Forums, Documentation & Knowledge Base - ComponentSpace

The SAML response signature failed to verify


https://www.componentspace.com/forums/Topic11720.aspx

By fabio - 8/29/2021

Hello,

a customer idp partner of our is changing his own configuration he used to have to connect to our SP.
He said that he changed from 

A signed SAML Response with an unsigned Assertion/SAMLResponse with Signed Message

to

SAML Response with SignedMessage & Assertion

This generates this error



The problem was fixed on his side reverting this change.
Could you please provide me further information to better understand this scenario?

Thank you
Fabio

By ComponentSpace - 9/2/2021

Thanks for the log.

This is a known issue in the .NET framework’s System.Security.Cryptography.Xml.SignedXml class. It’s been reported to Microsoft but there isn’t a fix yet.

https://github.com/dotnet/corefx/issues/41668

The issue is related to “
” carriage return entity references that are included by some Java implementations.

The best option is to ignore the SAML message signature and only verify the SAML assertion signature. This doesn’t present any security issues.

You could ask the identity provider to sign the SAML assertion only.

Alternatively, change the PartnerIdentityProviderConfiguration to:

"WantAssertionOrResponseSigned": false,
"WantAssertionSigned": true,