
Good day,

We used ITfoxtec library version 1.2.2. This solution worked correctly.

We are now integrating the version 4.0.5 library. We need to use SHA-256 encoding. We used the 4.0.5 library from NuGet, following the implementation example at https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2.

We changed the AccountController, added App_Start\IdentityConfig.cs and added the IdentityConfig.RegisterIdentity() call in Global.asax.

Issue: The SigAlg and Signature parameters are missing in the provider request.

[Screenshot: SAML tracer output with ITfoxtec library version 1.2.2]

[Screenshot: SAML tracer output with ITfoxtec library version 4.0.5]

We set parameters:

  • "Saml2:IdPMetadata" = "/App_Data/metadata.xml"
  • "Saml2:Issuer" value = "http://xxx"
  • "Saml2:SignatureAlgorithm" = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
  • "Saml2:SingleSignOnDestination" = "https://yyy/oamfed/idp/samlv20"
  • "Saml2:SingleLogoutDestination" = "https://yyy/oamfed/idp/samlv20"
  • "Saml2:SigningCertificateFingerPrint" = "5d223463130bd1e290f1ae8dc064d1c48ab517c2"
  • "Saml2:CertificateValidationMode" = "None"
  • "Saml2:RevocationMode" = "NoCheck"

The parameter "Saml2:SigningCertificateFingerPrint" is a custom parameter; we load the certificate from the local machine store by thumbprint:

Saml2Configuration.SigningCertificate = CertificateUtil.Load(StoreName.My, StoreLocation.LocalMachine, X509FindType.FindByThumbprint, ConfigurationManager.AppSettings.Get("Saml2:SigningCertificateFingerPrint"));

Question: Why are the SigAlg and Signature parameters missing in the request? Bad configuration? Bad implementation?

Please help. Thank you, DM

shivlal kumavat
  • Out of interest, does the IdP metadata have "WantAuthnRequestsSigned=true" set? – Bernhard Thalmayr Jul 11 '20 at 11:16
  • Thanks for the reply. IdP metadata is set to "WantAuthnRequestsSigned=true". The IdP metadata is read by the configuration, but the WantAuthnRequestsSigned property is not read directly in this configuration. Metadata: `` Read configuration: `Saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);` – Daniel Mudrák Jul 13 '20 at 05:43

1 Answer


SAML 2.0 does not require Authn Requests to be signed by default (Logout Requests are required to be signed, though). Therefore, the ITfoxtec Identity Saml2 package does not include the SigAlg and Signature parameters in the request by default.

To sign Authn Requests, set Saml2Configuration.SignAuthnRequest = true in code, or in configuration "Saml2:SignAuthnRequest" = "true".

Edited: read from metadata

The Saml2Configuration.SignAuthnRequest can be set from the IDP metadata WantAuthnRequestsSigned.

.NET Framework sample code:

// WantAuthnRequestsSigned is a bool? in the metadata model; only override the
// configured value when the IdP metadata actually states a preference.
if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue) {
    Saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
}

.NET Framework sample IdentityConfig.cs

.NET Core sample Startup.cs

Anders Revsgaard
  • If the IdP metadata has set `WantAuthnRequestsSigned="true"` and the SAML lib reads the metadata but ignores this, I would consider this a bug in the SAML SP implementation. – Bernhard Thalmayr Jul 14 '20 at 07:42
  • Thanks. I did not notice the commented-out part `Saml2Configuration.SignAuthnRequest = true` in IdentityConfig.cs – Daniel Mudrák Jul 14 '20 at 12:11
  • It is a good idea to show how to read the WantAuthnRequestsSigned from metadata, thanks. I have added sample code and edited the answer. – Anders Revsgaard Jul 15 '20 at 13:18
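As an added example (not ITfoxtec code and not part of the original answer), the following Python shows the two things this thread turns on: reading WantAuthnRequestsSigned from IdP metadata to decide whether the SP must sign, and what a signed HTTP-Redirect request looks like next to an unsigned one, i.e. where the SigAlg and Signature parameters come from and exactly which bytes the signature covers. The metadata, the AuthnRequest and the key are constructed; the signer is a keyed-hash stand-in for the real RSA-SHA256 private-key signature so the example runs offline, and all names are the example's own.

```python
import base64
import hashlib
import hmac
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample IdP metadata (hypothetical entity, not real metadata).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed minimal AuthnRequest (hypothetical ID and destination).
SAMPLE_AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                        'ID="_req1" Version="2.0" IssueInstant="2020-07-11T11:16:00Z" '
                        'Destination="https://idp.example.test/sso"/>')


def idp_wants_signed_authn_requests(metadata_xml):
    """True/False from IDPSSODescriptor/@WantAuthnRequestsSigned, None when the attribute is absent."""
    idp = ET.fromstring(metadata_xml).find(f".//{{{MD_NS}}}IDPSSODescriptor")
    if idp is None or idp.get("WantAuthnRequestsSigned") is None:
        return None
    return idp.get("WantAuthnRequestsSigned").strip().lower() in ("true", "1")


def decide_sign_authn_request(metadata_xml, configured=None):
    """Metadata wins when it states a preference; else the explicit setting; else unsigned (the default)."""
    from_metadata = idp_wants_signed_authn_requests(metadata_xml)
    return from_metadata if from_metadata is not None else bool(configured)


def encode_saml_request(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def decode_saml_request(encoded):
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def build_redirect_query(xml_text, relay_state=None, sig_alg=None, signer=None):
    """SP side. With sig_alg=None the query carries no SigAlg/Signature (what the question's tracer
    showed). Otherwise the signature covers the URL-encoded bytes 'SAMLRequest=..&RelayState=..&SigAlg=..'
    in exactly that order, and Signature is appended last."""
    params = [("SAMLRequest", encode_saml_request(xml_text))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if sig_alg is None:
        return urllib.parse.urlencode(params)
    params.append(("SigAlg", sig_alg))
    signed_data = urllib.parse.urlencode(params)
    signature = base64.b64encode(signer(signed_data.encode("ascii"))).decode("ascii")
    return signed_data + "&" + urllib.parse.urlencode([("Signature", signature)])


def inspect_redirect_query(query):
    """Receiver side. Recover the signed bytes from the raw query without re-encoding any value;
    re-encoding is a common way to end up verifying the wrong bytes."""
    raw = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    order = [n for n in ("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg") if n in raw]
    unq = urllib.parse.unquote_plus
    return {
        "is_signed": "SigAlg" in raw and "Signature" in raw,
        "sig_alg": unq(raw["SigAlg"]) if "SigAlg" in raw else None,
        "signed_data": "&".join(f"{n}={raw[n]}" for n in order),
        "signature": base64.b64decode(unq(raw["Signature"])) if "Signature" in raw else None,
        "saml_request": unq(raw["SAMLRequest"]) if "SAMLRequest" in raw else None,
    }


def verify_redirect_query(query, verifier, required_sig_alg=RSA_SHA256):
    """Reject unsigned requests and any SigAlg other than the agreed one (RSA-SHA256, as the question
    configures) before asking `verifier` to check the signature over the signed bytes."""
    info = inspect_redirect_query(query)
    if not info["is_signed"] or info["sig_alg"] != required_sig_alg:
        return False
    return verifier(info["signed_data"].encode("ascii"), info["signature"])


# Stand-in for the SP's RSA-SHA256 private-key signature so the example runs offline with no key
# material. It is a keyed hash, NOT a signature: real code signs `data` with the SP private key and
# the IdP verifies with the SP certificate published in SP metadata.
_DEMO_KEY = b"demo-only-stand-in-key"


def demo_signer(data):
    return hmac.new(_DEMO_KEY, data, hashlib.sha256).digest()


def demo_verifier(data, signature):
    return hmac.compare_digest(demo_signer(data), signature)


def build_requests(metadata_xml=SAMPLE_IDP_METADATA, configured=False):
    """Return (always-unsigned query, query built per the metadata decision) for the same AuthnRequest."""
    sig_alg = RSA_SHA256 if decide_sign_authn_request(metadata_xml, configured) else None
    unsigned = build_redirect_query(SAMPLE_AUTHN_REQUEST, relay_state="/return")
    chosen = build_redirect_query(SAMPLE_AUTHN_REQUEST, relay_state="/return",
                                  sig_alg=sig_alg, signer=demo_signer)
    return unsigned, chosen
```

Two practical points the block makes visible: the unsigned query is not malformed, it simply has no SigAlg or Signature, which is why a tracer shows nothing wrong beyond the missing parameters; and the receiver must reconstruct the signed string from the raw (still percent-encoded) query, because RelayState and SigAlg are inside the signed data, so a tampered RelayState fails verification.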