To Salesforce as IdP: Error: Failed to generate the XML signature.

Hello,

In our application we have an SSO connection to Salesforce, where our application is the IdP. This was working fine until we updated our ComponentSpace version to fix another issue. Now we get the below error message.

- i.e. from our application, click a link and automatically log in to Salesforce.

Error: Failed to generate the XML signature.

Is there any change needed in my code to resolve this issue?

I tried updating our Salesforce certificate and private key to SHA-256 (certificate issuer also changed to www.idp.com-256), but I get the same error on the Generate() method.

I have tried both generate methods below:
SAMLMessageSignature.Generate(samlResponseXml, x509Certificate.PrivateKey, x509Certificate);
SAMLAssertionSignature.Generate(samlResponseXml, x509Certificate.PrivateKey, x509Certificate);

Current Version: 2.6.0.19

- In another test I kept my certificates SHA-2 and rolled back my DLLs, and the connection to Salesforce worked fine. This leads me to believe I am missing something with the new configuration.

Thanks,

Adam

Hi Adam
In the newer versions we default to SHA-256 for signatures rather than the previous SHA-1.
You can still generate SHA-1 signatures but this has to be specified using one of the SAMLMessageSignature.Generate overloads that takes digest and signature methods.
You’ll find this described in:
http://www.componentspace.com/Forums/5316/SHA1-vs-SHA256-XML-signatures
I suspect the reason you cannot generate SHA-256 signatures is because your private key is specifying the wrong cryptographic service provider (CSP).
Please take a look at the following topic which describes how to specify the correct CSP.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.


I'm still a little foggy on getting it to work with SHA-2 and the correct CSP.

Would this require me to regenerate the certificate with a different setting?

Apologies, I am very new to SSO and certificates.

Any additional information you can provide would be appreciated; I'm not following that much in the link.

You can use the existing certificate. In other words, no changes are required to your public and private key values.
However, the private key specifies which CSP should be used for cryptographic operations.
Not all CSPs support SHA-256 signature generation.
If you take a look at the forum post I mentioned, you’ll see you can run certutil.exe to check which CSP currently is specified.
If it’s the wrong one, you can use openssl to specify the correct CSP.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
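The two replies above describe the same root cause from different angles: the library now defaults to SHA-256 signatures, and a private key that lives in a legacy "Microsoft Strong Cryptographic Provider" (PROV_RSA_FULL) container cannot produce them, so the underlying .NET call fails with CryptographicException "Invalid algorithm specified" and the library surfaces it as "Failed to generate the XML signature". Out of band, you can confirm the container with certutil -dump idp.pfx (look at the "Provider" line) and re-export the PFX with openssl pkcs12 -export -in cert.pem -inkey key.pem -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out idp-aes.pfx. The following is an added example, not ComponentSpace's or Salesforce's code, that does the same check and repair in-process with plain .NET Framework APIs and then signs a minimal SAML response with SHA-256 via System.Security.Cryptography.Xml. It assumes .NET Framework 4.6.2 or later (where SignedXml understands rsa-sha256 without CryptoConfig registration), that the PFX was loaded with the Exportable flag, and that the file path and password come from the command line; the constant 24 is the documented PROV_RSA_AES provider type.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not ComponentSpace library code). Assumes .NET Framework 4.6.2+.
static class Sha256SigningCheck
{
    // PROV_RSA_AES (24) is the CAPI provider type that can do RSA-SHA256.
    // PROV_RSA_FULL (1), "Microsoft Strong Cryptographic Provider", cannot.
    const int ProvRsaAes = 24;

    const string RsaSha256Url = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    const string Sha256Url = "http://www.w3.org/2001/04/xmlenc#sha256";

    // Report which CSP backs the private key; this matches the "Provider" line in certutil -dump.
    public static string DescribeProvider(X509Certificate2 cert)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            return "private key is not a CAPI RSA key (CNG key or no private key)";
        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        return info.ProviderName + " (type " + info.ProviderType + ")";
    }

    // Re-home an exportable key into a PROV_RSA_AES container. This is the in-process
    // equivalent of re-exporting the PFX with openssl pkcs12 -CSP "...RSA and AES...".
    public static RSACryptoServiceProvider EnsureSha256CapableKey(X509Certificate2 cert)
    {
        var rsa = (RSACryptoServiceProvider)cert.PrivateKey;
        if (rsa.CspKeyContainerInfo.ProviderType == ProvRsaAes)
            return rsa; // already fine, nothing to do

        // Throws CryptographicException if the key was imported non-exportable;
        // in that case fix the PFX with openssl instead.
        RSAParameters parameters = rsa.ExportParameters(true);
        var aesProvider = new RSACryptoServiceProvider(new CspParameters(ProvRsaAes));
        aesProvider.ImportParameters(parameters);
        return aesProvider;
    }

    // Enveloped RSA-SHA256 signature over the element whose ID attribute is referenceId.
    public static XmlElement SignSha256(XmlDocument doc, string referenceId,
                                        RSA signingKey, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(doc) { SigningKey = signingKey };
        signedXml.SignedInfo.SignatureMethod = RsaSha256Url;
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

        var reference = new Reference("#" + referenceId) { DigestMethod = Sha256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;

        // With a PROV_RSA_FULL key this is the call that throws "Invalid algorithm specified".
        signedXml.ComputeSignature();
        return signedXml.GetXml();
    }

    // Usage: Sha256SigningCheck.exe idp.pfx <pfx-password>   (hypothetical file name)
    static void Main(string[] args)
    {
        var cert = new X509Certificate2(args[0], args[1], X509KeyStorageFlags.Exportable);
        Console.WriteLine("Key provider: " + DescribeProvider(cert));

        RSA key = EnsureSha256CapableKey(cert);

        // Constructed minimal response; a real one carries Issuer, Status and an Assertion.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_r1\"/>");

        XmlElement signature = SignSha256(doc, "_r1", key, cert);
        doc.DocumentElement.AppendChild(doc.ImportNode(signature, true));
        Console.WriteLine(doc.OuterXml);
    }
}
```

If DescribeProvider reports type 1 and ExportParameters throws, the key is non-exportable and the only fix is to rebuild the PFX with openssl as the reply above describes; once the container is PROV_RSA_AES, the library's SHA-256 default works without touching the public key or the certificate registered in Salesforce.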


Ok thanks,

I got SHA-1 working but will ultimately need to complete these steps to update our SHA-2 with the correct CSP (using openssl).

Thanks Again,

Adam

You’re welcome.


Question: I was able to use OpenSSL to set the CSP on my SHA-256 certificate to "RSA and AES" (and verified using CertUtil). However, the below line of code returns a NULL certificate. Does anything else need to change?

X509Certificate2 x509Certificate = (X509Certificate2)Application[IdPX509Certificate]; // Returns NULL when loading the new SHA-256 certificate.

I verified that my PFX password is also correct.

Thanks,

Adam
This is my fault, apologies. I had the wrong password.

- Adam

Thanks Adam for the update. I’m glad it was something simple to fix.