Verification failed checking references

I’m seeing this error once every 1,000 - 2,000 logins. This occurs in the AssertionConsumerService on the SP after the following sequence:

The SP sends an artifact resolve request to the IdP (via SOAP)
The IdP returns an artifact response to the SP’s assertion consumer service (via SOAP)
In the assertion consumer service, the SAML response is extracted from the artifact response
We try to verify the signature of the response using the code: SAMLMessageSignature.Verify(samlResponseXml, x509Certificate)

This is where the error occurs. According to the documentation, this message indicates that the XML has been changed. This same process works most of the time. The certificate being used is the correct certificate. I’m not sure why it’s failing 10 - 15 times per day. I’m capturing the signed SAML response on the IdP side just before I send it to the SP, and I’m capturing the SAML response on the SP just before I verify the signature. There are a few differences that (I think) are introduced when the response is encapsulated in a SOAP envelope, but the same differences are present in the responses that verify successfully. The differences are:

1. xmlns:SOAP-ENV="…" is added to the samlp:Response tag, and
2. empty attribute value tags are changed from <saml:AttributeValue></saml:AttributeValue> to <saml:AttributeValue />

Just before the “verification failed checking references” message in the trace log, I see the following message:

System.Security.Cryptography.Xml.SignedXml Verbose: 13 : [SignedMessage#01fae243, VerifyReference] Reference Reference#01d2b938 hashed with "…" (SHA1CryptoServiceProvider) has hash value cc475e93ac53b9e840cc7a99b74bdbd608b2c786, expected hash value 1d1730c256033b87e59f80def6c8cf1fd95bbf9c.

I’m assuming that the first hash value is the calculated hash. Where does the expected hash value come from? I can’t find it in the message anywhere. It may not be important, but I’m at a loss as to what is causing this issue.

The message about the hashes is coming from the .NET framework. It's comparing the computed hash with the supplied hash. The supplied hash is included in the XML signature. The format of these values in the log is different from that in the XML signature.
The changes in the XML shouldn’t matter. The XML canonicalization should cater for these.
It’s possible there’s something about the content of the SAML response that’s causing issues.
I realize this is an infrequent issue, but would it be possible to enable SAML trace and capture the log files? I’d like to see the failing case as well as successful cases for comparison.
Please send captured log files to our support email account mentioning your forum post.
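The following is an added example, not code from the original thread or from the ComponentSpace library, that walks through the "checking references" step the trace message reports. It shows where the expected hash comes from (the base64 ds:DigestValue inside the signature, which the .NET trace prints as hex), that the two SOAP-transit differences described above (an unused xmlns:SOAP-ENV declaration and <x/> versus <x></x>) disappear under canonicalization and leave the digest unchanged, and that any substantive change to the signed content does not. It uses Python's standard-library canonicalize (C14N 2.0, Python 3.8+) as a stand-in for the exclusive C14N 1.0 that SAML signatures normally specify; both drop unused namespace declarations and normalize empty elements, which is the behaviour under discussion. The SAML response, the toy signer, and the function names are all constructed for this illustration.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize, fromstring

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = f"{{{DS_NS}}}Signature"

# Constructed sample: a minimal unsigned SAML Response (no real IdP data).
UNSIGNED_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Assertion ID="_a1"><saml:AttributeStatement>'
    '<saml:Attribute Name="dept">'
    '<saml:AttributeValue></saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
    '</samlp:Response>'
)


def digest_value_to_hex(digest_value_b64: str) -> str:
    """The DigestValue in the signature is base64; the .NET trace shows the
    same bytes as hex ("expected hash value ...")."""
    return base64.b64decode(digest_value_b64).hex()


def reference_digest(signed_xml: str) -> bytes:
    """Recompute the Reference digest: enveloped-signature transform (drop the
    ds:Signature subtree), canonicalize, then SHA-1 over the canonical bytes.
    This is what the trace calls 'hashed with ...' ("has hash value ...")."""
    canonical = canonicalize(signed_xml, exclude_tags=[SIGNATURE_TAG])
    return hashlib.sha1(canonical.encode("utf-8")).digest()


def attach_digest_only_signature(unsigned_xml: str) -> str:
    """Toy signer (assumption: not a real XML-DSig implementation). It embeds a
    ds:Signature carrying only the Reference DigestValue, which is all that the
    'checking references' step inspects; SignatureValue/KeyInfo are omitted."""
    digest = hashlib.sha1(canonicalize(unsigned_xml).encode("utf-8")).digest()
    signature = (
        f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo>'
        '<ds:Reference URI="#_r1"><ds:Transforms>'
        f'<ds:Transform Algorithm="{DS_NS}enveloped-signature"/></ds:Transforms>'
        f'<ds:DigestMethod Algorithm="{DS_NS}sha1"/>'
        f'<ds:DigestValue>{base64.b64encode(digest).decode()}</ds:DigestValue>'
        '</ds:Reference></ds:SignedInfo></ds:Signature>'
    )
    closing = unsigned_xml.rfind("</samlp:Response>")
    return unsigned_xml[:closing] + signature + unsigned_xml[closing:]


def simulate_soap_transit(signed_xml: str) -> str:
    """Reproduce the two harmless differences observed after SOAP encapsulation:
    an unused SOAP-ENV namespace declaration on the root, and empty elements
    collapsed to the self-closing form."""
    out = signed_xml.replace(
        "<samlp:Response ",
        '<samlp:Response xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" ',
        1,
    )
    return out.replace("<saml:AttributeValue></saml:AttributeValue>",
                       "<saml:AttributeValue />")


def check_reference(signed_xml: str) -> dict:
    """Compare computed and expected digests the way the verifier does, and
    report both in the hex form the .NET trace uses."""
    root = fromstring(signed_xml)
    digest_value = root.find(f".//{{{DS_NS}}}DigestValue").text.strip()
    expected_hex = digest_value_to_hex(digest_value)
    computed_hex = reference_digest(signed_xml).hex()
    return {"computed": computed_hex, "expected": expected_hex,
            "ok": computed_hex == expected_hex}


if __name__ == "__main__":
    signed = attach_digest_only_signature(UNSIGNED_RESPONSE)
    print("as signed:      ", check_reference(signed))
    print("after SOAP:     ", check_reference(simulate_soap_transit(signed)))
    tampered = simulate_soap_transit(signed).replace('ID="_a1"', 'ID="_a2"')
    print("content changed:", check_reference(tampered))
```

Running the block prints three comparisons: the freshly signed response and the SOAP-transit variant both report ok=True with identical hex digests, while the variant with one attribute value changed reports a different computed digest alongside the unchanged expected one, which is the shape of the failing trace line. A convenient use when debugging the intermittent case is to feed check_reference both the captured IdP-side and SP-side XML: if the two canonical forms (and so the computed digests) differ, a diff of canonicalize(..., exclude_tags=[SIGNATURE_TAG]) output for each shows exactly which bytes changed in transit.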

I sent an email on Tuesday of this week (10/4). Can you confirm that you received it?

We received an email and replied on the same day. I just now forwarded the original reply. Let me know whether or not you received it. Thanks.