Unable to verify Auth Request signature on IdP with SP initiated SSO

Hi,

For SP initiated SSO, I’ve built an IdP app to process the Auth Request and send back the SAML assertion as the response. However, when I process the Auth Request by following the steps below, verifying the signature fails.

  1. Receive the authn request over HTTP-Redirect.
  2. Identify the SP from the issuer field in the authn request.
  3. Verify the HTTP-Redirect signature.

From IdP app:

// Load the SP's certificate; only its public key is needed to verify the SP's signature.
X509Certificate2 spCertificate = LoadCertificate(spCertPath, spPassword);
// Assumed: the publicKey passed to VerifyRequestSignature is taken from spCertificate (the original snippet left it undeclared).
AsymmetricAlgorithm publicKey = spCertificate.PublicKey.Key;

// Receive the authn request over HTTP-Redirect: decodes SAMLRequest, RelayState, SigAlg and Signature from the query string.
string authnRequestXml, relayState, signatureAlgorithm, signature;
HTTPRedirectBinding.ReceiveRequest(Request, out authnRequestXml, out relayState, out signatureAlgorithm, out signature);

// Identify the SP from the Issuer element of the authn request.
string issuerName = Issuer.GetIssuerName(authnRequestXml);

// Verify the signature over the received query string using the SP's public key.
HTTPRedirectBinding.VerifyRequestSignature(Request, signatureAlgorithm, signature, publicKey);

From the SP side, I’ve implemented the following method to sign the query string:

        // Requires: using System; using System.Security.Cryptography; using System.Text;

        // Maps the SAML SigAlg URI to the .NET hash algorithm name (added helper; the original post omitted it).
        private static HashAlgorithmName GetHashAlgorithmName(string signatureAlgorithm)
        {
            switch (signatureAlgorithm)
            {
                case "http://www.w3.org/2000/09/xmldsig#rsa-sha1": return HashAlgorithmName.SHA1;
                case "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": return HashAlgorithmName.SHA256;
                default: throw new ArgumentException("Unsupported signature algorithm: " + signatureAlgorithm);
            }
        }

        // Signs the percent-encoded query string exactly as it will be sent, i.e. the
        // "SAMLRequest=...&RelayState=...&SigAlg=..." portion (RelayState only if present).
        private static string SignQueryString(string queryString, AsymmetricAlgorithm key, string signatureAlgorithm)
        {
            byte[] dataToSign = Encoding.UTF8.GetBytes(queryString);
            HashAlgorithmName hashAlgorithm = GetHashAlgorithmName(signatureAlgorithm);

            byte[] hash;
            using (var hasher = HashAlgorithm.Create(hashAlgorithm.Name))
            {
                if (hasher == null) throw new InvalidOperationException("Unknown hash algorithm: " + hashAlgorithm.Name);
                hash = hasher.ComputeHash(dataToSign);
            }

            if (key is RSA rsa)
            {
                // PKCS#1 v1.5 padding is what the rsa-sha1 / rsa-sha256 SigAlg URIs denote.
                byte[] signature = rsa.SignHash(hash, hashAlgorithm, RSASignaturePadding.Pkcs1);
                return Convert.ToBase64String(signature);
            }

            throw new InvalidOperationException("Unsupported key type for RSA signing.");
        }

I am getting the "Failed to verify signature on HTTP redirect message" error.

[SAMLSignatureException: Failed to verify signature on HTTP redirect message.]
ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.CheckSignature(String redirectURL, String encodedSignature, String messageQueryName, AsymmetricAlgorithm key, String signatureAlgorithm) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Bindings\HTTPRedirectBinding.cs:568
ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.VerifyRequestSignature(HttpRequestBase httpRequest, String signatureAlgorithm, String signature, AsymmetricAlgorithm key) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Bindings\HTTPRedirectBinding.cs:1096

I’ve checked the signature: after urldecode(), it matches the one generated on the SP side, and I use the public key from the SP certificate to verify the signature. What could be the issue here? What else can I check?
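A self-contained illustration of what the HTTP-Redirect signature covers, added here as an example and not code from the post or from ComponentSpace: the SP signs the percent-encoded query string in the fixed order SAMLRequest, RelayState, SigAlg, and the IdP verifies over the raw query string exactly as received rather than over re-encoded decoded values. The samlRequest argument is assumed to already be the DEFLATE-compressed, base64-encoded AuthnRequest, and the RSA key is constructed in Main for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not ComponentSpace code. samlRequest is assumed to already be the
// DEFLATE-compressed, base64-encoded AuthnRequest produced by the SP.
static class RedirectBindingSignature
{
    const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // SP side: sign the percent-encoded query string exactly as it will be sent, in the order the
    // binding fixes: SAMLRequest, then RelayState (only if present), then SigAlg.
    public static string BuildSignedQuery(string samlRequest, string relayState, RSA spKey)
    {
        string toSign = "SAMLRequest=" + Uri.EscapeDataString(samlRequest)
            + (relayState != null ? "&RelayState=" + Uri.EscapeDataString(relayState) : "")
            + "&SigAlg=" + Uri.EscapeDataString(RsaSha256);
        byte[] sig = spKey.SignData(Encoding.UTF8.GetBytes(toSign), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return toSign + "&Signature=" + Uri.EscapeDataString(Convert.ToBase64String(sig));
    }
    // IdP side: rebuild the signed string from the raw query string as received. Decoding the values and
    // re-encoding them can change the bytes (e.g. "+" vs "%20", upper vs lower-case hex), so verification
    // then fails even though the decoded Signature value itself matches what the SP produced.
    public static bool Verify(string rawQuery, RSA spPublicKey)
    {
        var parts = new Dictionary<string, string>();
        foreach (string kv in rawQuery.TrimStart('?').Split('&'))
        {
            int eq = kv.IndexOf('=');
            if (eq > 0) parts[kv.Substring(0, eq)] = kv.Substring(eq + 1); // values stay encoded
        }
        if (!parts.ContainsKey("SAMLRequest") || !parts.ContainsKey("SigAlg") || !parts.ContainsKey("Signature")) return false;
        if (Uri.UnescapeDataString(parts["SigAlg"]) != RsaSha256) return false; // only the algorithm agreed with the SP
        string signed = "SAMLRequest=" + parts["SAMLRequest"]
            + (parts.ContainsKey("RelayState") ? "&RelayState=" + parts["RelayState"] : "")
            + "&SigAlg=" + parts["SigAlg"];
        byte[] sig = Convert.FromBase64String(Uri.UnescapeDataString(parts["Signature"]));
        return spPublicKey.VerifyData(Encoding.UTF8.GetBytes(signed), sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }
    public static void Main()
    {
        using (RSA key = RSA.Create(2048)) // constructed test key; verification only uses its public half
        {
            string query = BuildSignedQuery("ZmFrZS1kZWZsYXRlZC1yZXF1ZXN0", "https://sp.example/return?x=1&y=2", key);
            Console.WriteLine(Verify(query, key));                                           // genuine query
            Console.WriteLine(Verify(query.Replace("SAMLRequest=Z", "SAMLRequest=Y"), key)); // tampered SAMLRequest
        }
    }
}
```

The second call shows that any change to the encoded SAMLRequest bytes invalidates the signature, which is also why a verifier that rebuilds the query from decoded values fails on a perfectly valid request.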

This is not the recommended approach.

The HTTPRedirectBinding class is part of the SAML low-level API. You should be using the SAML high-level API instead as it’s simpler to use, requires less application code, is configuration driven, and handles all the various security checks including signature generation/verification.

On the SP side, you call SAMLServiceProvider.InitiateSSO to create and send a signed SAML authn request.

For example:

SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP);

On the IdP side, you call SAMLIdentityProvider.ReceiveSSO to receive and process the signed SAML authn request.

For example:

SAMLIdentityProvider.ReceiveSSO(Request, out partnerSP);

X.509 certificates, URLs, etc. are included in the SAML configuration (e.g. the saml.config file) rather than being embedded in the code.

I highly recommend taking a look at the ExampleServiceProvider and ExampleIdentityProvider projects which are included with the product. These are described in the Examples Guide which you’ll find in the documentation folder.