SAMLAssertionSignature.Verify fails to verify signature generated by SAMLAssertionSignature.Generate

I’m attempting to construct and sign a SAML assertion. The project requires SOAP Message Security 1.1 and SAML Token Profile 1.1 pattern where the SAML assertion is within the WS-Security header. See my related question here for more context.

The generated XML appears to be signed but SAMLAssertionSignature.Verify fails. Why can I not verify the SAML assertion signature which I just generated?

I’m using the package from NuGet ComponentSpace.Saml2.Net 3.5.0.


using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Utility;

// Build a minimal assertion and serialise it to XML.
var samlAssertion = new SAMLAssertion
{
    Issuer = new Issuer("urn:idp:demo")
};

var assertionXml = samlAssertion.ToXml();

// Load the self-signed certificate (with its private key) from a PFX file.
var cert = new X509Certificate2();
cert.Import("C:/path/to/self-signed-cert.pfx", "pwd", X509KeyStorageFlags.UserKeySet);

// Sign the assertion; a new RSA key pair is created here for the signing key.
SAMLAssertionSignature.Generate(
    assertionXml,
    AsymmetricAlgorithm.Create("RSA"),
    cert,
    inclusiveNamespacesPrefixList: null,
    digestMethod: SignedXml.XmlDsigSHA1Url,         // http://www.w3.org/2000/09/xmldsig#sha1
    signatureMethod: SignedXml.XmlDsigRSASHA1Url    // http://www.w3.org/2000/09/xmldsig#rsa-sha1
);

Console.WriteLine(assertionXml.OuterXml);

Assert.IsTrue(SAMLAssertionSignature.Verify(assertionXml)); // fails

The code signed the SAML assertion using the private key created by calling AsymmetricAlgorithm.Create("RSA"). However, this key isn't related to the public key embedded in the cert parameter and used to perform the signature verification. You must sign using the private key associated with the certificate (i.e. cert.PrivateKey).


// Sign with the certificate's own private key so that the embedded
// certificate's public key can verify the signature.
SAMLAssertionSignature.Generate(
    assertionXml,
    cert.PrivateKey,
    cert,
    inclusiveNamespacesPrefixList: null,
    digestMethod: SignedXml.XmlDsigSHA1Url,         // http://www.w3.org/2000/09/xmldsig#sha1
    signatureMethod: SignedXml.XmlDsigRSASHA1Url    // http://www.w3.org/2000/09/xmldsig#rsa-sha1
);
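The mechanism behind the answer, as an added example that is not part of the question, the answer, or the ComponentSpace library: an XML-DSig verifier takes the public key from the certificate carried in KeyInfo, so a signature made with any other key pair fails even though the XML looks signed. The example below uses only .NET's built-in System.Security.Cryptography.Xml (a NuGet package of the same name on .NET Core/5+), generates a self-signed certificate in-process instead of loading a PFX, uses a constructed assertion with no real issuer, and uses RSA-SHA256 rather than the SHA-1 URIs from the question because RSA-SHA1 is deprecated for signatures. The helper names SignWithKey and VerifyWithEmbeddedCert are this example's own, not ComponentSpace APIs.

```csharp
// Added example: sign an XML element with an enveloped XML-DSig and verify it
// with the public key of the certificate embedded in KeyInfo, first with an
// unrelated RSA key (the question's mistake) and then with the cert's own key.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class AssertionSigningDemo
{
    // Enveloped signature over the document root; the certificate goes into
    // KeyInfo so a verifier can find the public key it should check against.
    public static void SignWithKey(XmlDocument doc, AsymmetricAlgorithm signingKey, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(doc) { SigningKey = signingKey };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        var reference = new Reference("") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // Verify strictly against the certificate embedded in KeyInfo, which is the
    // key a SAML relying party actually uses; never fall back to "any key".
    public static bool VerifyWithEmbeddedCert(XmlDocument doc)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false; // exactly one signature expected

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);

        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            if (clause is KeyInfoX509Data x509 && x509.Certificates.Count > 0)
            {
                var embedded = new X509Certificate2((X509Certificate)x509.Certificates[0]);
                using var publicKey = embedded.GetRSAPublicKey();
                return signedXml.CheckSignature(publicKey);
            }
        }
        return false; // no certificate in KeyInfo: nothing trustworthy to verify with
    }

    public static void Main()
    {
        // Constructed sample assertion (not a real IdP's output).
        const string assertionXml =
            "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_demo\">" +
            "<saml:Issuer>urn:idp:demo</saml:Issuer></saml:Assertion>";

        // Self-signed certificate generated in-process (stands in for the PFX file).
        using var certKey = RSA.Create(2048);
        var request = new CertificateRequest("CN=demo-idp", certKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));

        // Case 1: sign with a fresh RSA key that has nothing to do with cert.
        var docUnrelated = new XmlDocument { PreserveWhitespace = true };
        docUnrelated.LoadXml(assertionXml);
        using (var unrelatedKey = RSA.Create(2048))
        {
            SignWithKey(docUnrelated, unrelatedKey, cert);
        }
        Console.WriteLine($"signed with unrelated key, verifies: {VerifyWithEmbeddedCert(docUnrelated)}");

        // Case 2: sign with the private key that belongs to cert.
        var docMatching = new XmlDocument { PreserveWhitespace = true };
        docMatching.LoadXml(assertionXml);
        using (var certPrivateKey = cert.GetRSAPrivateKey())
        {
            SignWithKey(docMatching, certPrivateKey, cert);
        }
        Console.WriteLine($"signed with certificate key, verifies: {VerifyWithEmbeddedCert(docMatching)}");
    }
}
```

Case 1 reproduces the question's failure and case 2 the answer's fix. VerifyWithEmbeddedCert deliberately passes the certificate's public key to CheckSignature instead of calling the parameterless overload, so verification cannot silently succeed against a key the signer chose; the same "which key does the verifier use" question is what decides whether ComponentSpace's Verify accepts the assertion.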