ComponentSpace.SAML2.SAMLSignatureException: Failed to verify the XML signature. --->...
Manikumar
New Member (9 reputation)

Group: Forum Members
Posts: 7, Visits: 15
Hello Team,

We have been struggling to figure out why the verification fails for the signature of a SAML response from a client. We are getting the following error no matter how many trials we have made to resolve the issue. This is an extremely high-priority issue which we have been struggling to get through for 4 days.
ComponentSpace.SAML2.SAMLSignatureException: Failed to verify the XML signature. ---> System.Security.Cryptography.CryptographicException: Malformed reference element.
I strongly believe that the signature that was sent in the SAML response by the client has some issue and hence it cannot be verified with the certificate that the client has shared with us. But we are not sure of a way to prove this point.
We are using the following .NET version of ComponentSpace to verify the signature.
Assembly ComponentSpace.SAML2, Version=2.4.0.13, Culture=neutral, PublicKeyToken=7c51d97b3a0a8ff9

I am attaching the SAML response XML. I tried to attach the certificate too, but unfortunately I couldn't. Request you to please take a look at the SAML response as soon as you can and let us know what could be the reason. Appreciate your help and thanks in advance.

Also please let us know if there is a way to verify the signature with the certificate that is installed on our system.

Regards,
Manikumar

Attachments
SAMLPayLoadValueMed.xml (5 views, 5.00 KB)
Manikumar
New Member (9 reputation)

Group: Forum Members
Posts: 7, Visits: 15
Manikumar - 9/24/2020
Hello Team,

We have been struggling to figure out why the verification fails for the signature of a SAML response from a client. We are getting the following error no matter how many trials we have made to resolve the issue. This is an extremely high-priority issue which we have been struggling to get through for 4 days.
ComponentSpace.SAML2.SAMLSignatureException: Failed to verify the XML signature. ---> System.Security.Cryptography.CryptographicException: Malformed reference element.
I strongly believe that the signature that was sent in the SAML response by the client has some issue and hence it cannot be verified with the certificate that the client has shared with us. But we are not sure of a way to prove this point. Hence we have created a console app to show where it fails and with what exception.
We are using the following .NET version of ComponentSpace to verify the signature.
Assembly ComponentSpace.SAML2, Version=2.4.0.13, Culture=neutral, PublicKeyToken=7c51d97b3a0a8ff9

I am attaching the SAML response XML. I tried to attach the certificate too, but unfortunately I couldn't (so I added some screenshots). Request you to please take a look at the SAML response as soon as you can and let us know what could be the reason. Appreciate your help and thanks in advance.

Also please let us know if there is a way to verify the signature with the certificate that is installed on our system.

Regards,
Manikumar

ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Hi Manikumar,

Thanks for including the SAML response XML. The issue isn't with the certificate. Instead, the IdP's XML signature implementation is incorrect.

The SAML response ID is 5a2f63e1-284a-42c1-8403-b2365b64ebbe. The reference URI in the SAML response signature is 81715e6b-c9b3-4d89-b211-bb08d8252432. It should be 5a2f63e1-284a-42c1-8403-b2365b64ebbe. The SAML assertion ID is 81715e6b-c9b3-4d89-b211-bb08d8252432. They seem to have mixed these up.

If instead they intended to sign the SAML assertion, the signature should be a child of the assertion, not the SAML response.

You should go back to them with this information and ask they correct their implementation.

The other thing to note is that they're using SHA-1. We support this but highly recommend using SHA-256 instead.

Regards
ComponentSpace Development
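The mismatch described in this reply can be spotted mechanically before the signature is ever verified. The following script is an added example written for this thread, not ComponentSpace code: it walks every ds:Signature in a SAML message, compares the Reference URI with the ID of the element the signature is enveloped in, reports which element the URI actually points at, and flags SHA-1 algorithm identifiers. The sample response is constructed here using the two IDs quoted above, with placeholder digest and signature values.

```python
# Added diagnostic (not ComponentSpace code): checks that each enveloped XML-DSig
# <Signature> in a SAML message references the element it is a child of.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1_ALGS = ("http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1")
local = lambda el: el.tag.split("}")[-1]  # local name without the namespace URI

# Constructed sample using the IDs quoted in the reply above; DigestValue and
# SignatureValue are placeholders because only the structure is checked here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="5a2f63e1-284a-42c1-8403-b2365b64ebbe" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#81715e6b-c9b3-4d89-b211-bb08d8252432">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="81715e6b-c9b3-4d89-b211-bb08d8252432" Version="2.0"/>
</samlp:Response>"""

def check_signatures(xml_text):
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    ids = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    findings = []
    for sig in root.iter(DS + "Signature"):
        signed = parent_of.get(sig, root)  # an enveloped signature must cover its parent
        ref = sig.find(DS + "SignedInfo/" + DS + "Reference")
        uri = (ref.get("URI") or "").lstrip("#") if ref is not None else ""
        target = ids.get(uri)  # element the Reference URI actually resolves to, if any
        algs = [m.get("Algorithm") for m in sig.iter() if local(m) in ("SignatureMethod", "DigestMethod")]
        findings.append({
            "signed_id": signed.get("ID"),          # ID the reference should carry
            "reference_uri": uri,                   # ID the reference does carry
            "reference_ok": uri == signed.get("ID"),
            "uri_points_to": local(target) if target is not None else None,
            "uses_sha1": any(a in SHA1_ALGS for a in algs),
        })
    return findings

if __name__ == "__main__":
    for finding in check_signatures(SAMPLE_RESPONSE):
        print(finding)
```

On the constructed sample the report shows reference_ok False with uri_points_to Assertion, which is exactly the Response/Assertion mix-up diagnosed above; a signature placed inside the Assertion with a matching URI would pass this check.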
Manikumar
New Member (9 reputation)

Group: Forum Members
Posts: 7, Visits: 15
Hello Team,

Thank you for the very quick response. I have posted your suggestions to the client. Waiting for them to come back. Once the issue is resolved, or if there are still any other issues, I will let the forum know.
One more ask from me: is there a way I can verify the signature with the certificate and figure out what the issue could be? I mean, do we have a tool or something like that to quickly figure out what the problem could be?

Regards,
Manikumar.
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Hi Manikumar,

The VerifySignature console app project under the Examples\Signature folder may be used to verify signatures. However, it won't provide much more detail than the exception message (malformed reference element).

Regards
ComponentSpace Development
Manikumar
New Member (9 reputation)

Group: Forum Members
Posts: 7, Visits: 15
Thanks for your support. We got an update from the client. The issue has been resolved after updating the right IDs in the signature section. The verification was successful and the client was able to come into our system. However, the other recommendation shared, to use SHA256 instead of SHA1 in the signature of the response, doesn't work. I can clearly see the certificate uses SHA256, and after the client changed the signature to use SHA256, the following exception has been thrown from the method SAMLMessageSignature.Verify.

SignatureDescription could not be created for the signature algorithm supplied.

So we have requested the client to use SHA1 in their signature, which works all the time, even though the certificate has SHA256 to be used.
May I know the reason why SHA1 in the signature works and SHA256 doesn't? What is the significance and relation between SHA256 on the certificate and SHA1 on the signature? Thanks in advance.

Regards,
Manikumar.
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
There's no relationship between the algorithm used to sign the certificate and that used to sign the XML. You can have a SHA-256 signed certificate used to generate a SHA-1 signature on the SAML response and vice versa.

The SignatureDescription error relates to missing support for SHA-256. I noticed you're using version 2.4.0.13. This release is eight years old and doesn't include this support. I recommend upgrading at some stage to pick up support for SHA-256. You'll find the release notes at:

https://www.componentspace.com/Forums/8576/Release-Notes


Regards
ComponentSpace Development