Exclusive Canonicalization transform does not support the algorithm 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'

    Question

  • I am currently working in an integration project using the SAML 2.0 protocol, which involves a third party implemented in Java (identity provider) and the service provider implemented in .NET with WIF. I am using the SAML 2.0 Protocol CTP for WIF for implementing the .NET side. However, the identity provider is using a canonicalization algorithm for the response signature, which does not seem to be supported in WIF. I looked at the WIF code with a reflection tool, and it looks like the only algorithm supported is http://www.w3.org/2001/10/xml-exc-c14n#

    Any idea if WIF can be easily extended to support the algorithm http://www.w3.org/TR/2001/REC-xml-c14n-20010315?

    Thanks

    Pablo.



    Pablo Cibraro - http://weblogs.asp.net/cibrax
    Friday, July 08, 2011 3:42 PM

All replies

  • I thought more than twice before answering this one. Is that transform allowed in a SAML Token?

    Now your real question. Writing a canonicalization transform is far from trivial, testing it with others is a *lot* of work. After that, extending WIF might be much less work...


    Paul Lemmers
    Friday, July 08, 2011 9:07 PM
  • I was trying today to use the .NET class XmlDsigExcC14NTransform for a custom SAMLResponse that is being processed by ADFS. This is the same transform with the algorithm http://www.w3.org/TR/2001/REC-xml-c14n-20010315. I think this confirms it does not work out of the box. It looks like it does not like it because I got the error here (just including the stack trace for reference - this does not show WIF though):

    The Federation Service encountered an error while processing the SAML authentication request.

    Additional Data
    Exception details:
    System.Security.Cryptography.CryptographicException: ID6005: Exclusive Canonicalization transform does not support the algorithm 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'.
       at Microsoft.IdentityModel.Protocols.XmlSignature.ExclusiveCanonicalizationTransform.ReadFrom(XmlDictionaryReader reader)
       at Microsoft.IdentityModel.Protocols.XmlSignature.SignedInfo.ReadFrom(XmlDictionaryReader reader, TransformFactory transformFactory)
       at Microsoft.IdentityModel.Protocols.XmlSignature.Signature.ReadFrom(XmlDictionaryReader reader)
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ReadSignature()
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.TryReadSignature()
       at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
       at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.CreateSubject(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.GetEffectivePrincipal(SecurityTokenElement securityTokenElement)
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)


    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Wednesday, September 07, 2011 10:46 PM
  • I was able to use this class and just alter the algorithm namespace to http://www.w3.org/2001/10/xml-exc-c14n# on the transform and on the SignedXml/SignedInfo (if I remember correctly). I am not sure what this alters and whether this is what you want but it got me past the error above.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Friday, September 09, 2011 2:19 AM
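The two algorithm URIs discussed in this thread differ in how namespace declarations end up in the canonical bytes, which is why rewriting the URI on the transform and SignedInfo (the workaround in the last reply) only verifies when the identity provider really signed with exclusive C14N; otherwise the digest is computed over different bytes and the signature check fails. The following is an added example, not code from the forum, WIF or ADFS: it reimplements only the namespace-declaration rule of each algorithm (the names `namespace_decls`, `_decls`, `_utilized` and the sample `RESPONSE` are made up here) over a constructed SAML response, showing that inclusive C14N pulls the Response's unused prefixes into the signed Assertion while exclusive C14N does not.

```python
from xml.dom import minidom

def _decls(elem):  # xmlns declarations written on this element: {prefix: uri}, "" = default
    attrs = [elem.attributes.item(i) for i in range(elem.attributes.length)]
    return {("" if a.name == "xmlns" else a.name[6:]): a.value
            for a in attrs if a.name == "xmlns" or a.name.startswith("xmlns:")}

def _utilized(elem):  # prefixes exc-c14n treats as visibly used: element's own + prefixed attrs
    attrs = [elem.attributes.item(i) for i in range(elem.attributes.length)]
    return {elem.prefix or ""} | {a.prefix for a in attrs if a.prefix and a.prefix != "xmlns"}

def namespace_decls(xml_text, apex_tag, exclusive):
    """Namespace declarations the canonicalizer emits on each element (document order)
    of the subtree rooted at the first <apex_tag>, e.g. the signed saml:Assertion."""
    apex = minidom.parseString(xml_text).getElementsByTagName(apex_tag)[0]
    scope, chain, p = {}, [], apex.parentNode   # namespaces inherited from ancestors
    while p is not None and p.nodeType == p.ELEMENT_NODE:
        chain.insert(0, p)                       # root first, so nearer declarations win
        p = p.parentNode
    for anc in chain:
        scope.update(_decls(anc))
    out = []
    def walk(elem, scope, rendered):             # rendered: what the output already emitted
        scope = {**scope, **_decls(elem)}
        rendered = dict(rendered)
        cands = _utilized(elem) if exclusive else set(scope)   # the whole difference
        emitted = []
        for prefix in sorted(cands):
            uri = scope.get(prefix, "")
            if rendered.get(prefix, "" if prefix == "" else None) != uri:
                emitted.append((prefix, uri))
                rendered[prefix] = uri
        out.append((elem.tagName, emitted))
        for c in elem.childNodes:
            if c.nodeType == c.ELEMENT_NODE:
                walk(c, scope, rendered)
    walk(apex, scope, {})
    return out

# Constructed sample (not a real IdP response): prefixes declared on the Response
# are inherited by the signed Assertion but never used inside it.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example</saml:Issuer></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, exc in (("inclusive c14n", False), ("exclusive c14n", True)):
        print(name, namespace_decls(RESPONSE, "saml:Assertion", exc))
```

Inclusive C14N emits ds, saml, samlp and xs on the Assertion start tag, exclusive C14N emits only saml, so the same Assertion hashes to two different digests and a verifier that only implements one of the two cannot validate a signature made with the other, whatever URI the SignedInfo claims.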