SAMLAssertionSignature.Verify returning false

Hi, I’m hoping you’ll be able to help. My code is failing when trying to verify the SAMLAssertionSignature. Here is the code.

Private Sub ProcessSuccessSAMLResponse(ByVal samlResponse As SAMLResponse, ByVal relayState As String)
    ' Extract the asserted identity from the SAML response.
    Dim samlAssertion As SAMLAssertion = Nothing
    Dim samlAssertionElement As XmlElement = Nothing

    samlAssertionElement = samlResponse.GetSignedAssertions()(0)

    If SAMLAssertionSignature.IsSigned(samlAssertionElement) Then ' THIS IS TRUE
        Dim x509Certificate As X509Certificate2 = LoadCertificate(IdPCert, Nothing)

        If SAMLAssertionSignature.Verify(samlAssertionElement, x509Certificate) Then ' THIS IS WHERE IT FAILS
            samlAssertion = New SAMLAssertion(samlAssertionElement)
        Else
            WriteErrorLogMessage("Customer ID: " & Session("CustomerID").ToString & Chr(13) & Chr(10) &
                " - SAML: " & samlResponse.ToString & Chr(13) & Chr(10) &
                " - Error: " & "Assertion in response did not verify", "SAMLAssertionConsumer.ProcessSuccessSAMLResponse()")
            ' Stop here: samlAssertion is still Nothing and no identity has been verified.
            Return
        End If
    Else
        WriteErrorLogMessage("Customer ID: " & Session("CustomerID").ToString & Chr(13) & Chr(10) &
            " - SAML: " & samlResponse.ToString & Chr(13) & Chr(10) &
            " - Error: " & "No signed assertions in response", "SAMLAssertionConsumer.ProcessSuccessSAMLResponse()")
        ' Stop here: an unsigned assertion must not create a session.
        Return
    End If

    ' Get the subject name identifier.
    Dim userName As String = samlAssertion.Subject.NameID.NameIdentifier
    Session("UserName") = userName

    Dim firstName As String = samlAssertion.GetAttributeValue("firstName")
    Session("FirstName") = firstName

    Dim lastName As String = samlAssertion.GetAttributeValue("lastName")
    Session("LastName") = lastName

    Dim role As String = samlAssertion.GetAttributeValue("role")
    Session("Role") = role

    Session("Country") = "USA"

    Response.Redirect(SignonURL, False)
End Sub

I don’t see any issues with your code.
As an experiment, if you call “If SAMLAssertionSignature.Verify(samlAssertionElement)” does it return true?
If so, this indicates that the wrong certificate is being used for the verification.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
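
A diagnostic for the wrong-certificate case described in the reply above, as an added example that is not from the thread or from ComponentSpace. It uses only .NET framework classes, assumes the IdP embeds its certificate in the signature's ds:KeyInfo, and the names GetEmbeddedSignerCertificate, DescribeSigner and MakeCert are hypothetical; the certificates and assertion skeleton in Main are constructed for the demo.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Xml

Module SamlSignerCheck
    Const DsigNs As String = "http://www.w3.org/2000/09/xmldsig#"

    ' Certificate carried in the assertion's own ds:Signature/ds:KeyInfo, or Nothing.
    Function GetEmbeddedSignerCertificate(assertion As XmlElement) As X509Certificate2
        Dim ns As New XmlNamespaceManager(assertion.OwnerDocument.NameTable)
        ns.AddNamespace("ds", DsigNs)
        ' Direct child ds:Signature only, so a signature nested deeper is not picked up.
        Dim node As XmlNode = assertion.SelectSingleNode(
            "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns)
        If node Is Nothing Then Return Nothing
        Return New X509Certificate2(Convert.FromBase64String(node.InnerText))
    End Function

    ' Diagnostic text only; the embedded certificate is never used as the trust anchor.
    Function DescribeSigner(assertion As XmlElement, configured As X509Certificate2) As String
        Dim embedded As X509Certificate2 = GetEmbeddedSignerCertificate(assertion)
        If embedded Is Nothing Then Return "No X509Certificate in KeyInfo; nothing to compare."
        If embedded.Thumbprint = configured.Thumbprint Then
            Return "Embedded certificate matches the configured IdP certificate."
        End If
        Return String.Format("MISMATCH: assertion carries '{0}' ({1}), configured is '{2}' ({3}).",
            embedded.Subject, embedded.Thumbprint, configured.Subject, configured.Thumbprint)
    End Function

    ' Constructed self-signed certificate, used only as demo input.
    Function MakeCert(subject As String) As X509Certificate2
        Dim key As RSA = RSA.Create(2048)
        Dim req As New CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
        Return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1))
    End Function

    Sub Main()
        Dim oldCert As X509Certificate2 = MakeCert("CN=idp-old-key")
        Dim newCert As X509Certificate2 = MakeCert("CN=idp-new-key")
        ' Constructed assertion skeleton: only the KeyInfo part that the helper reads.
        Dim doc As New XmlDocument()
        doc.LoadXml("<Assertion xmlns='urn:oasis:names:tc:SAML:2.0:assertion'>" &
            "<ds:Signature xmlns:ds='" & DsigNs & "'><ds:KeyInfo><ds:X509Data><ds:X509Certificate>" &
            Convert.ToBase64String(newCert.RawData) &
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></Assertion>")
        ' First call: the SP is configured with a certificate the IdP no longer signs with.
        Console.WriteLine(DescribeSigner(doc.DocumentElement, oldCert))
        ' Second call: configuration and signer agree.
        Console.WriteLine(DescribeSigner(doc.DocumentElement, newCert))
    End Sub
End Module
```

The comparison is for troubleshooting only: verification should keep using the configured IdP certificate, because a signature that verifies only against its own embedded certificate shows integrity, not origin.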