SAML signature validation failed

Well, by the subject it is a very broad question but I can further narrow down the details.

One of our clients sends us SAML (either response signed or assertion signed), but the signature validation failed in both cases. The client claimed to use the same certificate to work with hundreds of clients successfully, so now we begin to suspect the certificate failed to pass chain validation (the intermediate one).



However, I used the following code to test the certificate, and it passed the validation:

using System;
using System.Security.Cryptography.X509Certificates;

class Program
{
    static void Main(string[] args)
    {
        var cert = new X509Certificate2(@"c:\temp\my.cer");
        VerifyCertificate(cert);
    }

    static void VerifyCertificate(X509Certificate2 primaryCertificate)
    {
        // Build the chain, checking revocation for the entire chain from cached data only.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.Build(primaryCertificate);

        // Print every chain status entry that was reported.
        if (chain.ChainStatus.Length != 0)
        {
            foreach (X509ChainStatus objChainStatus in chain.ChainStatus)
            {
                Console.WriteLine(objChainStatus.Status.ToString() + " - " + objChainStatus.StatusInformation);
            }
        }

        // Basic validation using the default chain policy.
        var bVerif = primaryCertificate.Verify();
    }
}

I turned on the verbose tracing of ComponentSpace.Saml2, but there is not too much info I can get:

ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:21 PM: The X.509 certificate with subject name ************** and serial number +++++ is being used to verify the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: Verifying the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: Failed to verify the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: XML signature method: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: The X.509 certificate with subject name ************** and serial number +++++ is embedded in the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: The asymmetric key type is RSACryptoServiceProvider.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: The asymmetric key’s associated cryptographic service provider supports SHA-256 signatures.

Is there a way I can get further info about the failure reason?

The certificate chain validation won’t affect the XML signature verification.
The certificate validation might fail (e.g., a certificate has expired or been revoked) but this won’t affect the XML signature verification.
For example, you could be using self-signed certificates in some circumstances.
Is the serial number of the certificate being used for signature verification the same as the embedded certificate?
If not, then the wrong certificate is being used.
Could you please send the log file as an email attachment to our support account mentioning your forum post?
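
The two checks from the reply above, as an added example that is not part of the original thread and is not ComponentSpace code: it compares the configured certificate with the one embedded in the XML signature, then verifies the signature without building a certificate chain, using the standard .NET `SignedXml` class. It is a troubleshooting aid rather than a complete SAML validator. The class name, method name and the two file-path arguments are assumptions made for this example, and it assumes a runtime where `SignedXml` supports rsa-sha256 by default (.NET Framework 4.6.2 or later, or the System.Security.Cryptography.Xml package).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SamlSignatureDiagnostics
{
    // samlPath: captured SAML response; configuredCertPath: the partner certificate
    // configured for verification. Both are hypothetical inputs for this example.
    public static bool Diagnose(string samlPath, string configuredCertPath)
    {
        // Whitespace must be preserved: reformatting the XML changes the digest.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load(samlPath);
        var configured = new X509Certificate2(configuredCertPath);

        var signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count == 0) { Console.WriteLine("No ds:Signature element found."); return false; }

        bool allValid = true;
        foreach (XmlElement sig in signatures)
        {
            var signedElement = (XmlElement)sig.ParentNode; // the signed Response or Assertion
            var signedXml = new SignedXml(signedElement);
            signedXml.LoadXml(sig);

            // Check 1: is the certificate embedded in KeyInfo the one we are verifying with?
            var embeddedNodes = sig.GetElementsByTagName("X509Certificate", SignedXml.XmlDsigNamespaceUrl);
            if (embeddedNodes.Count > 0)
            {
                var embedded = new X509Certificate2(Convert.FromBase64String(embeddedNodes[0].InnerText));
                Console.WriteLine($"Embedded:   serial={embedded.SerialNumber} thumbprint={embedded.Thumbprint}");
                Console.WriteLine($"Configured: serial={configured.SerialNumber} thumbprint={configured.Thumbprint}");
                Console.WriteLine($"Same certificate: {embedded.Thumbprint == configured.Thumbprint}");
            }

            // Check 2: verifySignatureOnly = true tests only the cryptographic signature;
            // no chain is built, so expiry, revocation or self-signing cannot cause a failure here.
            bool valid = signedXml.CheckSignature(configured, true);
            Console.WriteLine($"{signedElement.LocalName}: signature valid = {valid}");
            allValid &= valid;
        }
        return allValid;
    }

    static void Main(string[] args) => Diagnose(args[0], args[1]);
}
```

If the certificates match and the signature still fails, the signed XML was most likely altered after signing, for example by re-serialization or whitespace changes somewhere between the sender and the point where the message was captured.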