Exclusive Canonicalization transform "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" algorithm is not supported by ADFS 4.0
Hi,
I set up an SP and am using a servlet to generate the metadata XML by referencing java-saml/samples/java-saml-tookit-jspsample/src/main/webapp/metadata.jsp.
I saved the metadata as an XML file and imported it into ADFS 4.0 using the add relying party trust function; the error is as below:
It says “Exclusive Canonicalization transform “http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments” algorithm is not supported”.
I checked the http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf at line 2941:
Signatures in SAML messages SHOULD NOT contain transforms other than the enveloped signature transform (with the identifier http://www.w3.org/2000/09/xmldsig#enveloped-signature) or the exclusive canonicalization transforms (with the identifier http://www.w3.org/2001/10/xml-exc-c14n# or http://www.w3.org/2001/10/xml-exc-c14n#WithComments).
If I am right, “http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments” is added in com.onelogin.saml2.util.Util line 1087:
transforms.addTransform(c14nMethod);
Is this the correct code? It seems ADFS 4.0 doesn't accept it. Or do I need to configure ADFS to accept it?
Please let me know if you have any comments; thank you very much.
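The quoted spec text gives a concrete, checkable rule: every `ds:Transform` in a SAML signature should be either the enveloped-signature transform or one of the two exclusive C14N URIs. The following is an added example, not code from the issue or from java-saml, that reads generated SP metadata and reports any transform outside that set before the file is handed to ADFS; the minimal metadata it checks is constructed for the example (the signature values in it are placeholders, and the script does not verify the signature itself). Note that the spec says SHOULD NOT rather than MUST NOT, so another IdP may accept the inclusive C14N transform that ADFS rejects.

```python
"""Check ds:Transform algorithms in SAML metadata against SAML core 2.0 section 5.4.4.

Added example, not part of java-saml. The sample metadata is constructed.
"""
from typing import List
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Transforms that saml-core-2.0-os (line 2941) says a SAML signature SHOULD NOT go beyond.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}

# The inclusive C14N URI from the ADFS error message; it is not in the set above.
INCLUSIVE_C14N_WITH_COMMENTS = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"


def find_transforms(metadata_xml: str) -> List[str]:
    """Return the Algorithm attribute of every ds:Transform, in document order."""
    root = ET.fromstring(metadata_xml)
    return [t.get("Algorithm", "") for t in root.iter(f"{{{DS}}}Transform")]


def check_transforms(metadata_xml: str) -> List[str]:
    """Return a list of problems; an empty list means every transform is spec-allowed."""
    problems = []
    algorithms = find_transforms(metadata_xml)
    if not algorithms:
        problems.append("no ds:Transform elements found (is the metadata signed?)")
    for alg in algorithms:
        if alg not in ALLOWED_TRANSFORMS:
            problems.append(f"transform not allowed by SAML core 5.4.4: {alg}")
    return problems


def sample_metadata(c14n_transform: str) -> str:
    """Constructed minimal SP metadata with an enveloped signature (placeholder digest/signature)."""
    return f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" ID="_constructed"
    entityID="https://sp.example.test/metadata">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="{c14n_transform}"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    # The variant ADFS rejected versus the exclusive C14N transform the spec allows.
    for label, transform in (("inclusive c14n", INCLUSIVE_C14N_WITH_COMMENTS),
                             ("exclusive c14n", "http://www.w3.org/2001/10/xml-exc-c14n#")):
        print(label, "->", check_transforms(sample_metadata(transform)) or "ok")
```

To check real metadata, read the file and pass its contents to `check_transforms`; the same walk over `ds:Transform` elements works on signed AuthnRequests and Responses, since the rule quoted from the spec applies to SAML messages as well.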
Issue Analytics
- Created 6 years ago
- Comments: 5 (2 by maintainers)
It seems I added the wrong C14N method. Please replace, at line 1109 of Util.java,
by
and let me know if that fixes your issue.
I believe we found the issue with the signature verification, in that the cert my team is using is self-signed, and it seems that ADFS performs a revocation and trust chain verification on the signer cert by default, unlike other IDPs we've worked with. I am still using the patched version of java-saml with your suggested change to the `c14nMethod` value, which does appear to be necessary to even get this far.
TL;DR: I think the change is working, but you probably want some additional verification 😉 I pushed up a PR with the change.