I have a small test app that I have successfully integrated with Okta as the IdP. I have also set up AWS SSO to serve as an IdP. When I switch my app over to use AWS SSO, I get the following error:

ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
   at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult)
   at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response)
   at SAML_Example.Controllers.AuthController.AssertionConsumerService() in C:\Workspace\saml\SAML_Example\AuthController.cs:line 46
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|24_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

I have verified that the Signature Algorithm being returned from AWS SSO matches what Okta returned, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Has anyone successfully configured ITfoxtec with AWS SSO?

Anders Revsgaard

2 Answers

0

Are the integrations to Okta and AWS based on their metadata, or do you configure the trust to the external IdP by configuring the IdP certificate?

It sounds like you are validating the AWS IdP against an incorrect certificate.

Anders Revsgaard
  • I am using the vendor metadata in both instances. I tried multiple different certificates on the AWS SSO side, and even tried a sha1 certificate (with the signature algorithm listed above as well as the appropriate signature algorithm for sha1) but still the same error. – user7273434 Jul 30 '21 at 10:38
  • Is the SAML 2.0 response encrypted? .NET does not support all possible cipher suites. .NET supports e.g. RSA OAEP MGF1P for asymmetric encryption. – Anders Revsgaard Aug 02 '21 at 07:53
  • I don't believe so. I am able to view the SAML object when watching in the debugger. Is there a specific data item within the returned object that I should look at to verify it is not encrypted? – user7273434 Aug 02 '21 at 12:23
  • Okay, then the SAML 2.0 response is not encrypted. – Anders Revsgaard Aug 03 '21 at 08:45
  • It seems to be failing on return CheckSignature(Saml2Signer.Certificate.GetRSAPublicKey()); in Saml2SignedXml.cs. This is calling into a .NET security library, and for some reason this passes when using Okta but does not pass when using AWS SSO. I compared the object returned from Saml2Signer.Certificate.GetRSAPublicKey() on both setups and cannot find any significant differences between the objects. Any pointers on what to look for in terms of differences would be appreciated. – user7273434 Aug 03 '21 at 14:02
  • I was able to get this to work by updating the UnbindInternal method to send in a value of false to the Read method for validateXmlSignature. It does not appear there is a programmatic or config-based way to set this, unless I am missing something. – user7273434 Aug 03 '21 at 17:31
  • If validateXmlSignature is false, the XML signature is not validated. Therefore it seems to work because the signature is actually not validated at all. – Anders Revsgaard Aug 04 '21 at 08:12
  • I have reached out to AWS to see if they have any ideas on why their signature is not able to be validated by this library. If they are not able to provide any solution, I will either need to move forward with disabling the signature validation or move on to another SAML library. – user7273434 Aug 04 '21 at 12:12
  • Is it possible for you to share a sample showing the problem? – Anders Revsgaard Aug 04 '21 at 18:31
  • I am simply using the TestWebAppCore project that is available on GitHub with the library itself and pointing it to an AWS SSO endpoint. I reached out to our AWS rep and they were able to replicate this issue, so they are taking a look on their end as well. – user7273434 Aug 05 '21 at 19:18
  • Okay, I do not have an AWS account and am therefore currently not able to test. I'll wait for your AWS rep to get back about the issue, and if necessary create an AWS account myself. – Anders Revsgaard Aug 06 '21 at 08:40
  • I have the same problem. Did you end up changing libraries? – Craig A Oct 26 '21 at 04:12
  • No, I'm afraid not. I do not know the cause of the error. – Anders Revsgaard Oct 26 '21 at 08:32
0

It is my understanding that usually the assertion tag is what is signed. In AWS's case, they sign the assertion tag as well as the entire response. The assertion tag's signature does not validate for me, but the signature for the entire response does. I figure since the assertion is in the response, it can be considered valid as well.

I removed the call to unbind and replaced it with the following:

// Replacement for the Unbind call: validate the Response-level signature when one
// is present, otherwise fall back to checking every Signature element found.
// Needs System.Linq, System.Security.Cryptography.Xml and System.Xml.
var certValidation = true;
// First IdP signing certificate loaded from the metadata (null if none is configured).
var cert = _samlConfig.SignatureValidationCertificates.FirstOrDefault();
var nodes = saml2AuthnResponse.XmlDocument
    .SelectNodes("//*[local-name()='Signature']")
    .Cast<XmlNode>()
    .ToList();
// A Signature whose parent is the Response element is the one covering the whole response.
var responseSignature = nodes.FirstOrDefault(n => n?.ParentNode?.LocalName == "Response");
if (responseSignature != null)
{
    var signedXml = new SignedXml(responseSignature.ParentNode as XmlElement);
    signedXml.LoadXml(responseSignature as XmlElement);
    // verifySignatureOnly = true: check against the pinned metadata certificate, no chain build.
    // This relies on the Response signature's Reference covering the Response (and so the Assertion).
    certValidation = signedXml.CheckSignature(cert, true);
}
else
{
    // No response-level signature: every signature present (e.g. the Assertion's) must verify.
    foreach (var node in nodes)
    {
        var signedXml = new SignedXml(node.ParentNode as XmlElement);
        signedXml.LoadXml(node as XmlElement);
        certValidation = certValidation && signedXml.CheckSignature(cert, true);
    }
}

If there is no signature on the overall response, it reverts back to the original behavior and checks every signature present.

Craig A
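A way to validate the Response signature and the Assertion signature independently, as an added example rather than code from the thread, from ITfoxtec or from AWS: each enveloped signature is checked on a stand-alone copy of its signed element, and its Reference is required to point at that element's own ID. Class and method names are assumptions, and idpCert is assumed to be the signing certificate taken from the IdP metadata.

```csharp
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not ITfoxtec's or AWS's code); class and method names are assumptions.
public static class SamlResponseSignatures
{
    static XmlNamespaceManager Nsm(XmlDocument doc)
    {
        var nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        nsm.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
        return nsm;
    }
    // Verify the enveloped ds:Signature that is a direct child of `signed` on a
    // stand-alone copy of `signed`, so other Signature elements in the document
    // cannot interfere, and require its single Reference to point at `signed`'s
    // own ID (a signature that really covers some other element is rejected).
    public static bool VerifyEnveloped(XmlElement signed, X509Certificate2 idpCert)
    {
        var copy = new XmlDocument { PreserveWhitespace = true };
        copy.LoadXml(signed.OuterXml); // assumes exclusive C14N, SAML's default
        var root = copy.DocumentElement;
        if (!(root.SelectSingleNode("ds:Signature", Nsm(copy)) is XmlElement sig)) return false;
        var signedXml = new SignedXml(root);
        signedXml.LoadXml(sig);
        if (signedXml.SignedInfo.References.Count != 1) return false;
        if (((Reference)signedXml.SignedInfo.References[0]).Uri != "#" + root.GetAttribute("ID")) return false;
        // verifySignatureOnly: trust comes from the pinned IdP certificate (metadata),
        // not from building a chain to a system root.
        return signedXml.CheckSignature(idpCert, verifySignatureOnly: true);
    }

    // Accept only if there is exactly one Assertion, a direct child of Response,
    // and every enveloped signature present (Response, Assertion or both) verifies.
    public static bool Validate(XmlDocument response, X509Certificate2 idpCert)
    {
        var nsm = Nsm(response);
        var root = response.DocumentElement;
        var assertions = root.SelectNodes("saml:Assertion", nsm).Cast<XmlElement>().ToList();
        if (assertions.Count != 1) return false;
        bool responseSigned = root.SelectSingleNode("ds:Signature", nsm) != null;
        bool assertionSigned = assertions[0].SelectSingleNode("ds:Signature", nsm) != null;
        if (!responseSigned && !assertionSigned) return false;
        if (responseSigned && !VerifyEnveloped(root, idpCert)) return false;
        if (assertionSigned && !VerifyEnveloped(assertions[0], idpCert)) return false;
        return true;
    }
}
```

Checking each signed element on its own copy removes any dependence on how SignedXml numbers multiple enveloped signatures in one document, which (an assumption about the cause, not something the thread establishes) is the first thing to look at when an Assertion signature fails only while a Response-level signature precedes it. Exclusive C14N is assumed; an inclusive-C14N signature would additionally need the ancestor xmlns declarations carried onto the copy.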