Forums, Documentation & Knowledge Base - ComponentSpace

SAML Assertion Signing


https://www.componentspace.com/forums/Topic12080.aspx

By dreed83 - 4/22/2022

I inherited ComponentSpace from my dev team and cannot understand how to correctly bind the certificate to sign correctly.
We've updated our public certificate and everything except assertions requiring signature are working. All Service Partners, IP, and IDP function just fine, but when I go to sign an assertion the code breaks down for crypto reasons.

What certificate is used in the signing process?  The IDP PFX?  Should this be converted to PFX from a PEM or specific format?  Should it include public and private keys?

4/22/2022 11:27:27 AM : - RxFormsController:OASSO() : Exception occurred for user CV*******. System Message : Exception Message : Failed to generate XML signature. Exception Message : Invalid algorithm specified.
Stack Trace :  at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
 at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash, Int32 cbHash, ObjectHandleOnStack retSignature)
 at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash)
 at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash)
 at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) Stack Trace :  at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
 at ComponentSpace.SAML2.InternalSAMLIdentityProvider.CreateSAMLResponse(String userName, SAMLAttribute[] attributes, Status status, String assertionConsumerServiceUrl)
 at ComponentSpace.SAML2.InternalSAMLIdentityProvider.InitiateSSO(HttpResponseBase httpResponse, String userName, SAMLAttribute[] attributes, String relayState, String partnerSP, String assertionConsumerServiceUrl)
 at ComponentSpace.SAML2.SAMLIdentityProvider.InitiateSSO(HttpResponseBase httpResponse, String userName, IDictionary`2 attributes, String relayState, String partnerSP)
 at ProviderPortal.Controllers.PageControllers.Authorization.RxFormsController.OASSO(String id, String memberId)

Any help appreciated. Also sent an email in for support.

By ComponentSpace - 4/22/2022

The PFX file includes the public key and private key and it's the private key that's used when signing SAML responses and SAML assertions. 

SHA-256, SHA-384 and SHA-512 XML signatures require the use of the Microsoft Enhanced RSA and AES Cryptographic Provider.

The PFX file includes a property specifying which cryptographic service provider to use. This must specify the Microsoft Enhanced RSA and AES Cryptographic Provider.

More information, including how to update the PFX, may be found at:

https://www.componentspace.com/forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
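The CSP name lives inside the PFX as a key-bag attribute (OID 1.3.6.1.4.1.311.17.1, "Microsoft CSP Name"). On .NET Framework, RSACryptoServiceProvider hands the signing operation to whichever CAPI provider that attribute names; the older PROV_RSA_FULL providers (for example "Microsoft Strong Cryptographic Provider") only implement SHA-1 signing, so a SHA-256 signature request fails with exactly the "Invalid algorithm specified" CryptographicException in the stack trace above. The script below is an added example, not code from the ComponentSpace post, the linked knowledge-base article or the library: it builds a throwaway PFX carrying the wrong provider name, shows how to read the attribute back with OpenSSL, and re-exports the PFX with "Microsoft Enhanced RSA and AES Cryptographic Provider". It assumes OpenSSL 1.1 or later on PATH; the key, certificate subject, file names and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the ComponentSpace post or library). Inspects and
# rewrites the Microsoft CSP name attribute in a PFX so that .NET Framework's
# RSACryptoServiceProvider can produce SHA-256 XML signatures.
# Assumes OpenSSL 1.1+ on PATH; key, cert, file names and passphrase are made up.
set -eu

CSP_LEGACY="Microsoft Strong Cryptographic Provider"             # PROV_RSA_FULL: SHA-1 signing only
CSP_AES="Microsoft Enhanced RSA and AES Cryptographic Provider"  # PROV_RSA_AES: SHA-2 capable
PASS="pass:changeit"   # demo passphrase only

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway RSA key and self-signed cert standing in for the IdP signing cert.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=idp.example.com" \
        -keyout "$WORK/idp.key" -out "$WORK/idp.crt" 2>/dev/null
}

# Export key + cert into a PFX, stamping the given CSP name on the key bag.
# $1 = output PFX, $2 = CSP name
export_pfx() {
    openssl pkcs12 -export -in "$WORK/idp.crt" -inkey "$WORK/idp.key" \
        -name "idp-signing" -CSP "$2" -passout "$PASS" -out "$1" 2>/dev/null
}

# Print the CSP name recorded in the PFX key bag (empty if the attribute is absent).
# OpenSSL prints it as a "Bag Attributes" line: "    Microsoft CSP Name: <name>".
pfx_csp_name() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nocerts -nodes 2>/dev/null \
        | sed -n 's/^ *Microsoft CSP Name: //p'
}

# "yes" if the PFX actually carries a private key, "no" if it is public-only
# (a public-only PFX cannot sign anything, whatever the CSP attribute says).
pfx_has_private_key() {
    if openssl pkcs12 -in "$1" -passin "$PASS" -nocerts -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY"; then echo yes; else echo no; fi
}

# Fix an existing PFX: unwrap to PEM, then re-wrap with the AES-capable CSP.
# The key material is unchanged; only the provider attribute differs.
# $1 = input PFX, $2 = output PFX
fix_pfx_csp() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nodes -out "$WORK/unwrapped.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/unwrapped.pem" -name "idp-signing" \
        -CSP "$CSP_AES" -passout "$PASS" -out "$2" 2>/dev/null
    rm -f "$WORK/unwrapped.pem"   # plaintext private key: do not leave it behind
}

# Demo run: start from a PFX with the SHA-1-only provider, then repair it.
make_test_cert
export_pfx "$WORK/old.pfx" "$CSP_LEGACY"
echo "before: csp='$(pfx_csp_name "$WORK/old.pfx")' private_key=$(pfx_has_private_key "$WORK/old.pfx")"
fix_pfx_csp "$WORK/old.pfx" "$WORK/new.pfx"
echo "after:  csp='$(pfx_csp_name "$WORK/new.pfx")' private_key=$(pfx_has_private_key "$WORK/new.pfx")"
```

Two caveats for real use. The unwrap step writes the private key to disk unencrypted, so run it on the host that will hold the key and delete the PEM afterwards as the script does. And OpenSSL 3 encrypts the exported PFX with PBES2/AES by default, which older Windows releases refuse to import; if the import fails, re-run the export with OpenSSL 3's `-legacy` option. The provider attribute only matters for CAPI-backed keys on .NET Framework; on .NET Core/.NET 5+ the key is loaded through CNG and the attribute is ignored.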