Hi,
I am trying to implement SAML digital signature for one our module where we are sending SAML request to external vendor who is using component space to verify the signature.
From what I understood from them is the signature we are sending are not valid. They are calling the method SAMLAssertionSignature.Verify(xmlElement, x509Certificate) which is giving false so they cannot process our request.
I tried approach suggested in the forum by trying without cert SAMLAssertionSignature.Verify(xmlElement) still false is returned.
One other forum suggested to comment signedXml.SignedInfo.CanonicalizationMethod = SignedXmlWithId.XmlDsigExcC14NTransformUrl;
I am not sure where to comment the above line.
My application is java based where we are posting SAML request to .net based application. Can anyone help to resolve the issue?
Could you please send the SAML message as an email attachment to our support email address? Please mention this topic.
Be careful not to change the XML in any way.
I can then try verifying the signature and assist with tracking down the issue.
We interoperate with the majority of SAML offerings, including those written in Java, so the implementation language shouldn’t be an issue.
Be careful not to change the XML in any way.
I can then try verifying the signature and assist with tracking down the issue.
We interoperate with the majority of SAML offerings, including those written in Java, so the implementation language shouldn't be an issue.
Sent the XML to the support group. Please verify and let me know.
Thanks for sending the XML.
I wasn’t able to verify it as I need the associated public key or certificate file.
The signature includes an empty element. Typically this would include the base-64 encoded certificate that can be used to attempt to verify the XML signature.
I also noticed that the XML includes whitespace characters.
If you open the XML in your preferred text editor (Notepad, vi etc), you’ll see that it includes whitespace characters (formatting, newlines etc).
This is perfectly valid as long as these characters were present at the time of signing.
Often when we see these whitespace characters and the signature doesn’t verify it’s because the formatting etc occurred after signing.
Did you sign the XML with these whitespace characters present or were these introduced after signing?
Could you email the base-64 encoded certificate file to support? Please rename the .cer to .txt to get past our mail server.
I wasn't able to verify it as I need the associated public key or certificate file.
The signature includes an empty element. Typically this would include the base-64 encoded certificate that can be used to attempt to verify the XML signature.
I also noticed that the XML includes whitespace characters.
If you open the XML in your preferred text editor (Notepad, vi etc), you’ll see that it includes whitespace characters (formatting, newlines etc).
This is perfectly valid as long as these characters were present at the time of signing.
Often when we see these whitespace characters and the signature doesn’t verify it’s because the formatting etc occurred after signing.
Did you sign the XML with these whitespace characters present or were these introduced after signing?
Could you email the base-64 encoded certificate file to support? Please rename the .cer to .txt to get past our mail server.
When I run our VerifySAML.exe utility, it fails to verify the XML signatures.
The VerifySAML.exe is a .NET assembly that makes use of the XML signature support in the .NET framework.
VerifySAML.exe SAML_OEG.xml
Loading SAML_OEG.xml
Verifying SAML message
Verified: False
Verifying SAML assertion
Verified: False
We also ship a Java example that uses the XML signature support included in Java’s javax.xml.crypto.dsig.*. This is included under our Examples\Java folder.
VerifyXMLSignature.bat -c SHA1.cer SAML_OEG.xml
Loading certificate: SHA1.cer
Loading XML: SAML_OEG.xml
Verifying XML signature
Signature verified: false
Verifying XML signature
Signature verified: false
This also fails to verify the XML signatures.
Therefore, neither .NET nor Java can verify these signatures.
As I mentioned, unless the newline characters and other formatting were present prior to signature generation, these will invalidate the signature.
I suspect this might be the issue.