The XML does not contain a signature.

Hi, I have a case where I must use our IdP to implement SSO.
I use the sample code "SAML2ServiceProvider" in LowLevelAPI.

I traced the code and got the exception message "The XML does not contain a signature."
The line that raises the error in AssertionConsumerService.aspx.cs is
if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))

I think maybe I used the wrong certificate to decrypt the XML at first.
But I tried the online tool https://www.samltool.com/decrypt.php
and it can be decrypted.

So, my question is: what does the exception message mean?
Does it mean something went wrong when decrypting the XML?

Thanks for your help.

Hi Chris
We recommend using the SAML high-level API wherever possible as it’s much easier to use.
It’s possible that the SAML assertion rather than the SAML response is signed.
If SAMLMessageSignature.IsSigned returns true then you know the SAML response is signed and you can attempt to verify it by calling SAMLMessageSignature.Verify.
Otherwise, you can call SAMLResponse.GetSignedAssertion.


// Verify the SAML assertion signature and deserialize it.
SAMLAssertion samlAssertion = samlResponse.GetSignedAssertion(x509Certificate);


Hi,
Thanks for your reply. I have some reasons why I cannot use the high-level API.
I checked the SAMLResponse and saw the XML content as below.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Destination="http://localhost:51394/SAML2ServiceProvider/SAML/AssertionConsumerService.aspx?binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST" ID="jggkicdfneajjdjajcdkdaobcaoelbiihkkkgfim" InResponseTo="_bc7a60eb-1143-41b8-b74c-11586b70a489" IssueInstant="2018-03-21T07:15:30.911Z" Version="2.0">
  <saml:Issuer>xxxxxxxxxxxxxxxx</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
          <xenc:CipherData>
            <xenc:CipherValue>C2Ixf3Cv/bcXXY5+q…</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>6zMySGADJK57smcYr1ACiTKzg/D7…</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>

So I think I should decrypt it using my certificate first. I coded it as below:

// Parse the received response, then decrypt the EncryptedAssertion with the SP's private key.
SAMLResponse samlResponse = new SAMLResponse(samlResponseXml);

EncryptedAssertion encryptedAssertion = samlResponse.GetEncryptedAssertion();
SAMLAssertion samlAssertion = encryptedAssertion.Decrypt(x509Certificate.PrivateKey);


It works now; I decrypt the SAMLResponse successfully. For the next step I think I need to verify the signature.
How do I do that?

Instead of encryptedAssertion.Decrypt, call encryptedAssertion.DecryptToXml.


// Decrypt to an XmlElement so the assertion-level signature can still be checked.
XmlElement samlAssertionElement = encryptedAssertion.DecryptToXml(spX509Certificate.PrivateKey);

if (SAMLAssertionSignature.IsSigned(samlAssertionElement))
{
    if (!SAMLAssertionSignature.Verify(samlAssertionElement, idpX509Certificate))
    {
        // Handle failed signature verification.
    }
    else
    {
        SAMLAssertion samlAssertion = new SAMLAssertion(samlAssertionElement);
    }
}
else
{
    // Handle unsigned assertion.
}
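The two replies above (check the response-level signature first; if the assertion is encrypted, decrypt it to XML and check the assertion-level signature) combined into one method, as an added example that is not part of this thread and not ComponentSpace's own SAML2ServiceProvider sample. It uses only the calls shown in the thread plus SAMLResponse.IsSuccess() and SAMLResponse.GetAssertion(); the using directives are assumed to match the ComponentSpace SAML2 namespaces, and GetEncryptedAssertion() is assumed to return null when the response carries a plain saml:Assertion. The point of the structure is that with an EncryptedAssertion the IdP's signature usually sits inside the encrypted blob, so SAMLMessageSignature.IsSigned on the response is false (which is exactly why Verify threw "The XML does not contain a signature"), and an assertion that turns out to be signed at neither level must be rejected rather than used.

```csharp
// Added example, not code from the thread or from ComponentSpace's sample.
// Assumed namespaces for the ComponentSpace SAML2 low-level API:
using System;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Protocols;
using ComponentSpace.SAML2.Utility;

public static class LowLevelAssertionConsumer
{
    // samlResponseXml: the <samlp:Response> element received at the ACS endpoint.
    // idpCertificate:  the IdP's signing certificate (public key is sufficient).
    // spCertificate:   the SP's encryption certificate, including its private key.
    // Returns the verified assertion, or throws if the response cannot be trusted.
    public static SAMLAssertion VerifyAndExtractAssertion(
        XmlElement samlResponseXml,
        X509Certificate2 idpCertificate,
        X509Certificate2 spCertificate)
    {
        // Records whether a signature over the whole response has been verified.
        bool responseSigned = false;

        // 1. Some IdPs sign the whole response, others sign only the assertion.
        //    Only call Verify when a signature is actually present: Verify on an
        //    unsigned response is what raises "The XML does not contain a signature."
        if (SAMLMessageSignature.IsSigned(samlResponseXml))
        {
            if (!SAMLMessageSignature.Verify(samlResponseXml, idpCertificate))
            {
                throw new InvalidOperationException("SAML response signature verification failed.");
            }
            responseSigned = true;
        }

        SAMLResponse samlResponse = new SAMLResponse(samlResponseXml);

        // 2. Reject a non-success status before looking at any assertion.
        if (!samlResponse.IsSuccess())
        {
            throw new InvalidOperationException("SAML response status is not Success.");
        }

        // Assumption: returns null when the response holds a plain <saml:Assertion>.
        EncryptedAssertion encryptedAssertion = samlResponse.GetEncryptedAssertion();

        if (encryptedAssertion == null)
        {
            // 3a. Plain assertion. If the response itself was verified, the assertion is
            //     covered by that signature (assumed GetAssertion() deserializes it);
            //     otherwise GetSignedAssertion verifies the assertion-level signature
            //     and throws if it is missing or invalid.
            if (responseSigned)
            {
                return samlResponse.GetAssertion();
            }
            return samlResponse.GetSignedAssertion(idpCertificate);
        }

        // 3b. Encrypted assertion. Decrypt to an XmlElement rather than straight to an
        //     object so the signature carried inside the decrypted element can be checked.
        XmlElement samlAssertionElement = encryptedAssertion.DecryptToXml(spCertificate.PrivateKey);

        if (SAMLAssertionSignature.IsSigned(samlAssertionElement))
        {
            if (!SAMLAssertionSignature.Verify(samlAssertionElement, idpCertificate))
            {
                throw new InvalidOperationException("SAML assertion signature verification failed.");
            }
        }
        else if (!responseSigned)
        {
            // Neither level is signed: nothing binds this assertion to the IdP.
            throw new InvalidOperationException("Neither the SAML response nor the assertion is signed.");
        }

        return new SAMLAssertion(samlAssertionElement);
    }
}
```

Whether a response-level signature alone is acceptable, or the assertion must always be signed as well, is a policy decision; the method above accepts either but never neither. Decrypting with the SP's private key proves only that the message was addressed to this SP, not who sent it, so decryption succeeding (as with the online tool) says nothing about authenticity.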