Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

WsFederationMessage.GetToken() is appending "
" to SAML (Formatting is breaking signature check - Sign in fails)

See original GitHub issue

WS Federation was working for me prior to upgrading to .NET Core 3. I have a typical setup shown below, followed by exception that began after the upgrade. Not sure if there is any changes I should make to affect / resolve this.

Also it would be nice if I could step into the code (could not load module / find symbols). I may be missing something there - let me know if there is a way for me to step through and troubleshoot further.

I’m using Microsoft.AspNetCore.Authentication.WsFederation 3.0.0, which depends on / brings in Microsoft.IdentityModel.Protocols.WsFederation (>= 5.5.0).

            services.AddAuthentication(sharedOptions =>
            {
                sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
            })
            .AddWsFederation(federationOptions =>
            {
                federationOptions.MetadataAddress = _options.MetadataAddress;
                federationOptions.Wtrealm = _options.Realm;
                federationOptions.Events.OnSecurityTokenValidated = OnSecurityTokenValidated;
                federationOptions.Events.OnRedirectToIdentityProvider = OnRedirectToIdentityProvider;
            })
            .AddCookie(cookieOptions =>
            {
                cookieOptions.ExpireTimeSpan = TimeSpan.FromDays(1);
                cookieOptions.Events.OnValidatePrincipal = OnValidateCookiePrincipal;
                cookieOptions.Events.OnRedirectToAccessDenied = OnRedirectToAccessDenied;
            });

Exception occurred while processing message. [Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler] 
 Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'. , KeyId: 0F0AC48C0B8FB903E0F49823DD2C133908EF139E
'.
Exceptions caught:
 'Microsoft.IdentityModel.Xml.XmlValidationException: IDX30200: The 'Signature' did not validate. CryptoProviderFactory: 'Microsoft.IdentityModel.Tokens.CryptoProviderFactory', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'.'.
   at Microsoft.IdentityModel.Xml.Signature.Verify(SecurityKey key, CryptoProviderFactory cryptoProviderFactory)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(SamlSecurityToken samlToken, String token, TokenValidationParameters validationParameters)
'.
token: 'Microsoft.IdentityModel.Tokens.Saml.SamlSecurityToken'.
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(SamlSecurityToken samlToken, String token, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.HandleRemoteAuthenticateAsync()
09-26-2019 11:08:04.729 INF [0105C316619L, ] Error from RemoteAuthentication: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'. , KeyId: 0F0AC48C0B8FB903E0F49823DD2C133908EF139E
'.
Exceptions caught:
 'Microsoft.IdentityModel.Xml.XmlValidationException: IDX30200: The 'Signature' did not validate. CryptoProviderFactory: 'Microsoft.IdentityModel.Tokens.CryptoProviderFactory', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'.'.
   at Microsoft.IdentityModel.Xml.Signature.Verify(SecurityKey key, CryptoProviderFactory cryptoProviderFactory)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(SamlSecurityToken samlToken, String token, TokenValidationParameters validationParameters)
'.
token: 'Microsoft.IdentityModel.Tokens.Saml.SamlSecurityToken'.. [Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler] 
 09-26-2019 11:08:04.875 ERR [0105C316619L, ] An unhandled exception has occurred while executing the request. [Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware] 
 System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'. , KeyId: 0F0AC48C0B8FB903E0F49823DD2C133908EF139E
'.
Exceptions caught:
 'Microsoft.IdentityModel.Xml.XmlValidationException: IDX30200: The 'Signature' did not validate. CryptoProviderFactory: 'Microsoft.IdentityModel.Tokens.CryptoProviderFactory', SecurityKey: 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: '0F0AC48C0B8FB903E0F49823DD2C133908EF139E', InternalId: '6322e1ea-2f46-4843-89d6-539a9828803b'.'.
   at Microsoft.IdentityModel.Xml.Signature.Verify(SecurityKey key, CryptoProviderFactory cryptoProviderFactory)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(SamlSecurityToken samlToken, String token, TokenValidationParameters validationParameters)
'.
token: 'Microsoft.IdentityModel.Tokens.Saml.SamlSecurityToken'.
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(SamlSecurityToken samlToken, String token, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Disney.DTCI.AdSales.Common.Middleware.AdVisorCorrelationLogging.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Issue Analytics

  • State:open
  • Created 4 years ago
  • Reactions:1
  • Comments:42 (20 by maintainers)

github_iconTop GitHub Comments

1reaction
brentschmaltzcommented, Sep 4, 2020

@everettcomstock @northof490 we will ping you when we have something to test. Most likely the week of Sept 7th.

1reaction
brentschmaltzcommented, Sep 4, 2020

@northof490 i would like to propose a change where the user has the ability to ‘ignore’ whitespace outside of elements. This allows a user to have control.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Why did my SAML authentication request fail?
This error occurs when App ID cannot verify the signature that is sent by SAML. To resolve the issue, verify that you have...
Read more >
Signature validation fails when SAML token is passed back ...
Signature validation fails when SAML token is passed back from identity provider using WS-Federation authentication (ASP.NET Core).
Read more >
Enforce signed SAML authentication requests - Azure
SAML Request Signature Verification is a functionality that validates the signature of signed authentication requests.
Read more >
Invalid signature on saml response azure ad. co3. If we try to
I'm facing problems to verify Azure Access Token Signature using jwt. SAML ... In the SAML Signing Certificate section, select Download to download...
Read more >
Signature verification for InCommon SAML metadata using ...
One solution, though it feels a bit unsatisfying: a) Verify the InCommon metadata file using the embedded certificate.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

X.509 Certificates with ECDSA based keys supported?

Next page

preferred_username claim from Azure AD v2 endpoint not available in the HttpContext.User.Identity.Claims collection