ComponentSpace Forums

The SAML assertion failed to verify and the response isn't signed.

sidatp7
New Member (4 reputation)

Group: Forum Members
Posts: 3, Visits: 8
I am receiving the following error trying to integrate ComponentSpace with Azure AD.

  • SamlSignatureException: The SAML assertion failed to verify and the response isn't signed.
    • ComponentSpace.Saml2.SamlServiceProvider.VerifySamlAssertionSignatureAsync(AssertionListItem assertionListItem)
    • ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
    • ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, string relayState)
    • ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()
    • BlazorServerServiceProvider.Controllers.SamlController.AssertionConsumerService() in SamlController.cs
      var ssoResult = await _samlServiceProvider.ReceiveSsoAsync();
    • Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor+TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, object controller, object[] arguments)
    • System.Threading.Tasks.ValueTask<TResult>.get_Result()
    • System.Runtime.CompilerServices.ValueTaskAwaiter<TResult>.GetResult()
    • Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask<IActionResult> actionResultValueTask)
    • Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted)
    • Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
    • Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted)
    • Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted)
    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted)
    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
    • Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
    • Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
    • Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
    • Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)





ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Typically this will be a certificate configuration issue. Please check that the partner identity provider certificate in your SAML configuration is correct.

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to [email protected].

https://www.componentspace.com/forums/7936/Enabling-SAML-Trace 

Regards
ComponentSpace Development
sidatp7
New Member (4 reputation)

Group: Forum Members
Posts: 3, Visits: 8
I have downloaded the Base64 certificate from Azure SSO and added it to the example application service provider under the Azure AD configuration in appsettings.json.

here is the SAML response:

<samlp:Response ID="_0cf0803c-3660-4fe2-96be-48c162cf9a64" Version="2.0" IssueInstant="2022-11-18T17:15:02.997Z" Destination="https://localhost:44326/SAML/AssertionConsumerService" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/9146dd1a-609e-4748-b407-f23657ce3e60/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="_9563ae20-02b3-4b52-9a61-639d32138200" IssueInstant="2022-11-18T17:15:02.981Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/9146dd1a-609e-4748-b407-f23657ce3e60/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="#_9563ae20-02b3-4b52-9a61-639d32138200">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>prnCcKNUX+LswV6cr1ibKgoWDJzmgzIVC2VbsBKkYYA=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>Au7eym35RkG23eK4XyY6bgnaPNhCX6ehZb2WOoo0+H+rUI9Yb/lFavV8KeRj9xN48m7nDVztEWFJlaOKadVus2ROA9jQOgfLuAS43iWTFcXsxEpVdOl+cHgH1QqFyueJqQZsaEpfIhbOPQyxJdchdddz7ZaL2W3hQzSpMn4JZ9pdHytJYXLinkBEgv9BNLrwrz27Y4lY43Jnw/w5R4g44jxkfbujKVKHS70B3R0ouiKlfoY1MRwULoe1+hcI75CJa3xmRfDSn/q9hYqS8ELohSSktGjfjmALVCneNAya0ppwcr3twWXSOx+QH8J775tf8xY2ZDXHUhoEGpcbX/flRg==</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>MIIC/jCCAeagAwIBAgIQCGehfcnv6r5My/fnrbfDejANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwp3d3cuc3AuY29tMB4XDTEzMTEyMjA4MjMyMVoXDTQ5MTIzMTE0MDAwMFowFTETMBEGA1UEAxMKd3d3LnNwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPm/ew9jaGWpQS1C7KtpvgzV4nSOIFPgRt/nlRYR+pUWdDEfSKmyjK28nkQ1KKujRJTnvnmZydmUrmEFpVv+giBiUkvCJY3PxZ/EDSsF3R/OzWhkUv5nfAXPnqkX9x22b6+vUof6WiLGyAW6lOYMCVADjTSl9pSaUtIaANdx9maERcT9eQbGSnjim0WurFRYs9ZE8ttErrMH9+Su4246YDqOPAkz6La4cHHMPQdcFQT5p/cuXBfU1vl1tWdBEgAY3xHYZE8u5TTJ/vp9UxyU1MwfeO2g9VDRcokLQHrj6wFxtvufA+WtUKYJGUu2p/qSuaw7eS6UFjUn49aVqg9OacCAwEAAaNKMEgwRgYDVR0BBD8wPYAQ1/S0ibdvfdFkJ9T9oIPluKEXMBUxEzARBgNVBAMTCnd3dy5zcC5jb22CEAhnoX3J7+q+TMv35623w3owDQYJKoZIhvcNAQELBQADggEBAAHlmVoAZUt6paeFvtQbc/iaJe/Fhd+JG1U0jyjlFDcCn8erLihEbhb3mFBBMF25oO67gfA1JJXZrmHry3NlOZuovqRqm8v7wg8n0nQa1HUWkUC2TBgfg1HE8/2rmSF2PngiEi18VOxRDxx0WXMNZX6JebJ1kCOCpT/x7aupS7T1GrIPmDLxjnC9Bet7pRynfomjP/6iU21/xOIF6xB9Yf1a/kQbYdAVt2haYKIfvaF3xsq1X5tCXc9ijhBMgyaoqA+bQJD/l3S8+yCmMxEYZjAVLEkyGlU4Uwo01cKEYbXIG/YVq+4CaIRxIfMvV+j8gzTLHTXI+pHEMfMhyYa0pzM=</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sidatp1262_outlook.com#EXT#@sidatp1262outlook.onmicrosoft.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2022-11-18T18:15:02.528Z" Recipient="https://localhost:44326/SAML/AssertionConsumerService"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2022-11-18T17:10:02.528Z" NotOnOrAfter="2022-11-18T18:15:02.528Z">
      <AudienceRestriction>
        <Audience>https://ExampleServiceProvider</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>9146dd1a-609e-4748-b407-f23657ce3e60</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>6abd57c9-cc0a-40f2-805d-7242b448fd8b</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <AttributeValue>Sid p</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>live.com</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
        <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
        <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
        <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>Sid</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>p</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>[email protected]</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>sidatp1262_outlook.com#EXT#@sidatp1262outlook.onmicrosoft.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2022-11-15T17:23:00.196Z" SessionIndex="_9563ae20-02b3-4b52-9a61-639d32138200">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

sidatp7
New Member (4 reputation)

Group: Forum Members
Posts: 3, Visits: 8
sidatp7 - 11/18/2022
I have downloaded the Base64 certificate from Azure SSO and added it to the example application service provider under the Azure AD configuration in appsettings.json.

here is the SAML response: 




Attachments
samlresponse.txt (1 view, 6.00 KB)
ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
You'll see under the <Signature> there's an <X509Certificate>. Copy the string MIIC/jCCAeagA... ...Ya0pzM= to a text file with a .cer extension.

This is the certificate you should be using to verify the signature.

If there's still an issue, you will need to send the log file as requested.

Regards
ComponentSpace Development
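A small diagnostic for the situation in this thread, added here as example code (it is not ComponentSpace's code and not from either poster): it pulls the <X509Certificate> out of the assertion's <Signature>, checks that the signature's Reference URI points at the assertion's own ID, and compares the SHA-1 thumbprint of that certificate with the one configured for the partner identity provider, so a mismatch like the one above is visible before any signature maths runs. The certificate embedded in a response is used here only to diagnose which key signed it; the service provider must keep verifying against the certificate it was configured with out of band, never against whatever the incoming message carries. The sample response, certificate bytes and function names are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def cert_text_to_der(text: str) -> bytes:
    # Accept raw Base64 (KeyInfo, appsettings.json) or a PEM block; drop armor and wrapping.
    body = [ln for ln in text.splitlines() if not ln.strip().startswith("-----")]
    return base64.b64decode("".join("".join(body).split()))


def embedded_signing_cert(response_xml: str) -> bytes:
    """DER bytes of the <X509Certificate> inside the assertion's <Signature>."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext <Assertion> in the response")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("the assertion carries no <Signature>")
    # The Reference must point at the assertion's own ID; otherwise the
    # signature covers some other element and verification cannot succeed.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("signature Reference does not point at the assertion")
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("signature carries no <X509Certificate>")
    return cert_text_to_der(cert.text)


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint, upper-case hex, as Azure AD and certmgr display it."""
    return hashlib.sha1(der).hexdigest().upper()


def diagnose(response_xml: str, configured_cert: str) -> dict:
    # Diagnostic only: verification itself must still use the configured certificate.
    embedded = thumbprint(embedded_signing_cert(response_xml))
    configured = thumbprint(cert_text_to_der(configured_cert))
    return {"embedded": embedded, "configured": configured, "match": embedded == configured}


# Constructed sample in the shape of the posted response; the bytes are not a real
# certificate, and the Base64 is wrapped like the DigestValue in the thread.
IDP_CERT_B64 = base64.b64encode(b"constructed-dummy-idp-certificate").decode()
OTHER_CERT_B64 = base64.b64encode(b"constructed-cert-of-another-app").decode()
SAMPLE_RESPONSE = f"""<samlp:Response ID="_r1" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion ID="_a1" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI="#_a1"/></SignedInfo>
      <KeyInfo><X509Data><X509Certificate>{IDP_CERT_B64[:16]}
        {IDP_CERT_B64[16:]}</X509Certificate></X509Data></KeyInfo>
    </Signature>
  </Assertion>
</samlp:Response>"""
```

Run diagnose() with the response from the SAML trace log and the certificate string from appsettings.json; a "match": False result points at the configuration rather than at the library.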