The SAML response signature failed to verify

Hello,

A customer IdP partner of ours is changing the configuration he used to connect to our SP.
He said that he changed from

A signed SAML Response with an unsigned Assertion/SAMLResponse with Signed Message

to

SAML Response with SignedMessage & Assertion

This generates this error



The problem was fixed on his side by reverting this change.
Could you please provide me further information to better understand this scenario?

Thank you
Fabio

Hi Fabio,

Either scenario should work.

For the error scenario, please enable SAML trace and send the generated log file as an email attachment mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

If possible, it would be good to capture both scenarios in the log for comparison.

[quote]
ComponentSpace - 8/30/2021
Hi Fabio,

Either scenario should work.

For the error scenario, please enable SAML trace and send the generated log file as an email attachment mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

If possible, it would be good to capture both scenarios in the log for comparison.
[/quote]

Thank you, email sent!

Fabio

Thanks for the log.

This is a known issue in the .NET framework’s System.Security.Cryptography.Xml.SignedXml class. It’s been reported to Microsoft but there isn’t a fix yet.

https://github.com/dotnet/corefx/issues/41668

The issue is related to “&#13;” carriage return entity references that are included by some Java implementations.

The best option is to ignore the SAML message signature and only verify the SAML assertion signature. This doesn’t present any security issues.

You could ask the identity provider to sign the SAML assertion only.

Alternatively, change the PartnerIdentityProviderConfiguration to:

"WantAssertionOrResponseSigned": false,
"WantAssertionSigned": true,
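As an added illustration (not code from this thread, ComponentSpace or .NET), the Python below shows the XML rule that makes the carriage return references mentioned above fragile: a parser normalizes a raw CR in the input to LF but keeps a &#13; reference as a real CR, so a verifier that re-serializes the parsed document without escaping CR and parses it again canonicalizes different bytes than the signer did. The Issuer element and its text are constructed, and the re-serialize-and-reparse step models the class of digest mismatch, not the .NET implementation itself.

```python
"""Why &#13; character references are fragile in signed XML (added example)."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a Java-style serializer emitted &#13; inside a text node,
# as described in the forum answer. Any real SAML element would do.
SIGNED_FRAGMENT = b'<Issuer>https://idp.example.test&#13;</Issuer>'


def parsed_text(xml_bytes: bytes) -> str:
    """Text of the root element as the XML parser delivers it (expat applies
    XML 1.0 end-of-line normalization to raw CR but not to &#13;)."""
    return ET.fromstring(xml_bytes).text


def canonical_form(xml_bytes: bytes) -> str:
    """C14N 2.0 serialization. A conforming canonicalizer writes a CR in text
    as &#xD; so that the reference survives further parsing."""
    return ET.canonicalize(xml_bytes)


def c14n_digest(xml_bytes: bytes) -> str:
    """SHA-256 over the canonical form, the value a signer or verifier hashes."""
    return hashlib.sha256(canonical_form(xml_bytes).encode("utf-8")).hexdigest()


def naive_roundtrip(xml_bytes: bytes) -> bytes:
    """Parse and re-serialize without escaping CR (ElementTree.tostring emits
    a literal 0x0D in text). This stands in for a verifier that re-serializes
    the DOM before canonicalizing it; it is not the .NET code path."""
    return ET.tostring(ET.fromstring(xml_bytes))


def digest_survives_roundtrip(xml_bytes: bytes) -> bool:
    """True when the canonical digest is unchanged by the naive round trip.
    With a &#13; reference it is not: the literal CR becomes LF on reparse."""
    return c14n_digest(xml_bytes) == c14n_digest(naive_roundtrip(xml_bytes))


if __name__ == "__main__":
    print(repr(parsed_text(SIGNED_FRAGMENT)))                 # ends with '\r'
    print(canonical_form(SIGNED_FRAGMENT))                    # contains &#xD;
    print(repr(parsed_text(naive_roundtrip(SIGNED_FRAGMENT))))  # ends with '\n'
    print("digest unchanged:", digest_survives_roundtrip(SIGNED_FRAGMENT))
```

Requires Python 3.8 or later for ET.canonicalize.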