IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

Question
User-1255412691 posted
As per subject, I updated the Owin.Security.WsFederation and dependent packages to version 4.0 and I get the error.
I did not make any code changes other than changing
using Microsoft.IdentityModel.Protocols;
to
using Microsoft.IdentityModel.Protocols.WsFederation;
where the WsFederationConfiguration class seems to be now.
Here is my StartupAuth:
// Namespaces the method relies on (not listed in the original post)
using System;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Protocols.WsFederation;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
    });

    // Create WsFed configuration from web.config wsfed: values
    var wsconfig = new WsFederationConfiguration()
    {
        Issuer = ConfigurationManager.AppSettings["wsfed:Issuer"],
        TokenEndpoint = ConfigurationManager.AppSettings["wsfed:TokenEndPoint"],
    };

    /*
     * Add x509 certificates to configuration
     */
    // certificate.1 must always exist
    byte[] x509Certificate;
    x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.1"]);
    wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));

    // certificate 2 may exist
    if (ConfigurationManager.AppSettings["wsfed:certificate.2"] != null)
    {
        x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.2"]);
        wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
    }

    // certificate 3 may exist
    if (ConfigurationManager.AppSettings["wsfed:certificate.3"] != null)
    {
        x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.3"]);
        wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
    }

    // Apply configuration to wsfed Auth Options
    var wsoptions = new WsFederationAuthenticationOptions
    {
        SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        Configuration = wsconfig,
        Wreply = ConfigurationManager.AppSettings["wsfed:Wreply"],
        Wtrealm = ConfigurationManager.AppSettings["wsfed:Wtrealm"],
    };
    wsoptions.TokenValidationParameters.NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";

    // Add WsFederation middleware to Owin pipeline
    app.UseWsFederationAuthentication(wsoptions);
}
Is there something else 4.0 needs to validate the signature? I assume it's talking about the signature of the token from the issuer. I didn't see how to enable ShowPII to see what key it's looking at.
I am using MVC5 with the full framework. Not core.
Tuesday, March 20, 2018 2:26 PM
Answers
User-1255412691 posted
The issue is that our STS is using SHA1 to sign the token, and Owin.Security v4 no longer supports SHA1.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Friday, March 23, 2018 9:43 PM
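The accepted answer pins the failure on the STS signing with SHA-1, and the question asked how to see which key and algorithm the middleware was looking at. The following stand-alone C# program is an added example, not code from the thread or from the Microsoft libraries: it reads a WS-Federation response or a bare SAML assertion, pulls the SignatureMethod and DigestMethod URIs out of every ds:Signature, and flags the SHA-1 identifiers (http://www.w3.org/2000/09/xmldsig#rsa-sha1 and http://www.w3.org/2000/09/xmldsig#sha1) that the 4.x stack refuses to build a signature provider for. The embedded assertion is constructed for the demo (placeholder issuer, placeholder signature bytes); the SHA-1 URI list is the assumption that turns the answer's statement into a check. Only the BCL is needed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

// Added example: checks whether a token declares SHA-1 signature/digest
// algorithms, the condition the accepted answer identifies as the cause of IDX10503.
public static class SignatureAlgorithmCheck
{
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // Assumption: these are the SHA-1 identifiers the Microsoft.IdentityModel 5.x
    // based stack behind Owin.Security 4.x no longer accepts.
    static readonly HashSet<string> Sha1Algorithms = new HashSet<string>(StringComparer.Ordinal)
    {
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "http://www.w3.org/2000/09/xmldsig#sha1",
    };

    public sealed class Finding
    {
        public string SignatureMethod { get; set; }
        public string DigestMethod { get; set; }
        public bool UsesSha1 { get; set; }
    }

    // Walks every ds:Signature in the document (the assertion's and, for a full
    // wresult, the RequestSecurityTokenResponse's) and reports the declared algorithms.
    public static IList<Finding> Inspect(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // token XML never needs a DTD
            XmlResolver = null                      // no external fetches while parsing
        };
        var doc = new XmlDocument { XmlResolver = null, PreserveWhitespace = true };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", DsNs);

        var findings = new List<Finding>();
        foreach (XmlElement sig in doc.SelectNodes("//ds:Signature", ns))
        {
            var sigMethod = sig.SelectSingleNode("ds:SignedInfo/ds:SignatureMethod/@Algorithm", ns);
            var digestMethod = sig.SelectSingleNode("ds:SignedInfo/ds:Reference/ds:DigestMethod/@Algorithm", ns);
            var f = new Finding
            {
                SignatureMethod = sigMethod != null ? sigMethod.Value : "(missing)",
                DigestMethod = digestMethod != null ? digestMethod.Value : "(missing)",
            };
            f.UsesSha1 = Sha1Algorithms.Contains(f.SignatureMethod) || Sha1Algorithms.Contains(f.DigestMethod);
            findings.Add(f);
        }
        return findings;
    }

    // Constructed sample: the shape of a SAML 1.1 assertion signed with RSA-SHA1.
    // Issuer, ID and the base64 values are placeholders; only the structure matters.
    const string SampleSha1Assertion = @"<saml:Assertion xmlns:saml=""urn:oasis:names:tc:SAML:1.0:assertion"" AssertionID=""_sample"" IssueInstant=""2018-03-20T14:26:00Z"" Issuer=""https://sts.example.test/"" MajorVersion=""1"" MinorVersion=""1"">
  <ds:Signature xmlns:ds=""http://www.w3.org/2000/09/xmldsig#"">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#"" />
      <ds:SignatureMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#rsa-sha1"" />
      <ds:Reference URI=""#_sample"">
        <ds:DigestMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#sha1"" />
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>";

    public static int Main(string[] args)
    {
        // Pass the path of a saved wresult or assertion to check a real token;
        // with no argument the constructed sample above is inspected.
        string xml = args.Length > 0 ? File.ReadAllText(args[0]) : SampleSha1Assertion;
        int rejected = 0;
        foreach (var f in Inspect(xml))
        {
            Console.WriteLine("SignatureMethod: " + f.SignatureMethod);
            Console.WriteLine("DigestMethod:    " + f.DigestMethod);
            Console.WriteLine(f.UsesSha1
                ? "SHA-1 declared: expect IDX10503 from Owin.Security 4.x until the STS signs with SHA-256"
                : "No SHA-1 algorithm declared in this signature");
            if (f.UsesSha1) rejected++;
        }
        return rejected == 0 ? 0 : 1;
    }
}
```

For the diagnostic the question asks about, set Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true in ConfigureAuth before app.UseWsFederationAuthentication(wsoptions); with it on, the "Keys tried" and "Exceptions caught" parts of the IDX10503 message are filled in instead of replaced by a PII-hidden placeholder, so the offending algorithm URI shows up in the log. If you want the library's own verdict for a specific key rather than this URI list, Microsoft.IdentityModel.Tokens 5.x exposes CryptoProviderFactory.Default.IsSupportedAlgorithm(algorithm, key). The fix that preserves the security property is to reconfigure the STS to sign with RSA-SHA256 and SHA-256 digests; plugging a custom provider into CryptoProviderFactory.CustomCryptoProvider would re-enable a deprecated hash and should be treated as a stopgap at most.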
All replies
User283571144 posted
Hi pilotbob,
As far as I know, after updating to owin 4.0.0, the WsFederation namespace will use
Microsoft.IdentityModel.Protocols.WsFederation
instead of Microsoft.IdentityModel.Protocol.Extensions.
The Microsoft.IdentityModel.Protocols.WsFederation WsFederationConfiguration:
namespace Microsoft.IdentityModel.Protocols.WsFederation
{
    //
    // Summary:
    //     Contains WsFederation metadata that can be populated from an XML string.
    public class WsFederationConfiguration
    {
        //
        // Summary:
        //     Initializes a new instance of Microsoft.IdentityModel.Protocols.WsFederation.WsFederationConfiguration.
        public WsFederationConfiguration();

        //
        // Summary:
        //     Gets or sets the token issuer.
        public string Issuer { get; set; }

        //
        // Summary:
        //     Gets the System.Collections.Generic.IList`1 that the IdentityProvider indicates
        //     are to be used signing keys.
        public ICollection<SecurityKey> SigningKeys { get; }

        //
        // Summary:
        //     The Microsoft.IdentityModel.Xml.Signature element that was found when reading
        //     metadata.
        public Signature Signature { get; set; }

        //
        // Summary:
        //     The Microsoft.IdentityModel.Tokens.SigningCredentials that was used to sign the
        //     metadata.
        public SigningCredentials SigningCredentials { get; set; }

        //
        // Summary:
        //     Get the System.Collections.Generic.IList`1 that the IdentityProvider indicates
        //     are to be used signing keys.
        public ICollection<KeyInfo> KeyInfos { get; }

        //
        // Summary:
        //     Gets or sets token endpoint.
        public string TokenEndpoint { get; set; }
    }
}
The Microsoft.IdentityModel.Protocol.Extensions WsFederation:
namespace Microsoft.IdentityModel.Protocols
{
    //
    // Summary:
    //     Contains WsFederation metadata that can be populated from an xml string.
    public class WsFederationConfiguration
    {
        //
        // Summary:
        //     Initializes a new instance of Microsoft.IdentityModel.Protocols.WsFederationConfiguration.
        public WsFederationConfiguration();

        //
        // Summary:
        //     Gets or sets the token issuer.
        public string Issuer { get; set; }

        //
        // Summary:
        //     Gets the System.Collections.Generic.ICollection`1 that the IdentityProvider indicates
        //     are to be used signing tokens.
        public ICollection<SecurityKey> SigningKeys { get; }

        //
        // Summary:
        //     Gets or sets the passive token endpoint.
        public string TokenEndpoint { get; set; }
    }
}
If you want to use Microsoft.IdentityModel.Protocols.WsFederation, I suggest you also define the SigningKeys and Signature properties and try again.
Best Regards,
Brando
Wednesday, March 21, 2018 7:28 AM
User-1255412691 posted
What signature is it expecting? Would this be from the issuer? As you see, I do supply signingKeys.
How is it different from the signing keys? I didn't provide a signature in the previous version. Our corporate STS doesn't provide a metadata endpoint. But, I do have the metadata that I can look in. What element would the signature value be in?
Wednesday, March 21, 2018 4:12 PM