
So I have two demo applications to test, one in .NET 4.7 and the other in .NET Core 3.1. When running the applications I'm getting different results depending on the one used.

In both of them I set CertificateValidationMode to None.

In .Net core I'm getting this error:

ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
   at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult)
   at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response)

which is good, because I modified the assertion to extend the time for testing, and at that point I'm assuming that the validation was bypassed and it is failing because it does not match.

In .Net Framework, this error is coming up:

ID4037: The key needed to verify the signature could not be resolved from the following security key
        identifier
        'SecurityKeyIdentifier(
          IsReadOnly = False,
          Count = 1,
          Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause
         )
        '. Ensure that the SecurityTokenResolver is populated with the required key.
   at System.IdentityModel.EnvelopedSignatureReader.ResolveSigningCredentials()
   at System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement()
   at System.IdentityModel.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.ReadSecurityToken(XmlNode assertionElement)
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.ReadSamlResponse(HttpRequest request, Saml2Response saml2Response)

Here I'm thinking that the validation is happening, it is not bypassed, and it is failing. Basically the Validation Mode is ignored.

Am I thinking this wrong? Thanks

1 Answer


As you say, the result looks correct regarding .NET Core.

It looks like the .NET Framework cannot find a certificate that matches the certificate used in the SAML 2.0 AuthnResponse. Maybe the .NET Framework application is not configured with the correct certificate? I do not think it has anything to do with the Validation Mode.

Anders Revsgaard
  • I looked more into it, and agreed, I don't think it is linked to the validation mode. The SignedXml has no KeyInfo; when I add a KeyInfo to the Response, I get the same error as in .NET Core. – Francois Tardif May 24 '21 at 13:11
  • Same error, but in Framework it happens when ReadSamlResponse is called, in Core when Unbind is called – Francois Tardif May 24 '21 at 13:44
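
The two behaviours discussed above can be reproduced without ITfoxtec at all, which makes it clearer that neither is caused by CertificateValidationMode: X509CertificateValidationMode only governs whether the signing certificate is trusted (chain, peer, none), not whether the XML signature's digests are checked. The following is an added example, not code from the question, the answer, or the ITfoxtec.Identity.Saml2 library. It uses plain System.Security.Cryptography.Xml (built into .NET Framework; the NuGet package of the same name on .NET Core) to sign a constructed, assertion-like element with an enveloped signature and then shows (1) that a signature without KeyInfo verifies only when the verifier is handed the key explicitly, which is what the ID4037 "key could not be resolved" error is about, and (2) that editing NotOnOrAfter after signing makes verification fail even with the correct key, which is what the "Signature is invalid" error is about. The element name, ID value, timestamps and the freshly generated RSA key are all made up for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not code from the question or from ITfoxtec.Identity.Saml2.
// Reproduces with plain System.Security.Cryptography.Xml the two effects seen in the thread:
//  1. a ds:Signature with no KeyInfo can only be verified if the verifier supplies the key;
//  2. editing the signed assertion (NotOnOrAfter) breaks the reference digest.
// The assertion XML and ID below are constructed for the demo; the key is generated on the fly.
static class EnvelopedSignatureDemo
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    const string AssertionXml =
        "<Assertion xmlns=\"" + SamlNs + "\" ID=\"_demo-assertion\">" +
        "<Conditions NotOnOrAfter=\"2021-05-24T13:00:00Z\"/>" +
        "</Assertion>";

    // Signs the assertion in place with an enveloped signature over its ID reference.
    static XmlDocument Sign(RSA key, bool includeKeyInfo)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(AssertionXml);

        var signedXml = new SignedXml(doc) { SigningKey = key };
        var reference = new Reference("#_demo-assertion");
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        if (includeKeyInfo)
        {
            // With KeyInfo present, a verifier can pull the public key out of the document itself.
            var keyInfo = new KeyInfo();
            keyInfo.AddClause(new RSAKeyValue(key));
            signedXml.KeyInfo = keyInfo;
        }

        signedXml.ComputeSignature();
        // GetXml() builds the Signature element in a separate document, so import it first.
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // explicitKey == null means "resolve the key from KeyInfo", which is what a token
    // handler ends up doing when it has not been configured with the issuer's certificate.
    static bool Verify(XmlDocument doc, RSA explicitKey)
    {
        var signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1) return false;   // exactly one enveloped signature expected

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]);
        return explicitKey == null
            ? signedXml.CheckSignature()           // needs KeyInfo; false if no key can be resolved
            : signedXml.CheckSignature(explicitKey);
    }

    // The edit from the question: extend the assertion's validity after it was signed.
    static void ExtendNotOnOrAfter(XmlDocument doc, string newValue)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        var conditions = (XmlElement)doc.SelectSingleNode("//saml:Conditions", ns);
        conditions.SetAttribute("NotOnOrAfter", newValue);
    }

    static void Main()
    {
        using (var key = RSA.Create())
        {
            var withoutKeyInfo = Sign(key, includeKeyInfo: false);
            Console.WriteLine("no KeyInfo, key supplied by verifier:   " + Verify(withoutKeyInfo, key));
            Console.WriteLine("no KeyInfo, key resolved from XML:      " + Verify(withoutKeyInfo, null));

            var withKeyInfo = Sign(key, includeKeyInfo: true);
            Console.WriteLine("KeyInfo present, key resolved from XML: " + Verify(withKeyInfo, null));

            ExtendNotOnOrAfter(withKeyInfo, "2031-05-24T13:00:00Z");
            Console.WriteLine("after editing NotOnOrAfter, right key:  " + Verify(withKeyInfo, key));
        }
    }
}
```

Two practical notes. First, the "resolve the key from XML" path is shown only to explain the Framework error; a real service provider must verify against the certificate it was configured with (in ITfoxtec terms, the certificate you put in the configuration for signature validation) and never accept a key taken from the message's own KeyInfo, because anyone can re-sign a modified assertion with a key they control and embed that key. Second, the step that CertificateValidationMode = None actually skips is trust validation of that configured certificate (expiry, chain, revocation); it does not skip the digest comparison, so a tampered assertion still fails with "Signature is invalid" in both runtimes once the key can be resolved.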