Unable to decrypt SAML Assertion

Hi,

With IdP-initiated SSO, I have implemented the following logic; it performs the steps below, but the code fails when it tries to decrypt the SAML assertion.

  1. Sign the SAML assertion with the IdP private key.
  2. Use the SP public key to encrypt the assertion.
  3. Construct a SAML response object.
  4. To test the SAML assertion, I then load the SP’s private key and use that to decrypt the SAML assertion; however, I am getting a “Specified Uri is not supported” error. What’s causing the issue?

// Create SAML response
samlResponse = new SAMLResponse
{
    Issuer = new Issuer(CreateAbsoluteURL("~/ ")),
    Destination = "http://localhost/sso/msssotest/account/logon",
    Status = new Status(PrimaryStatusCodes.Success, null),
    //Assertions = { encryptedAssertion }
    Assertions = new List<XmlElement> { encryptedAssertionXml }
};

// Load the SP certificate (with its private key) for decryption

string spPrivateCertPath = Server.MapPath("~/Certificate/sp.pfx");

if (!System.IO.File.Exists(spPrivateCertPath))
    throw new Exception("SP private key file not found.");

var spCertificate2 = new X509Certificate2(spPrivateCertPath, "password", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);

// Not used below: Decrypt takes the certificate itself
var spPrivateKey = spCertificate2.GetRSAPrivateKey();

XmlElement assertionXmlElement = samlResponse.Assertions[0] as XmlElement;

EncryptedAssertion encryptedAssertion = new EncryptedAssertion(assertionXmlElement);

// This call is where "Specified Uri is not supported" is thrown
var verifySamlAssertion = encryptedAssertion.Decrypt(spCertificate2, new EncryptionMethod(KeyEncryptionMethods.RSA_OAEP_MGF1P), new EncryptionMethod(DataEncryptionMethods.KW_AES_256));

This is what the encryptedAssertion looks like:

<?xml version="1.0"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
      <CipherData>
        <CipherValue>...</CipherValue>
      </CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData>
    <CipherValue>...</CipherValue>
  </CipherData>
</EncryptedData>

The "http://www.w3.org/2001/04/xmlenc#kw-aes256" data encryption algorithm is used when the symmetric key is encrypted using another symmetric key (i.e. key wrapping).

The "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" key encryption algorithm is used when the symmetric key is encrypted with an asymmetric public key.

It probably doesn’t make sense to specify these together.

Our XML encryption support is provided by .NET’s EncryptedXml class which doesn’t support the key wrapping algorithms (kw-aes256 etc).

The Configuration Guide in the product’s documentation folder lists the supported key and data encryption algorithms.

The recommended data encryption algorithm is "http://www.w3.org/2001/04/xmlenc#aes256-cbc".

Your code is making use of the SAML low-level API. For most use cases, we recommend using the SAML high-level API which handles such things as encrypting/decrypting SAML assertions and is configuration driven.

For example, SAMLIdentityProvider.InitiateSSO creates and sends a SAML response to the partner service provider including an encrypted SAML assertion, if the SAML configuration specifies the assertion should be encrypted. SAMLServiceProvider.ReceiveSSO receives and processes the SAML response including decrypting the SAML assertion. The example projects we include demonstrate calling these APIs. You’ll also find the SAML high-level API documented in the Developer Guide.
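As an added example (not the poster's code and not ComponentSpace's library), here is the same round trip done directly against .NET's EncryptedXml, which the reply says the product uses underneath: a fresh AES-256-CBC data key transported under RSA-OAEP-MGF1P, then unwrapped with the SP private key and used to decrypt. It assumes .NET 6 or later with the System.Security.Cryptography.Xml package; the certificate and the assertion are constructed in place.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
static class EncryptedAssertionDemo
{
    // IdP side: encrypt the element with a fresh AES-256-CBC key, transported under RSA-OAEP-MGF1P.
    static void Encrypt(XmlDocument doc, X509Certificate2 spCert)
    {
        XmlElement assertion = doc.DocumentElement;
        using Aes aes = Aes.Create();
        aes.KeySize = 256;
        var encryptedKey = new EncryptedKey { EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl) };
        encryptedKey.CipherData = new CipherData(EncryptedXml.EncryptKey(aes.Key, spCert.GetRSAPublicKey(), true));
        encryptedKey.KeyInfo.AddClause(new KeyInfoX509Data(spCert));
        var encryptedData = new EncryptedData { Type = EncryptedXml.XmlEncElementUrl };
        // The data algorithm must be a block-cipher URI (aes256-cbc). The key-wrap URI XmlEncAES256KeyWrapUrl
        // (kw-aes256) here is what makes DecryptData throw "The specified Uri is not supported" (no IV size for it).
        encryptedData.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url);
        encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey));
        encryptedData.CipherData.CipherValue = new EncryptedXml().EncryptData(assertion, aes, false);
        EncryptedXml.ReplaceElement(assertion, encryptedData, false);
    }
    // SP side: unwrap the AES key with the SP private key, then decrypt the assertion back in place.
    static void Decrypt(XmlDocument doc, X509Certificate2 spCert)
    {
        var encryptedData = new EncryptedData();
        encryptedData.LoadXml(doc.DocumentElement);
        EncryptedKey encryptedKey = encryptedData.KeyInfo.OfType<KeyInfoEncryptedKey>().First().EncryptedKey;
        bool oaep = encryptedKey.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl;
        using Aes aes = Aes.Create();
        aes.Key = EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, spCert.GetRSAPrivateKey(), oaep);
        var exml = new EncryptedXml(doc);
        exml.ReplaceData(doc.DocumentElement, exml.DecryptData(encryptedData, aes));
    }
    static void Main()
    {
        // Constructed stand-in for the self-signed sp.pfx the post loads from disk (assumes .NET 6+).
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=sp.example.test", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 spCert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_demo\"><Subject><NameID>alice</NameID></Subject></Assertion>");
        Encrypt(doc, spCert);  // the root is now an <EncryptedData> shaped like the one quoted above
        Decrypt(doc, spCert);
        Console.WriteLine(doc.DocumentElement.LocalName); // Assertion
    }
}
```

After Encrypt the document matches the EncryptedData/EncryptedKey layout shown above except that the outer EncryptionMethod is aes256-cbc; that is the only change the SP side needs to decrypt.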

Thanks, I can decrypt the SAML assertion now after changing the data encryption method to AES_256. However, I am having an issue on the SP side: I try to load the IdP certificate from metadata but get the following error, saying the root certificate is not trusted by the trust provider. I am testing the SSO integration locally and using the self-signed certificate from the personal certificate store. What’s wrong with this setup?

Invalid certificate file 'e:\Premier.Applications\premier.Keys\Premier.Billpay.MS\SSO\MSSSOTEST\ef602a49-a85b-44b1-ae39-1a3dd0c9f69e.cer' - chainElementStatus=A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

We don’t attempt to validate the certificate chain of self-signed certificates.

What’s the complete stack trace?

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.