SAML 2 ASP.NET MVC IDP can't use self-signed certificate

Hi,

We are using the SAML 2 ASP.NET component and doing SP-initiated SSO with a customer. Our side is the SP and the customer's side is the IDP.

For both the SP and IDP sides, we are using self-signed SHA256 certificates generated using OpenSSL. But the IDP side always gets the exception
"Failed to generate the XML signature…Invalid algorithm specified" when trying to log into the SP side.

I have tried the following cases:
SP (Self-signed certificate 1) - IDP (Self-signed IDP certificate 2) → doesn't work: "Failed to generate the XML signature…Invalid algorithm specified"
SP (Self-signed certificate 1) - IDP (ComponentSpace example certificate) → works
SP (Self-signed certificate 2) - IDP (ComponentSpace example certificate) → works
SP (ComponentSpace example certificate) - IDP (Self-signed IDP certificate 2) → doesn't work: "Failed to generate the XML signature…Invalid algorithm specified"
SP (ComponentSpace example certificate) - IDP (Self-signed IDP certificate 1) → doesn't work: "Failed to generate the XML signature…Invalid algorithm specified"

To me, it seems that the IDP can't use the self-signed certificate.

Do you have any idea what the problem could be?

I have followed this possible solution but it didn’t work.
http://stackoverflow.com/questions/41261221/componentspace-saml2-0-library-invalid-algorithm-specified-certificate-algori

Please check that the correct cryptographic service provider (CSP) has been specified.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

[quote]
ComponentSpace - 4/28/2017
Please check that the correct cryptographic service provider (CSP) has been specified.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

Thanks for your reply. The previous issue was solved by re-signing it and specifying the correct CSP.
But I got a new error. This time it comes from the SP side:
  • ExceptionMessage: The SAML response signature failed to verify.
  • StackTrace: at ComponentSpace.SAML2.InternalSAMLServiceProvider.VerifySAMLResponseSignature(XmlElement samlResponseElement) at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement
  • ...
  • ExceptionType: SAMLSignatureException

Do you have any idea why?

It’s most likely the wrong certificate is configured to verify the signature.
If it looks like the correct certificate is configured, please email a log file as mentioned above.

[quote]
ComponentSpace - 4/28/2017
It's most likely the wrong certificate is configured to verify the signature.
If it looks like the correct certificate is configured, please email a log file as mentioned above.
[/quote]

Hi, thanks for your help.

I am not sure whether the certificate is correct or not.

The question is that it works now when I use the latest sample IDP application to test against our production SP.
That means the IDP is http://localhost:50320/MvcExampleIdentityProvider, which is local.
My production will be like https://xxxx.com/.....

But when our customer uses the same certificate in their production system, we on the SP side get this error:
  • BaseExceptionType: CryptographicException
  • ExceptionMessage: Failed to verify the XML signature.
  • ExceptionType: SAMLSignatureException
  • BaseExceptionMessage: SignatureDescription could not be created for the signature algorithm supplied.

Do you think the successful test case with the test IDP and the production SP proves that the certificate is correct?
If yes, why didn't it work in production?

More background information:
1. We suggested our customer buy ComponentSpace (good for you guys), so they are using the latest version of ComponentSpace,
but we are using the older version 2.5.0.19.
2. The certificate from the IDP side is a self-signed SHA1 certificate while the one from the SP side is a self-signed SHA256 certificate.

The exception “SignatureDescription could not be created for the signature algorithm supplied” means that your system doesn’t support SHA-256 signatures.
You need version 2.6.0.8 or later to support SHA-256 signatures.
You also need to be running ASP.NET v4.0 or later.
Please contact us to discuss upgrading.
Alternatively, you can request the IdP revert to SHA-1 signatures.

[quote]
ComponentSpace - 5/4/2017
The exception "SignatureDescription could not be created for the signature algorithm supplied" means that your system doesn't support SHA-256 signatures.
You need version 2.6.0.8 or later to support SHA-256 signatures.
You also need to be running ASP.NET v4.0 or later.
Please contact us to discuss upgrading.
Alternatively, you can request the IdP revert to SHA-1 signatures.
[/quote]

Hi, thanks for your reply.

First, as I said in my last post, the IDP is using a SHA1 certificate. It is the SP (me) that uses SHA256.
I understand your point.
But my question is that previously it worked well with other customers when we as the SP used a SHA256 certificate (we have the .pfx file and the customer uses our .pem file) and did SP-initiated SSO.
The difference is that previously we didn't ask the customer (IDP) to create a certificate, so it means "WantSamlResponseSigned = false".
Could you explain why my older version works with SHA256 if I don't set "WantSamlResponseSigned = true" for the IDP?
I need to understand the necessity of upgrading ComponentSpace.
Thanks.

I may not be understanding your question.
Please enable logging as requested above and send us the log file as an email attachment mentioning this forum post.
As I said, if you’re seeing the exception “SignatureDescription could not be created for the signature algorithm supplied” this means that your system doesn’t support SHA-256 signatures.
If you haven’t been verifying signatures from IdPs (i.e. WantSamlResponseSigned and WantAssertionSigned are both false) or the IdPs have been generating SHA-1 signatures, you won’t have run into this issue.
If the IdP is signing the SAML response using a SHA-256 signature this explains why you’re now seeing this exception.
Also, make sure you don’t confuse SHA-1 vs SHA-256 XML signatures with the algorithm used to sign the actual certificate.
A certificate may be signed by the certificate issuer using either SHA-1 or more typically these days SHA-256.
The algorithm used by the issuer to sign the certificate has no impact on whether or not the certificate may be used to generate or verify SHA-256 signatures.

[quote]
ComponentSpace - 5/5/2017
I may not be understanding your question.
Please enable logging as requested above and send us the log file as an email attachment mentioning this forum post.
As I said, if you're seeing the exception "SignatureDescription could not be created for the signature algorithm supplied" this means that your system doesn't support SHA-256 signatures.
If you haven't been verifying signatures from IdPs (i.e. WantSamlResponseSigned and WantAssertionSigned are both false) or the IdPs have been generating SHA-1 signatures, you won't have run into this issue.
If the IdP is signing the SAML response using a SHA-256 signature this explains why you're now seeing this exception.
Also, make sure you don't confuse SHA-1 vs SHA-256 XML signatures with the algorithm used to sign the actual certificate.
A certificate may be signed by the certificate issuer using either SHA-1 or more typically these days SHA-256.
The algorithm used by the issuer to sign the certificate has no impact on whether or not the certificate may be used to generate or verify SHA-256 signatures.

[/quote]

Thanks a lot for the explanation.

I have certainly been confused by the XML signature algorithm and the certificate signing algorithm.
That can explain why, even when I used a SHA1 certificate for both sides, I still got the same error.

I can't give the log file since I have a problem enabling trace in our system with the example code you provided about changing web.config.

But we have solved this issue by following this post: http://www.componentspace.com/Forums/5316/SHA1-vs-SHA256-XML-signatures
So the IDP will change to SHA1 as the XML signature algorithm for the SP.

I know this is not perfect. But we are considering purchasing the new version of the ComponentSpace SAML 2 component. :)

One more question:

If we are using IDP-initiated SSO, why do we need a certificate from the SP? In the example MVC applications,
the IDP needs idp.pfx and sp.cer while the SP needs sp.pfx and idp.cer. Could you explain this in detail?

For IdP-initiated SSO you don’t need a certificate from the SP unless the SAML assertion is to be encrypted.
For SP-initiated SSO, if the SP signs the authn request, you will need the SP certificate so you can verify the signature.
As the IdP you will sign either the SAML response or assertion using your IdP private key. The SP will verify the signature using the IdP public key.
If the SAML assertion has to be encrypted it will be encrypted using the SP public key and the SP will decrypt it using the SP private key.
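The following is an added example, not code from this thread or from ComponentSpace. It uses .NET Framework's built-in System.Security.Cryptography.Xml to illustrate two points made above: the ComponentSpace reply of 5/5/2017 (an RSA-SHA256 XML signature is independent of the algorithm the certificate itself was signed with, and a verifier that does not know the rsa-sha256 signature method reports "SignatureDescription could not be created for the signature algorithm supplied", while a signing key held in a legacy CSP reports "Invalid algorithm specified"), and the final reply (the IdP signs with its private key, the SP verifies with the IdP public certificate only). The file names idp.pfx and idp.cer, the placeholder password, the minimal Response element and the helper names are assumptions of this example.

```csharp
// Added example (not ComponentSpace code), .NET Framework 4.x.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlXmlSignatureExample
{
    const string RsaSha256Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    const string Sha256DigestUri = "http://www.w3.org/2001/04/xmlenc#sha256";
    const int ProvRsaAes = 24; // PROV_RSA_AES: "Microsoft Enhanced RSA and AES Cryptographic Provider"

    // Before .NET 4.6.2, SignedXml has no built-in description for the rsa-sha256 URI.
    // On the verifying side this surfaces as "SignatureDescription could not be created
    // for the signature algorithm supplied". Registering one makes SHA-256 signatures work.
    public sealed class RsaPkcs1Sha256SignatureDescription : SignatureDescription
    {
        public RsaPkcs1Sha256SignatureDescription()
        {
            KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
            DigestAlgorithm = typeof(SHA256Managed).FullName;
            FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
            DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
        }
        public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
        {
            var f = new RSAPKCS1SignatureFormatter(key); f.SetHashAlgorithm("SHA256"); return f;
        }
        public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
        {
            var d = new RSAPKCS1SignatureDeformatter(key); d.SetHashAlgorithm("SHA256"); return d;
        }
    }

    public static void RegisterSha256()
    {
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha256SignatureDescription), RsaSha256Uri);
    }

    // A private key stored in a legacy CSP (provider type 1 or 12) cannot produce SHA-256
    // signatures; that is the signer-side "Invalid algorithm specified". Re-home the key in
    // PROV_RSA_AES. Requires the PFX to have been loaded with X509KeyStorageFlags.Exportable.
    public static RSACryptoServiceProvider EnsureSha256CapableKey(RSACryptoServiceProvider key)
    {
        if (key.CspKeyContainerInfo.ProviderType == ProvRsaAes)
            return key;
        var converted = new RSACryptoServiceProvider(new CspParameters(ProvRsaAes));
        converted.ImportParameters(key.ExportParameters(true));
        return converted;
    }

    // IdP side: enveloped RSA-SHA256 signature over the element, made with the IdP private key.
    public static void SignElement(XmlDocument doc, XmlElement element, X509Certificate2 idpCertWithKey)
    {
        var key = EnsureSha256CapableKey((RSACryptoServiceProvider)idpCertWithKey.PrivateKey);
        var signedXml = new SignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.SignatureMethod = RsaSha256Uri; // SignedXml.XmlDsigRSASHA1Url for the SHA-1 fallback
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        var reference = new Reference("#" + element.GetAttribute("ID")) { DigestMethod = Sha256DigestUri };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        element.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // SP side: verify with the configured IdP public certificate (idp.cer); no private key needed.
    // Passing the configured certificate, rather than trusting a KeyInfo embedded in the message,
    // is what ties the signature to the partner you expect. The wrong certificate here fails with
    // "The SAML response signature failed to verify."
    public static bool VerifySignature(XmlElement element, X509Certificate2 idpPublicCert)
    {
        var signatures = element.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1) return false;
        var signedXml = new SignedXml(element);
        signedXml.LoadXml((XmlElement)signatures[0]);
        return signedXml.CheckSignature(idpPublicCert, true);
    }

    public static void Main()
    {
        RegisterSha256();
        var doc = new XmlDocument { PreserveWhitespace = true };
        // Constructed minimal SAML-style response; a real one carries an Issuer, Assertion, etc.
        doc.LoadXml("<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_resp1\"><samlp:Status/></samlp:Response>");
        var idpWithKey = new X509Certificate2("idp.pfx", "PLACEHOLDER-PASSWORD", X509KeyStorageFlags.Exportable);
        SignElement(doc, doc.DocumentElement, idpWithKey);
        var idpPublic = new X509Certificate2("idp.cer");
        Console.WriteLine(VerifySignature(doc.DocumentElement, idpPublic) ? "signature verified" : "signature failed");
    }
}
```

Run the same VerifySignature without RegisterSha256 on .NET 4.0/4.5 against a SHA-256-signed response and CheckSignature throws the SignatureDescription exception quoted in the thread; run SignElement with a key still in a type 1 or 12 CSP and ComputeSignature throws "Invalid algorithm specified". Neither depends on whether idp.pfx was itself issued with SHA-1 or SHA-256.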