System.Security.Cryptography.CryptographicException: Malformed reference element when signing SAMLAssertion

Hi,

I am using the latest ComponentSpace DLL with default SHA-256 support. We sign the assertion as well as the response.

While signing the assertion I got this error.

Error in SSO service: ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to generate the XML signature. ---> System.Security.Cryptography.CryptographicException: Malformed reference element.
at System.Security.Cryptography.Xml.Reference.CalculateHashValue(XmlDocument document, CanonicalXmlNodeList refList)
at System.Security.Cryptography.Xml.SignedXml.BuildDigestedReferences()
at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
--- End of inner exception stack trace ---
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2Collection x509Certificates, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
at ComponentSpace.SAML2.Protocols.SAMLMessageSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
at SamlIntegration.SAML.TemplateSSOService.CreateSAMLResponse(SamlValues samlValue)
at SamlIntegration.SAML.TemplateSSOService.Page_Load(Object sender, EventArgs e)


Error happening at this line:
SAMLMessageSignature.Generate(samlAssertion.ToXml(), x509Certificate.PrivateKey, x509Certificate);

ComponentSpace full log:

IdP: Creating SAML response
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: ComponentSpace.SAML2, Version=2.6.0.17, Culture=neutral, PublicKeyToken=7c51d97b3a0a8ff9, .NET v4.0 build (evaluation license).
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: CLR: 4.0.30319.42000, OS: Microsoft Windows NT 10.0.14393.0, Account: KRTYASOFTWARES\Administrator, Culture: English (India)
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: SHA-256, SHA-384 and SHA-512 signature support is already enabled.
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: Generating an XML signature.
System.Security.Cryptography.Xml.SignedXml Information: 3 : [SignedMessage#01088896, BeginSignatureComputation] Beginning signature computation.
System.Security.Cryptography.Xml.SignedXml Verbose: 3 : [SignedMessage#01088896, BeginSignatureComputation] Using context: <saml:Assertion Version="2.0" ID="_0a16a0a3-31ae-4347-960c-5368a0e18f4b" IssueInstant="2016-12-23T07:38:53.62Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>http://localhost:64614/</saml:Issuer><saml:Subject><saml:NameID>idp-user</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="http://localhost/SAML2SP/SAML/AssertionConsumerService.aspx" /></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement AuthnInstant="2016-12-23T07:38:53.621Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
System.Security.Cryptography.Xml.SignedXml Verbose: 11 : [SignedMessage#01088896, SigningReference] Hashing reference Reference#01f778fe, Uri "#_0a16a0a3-31ae-4347-960c-5368a0e18f4b", Id "", Type "" with hash algorithm "http://www.w3.org/2001/04/xmlenc#sha256" (SHA256Managed).
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: No XML element was found with a message ID of _0a16a0a3-31ae-4347-960c-5368a0e18f4b in the document <saml:Assertion Version="2.0" ID="_0a16a0a3-31ae-4347-960c-5368a0e18f4b" IssueInstant="2016-12-23T07:38:53.62Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>http://localhost:64614/</saml:Issuer><saml:Subject><saml:NameID>idp-user</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="http://localhost/SAML2SP/SAML/AssertionConsumerService.aspx" /></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement AuthnInstant="2016-12-23T07:38:53.621Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: XML signature method: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: XML digest method: http://www.w3.org/2001/04/xmlenc#sha256.
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: Inclusive namespace prefix list: #default samlp saml ds xs xsi.
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: XML element ID: _0a16a0a3-31ae-4347-960c-5368a0e18f4b.
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: The signing key type is RSACryptoServiceProvider.
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: The signing key’s associated cryptographic service provider supports SHA-256 signatures.
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: Exception: ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to generate the XML signature. ---> System.Security.Cryptography.CryptographicException: Malformed reference element.
at System.Security.Cryptography.Xml.Reference.CalculateHashValue(XmlDocument document, CanonicalXmlNodeList refList)
at System.Security.Cryptography.Xml.SignedXml.BuildDigestedReferences()
at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 402
--- End of inner exception stack trace ---
ComponentSpace.SAML2 Verbose: 0 : 3992/6: 23-12-2016 13:08:53: at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 414
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2Collection x509Certificates, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 517
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 565
at ComponentSpace.SAML2.Protocols.SAMLMessageSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Protocols\SAMLMessageSignature.cs:line 326
at ComponentSpace.SAML2.Protocols.SAMLMessageSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Protocols\SAMLMessageSignature.cs:line 348
at SAML2IdP.SAML.SSOService.CreateSAMLResponse() in C:\Program Files (x86)\ComponentSpace SAML v2.0 for .NET\Examples\SSO\LowLevelAPI\IdP-Initiated\SAML2IdP\SAML\SSOService.aspx.cs:line 59
at SAML2IdP.SAML.SSOService.Page_Load(Object sender, EventArgs e) in C:\Program Files (x86)\ComponentSpace SAML v2.0 for .NET\Examples\SSO\LowLevelAPI\IdP-Initiated\SAML2IdP\SAML\SSOService.aspx.cs:line 113
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)



To sign a SAML assertion you must call SAMLAssertionSignature.Generate rather than SAMLMessageSignature.Generate.
Your code should be something like the following.


// Serialize the SAML assertion to XML ready for signing.
var samlAssertionElement = samlAssertion.ToXml();

// Sign the SAML assertion.
SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate);

// Add the signed assertion to the SAML response.
samlResponse.Assertions.Add(samlAssertionElement);



Better yet, I recommend using our SAML high-level API, as it will call into the low-level API to sign the SAML assertion etc. as specified by the SAML configuration.
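
The log above shows the mechanism behind the error: the message signer reports "No XML element was found with a message ID of ..." for the assertion, and the underlying .NET exception, "Malformed reference element", is what SignedXml throws when the same-document Reference URI ("#<ID>") cannot be resolved to an element. The following is an added example, not ComponentSpace's code and not code from this thread, that signs a saml:Assertion with the stock System.Security.Cryptography.Xml API, verifies it, and reproduces that failure by referencing an ID that does not exist. It assumes .NET 6+ with the System.Security.Cryptography.Xml package, a self-signed RSA certificate generated in memory for the demo, and a constructed sample assertion modelled on the one in the log; the class and method names are the example's own.

```csharp
// Added example (not ComponentSpace's code): sign a SAML 2.0 assertion with SignedXml,
// verify it, and reproduce the "Malformed reference element" failure.
// Assumes .NET 6+ with the System.Security.Cryptography.Xml package.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlAssertionSigningDemo
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample assertion, modelled on the one in the log above.
    const string AssertionXml =
        "<saml:Assertion xmlns:saml=\"" + SamlNs + "\" Version=\"2.0\"" +
        " ID=\"_0a16a0a3-31ae-4347-960c-5368a0e18f4b\" IssueInstant=\"2016-12-23T07:38:53.62Z\">" +
        "<saml:Issuer>http://localhost:64614/</saml:Issuer>" +
        "<saml:Subject><saml:NameID>idp-user</saml:NameID></saml:Subject>" +
        "</saml:Assertion>";

    // Build an enveloped XML signature over the element whose ID attribute equals elementId.
    public static XmlElement Sign(XmlElement element, string elementId, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(element) { SigningKey = cert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        // Same-document reference URI="#<ID>". SignedXml resolves it through GetIdElement,
        // which looks for an Id/id/ID attribute with that value. If nothing matches,
        // ComputeSignature throws CryptographicException("Malformed reference element.").
        var reference = new Reference("#" + elementId) { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform("#default samlp saml ds xs xsi"));
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        return signedXml.GetXml();
    }

    // Place ds:Signature where the SAML schema requires it: directly after saml:Issuer.
    public static void AttachSignature(XmlElement assertion, XmlElement signature)
    {
        var imported = assertion.OwnerDocument.ImportNode(signature, true);
        assertion.InsertAfter(imported, assertion["Issuer", SamlNs]);
    }

    // Verify with a trusted key and insist that the single Reference covers this assertion.
    public static bool Verify(XmlElement assertion, X509Certificate2 cert)
    {
        var signature = assertion["Signature", SignedXml.XmlDsigNamespaceUrl];
        if (signature == null) return false;

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(signature);

        // The reference must point at this element's own ID; a valid signature over some
        // other element in the message proves nothing about this assertion (signature wrapping).
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var uri = ((Reference)signedXml.SignedInfo.References[0]).Uri;
        if (uri != "#" + assertion.GetAttribute("ID")) return false;

        // Verify against the key we trust, never the key carried in the message's KeyInfo.
        return signedXml.CheckSignature(cert.GetRSAPublicKey());
    }

    public static void Main()
    {
        using (var rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=demo-idp", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var cert = request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1)))
            {
                var doc = new XmlDocument { PreserveWhitespace = true };
                doc.LoadXml(AssertionXml);
                var assertion = doc.DocumentElement;

                // 1. Correct: the Reference URI is the assertion's own ID.
                AttachSignature(assertion, Sign(assertion, assertion.GetAttribute("ID"), cert));
                Console.WriteLine("verified: " + Verify(assertion, cert));

                // 2. Tamper after signing: the digest no longer matches, so verification fails.
                assertion["Subject", SamlNs]["NameID", SamlNs].InnerText = "admin";
                Console.WriteLine("verified after tampering: " + Verify(assertion, cert));

                // 3. Reproduce the thread's error: a Reference to an ID that is not in the document.
                try { Sign(assertion, "_no-such-id", cert); }
                catch (CryptographicException e) { Console.WriteLine("expected failure: " + e.Message); }
            }
        }
    }
}
```

Two details matter for anyone signing assertions by hand rather than through SAMLAssertionSignature.Generate: the signature element belongs immediately after saml:Issuer, and on the consuming side the verifier should check that the Reference URI matches the ID of the very assertion it is about to trust, and that the signature validates against a key it already trusts, rather than whatever KeyInfo arrives in the message.
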

[quote]
ComponentSpace - 12/23/2016
To sign a SAML assertion you must call SAMLAssertionSignature.Generate rather than SAMLMessageSignature.Generate.
Your code should be something like the following.


// Serialize the SAML assertion to XML ready for signing.
var samlAssertionElement = samlAssertion.ToXml();

// Sign the SAML assertion.
SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate);

// Add the signed assertion to the SAML response.
samlResponse.Assertions.Add(samlAssertionElement);



Better yet, I recommend using our SAML high-level API, as it will call into the low-level API to sign the SAML assertion etc. as specified by the SAML configuration.
[/quote]

Thank you, that solved the issue.

You’re welcome.