
I'm using ITfoxtec.Identity.Saml2 4.8.0, .NET 6 and am attempting to use AWS SSO as an IdP for an MVC app. I am using the sample code on the project home page.

I'm having a problem with the signature verification on the SAML response AWS posts back to me via browser redirect after I successfully log into the IdP.

In stepping through the code there is a two-phase signature verification: the first on the signature node of the entire response XML, and the second on the signature of the assertion node within the response XML. In my case the signature verification is successful on the overall document, but is failing on the assertion node (false is returned here).

Has anyone else come across this issue or have any suggestions for next steps in troubleshooting? I've read through much of the library and see whitespace being preserved while loading XML, and the canonicalization used by AWS matches what the library is applying. The payload from AWS has the public cert in both signature blocks and they are the same in both places (and match what I have in my PEM file).

thursdays

1 Answer


I do not know what the problem is, I'm afraid. I have never been able to debug the issue. Here another one is having the same problem: ITfoxtec SAML 2.0: InvalidSignatureException When Configuring AWS SSO.

Anders Revsgaard
  • I'm not a SAML expert, but it seems to me that if the sig on the entire SAML response is validated, then also validating the assertions wouldn't be necessary (since their content would be hashed in with the rest of the XML being signed at the parent level). Is that a safe assumption? Any thoughts on a PR that adds an "OnlyValidateRootSamlResponseSignature" boolean that could be set to true for AWS SSO sign-in flows? – thursdays Mar 14 '22 at 13:07
  • Actually I think Craig A's suggestion is better than mine, I will work with that (in a fork) instead for now. – thursdays Mar 14 '22 at 13:24
  • It would be best to validate both the response and assertion signature. Debug questions: 1) Does AWS use SHA-1 or SHA-256? 2) Is there more than one signing certificate in the AWS metadata? – Anders Revsgaard Mar 14 '22 at 19:25
  • SHA-256, the signing cert is included in the signature blocks for both the document and assertion and is the same in both cases. – thursdays Mar 15 '22 at 20:27
  • The signing cert in the metadata matches the signature blocks in both assertion and response (so just one cert used in both places). – thursdays Mar 15 '22 at 22:02
  • I'm afraid that I do not know the reason for this error... – Anders Revsgaard Mar 18 '22 at 09:01
  • 1) Does AWS use SHA-1 or SHA-256? SHA-256, but you have an option to use SHA-1; signature verification fails with both. 2) Is there more than one signing certificate in the AWS metadata? Only one cert in the metadata and only one active certificate at any moment. How can we manually specify the certificate instead of specifying it through the metadata file? I would like to see if it makes any difference, and how can we validate that the library is able to extract the pub key from the cert? Does the library take into account that AWS certs are padded as a result of base64 encoding? – Techievent.in Mar 20 '22 at 08:16
  • The base64 certificate is read from metadata and added like this https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Startup.cs#L50. You can load the public certificate from a local file with CertificateUtil.Load(...) – Anders Revsgaard Mar 22 '22 at 08:51
  • Link to issue https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/issues/119 – Anders Revsgaard Oct 24 '22 at 13:47
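Following the comment about loading the public certificate with CertificateUtil.Load(...), here is an added example (not from the thread and not the library's own sample) of a ConfigureServices fragment that pins the IdP signing certificate from a local file and cross-checks it against the certificate advertised in the IdP metadata before any SAML response is validated. The metadata URL and the file name are placeholders, and the property names on Saml2Configuration follow the project's TestWebAppCore sample as I remember it.

```csharp
using System;
using System.Linq;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;
using ITfoxtec.Identity.Saml2.Util;
using Microsoft.Extensions.DependencyInjection;

// Inside Startup.ConfigureServices(IServiceCollection services); added example.
services.Configure<Saml2Configuration>(config =>
{
    // 1) Certificate the IdP metadata advertises (what the sample code relies on).
    //    URL is a placeholder for the AWS SSO metadata endpoint.
    var entityDescriptor = new EntityDescriptor();
    entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri("https://IDP-METADATA-URL-PLACEHOLDER"));
    var idp = entityDescriptor.IdPSsoDescriptor
        ?? throw new InvalidOperationException("IdPSsoDescriptor not loaded from metadata.");
    var metadataCert = idp.SigningCertificates.FirstOrDefault()
        ?? throw new InvalidOperationException("No signing certificate in IdP metadata.");

    // 2) Certificate pinned from a local public-key file (assumed file name).
    var localCert = CertificateUtil.Load("aws-sso-signing-cert.pem");

    // Fail at startup on a mismatch (stale metadata download, wrong file) instead of
    // surfacing it later as a signature verification failure on a live login.
    if (!string.Equals(metadataCert.Thumbprint, localCert.Thumbprint, StringComparison.OrdinalIgnoreCase))
    {
        throw new InvalidOperationException(
            $"IdP signing cert mismatch: metadata {metadataCert.Thumbprint} vs file {localCert.Thumbprint}");
    }

    // Validate response and assertion signatures against the pinned certificate only.
    config.SignatureValidationCertificates.Clear();
    config.SignatureValidationCertificates.Add(localCert);
    config.SingleSignOnDestination = idp.SingleSignOnServices.First().Location;
});
services.AddSaml2();
```

Logging both thumbprints at startup also answers the "is the library extracting the right public key" question from the thread, since the thumbprint is computed over the decoded DER bytes regardless of base64 padding.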