa_ossl_private_decrypt:padding check failed
131 ~ 2021-12-14 10:18:29 @ at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()
at HandleSAMLResponse(String id, ISamlServiceProvider samlServiceProvider)

I tried two ways of passing the SP certificate.

  1. In AbstractSamlConfigurationResolver → GetLocalServiceProviderConfigurationAsync() → localServiceProviderConfiguration.LocalCertificates = new List<Certificate>() { new Certificate() { String = cert.Item1, Password = cert.Item2 } };
  2. Implement the ICertificateManager methods GetLocalServiceProviderSignatureCertificatesAsync() and GetLocalServiceProviderEncryptionCertificatesAsync().
In case of #2, we get the certificate from our DB and return it as follows:
return new X509Certificate2(Certificate, strPassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);

This code works fine with ASP.NET, where we had used the licensed version of your library.
I also checked the OpenSSL version on my Linux machine and in the AWS EKS pod. The Linux machine is running OpenSSL 1.1.1f 31 Mar 2020, whereas the pod is running OpenSSL 1.1.1d 10 Sep 2019.

I also went through another question posted on the forum, but I wasn’t sure whether my issue was identical.
https://www.componentspace.com/forums/9891/Certificate-error-when-running-in-Docker-container

I request your team to help us resolve this issue, as it’s impacting our release.

Regards,
Aster Veigas

Often padding errors are the result of a certificate mismatch. Please ensure the private key used to decrypt the SAML assertion matches the public key used to encrypt the SAML assertion. For ADFS, the certificate under the encryption tab of the relying party’s properties should be your SP’s public key/certificate. The local certificate in your SP’s SAML configuration is the corresponding private key (e.g. your PFX file).

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace

[quote]
ComponentSpace - 12/16/2021
Often padding errors are the result of a certificate mismatch. Please ensure the private key used to decrypt the SAML assertion matches the public key used to encrypt the SAML assertion. For ADFS, the certificate under the encryption tab of the relying party's properties should be your SP's public key/certificate. The local certificate in your SP's SAML configuration is the corresponding private key (e.g. your PFX file).

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace
[/quote]

I reconfigured my ADFS server based on your suggestion and my app worked just fine without any code changes :) Thank you team...

You’re welcome. Thanks for the update.

[quote]
Aster Veigas
[quote]
ComponentSpace - 12/16/2021
Often padding errors are the result of a certificate mismatch. Please ensure the private key used to decrypt the SAML assertion matches the public key used to encrypt the SAML assertion. For ADFS, the certificate under the encryption tab of the relying party's properties should be your SP's public key/certificate. The local certificate in your SP's SAML configuration is the corresponding private key (e.g. your PFX file).

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace
[/quote]

I reconfigured my ADFS server based on your suggestion and my app worked just fine without any code changes :) Thank you team...
[/quote]

Hello, I think I'm reproducing the same problem. Can you explain in more detail what additional settings you made? Thanks!

For ADFS, check that the certificate under the encryption tab of the relying party’s properties is your SP’s public key/certificate.

The local certificate in your SP’s SAML configuration is the corresponding private key (e.g. your PFX file).

For example, if the SP’s local certificate with private key is sp.pfx then the corresponding sp.cer should be configured under the relying party’s encryption tab.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace
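A pre-deployment check for the mismatch described above, written as an added example and not code from ComponentSpace or the poster's project: it loads sp.pfx with the same X509KeyStorageFlags as the ICertificateManager snippet in the question, loads the sp.cer that was (or will be) uploaded under the relying party's encryption tab, and verifies that an RSA-OAEP wrap with the public certificate can be unwrapped by the private key. The file names, the password argument and the class name are assumptions; a wrong key pair fails the round trip with the same CryptographicException that the SAML library reports as "padding check failed" on Linux.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper (not part of the ComponentSpace library).
public static class SpEncryptionCertCheck
{
    // Returns true only if publicCert (given to ADFS) and privateCert
    // (the SP's local certificate) form one RSA key pair.
    public static bool KeysMatch(X509Certificate2 publicCert, X509Certificate2 privateCert)
    {
        // Quick structural check: identical encoded public keys.
        if (!publicCert.GetPublicKey().SequenceEqual(privateCert.GetPublicKey()))
            return false;

        using RSA pub = publicCert.GetRSAPublicKey();
        using RSA priv = privateCert.GetRSAPrivateKey();
        if (pub == null || priv == null)
            return false; // not RSA, or the PFX carries no private key

        // Constructed probe: SAML XML Encryption usually wraps the session key
        // with RSA-OAEP (MGF1/SHA-1), so exercise the same padding mode.
        byte[] probe = Encoding.UTF8.GetBytes("constructed probe value");
        byte[] wrapped = pub.Encrypt(probe, RSAEncryptionPadding.OaepSHA1);
        try
        {
            byte[] unwrapped = priv.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA1);
            return CryptographicOperations.FixedTimeEquals(probe, unwrapped);
        }
        catch (CryptographicException)
        {
            // Wrong private key: OpenSSL reports this as
            // "rsa_ossl_private_decrypt:padding check failed".
            return false;
        }
    }

    public static void Main(string[] args)
    {
        string pfxPassword = args.Length > 0 ? args[0] : string.Empty; // assumed CLI arg
        var privateCert = new X509Certificate2("sp.pfx", pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
        var publicCert = new X509Certificate2("sp.cer");

        Console.WriteLine(KeysMatch(publicCert, privateCert)
            ? "OK: sp.cer matches the private key in sp.pfx"
            : "MISMATCH: the encryption certificate at ADFS does not belong to the SP's private key");
    }
}
```

Run it inside the EKS pod image (not only on the developer machine) so the check exercises the same OpenSSL build that ReceiveSsoAsync() will use.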