SAML v2.0 for ASP.NET Core -> Error generating the signature

Hi,
I have been working on a POC to migrate our existing code in ASP.NET to ASP.NET Core. I got the trial version of ComponentSpace for ASP.NET Core to do a test. I have figured out most of the issues and got stuck with the following error while generating the signature. Could you please help me understand what this error means and what should be done to fix it?

Code:
// Serialize the assertion and sign it with the certificate's private key
XmlElement assertionElement = Assertion.ToXml();
XmlSignature signature = new XmlSignature(samlConfigurationResolver, new LoggerFactory());
var signedXml = signature.Generate(assertionElement, certificate2.PrivateKey, SamlConstants.DigestAlgorithms.SHA256, SamlConstants.SignatureAlgorithms.RSA_SHA256, null, certificate2);

Message: "The parameter is incorrect"

Source: "System.Security.Cryptography.Cng"

Exception:
InnerException: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The parameter is incorrect
   at Internal.Cryptography.CngCommon.SignHash(SafeNCryptKeyHandle keyHandle, Byte[] hash, AsymmetricPaddingMode paddingMode, Void* pPaddingInfo, Int32 estimatedSize)
   at System.Security.Cryptography.RSACng.<>c__DisplayClass28_0.b__0(AsymmetricPaddingMode paddingMode, Void* pPaddingInfo)
   at System.Security.Cryptography.RSACng.SignOrVerify(RSASignaturePadding padding, HashAlgorithmName hashAlgorithm, Byte[] hash, SignOrVerifyAction signOrVerify)
   at System.Security.Cryptography.RSACng.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
   at System.Security.Cryptography.RSAPKCS1SignatureFormatter.CreateSignature(Byte[] rgbHash)
   at System.Security.Cryptography.AsymmetricSignatureFormatter.CreateSignature(HashAlgorithm hash)
   at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
   at ComponentSpace.Saml2.XmlSecurity.Signature.XmlSignature.Generate(XmlElement unsignedElement, AsymmetricAlgorithm signingKey, String digestAlgorithm, String signatureAlgorithm, String inclusiveNamespacesPrefixList, X509Certificate2 x509Certificate)

If you use the idp.pfx file that we ship with the example projects, do you see the same error? I just want to confirm whether the issue is specific to the PFX file you’re using.
I also suggest considering using our ISamlIdentityProvider class. This is demonstrated in the ExampleIdentityProvider project. It’s much easier than having to deal with the specifics of signing SAML assertions etc.
If there’s still an issue, please enable SAML trace and send the generated log file to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

[quote]
ComponentSpace - 12/12/2017
If you use the idp.pfx file that we ship with the example projects, do you see the same error? I just want to confirm whether the issue is specific to the PFX file you're using.
I also suggest considering using our ISamlIdentityProvider class. This is demonstrated in the ExampleIdentityProvider project. It's much easier than having to deal with the specifics of signing SAML assertions etc.
If there's still an issue, please enable SAML trace and send the generated log file to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
[/quote]

Hi,

Turns out that the issue is because of the PFX file.

I would love to use ISamlIdentityProvider. But I am not sure how well it will work with our existing projects, which use the .NET Framework version of ComponentSpace.

I am currently trying to generate a signature for the assertion and then post that to an app. Turns out that when the signature is added, SamlResponse.ToString() or ToXml() removes the assertions.

public string CreateSamlResponse()
{
    // Creating Assertions
    ...
    // Getting the Certificate from a file repository
    X509Certificate2 certificate2 = GetCertificate(true, app.Key);

    SamlResponse response = new SamlResponse();
    response.Status = new Status(SamlConstants.PrimaryStatusCodes.Success, "");
    XmlElement assertionElement = Assertion.ToXml();

    XmlSignature signature = new XmlSignature(samlConfigurationResolver, new LoggerFactory());

    // Sign the serialized assertion (SHA-256 digest, RSA-SHA256 signature)
    var signedXml = signature.Generate(assertionElement, certificate2.PrivateKey, SamlConstants.DigestAlgorithms.SHA256, SamlConstants.SignatureAlgorithms.RSA_SHA256, null, certificate2);

    // Add the assertion to the response, passing both the unsigned object and the signed XML
    if (AssertionListItem.IsValid(assertionElement))
    {
        response.Assertions.Add(new AssertionListItem(Assertion)
        {
            SignedAssertion = signedXml
        });
    }

    // Base64-encode the response for the HTTP POST binding
    return Convert.ToBase64String(Encoding.UTF8.GetBytes(response.ToString()));
}

The above code doesn't seem to work. There is a method in the Framework version, SamlAssertionSignature.Generate, that generates a signature and attaches it to the assertion. I used the above code to do that and it doesn't seem to work.

Instead of:

if (AssertionListItem.IsValid(assertionElement))
{
    response.Assertions.Add(new AssertionListItem(Assertion)
    {
        SignedAssertion = signedXml
    });
}

Try:

response.Assertions.Add(new AssertionListItem()
{
    SignedAssertion = signedXml
});

ISamlIdentityProvider is still your best option. In the long run it will mean less code for you to maintain.
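The thread turns on two things: signing the assertion element, and then getting the signed element, and only the signed element, into the response so the signature survives. The following is an added example, not ComponentSpace's code and not the original poster's: it uses .NET's own System.Security.Cryptography.Xml (SignedXml) in place of ComponentSpace's XmlSignature.Generate, builds a samlp:Response around the signed saml:Assertion, and then verifies the assertion from inside the response the way a service provider would. The class name AssertionSigningDemo, the sample assertion, the response skeleton and the self-signed certificate are all constructed for the example; it targets .NET 6 or later with the System.Security.Cryptography.Xml package referenced. It reads the private key through GetRSAPrivateKey() rather than the obsolete X509Certificate2.PrivateKey property used in the posts above.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;   // NuGet package: System.Security.Cryptography.Xml
using System.Text;
using System.Xml;

// Added example, not ComponentSpace code: sign a saml:Assertion with RSA-SHA256
// via SignedXml, place the *signed* element in a samlp:Response, verify it there.
public static class AssertionSigningDemo
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed minimal assertion; a real one also carries Subject, Conditions
    // and statements. The ID attribute is what the signature's Reference points at.
    const string UnsignedAssertion =
        "<saml:Assertion xmlns:saml=\"" + SamlNs + "\" ID=\"_a1b2c3\" " +
        "Version=\"2.0\" IssueInstant=\"2017-12-12T00:00:00Z\">" +
        "<saml:Issuer>https://idp.example.com</saml:Issuer></saml:Assertion>";

    public static XmlElement SignAssertion(XmlElement assertion, X509Certificate2 cert)
    {
        // GetRSAPrivateKey() is the non-obsolete accessor on .NET Core.
        using RSA key = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("no RSA private key in certificate");
        var signedXml = new SignedXml(assertion.OwnerDocument) { SigningKey = key };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        // Reference the assertion by ID; the enveloped transform keeps ds:Signature out of the digest.
        var reference = new Reference("#" + assertion.GetAttribute("ID"))
        {
            DigestMethod = SignedXml.XmlDsigSHA256Url
        };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        // SAML Core 5.4.2: ds:Signature sits directly after saml:Issuer.
        XmlNode sig = assertion.OwnerDocument.ImportNode(signedXml.GetXml(), true);
        assertion.InsertAfter(sig, assertion.FirstChild);
        return assertion;
    }

    // True only if the response holds an Assertion whose enveloped signature covers
    // that same Assertion and verifies with the expected IdP certificate.
    public static bool VerifyAssertionInResponse(XmlDocument response, X509Certificate2 idpCert)
    {
        var ns = new XmlNamespaceManager(response.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsNs);

        // A missing Assertion is exactly the symptom described in the thread.
        if (response.SelectSingleNode("/*/saml:Assertion", ns) is not XmlElement assertion) return false;
        if (assertion.SelectSingleNode("ds:Signature", ns) is not XmlElement sig) return false;
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sig);

        // Reject signatures that point at some other element (signature wrapping).
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var uri = ((Reference)signedXml.SignedInfo.References[0]).Uri;
        if (uri != "#" + assertion.GetAttribute("ID")) return false;

        // Verify against the configured IdP cert, not whatever KeyInfo claims;
        // verifySignatureOnly skips chain building for the throwaway test cert.
        return signedXml.CheckSignature(idpCert, verifySignatureOnly: true);
    }

    public static void Main()
    {
        // Throwaway self-signed certificate so the example runs offline; a real IdP loads its PFX here.
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=idp.example.com", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        var assertionDoc = new XmlDocument { PreserveWhitespace = true };
        assertionDoc.LoadXml(UnsignedAssertion);
        XmlElement signed = SignAssertion(assertionDoc.DocumentElement, cert);

        // Wrap the already-signed element; re-serializing the unsigned assertion object
        // instead would drop the signature or invalidate it.
        var response = new XmlDocument { PreserveWhitespace = true };
        response.LoadXml("<samlp:Response xmlns:samlp=\"" + SamlpNs + "\" ID=\"_r1\" " +
            "Version=\"2.0\" IssueInstant=\"2017-12-12T00:00:01Z\"><samlp:Status>" +
            "<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/>" +
            "</samlp:Status></samlp:Response>");
        response.DocumentElement.AppendChild(response.ImportNode(signed, true));

        Console.WriteLine(VerifyAssertionInResponse(response, cert)
            ? "assertion present and signature valid"
            : "assertion missing or signature invalid");
        // What is actually POSTed as SAMLResponse:
        string samlResponse = Convert.ToBase64String(Encoding.UTF8.GetBytes(response.OuterXml));
        Console.WriteLine(samlResponse.Length + " base64 characters");
    }
}
```

Two checks worth keeping in any receiving code are shown in VerifyAssertionInResponse: the Reference URI must point at the very Assertion being consumed (otherwise a signed assertion can be wrapped around an unsigned one), and the signature must be checked against the certificate configured for that IdP rather than the certificate carried in KeyInfo. The `/*/saml:Assertion` XPath also makes the "assertion disappeared from the response" failure from the thread an explicit false rather than a later NullReferenceException.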