The SAML assertion failed to verify and the response isn't signed.

SAML for ASP.NET Core
1

I am receiving the following error trying to integrate Component space to Azure ad.

  • SamlSignatureException: The SAML assertion failed to verify and the response isn’t signed.

    • ComponentSpace.Saml2.SamlServiceProvider.VerifySamlAssertionSignatureAsync(AssertionListItem assertionListItem)

    • ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)

    • ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, string relayState)

    • ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()

    • BlazorServerServiceProvider.Controllers.SamlController.AssertionConsumerService() in SamlController.cs

      +
      1. var ssoResult = await _samlServiceProvider.ReceiveSsoAsync();

    • Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor+TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, object controller, object[] arguments)

    • System.Threading.Tasks.ValueTask.get_Result()





    • System.Runtime.CompilerServices.ValueTaskAwaiter.GetResult()

    • Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask actionResultValueTask)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)

    • Microsoft.AspNetCore.Routing.EndpointMiddleware.g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)

    • Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)

    • Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)

    • Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)



2

Typically this will be a certificate configuration issue. Please check that the partner identity provider certificate in your SAML configuration is correct.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace

3

I have downloaded the Base64 certificate from azure sso and added it to the example application service provider under azure ad configuration app settings json.

here is the SAML response:

<samlp:Response ID=“_0cf0803c-3660-4fe2-96be-48c162cf9a64” Version=“2.0” IssueInstant=“2022-11-18T17:15:02.997Z” Destination=“<a href=“https://localhost:44326/SAML/AssertionConsumerService””>https://localhost:44326/SAML/AssertionConsumerService" xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”> https://sts.windows.net/9146dd1a-609e-4748-b407-f23657ce3e60/ samlp:Status <samlp:StatusCode Value=“urn:oasis:names:tc:SAML:2.0:status:Success”/> </samlp:Status> https://sts.windows.net/9146dd1a-609e-4748-b407-f23657ce3e60/ <Signature xmlns=“ “>http://www.w3.org/2000/09/xmldsig#”> <CanonicalizationMethod Algorithm=” “>http://www.w3.org/2001/10/xml-exc-c14n#”/> <SignatureMethod Algorithm=“ “>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256”/> <Transform Algorithm=” <Transform">http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <Transform Algorithm=“ “>http://www.w3.org/2001/10/xml-exc-c14n#”/> <DigestMethod Algorithm=” “>http://www.w3.org/2001/04/xmlenc#sha256”/> prnCcKNUX+ LswV6cr1ibKgoWDJzmgzIVC2VbsBKkYYA= Au7eym35RkG23eK4XyY6bgnaPNhCX6ehZb2WOoo0+H+rUI9Yb/lFavV8KeRj9xN48m7nDVztEWFJlaOKadVus2ROA9jQOgfLuAS43iWTFcXsxEpVdOl+cHgH1QqFyueJqQZsaEpfIhbOPQyxJdchdddz7ZaL2W3hQzSpMn4JZ9pdHytJYXLinkBEgv9BNLrwrz27Y4lY43Jnw/w5R4g44jxkfbujKVKHS70B3R0ouiKlfoY1MRwULoe1+hcI75CJa3xmRfDSn/q9hYqS8ELohSSktGjfjmALVCneNAya0ppwcr3twWXSOx+QH8J775tf8xY2ZDXHUhoEGpcbX/ flRg== MIIC/jCCAeagAwIBAgIQCGehfcnv6r5My/fnrbfDejANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwp3d3cuc3AuY29tMB4XDTEzMTEyMjA4MjMyMVoXDTQ5MTIzMTE0MDAwMFowFTETMBEGA1UEAxMKd3d3LnNwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPm/ew9jaGWpQS1C7KtpvgzV4nSOIFPgRt/nlRYR+pUWdDEfSKmyjK28nkQ1KKujRJTnvnmZydmUrmEFpVv+giBiUkvCJY3PxZ/EDSsF3R/OzWhkUv5nfAXPnqkX9x22b6+vUof6WiLGyAW6lOYMCVADjTSl9pSaUtIaANdx9maERcT9eQbGSnjim0WurFRYs9ZE8ttErrMH9+Su4246YDqOPAkz6La4cHHMPQdcFQT5p/cuXBfU1vl1tWdBEgAY3xHYZE8u5TTJ/vp9UxyU1MwfeO2g9VDRcokLQHrj6wFxtvufA+WtUKYJGUu2p/qSuaw7eS6UFjUn49aVqg9OacCAwEAAaNKMEgwRgYDVR0BBD8wPYAQ1/S0ibdvfdFkJ9T9oIPluKEXMBUxEzARBgNVBAMTCnd3dy5zcC5jb22CEAhnoX3J7+q+TMv35623w3owDQYJKoZIhvcNAQELBQADggEBAAHlmVoAZUt6paeFvtQbc/iaJe/Fhd+JG1U0jyjlFDcCn8erLihEbhb3mFBBMF25oO67gfA1JJXZrmHry3NlOZuovqRqm8v7wg8n0nQa1HUWkUC2TBgfg1HE8/2rmSF2PngiEi18VOxRDxx0WXMNZX6JebJ1kCOCpT/x7aupS7T1GrIPmDLxjnC9Bet7pRynfomjP/6iU21/xOIF6xB9Yf1a/kQbYdAVt2haYKIfvaF3xsq1X5tCXc9ijhBMgyaoqA+bQJD/l3S8+yCmMxEYZjAVLEkyGlU4Uwo01cKEYbXIG/YVq+4CaIRxIfMvV+j8gzTLHTXI+ pHEMfMhyYa0pzM= sidatp1262_outlook.com#EXT#@sidatp1262outlook.onmicrosoft.com <SubjectConfirmationData NotOnOrAfter=“2022-11-18T18:15:02.528Z” Recipient=“ “>https://localhost:44326/SAML/AssertionConsumerService”/> https://ExampleServiceProvider <Attribute Name=” “>http://schemas.microsoft.com/identity/claims/tenantid”> 9146dd1a-609e-4748-b407-f23657ce3e60 <Attribute Name=“ “>http://schemas.microsoft.com/identity/claims/objectidentifier”> 6abd57c9-cc0a-40f2-805d-7242b448fd8b <Attribute Name=” “>http://schemas.microsoft.com/identity/claims/displayname”> Sid p <Attribute Name=“ “>http://schemas.microsoft.com/identity/claims/identityprovider”> live.com <Attribute Name=” “>http://schemas.microsoft.com/claims/authnmethodsreferences”> http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password http://schemas.microsoft.com/claims/multipleauthn http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified <Attribute Name=“ “>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname”> Sid <Attribute Name=” “>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname”> p <Attribute Name=“ “>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”> sidatp1262@outlook.com <Attribute Name=” “>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name”> sidatp1262_outlook.com#EXT#@sidatp1262outlook.onmicrosoft.com urn:oasis:names:tc:SAML:2.0:ac:classes:Password </samlp:Response>

4
[quote]
sidatp7 - 11/18/2022
I have downloaded the Base64 certificate from azure sso and added it to the example application service provider under azure ad configuration app settings json.

here is the SAML response:

https://localhost:44326/SAML/AssertionConsumerService" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> https://sts.windows.net/9146dd1a-609e-4748-b407-f23657ce3e60/ https://sts.windows.net/9146dd1a-609e-4748-b407-f23657ce3e60/ ">https://sts.windows.net/9146dd1a-609e-4748-b407-f23657ce3e60/ "=""> ">http://www.w3.org/2000/09/xmldsig#"> "=""> ">http://www.w3.org/2001/10/xml-exc-c14n#"/> "=""> ">http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <Transform Algorithm=" "=""> ">http://www.w3.org/2001/10/xml-exc-c14n#"/> "=""> ">http://www.w3.org/2001/04/xmlenc#sha256"/> prnCcKNUX+ LswV6cr1ibKgoWDJzmgzIVC2VbsBKkYYA= Au7eym35RkG23eK4XyY6bgnaPNhCX6ehZb2WOoo0+H+rUI9Yb/lFavV8KeRj9xN48m7nDVztEWFJlaOKadVus2ROA9jQOgfLuAS43iWTFcXsxEpVdOl+cHgH1QqFyueJqQZsaEpfIhbOPQyxJdchdddz7ZaL2W3hQzSpMn4JZ9pdHytJYXLinkBEgv9BNLrwrz27Y4lY43Jnw/w5R4g44jxkfbujKVKHS70B3R0ouiKlfoY1MRwULoe1+hcI75CJa3xmRfDSn/q9hYqS8ELohSSktGjfjmALVCneNAya0ppwcr3twWXSOx+QH8J775tf8xY2ZDXHUhoEGpcbX/ flRg== MIIC/jCCAeagAwIBAgIQCGehfcnv6r5My/fnrbfDejANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwp3d3cuc3AuY29tMB4XDTEzMTEyMjA4MjMyMVoXDTQ5MTIzMTE0MDAwMFowFTETMBEGA1UEAxMKd3d3LnNwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPm/ew9jaGWpQS1C7KtpvgzV4nSOIFPgRt/nlRYR+pUWdDEfSKmyjK28nkQ1KKujRJTnvnmZydmUrmEFpVv+giBiUkvCJY3PxZ/EDSsF3R/OzWhkUv5nfAXPnqkX9x22b6+vUof6WiLGyAW6lOYMCVADjTSl9pSaUtIaANdx9maERcT9eQbGSnjim0WurFRYs9ZE8ttErrMH9+Su4246YDqOPAkz6La4cHHMPQdcFQT5p/cuXBfU1vl1tWdBEgAY3xHYZE8u5TTJ/vp9UxyU1MwfeO2g9VDRcokLQHrj6wFxtvufA+WtUKYJGUu2p/qSuaw7eS6UFjUn49aVqg9OacCAwEAAaNKMEgwRgYDVR0BBD8wPYAQ1/S0ibdvfdFkJ9T9oIPluKEXMBUxEzARBgNVBAMTCnd3dy5zcC5jb22CEAhnoX3J7+q+TMv35623w3owDQYJKoZIhvcNAQELBQADggEBAAHlmVoAZUt6paeFvtQbc/iaJe/Fhd+JG1U0jyjlFDcCn8erLihEbhb3mFBBMF25oO67gfA1JJXZrmHry3NlOZuovqRqm8v7wg8n0nQa1HUWkUC2TBgfg1HE8/2rmSF2PngiEi18VOxRDxx0WXMNZX6JebJ1kCOCpT/x7aupS7T1GrIPmDLxjnC9Bet7pRynfomjP/6iU21/xOIF6xB9Yf1a/kQbYdAVt2haYKIfvaF3xsq1X5tCXc9ijhBMgyaoqA+bQJD/l3S8+yCmMxEYZjAVLEkyGlU4Uwo01cKEYbXIG/YVq+4CaIRxIfMvV+j8gzTLHTXI+ pHEMfMhyYa0pzM= sidatp1262_outlook.com#EXT#@sidatp1262outlook.onmicrosoft.com <="" subjectconfirmation> "=""> ">https://localhost:44326/SAML/AssertionConsumerService"/> https://ExampleServiceProvider ">https://ExampleServiceProvider "=""> ">http://schemas.microsoft.com/identity/claims/tenantid"> 9146dd1a-609e-4748-b407-f23657ce3e60 "=""> ">http://schemas.microsoft.com/identity/claims/objectidentifier"> 6abd57c9-cc0a-40f2-805d-7242b448fd8b "=""> ">http://schemas.microsoft.com/identity/claims/displayname"> Sid p "=""> ">http://schemas.microsoft.com/identity/claims/identityprovider"> live.com "=""> ">http://schemas.microsoft.com/claims/authnmethodsreferences"> http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password ">http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password http://schemas.microsoft.com/claims/multipleauthn ">http://schemas.microsoft.com/claims/multipleauthn http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified <Attribute Name=" "=""> ">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"> Sid "=""> ">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"> p "=""> ">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"> sidatp1262@outlook.com "=""> ">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"> sidatp1262_outlook.com#EXT#@sidatp1262outlook.onmicrosoft.com urn:oasis:names:tc:SAML:2.0:ac:classes:Password
[/quote]


5

You’ll see under the there’s an . Copy the string MIIC/jCCAeagA… …Ya0pzM= to a text file with a .cer extension.

This is the certificate you should be using to verify the signature.

If there’s still an issue, you will need to send the log file as requested.