I am trying to verify a SAML Response that has both the Assertion and Message signed with the same certificate. When I use VerifySAML.exe the output is:
$ VerifySAML.exe assertion.xml
Loading assertion.xml
Verifying SAML message
Verified: True
Verifying SAML assertion
Verified: False
The Message is verified, but the assertion is not. Both use the exact same logic to sign the xml. The log outputs “Verification failed checking SignedInfo.” for the Assertion validation. I read that a message like that means the certificate is wrong, however, it’s the same certificate used to sign both the message and assertion.
Any help would be greatly appreciated.
-Mark
Hi Mark
Thank you for including the log file.
The issue is being investigated and I’ll let you know as soon as there’s an update (hopefully in the next 24 to 48 hours).
The issue has been identified and resolved.
I’ll email you with an update.
Thanks.
I received your email, however, our spam filter caught it. I think I was able to recover the email, but can you verify the contents of the zip? I saw ComponentSpace.SAML2.dll and ComponentSpace.SAML2.xml.
When I replace those two files in the VerifySAML folder and try to run verifysaml.exe, I get this error:
$ VerifySAML.exe -c cority.cer assertion.xml
Loading certificate cority.cer
Loading assertion.xml
System.IO.FileLoadException: Could not load file or assembly ‘ComponentSpace.SAML2, Version=2.8.1.0, Culture=neutral, PublicKeyToken=7c51d97b3a0a8ff9’ or one of its dependencies.
The located assembly’s manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
File name: ‘ComponentSpace.SAML2, Version=2.8.1.0, Culture=neutral, PublicKeyToken=7c51d97b3a0a8ff9’
at VerifySAML.Program.VerifyMessage(XmlElement xmlElement)
at VerifySAML.Program.Main(String[] args) in C:\Program Files (x86)\ComponentSpace SAML v2.0 for .NET\Examples\Signature\VerifySAML\Program.cs:line 130
WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].
Do I need to recompile or use the supplied DLL somewhere else?
-Mark
Yes, those are the two files.
As the version number of the DLL is different, you will need to recompile VerifySAML.exe.
If there’s still an issue with the signature verification, please send the certificate file and XML file as email attachments to support@componentspace.com so we can run VerifySAML here.
Please rename the certificate file to .txt to get past our mail server.