Validate java SAML signature from C#

    Question

  • Hi,

    How can I validate, in .NET C#, a SAML signature created in Java? Here is the SAML signature that I get from Java:

        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#_e8bcba9d1c76d128938bddd5ae8c68e1">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/>
                </ds:Transform>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>zEL7mB0Wkl+LtjMViO1imbucXiE=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>
    jpIX3WbX9SCFnqrpDyLj4TeJN5DGIvlEH+o/mb9M01VGdgFRLtfHqIm16BloApUPg2dDafmc9DwL
    Pyvs3TJ/hi0Q8f0ucaKdIuw+gBGxWFMcj/U68ZuLiv7U+Qe7i4ZA33rWPorkE82yfMacGf6ropPt
    v73mC0bpBP1ubo5qbM4=
          </ds:SignatureValue>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>
    MIIDBDCCAeygAwIBAgIIC/ktBs1lgYcwDQYJKoZIhvcNAQEFBQAwNzERMA8GA1UEAwwIQWRtaW5D
    QTExFTATBgNVBAoMDEVKQkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwHhcNMDkwMjIzMTAwMzEzWhcN
    MTgxMDE1MDkyNTQyWjBaMRQwEgYDVQQDDAsxMC41NS40MC42MTEbMBkGA1UECwwST24gRGVtYW5k
    IFBsYXRmb3JtMRIwEAYDVQQLDAlPbiBEZW1hbmQxETAPBgNVBAsMCFNvZnR3YXJlMIGfMA0GCSqG
    SIb3DQEBAQUAA4GNADCBiQKBgQCk5EqiedxA6WEE9N2vegSCqleFpXMfGplkrcPOdXTRLLOuRgQJ
    LEsOaqspDFoqk7yJgr7kaQROjB9OicSH7Hhsu7HbdD6N3ntwQYoeNZ8nvLSSx4jz21zvswxAqw1p
    DoGl3J6hks5owL4eYs2yRHvqgqXyZoxCccYwc4fYzMi42wIDAQABo3UwczAdBgNVHQ4EFgQUkrpk
    yryZToKXOXuiU2hNsKXLbyIwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSiviFUK7DUsjvByMfK
    g+pm4b2s7DAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEF
    BQADggEBAKb94tnK2obEyvw8ZJ87u7gvkMxIezpBi/SqXTEBK1by0NHs8VJmdDN9+aOvC5np4fOL
    fFcRH++n6fvemEGgIkK3pOmNL5WiPpbWxrx55Yqwnr6eLsbdATALE4cgyZWHl/E0uVO2Ixlqeygw
    XTfg450cCWj4yfPTVZ73raKaDTWZK/Tnt7+ulm8xN+YWUIIbtW3KBQbGomqOzpftALyIKLVtBq7L
    J0hgsKGHNUnssWj5dt3bYrHgzaWLlpW3ikdRd67Nf0c1zOEgKHNEozrtRKiLLy+3bIiFk0CHImac
    1zeqLlhjrG3OmIsIjxc1Vbc0+E+z6Unco474oSGf+D1DO+Y=
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </ds:Signature>

    I can validate the signature of a SAML assertion signed in .NET, but not this Java one.

    If someone knows, please help!!

    Thank you very much.

    Thursday, September 17, 2009 7:11 AM

Answers

All replies

  • Hi Adrya,

    From the XML fragment you provided, it is a signed XML fragment (using XML digital signing technology). The WCF internal token serialization performs the signing and verifying internally, so the developer does not need to do it themselves. If you do need to manually perform verification, you can have a look at the XML digital signing components in the .NET Framework.

    Here are some reference articles on XML signing and verification:

    XML Digital Signatures in .Net
    http://blogs.msdn.com/shawnfa/archive/2003/11/12/57030.aspx

    How to: Sign XML Documents with Digital Signatures
    http://msdn.microsoft.com/en-us/library/ms229745.aspx

    How to: Verify the Digital Signatures of XML Documents
    http://msdn.microsoft.com/en-us/library/ms229950.aspx


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Tuesday, September 22, 2009 6:21 AM
  • Hi,

    Thank you very much, those links helped a lot.
    Found another one that signs with certificate: http://msdn.microsoft.com/en-us/library/ms148731.aspx maybe it helps someone else.

    Thanks a lot again,
    Adrya
    • Marked as answer by Adrya84 Thursday, September 24, 2009 4:41 AM
    Thursday, September 24, 2009 4:39 AM
  • I am also getting the same problem: every time, signedXml.CheckSignature(cert,true) is giving false only, so could you please help me on this if you get a solution for this. I was trying this for the past one month and have not succeeded. If you can provide your phone number or email I can talk to you directly; here I am providing my number and email id, so please respond to me immediately.

    Thanks,
    Ram
    404.488.5493
    rammohan.adduri@gmail.com

    rammohanvs@hotmail.com

    ram290580@yahoo.com

    I appreciate your help.

    Thursday, February 04, 2010 7:38 PM
  • I use this Ultimate Single Sign-on SAML toolkit. Information about this library can also be found at its web blog.
    Wednesday, April 14, 2010 2:52 AM
  • Our SAML SSO components for .NET fully support SAML signature generation and verification. They're fully interoperable with Java based applications.

    More information may be found at http://www.componentspace.com/saml.

     

    Thursday, December 02, 2010 7:38 AM
  • See the following example using Ultimate SAML (http://www.atp-inc.net/component/saml.net):

    using System;
    using System.IO;
    using System.Security.Cryptography.X509Certificates;
    using System.Xml;
    // plus the Ultimate SAML toolkit namespace that defines the Assertion class

    const string fileName = @"C:\Documents and Settings\Administrator\Desktop\test.xml";

    // Read the whole SAML response from disk (File.ReadAllText closes the file for us).
    string response = File.ReadAllText(fileName);

    // PreserveWhitespace must be true: canonicalization hashes the whitespace too,
    // so dropping it changes the digest and the signature no longer verifies.
    XmlDocument document = new XmlDocument();
    document.PreserveWhitespace = true;
    document.LoadXml(response);

    Assertion assertion = new Assertion(document.DocumentElement);

    // Verify the SAML assertion's signature.
    if (assertion.IsSigned())
    {
      // Place your loaded X509Certificate here. It can be done by the following code:
      //X509Certificate2 x509Certificate = new X509Certificate2(AppDomain.CurrentDomain.BaseDirectory + "\\..\\..\\X509Certificate.cer");
      X509Certificate2 x509Certificate = null;

      if (x509Certificate != null)
      {
        // Verify against the certificate we supply (the trusted issuer certificate).
        if (!assertion.Validate(x509Certificate))
        {
          throw new ApplicationException("SAML assertion signature is not valid.");
        }
      }
      // No certificate supplied: the toolkit falls back to the KeyInfo embedded in the message.
      else if (!assertion.Validate())
      {
        throw new ApplicationException("SAML assertion signature is not valid.");
      }
    }

    Thursday, December 23, 2010 3:01 PM
  • Hi All,

    I am getting the valid SAML response from the vendor and I just want to validate SAML Assertion.

    Below is the SAML response; I have masked a few things with xxxxxxxxxxxxxxxxxxxxxx due to vendor concerns.

    <samlp:Response IssueInstant="" ID="gzRaMPjm98mgG0_s0ylFgO85wao" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://xxxxxxxxxx.com/</saml:Issuer>
    <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion Version="2.0" IssueInstant="6273" ID="wZT13pIVg8n60RZgGm_fWAhYNSP" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>http://xxxxxx.com/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#wZT13pIVg8n60RZgGm_fWAhYNSP">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www..w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>xxxxxxxxxxxxxxxxxxxxxxx</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    </ds:SignatureValue>
    <ds:KeyInfo>
    <ds:X509Data>
    <ds:X509Certificate>
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    </ds:X509Certificate>
    </ds:X509Data>
    <ds:KeyValue>
    <ds:RSAKeyValue>
    <ds:Modulus>
    xxxxxxxx
    </ds:Modulus>
    <ds:Exponent>xxx</ds:Exponent>
    </ds:RSAKeyValue>
    </ds:KeyValue>
    </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">staff</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter=" " Recipient="https://xxxxxxxxx.com"/>
    </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="" NotBefore="">
    <saml:AudienceRestriction>
    <saml:Audience>http://xxxxxxxxxxxxxxxx.com</saml:Audience>
    </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant=" " SessionIndex="wZT13pIVg8n60RZgGm_fWAhYNSP">
    <saml:AuthnContext>
    <saml:AuthnContextClassRef></saml:AuthnContextClassRef>
    </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role">
    <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://xxxx.com/</saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>
    </samlp:Response>

    I have tried the below code in the .NET 3.5 web application and I am always getting the invalid signature message from the code. Please have a look at the code and advise me.

    Thanks in Advance.

    using System;
    using System.Security.Cryptography;
    using System.Security.Cryptography.Xml;
    using System.Xml;

    XmlDocument doc = new XmlDocument();
    doc.Load(Server.MapPath("SAML.xml"));

    // CustomIdSignedXml is the poster's own SignedXml subclass (not shown in the thread).
    SignedXml signer = new CustomIdSignedXml(doc);

    // _d4559638-3abf-4433-9fad-b10f8a950351 is used as reference to DigestMethod & DigestValue.
    signer.AddReference(new Reference("#_d4559638-3abf-4433-9fad-b10f8a950351"));

    // A freshly generated RSA key pair; the vendor's signing certificate is not loaded here.
    signer.SigningKey = new RSACryptoServiceProvider();

    // Computes a new signature over the reference with that fresh key.
    signer.ComputeSignature();

    string s = signer.GetXml().OuterXml;

    // Loads the signature produced just above, not the ds:Signature from the vendor's response.
    SignedXml verifier = new CustomIdSignedXml(doc);
    verifier.LoadXml(signer.GetXml());

    if (verifier.CheckSignature(signer.SigningKey))
         Response.Write("Signature verified");
    else
         Response.Write("Invalid signature");

     

    Wednesday, June 29, 2011 3:53 PM
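Since the thread never shows a complete verifier, here is an added example (not from the thread or from any of the toolkits mentioned) of how the .NET Framework's SignedXml can verify a SAML 2.0 assertion signature like the ones posted above, pinned to the IdP certificate the relying party already holds rather than whatever KeyInfo the message embeds. The SamlSignedXml, SamlSignatureCheck and VerifyAssertion names and the two command-line arguments are assumptions; the GetIdElement override mirrors the CustomIdSignedXml idea from the last post and only matters on .NET versions whose default lookup does not already try the ID attribute.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Resolves a "#id" reference against the SAML 2.0 "ID" attribute when the default
// Id/id/ID lookup finds nothing; returns null if the id is absent or ambiguous.
public class SamlSignedXml : SignedXml
{
    public const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    public SamlSignedXml(XmlElement assertion) : base(assertion) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement found = base.GetIdElement(document, idValue);
        if (found != null) return found;
        foreach (XmlElement e in document.GetElementsByTagName("Assertion", SamlNs))
        {
            if (e.GetAttribute("ID") != idValue) continue;
            if (found != null) return null;   // duplicate ID: refuse to guess
            found = e;
        }
        return found;
    }
}

public static class SamlSignatureCheck
{
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // True only if the assertion carries exactly one signature, that signature's single
    // reference covers this assertion element, and it verifies with the certificate we
    // already trust; the KeyInfo the sender embedded is deliberately ignored.
    public static bool VerifyAssertion(XmlElement assertion, X509Certificate2 trusted)
    {
        XmlNodeList sigs = assertion.GetElementsByTagName("Signature", DsNs);
        if (sigs.Count != 1) return false;
        SamlSignedXml signedXml = new SamlSignedXml(assertion);
        signedXml.LoadXml((XmlElement)sigs[0]);
        if (signedXml.SignedInfo.References.Count != 1) return false;
        Reference reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + assertion.GetAttribute("ID")) return false;
        return signedXml.CheckSignature(trusted, true);  // true: check the value only, no chain build
    }

    public static void Main(string[] args)   // args[0]: response XML, args[1]: IdP .cer (assumed)
    {
        XmlDocument doc = new XmlDocument { PreserveWhitespace = true };  // whitespace feeds c14n
        doc.Load(args[0]);
        XmlNodeList assertions = doc.GetElementsByTagName("Assertion", SamlSignedXml.SamlNs);
        bool ok = assertions.Count == 1
            && VerifyAssertion((XmlElement)assertions[0], new X509Certificate2(args[1]));
        Console.WriteLine(ok ? "Signature verified" : "Invalid signature");
    }
}
```

A valid signature only proves who issued the assertion; the Conditions (NotBefore/NotOnOrAfter, Audience) and the Recipient still have to be checked separately before the assertion is trusted.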