Signature is invalid


Hi!

I tried to validate the SAML Response and an exception was thrown:

    Message = Signature is invalid.
    StackTrace =  at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature() in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 226
       at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 198
       at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2Response.cs:line 53
       at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Request\Saml2AuthnResponse.cs:line 210
       at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 107
       at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 102
       at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response) in C:\Source\ITfoxtec\ITfoxtec.Identity\Main\ITfoxtec.Identity.Saml2\src\ITfoxtec.Identity.Saml2\Bindings\Saml2Binding.cs:line 73
       at Sso.Web.Controllers.Mvc.Saml2Controller.<Consume>d__9.MoveNext() in C:\Projects\backend\Sso.Web\Controllers\Mvc\Saml2Controller.cs:line 164

Code:

    using System;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel.Security;
    using ITfoxtec.Identity.Saml2;
    using ITfoxtec.Identity.Saml2.Mvc; // ToGenericHttpRequest() extension; use the binding package matching your host

    var saml2Configuration = new Saml2Configuration
    {
        // No chain validation of the IdP certificate; the signing certificate is pinned below instead
        CertificateValidationMode = X509CertificateValidationMode.None,
        SignatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        Issuer = new Uri("https://lastpass.com/saml/idp"),
        SingleSignOnDestination = new Uri("https://lastpass.com/saml/login/8891192/be56"),
    };

    // Only assertions addressed to this SP entity are accepted
    saml2Configuration.AllowedAudienceUris.Add(new Uri("https://dev.findo.io"));
    // Pinned IdP signing certificate (base64 DER)
    byte[] signatureValidationCertificateBytes = Convert.FromBase64String("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");
    saml2Configuration.SignatureValidationCertificates.Add(new X509Certificate2(signatureValidationCertificateBytes));

    var binding = new Saml2PostBinding();
    var saml2AuthnResponse = new Saml2AuthnResponse(saml2Configuration);
    // Unbind reads the POSTed SAMLResponse and validates the XML signature; this is where the exception is thrown
    binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);

SAMLResponse:

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

IdP EntityId: https://lastpass.com/saml/idp SP EntityId: https://dev.findo.io SP Consume Service Endpoint: https://e2757cbf.ngrok.io/Saml2/Consume

IdP X.509 certificate:

MIIDZTCCAk2gAwIBAgIJANsL5+qkMHjmMA0GCSqGSIb3DQEBCwUAMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEPMA0GA1UEBwwGVmllbm5hMRUwEwYDVQQDDAxMYXN0UGFzcy5jb20wIBcNMTcwNTE1MTIxNTU4WhgPMzAxNjA5MTUxMjE1NThaMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEPMA0GA1UEBwwGVmllbm5hMRUwEwYDVQQDDAxMYXN0UGFzcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6jXMqw9iLGBSX0DhKlPO8qx3srgAEiOw4PMOxMGNJUBOsRnvYp95Zf+YW7Qlq/1gBn1co+zBayMV9kpvPomUeOvatKzsC9A7R4Q1V1MSG4uBcaWmTjYo24bCrHAeX/A38m5bceDmYmlqNpt5Pmg5A4Dce6q9oL942H5kZYsV2o2PF9DmgENTabsL3r7NuFfcsrQXGPnKUk9Z4xFLU8FsFH13M9Lh3SMMu8c8p9IbfCcCUQekj537fPpFki/1rSBlTtfNNLrE3om/EcRDMzdPYnkaDsnFeNoXjLwjJZ06SQixTkArG/SL8ePmBId1Zi9ekgRJhogKftlsI8z7xbrY/AgMBAAGjUDBOMB0GA1UdDgQWBBSP1nSgrO/+ysfTPtaXE9yifbDXoTAfBgNVHSMEGDAWgBSP1nSgrO/+ysfTPtaXE9yifbDXoTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQASfx3UbkinTplQC76Y3aUalRWJF+XzbZ188GRcZDtAF4E5XGkkfgXqtu8/49HLksMtPWatIMBxumD9D4JI4K68wFsafYQe1ZPT/eX6uxZL0K+exjzqP9BNVRlGeLvkEtIcjAzuTtMerNPYmIuFpZZzfS+nPAYZli9EFQDmSU3iW3aWKmQ+mEaikGj3EwuS3nxskaNdziMJ4LQAApqFW8cOHBfOV7hSC6MvWlgDOhfznUcYaqtDI4CnD3pyXb6zZfqjnqK+jO+r84H5PmopMUGM34jY7KUPkpvtZH0HRZr2niBysOpBVuflpUCFWYl1VJLTlHUUG66nGQq3hlW+BB+q

Thanks in advance!

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

3 reactions
Revsgaard commented, Oct 26, 2017

Fix added to https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/commit/69810b02d52213a7650884ece188af5eb4fc165f by loading Assertion in new XmlDocument before signature validation. Thank you for the contribution.

3 reactions
Spksh commented, Oct 12, 2017

Ran into this problem with a response from OpenAM. ADFS worked fine, but all OpenAM responses failed signature validation for the assertion.

From what I can tell, the issue is with canonicalization and the way SignedXml handles namespace prefixes in XmlElements when the context is the assertion element and not the full document.

e.g. OpenAM responds with a <ds:Signature /> node, whereas ADFS responds with a <Signature /> node.

Workaround is to throw the OpenAM assertion into its own document, and then validate the signature. You can do that by overloading GetAssertionElement() for Saml2AuthnResponse.

    using System.Xml;
    using ITfoxtec.Identity.Saml2;

    public class OpenAmSaml2AuthnResponse : Saml2AuthnResponse
    {
        public OpenAmSaml2AuthnResponse(Saml2Configuration config) : base(config)
        {
        }

        // Returns the Assertion as the root of its own XmlDocument instead of the
        // element inside the full Response document. Re-serializing through OuterXml
        // carries the in-scope namespace declarations (e.g. the ds prefix) onto the copy,
        // so SignedXml canonicalizes the same bytes the IdP signed.
        protected override XmlElement GetAssertionElement()
        {
            XmlDocument assertionDocument = new XmlDocument
            {
                PreserveWhitespace = true // whitespace is part of the signed content
            };

            assertionDocument.LoadXml(base.GetAssertionElement().OuterXml);

            return assertionDocument.DocumentElement;
        }
    }

And then use the class in place of the base Saml2AuthnResponse:

    Saml2PostBinding requestBinding = new Saml2PostBinding();

    // OpenAM includes namespace prefix for signed elements inside the assertion
    // This causes SignedXml signature verification to fail
    // We use a special response class that extracts the assertion and runs it through a new XmlDocument so that .NET ends up with the right namespace declarations
    OpenAmSaml2AuthnResponse saml2AuthnResponse = new OpenAmSaml2AuthnResponse(requestConfig);

    requestBinding.Unbind(controller.Request.ToGenericHttpRequest(), saml2AuthnResponse);
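The detach-then-verify step described in the comment above, as an added stand-alone example (not ITfoxtec, OpenAM or ADFS code). It uses only `System.Security.Cryptography.Xml`, generates its own throwaway certificate, builds a constructed SAML Response whose assertion is signed with that key, and then verifies the assertion after re-loading it into its own `XmlDocument`. Beyond the workaround itself it adds the checks a relying party wants before trusting an assertion: exactly one assertion, the signature's Reference URI must name that assertion's ID, and verification is done against the pinned IdP certificate rather than whatever `KeyInfo` carries. The class, method names and the `idp.example.test` issuer are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not project code). Verifies the <saml:Assertion> signature after
// detaching the assertion into its own document, and checks the Reference covers it.
public static class AssertionSignatureCheck
{
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // True only if the single assertion is signed by idpCert and the signed
    // Reference URI is "#<assertion ID>".
    public static bool VerifyAssertion(string responseXml, X509Certificate2 idpCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(responseXml);

        var assertions = doc.SelectNodes("/samlp:Response/saml:Assertion", Namespaces(doc));
        if (assertions == null || assertions.Count != 1) return false;

        // Re-serialize through OuterXml: the detached copy carries every in-scope
        // namespace declaration (xmlns:ds declared on the Response root included).
        var assertionDoc = new XmlDocument { PreserveWhitespace = true };
        assertionDoc.LoadXml(assertions[0].OuterXml);
        XmlElement assertion = assertionDoc.DocumentElement;

        var sigNode = assertion.SelectSingleNode("ds:Signature", Namespaces(assertionDoc)) as XmlElement;
        if (sigNode == null) return false;

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sigNode);

        // Reject a signature that covers anything other than this assertion.
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + assertion.GetAttribute("ID")) return false;

        // Verify against the pinned IdP certificate, ignoring the embedded KeyInfo.
        return signedXml.CheckSignature(idpCert, verifySignatureOnly: true);
    }

    static XmlNamespaceManager Namespaces(XmlDocument doc)
    {
        var nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("samlp", SamlpNs);
        nsm.AddNamespace("saml", SamlNs);
        nsm.AddNamespace("ds", DsNs);
        return nsm;
    }

    // Constructed Response with the ds prefix declared on the root only; the
    // assertion is signed with an enveloped signature over its own ID.
    public static string BuildSignedResponse(RSA key)
    {
        const string assertionId = "_a1";
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(
            "<samlp:Response xmlns:samlp=\"" + SamlpNs + "\" xmlns:saml=\"" + SamlNs +
            "\" xmlns:ds=\"" + DsNs + "\" ID=\"_r1\" Version=\"2.0\">" +
            "<saml:Assertion ID=\"" + assertionId + "\" Version=\"2.0\">" +
            "<saml:Issuer>https://idp.example.test</saml:Issuer>" +
            "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>" +
            "</saml:Assertion></samlp:Response>");
        var assertion = (XmlElement)doc.SelectSingleNode("/samlp:Response/saml:Assertion", Namespaces(doc));

        var signedXml = new SignedXml(assertion) { SigningKey = key };
        var reference = new Reference("#" + assertionId);
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.ComputeSignature();

        // SAML places the Signature right after Issuer.
        XmlNode sig = doc.ImportNode(signedXml.GetXml(), true);
        assertion.InsertAfter(sig, assertion.FirstChild);
        return doc.OuterXml;
    }

    public static void Main()
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=idp.example.test", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));

        string response = BuildSignedResponse(key);
        Console.WriteLine("valid:    " + VerifyAssertion(response, cert));
        // Any change inside the signed assertion must fail verification.
        Console.WriteLine("tampered: " + VerifyAssertion(response.Replace("alice", "admin"), cert));
    }
}
```

Run it as a console project on .NET 6 or later (the `System.Security.Cryptography.Xml` package is needed); the first line prints `True` and the tampered copy prints `False`. The Reference-URI check matters as much as the signature itself: without it, a valid signature over some other element in the document would still pass `CheckSignature`.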
