The SAML response isn't signed after upgrading from version 2.6 to 7.0

Hello,
We built our own IDP to communicate with Azure AD, using ComponentSpace SAML v2.0 for .NET version 2.6.0.13.
We have to upgrade our IDP to the latest version of ComponentSpace SAML for .NET and made some changes in our C# code.
The first test returned the following error, "The SAML response isn't signed", and we don't know how to solve it.

The SAML configuration settings:

    SAMLConfiguration samlConfiguration = new SAMLConfiguration() { Id = i++, Name = "LDAP" };
    samlConfiguration.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
    {
        Name = "",
        Description = "Havas IT ID Provider for INTERNAL + GUEST",
        AssertionConsumerServiceUrl = "https://idp-dev.xxxxxxxxx.com/LDAP/AssertionConsumerService",
        LocalCertificates = new List<CertificateConfiguration>()
        {
            new CertificateConfiguration()
            {
                // Verbatim string: "\C" and "\f" would otherwise be read as escape sequences.
                FileName = @"App_Data\Certificates\file.pfx",
                Password = "xxxxxxxxxxxxxxxxxxxxxxxx"
            }
        }
    };
    samlConfiguration.AddPartnerIdentityProvider(new PartnerIdentityProviderConfiguration()
    {
        // Azure AD issuer (tenant ID elided)
        Name = "https://sts.windows.net/c7ed5556-xxxx/",
        Description = "INTERNAL + GUEST",
        SignAuthnRequest = true,
        SignLogoutRequest = true,
        WantAssertionOrResponseSigned = true,
        WantSAMLResponseSigned = true,
        WantAssertionSigned = false, // true,
        WantAssertionEncrypted = false,
        WantLogoutRequestSigned = true,
        DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256",
        SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        SingleSignOnServiceBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        SingleSignOnServiceUrl = "https://login.microsoftonline.com/c7ed5556-xxxx/saml2",
        SingleLogoutServiceUrl = "https://login.microsoftonline.com/c7ed5556-xxxx/saml2",
        PartnerCertificates = new List<CertificateConfiguration>()
        {
            new CertificateConfiguration()
            {
                // Azure AD signing certificate downloaded from the enterprise application
                FileName = @"App_Data\Certificates\azurefile.cer"
            }
        }
    });
    SAMLController.Configurations.Configurations.Add(samlConfiguration);

We tested changing the values of WantSAMLResponseSigned and WantAssertionSigned, without success.

Regards,

WantAssertionSigned specifies that the SAML assertion must be signed. It defaults to false.

WantSAMLResponseSigned specifies that the SAML response must be signed. It defaults to false.

WantAssertionOrResponseSigned specifies that either the SAML assertion or SAML response must be signed. It defaults to true. This is useful when you’re not sure which is signed but you expect one of them to be signed.

By default, Azure AD signs the SAML assertion and not the SAML response.

My recommendation is to leave the configuration flags at their defaults. WantAssertionOrResponseSigned will check for either a SAML assertion or SAML response signature. If neither is signed or one is signed but the signature fails to verify, an exception is thrown. If either is signed and the signature verifies, no exception is thrown.

Also, double check that the correct partner certificate is configured.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
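
As an added diagnostic for the situation described in the reply above (this is example code written for this page, not ComponentSpace's code and not part of the original thread), the script below takes a SAML response copied from a trace log, reports whether the ds:Signature sits on samlp:Response or on saml:Assertion, extracts the SHA-1 thumbprint of the certificate embedded in KeyInfo so it can be compared with the configured partner certificate, and then evaluates the three Want*Signed flags exactly as the reply describes them. The sample response, the TENANT-ID placeholder and the certificate bytes are constructed; the script does not verify any signature, it only shows which element carries one.

```python
"""Added triage helper (not ComponentSpace code): locate SAML signatures and
model the Want*Signed flags. Sample XML and certificate bytes are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def thumbprint(der):
    """SHA-1 thumbprint in the form the Azure portal displays (uppercase hex)."""
    return hashlib.sha1(der).hexdigest().upper()


def _embedded_cert(signature):
    """Return the DER bytes of the X509Certificate inside ds:KeyInfo, if any."""
    node = signature.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        return None
    return base64.b64decode("".join(node.text.split()))


def locate_signatures(xml_text):
    """Report where ds:Signature elements sit. Only a Signature that is a direct
    child of samlp:Response counts as a response signature; one nested inside
    saml:Assertion is the assertion signature, even though it is in the response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element: " + root.tag)
    report = {"response_signed": False, "assertion_signed": False,
              "assertion_encrypted": False, "signing_cert_sha1": None}
    for owner, element in (("response", root), ("assertion", root.find("saml:Assertion", NS))):
        if element is None:
            continue
        signature = element.find("ds:Signature", NS)
        if signature is None:
            continue
        report[owner + "_signed"] = True
        der = _embedded_cert(signature)
        if der is not None and report["signing_cert_sha1"] is None:
            report["signing_cert_sha1"] = thumbprint(der)
    report["assertion_encrypted"] = root.find("saml:EncryptedAssertion", NS) is not None
    return report


def policy_problems(flags, report):
    """Model of the three flags as the reply describes them: each message names
    the flag whose requirement the captured response does not meet."""
    problems = []
    if flags.get("WantSAMLResponseSigned", False) and not report["response_signed"]:
        problems.append("WantSAMLResponseSigned is true but samlp:Response is not signed")
    if flags.get("WantAssertionSigned", False) and not report["assertion_signed"]:
        problems.append("WantAssertionSigned is true but saml:Assertion is not signed")
    if flags.get("WantAssertionOrResponseSigned", True) and not (
            report["response_signed"] or report["assertion_signed"]):
        problems.append("WantAssertionOrResponseSigned is true but neither element is signed")
    return problems


# Constructed placeholder bytes standing in for the IdP's DER certificate.
CONSTRUCTED_DER = b"placeholder bytes, not a real X.509 certificate"
_CERT_B64 = base64.b64encode(CONSTRUCTED_DER).decode()

# Constructed sample in Azure AD's default shape: unsigned Response, signed Assertion.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>""" % _CERT_B64

# The flags from the post above, and the defaults the reply recommends.
POSTED_FLAGS = {"WantSAMLResponseSigned": True, "WantAssertionSigned": False,
                "WantAssertionOrResponseSigned": True}
DEFAULT_FLAGS = {"WantSAMLResponseSigned": False, "WantAssertionSigned": False,
                 "WantAssertionOrResponseSigned": True}

if __name__ == "__main__":
    report = locate_signatures(SAMPLE_RESPONSE)
    print(report)
    print("posted flags:", policy_problems(POSTED_FLAGS, report) or "accepted")
    print("default flags:", policy_problems(DEFAULT_FLAGS, report) or "accepted")
```

Run it against the Response element pasted from the trace log: with the posted flags the sample is rejected because only the assertion is signed, with the defaults it is accepted. If the reported thumbprint does not match the certificate in App_Data\Certificates, the partner certificate is the wrong one, which is the second check the reply asks for.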

Hello,

I sent a mail with log to the support.

Thank you

Thank you. I’ve replied to your email.

The latest issue is a configuration inconsistency as detailed in the email.

Thank you for your help.
With your reply, the communication with Azure AD works fine.

You’re very welcome. Thanks for the update.