IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

  • Question

  • User-1255412691 posted

    As per subject, I updated the Owin.Security.WsFederation and dependent packages to version 4.0 and I get the error.

    I did not make any code changes other than changing

    using Microsoft.IdentityModel.Protocols; 

    to

    using Microsoft.IdentityModel.Protocols.WsFederation;

    which is where the WsFederationConfiguration class seems to be now.

    Here is my StartupAuth:

    // Usings added so the snippet compiles on its own; the class name is assumed (Startup.Auth.cs).
    using System;
    using System.Configuration;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.IdentityModel.Protocols.WsFederation;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(
                new CookieAuthenticationOptions
                {
                    AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
                });

            // Create WsFed configuration from web.config wsfed: values
            var wsconfig = new WsFederationConfiguration()
            {
                Issuer = ConfigurationManager.AppSettings["wsfed:Issuer"],
                TokenEndpoint = ConfigurationManager.AppSettings["wsfed:TokenEndPoint"],
            };

            /*
             * Add x509 certificates to configuration
             * (base64-encoded DER certificates read from appSettings; no metadata endpoint is used)
             */
            // certificate.1 must always exist
            byte[] x509Certificate;
            x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.1"]);
            wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
            // certificate 2 may exist
            if (ConfigurationManager.AppSettings["wsfed:certificate.2"] != null)
            {
                x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.2"]);
                wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
            }
            // certificate 3 may exist
            if (ConfigurationManager.AppSettings["wsfed:certificate.3"] != null)
            {
                x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.3"]);
                wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
            }

            // Apply configuration to wsfed Auth Options
            var wsoptions = new WsFederationAuthenticationOptions
            {
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                Configuration = wsconfig,
                Wreply = ConfigurationManager.AppSettings["wsfed:Wreply"],
                Wtrealm = ConfigurationManager.AppSettings["wsfed:Wtrealm"],
            };
            wsoptions.TokenValidationParameters.NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";

            // Add WS-Federation middleware to Owin pipeline
            app.UseWsFederationAuthentication(wsoptions);
        }
    }

    Is there something else 4.0 needs to validate the signature? I assume it's talking about the signature of the token from the issuer. I didn't see how to enable ShowPII to see what key it's looking at.

    I am using MVC5 with the full framework. Not core.

    Tuesday, March 20, 2018 2:26 PM

Answers

  • User-1255412691 posted

    The issue is that our STS is using SHA1 to sign the token, and Owin.Security v4 no longer supports SHA1.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, March 23, 2018 9:43 PM
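    The accepted answer traces IDX10503 to the STS signing with SHA-1. The quickest way to confirm that before (or after) upgrading is to look at the SignatureMethod and DigestMethod algorithm URIs in the signed token or in the federation metadata. The following is an added example, not code from the thread or from the Owin/IdentityModel libraries: it parses an XML-DSig Signature element and reports any SHA-1 based algorithm URI. The sample assertion is constructed for illustration; its IDs and signature values are placeholders, not real key material.

```python
import xml.etree.ElementTree as ET

# XML Digital Signature namespace used by SAML tokens and WS-Federation metadata.
DS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm URIs that depend on SHA-1. A token or metadata signed with one of these is
# what the accepted answer identifies as the cause of the validation failure.
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# Constructed sample: the Signature element of a SAML 1.1 assertion from an STS that
# still signs with SHA-1 (placeholder IDs and values, not a real token).
SAMPLE_SHA1_SIGNED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_placeholder">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_placeholder">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""

# Constructed sample: the same assertion after the STS has been moved to RSA-SHA256.
SAMPLE_SHA256_SIGNED = SAMPLE_SHA1_SIGNED.replace(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
).replace(
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
)


def signature_algorithms(xml_text):
    """Return (element_name, algorithm_uri) for every SignatureMethod and DigestMethod
    in the document, in document order. Works for a bare assertion, a
    RequestSecurityTokenResponse wrapping one, or a federation metadata file."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if elem.tag in ("{%s}SignatureMethod" % DS, "{%s}DigestMethod" % DS):
            found.append((elem.tag.split("}")[1], elem.get("Algorithm", "")))
    return found


def find_sha1_usage(xml_text):
    """Return only the algorithm entries that rely on SHA-1 (empty list means clean)."""
    return [(name, uri) for name, uri in signature_algorithms(xml_text)
            if uri in SHA1_ALGORITHMS]


def report(xml_text):
    """Human-readable summary of the check, suitable for a pre-upgrade diagnostic."""
    weak = find_sha1_usage(xml_text)
    if not weak:
        return "OK: no SHA-1 based signature or digest algorithms found"
    lines = ["SHA-1 in use; expect IDX10503 with Owin.Security 4.x defaults:"]
    lines += ["  %s = %s" % (name, uri) for name, uri in weak]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SHA1_SIGNED))
    print(report(SAMPLE_SHA256_SIGNED))
```

    Point the script at the saved wresult (the RequestSecurityTokenResponse posted back to the Wreply URL) or at the STS's FederationMetadata.xml; either carries the same ds:Signature structure. For the logging question raised in the original post, the PII switch in the Microsoft.IdentityModel 5.x libraries that Owin.Security 4.0 builds on is `Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;`, which makes the IDX10503 message include the key identifiers it tried.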

All replies

  • User283571144 posted

    Hi pilotbob,

    As far as I know, after updating to owin 4.0.0, the WsFederation namespace will use Microsoft.IdentityModel.Protocols.WsFederation instead of Microsoft.IdentityModel.Protocol.Extensions.

    The Microsoft.IdentityModel.Protocols.WsFederation WsFederationConfiguration:

    namespace Microsoft.IdentityModel.Protocols.WsFederation
    {
        //
        // Summary:
        //     Contains WsFederation metadata that can be populated from a XML string.
        public class WsFederationConfiguration
        {
            //
            // Summary:
            //     Initializes an new instance of Microsoft.IdentityModel.Protocols.WsFederation.WsFederationConfiguration.
            public WsFederationConfiguration();
    
            //
            // Summary:
            //     Gets or sets the token issuer.
            public string Issuer { get; set; }
            //
            // Summary:
            //     Gets the System.Collections.Generic.IList`1 that the IdentityProvider indicates
            //     are to be used signing keys.
            public ICollection<SecurityKey> SigningKeys { get; }
            //
            // Summary:
            //     The Microsoft.IdentityModel.Xml.Signature element that was found when reading
            //     metadata.
            public Signature Signature { get; set; }
            //
            // Summary:
            //     The Microsoft.IdentityModel.Tokens.SigningCredentials that was used to sign the
            //     metadata.
            public SigningCredentials SigningCredentials { get; set; }
            //
            // Summary:
            //     Get the System.Collections.Generic.IList`1 that the IdentityProvider indicates
            //     are to be used signing keys.
            public ICollection<KeyInfo> KeyInfos { get; }
            //
            // Summary:
            //     Gets or sets token endpoint.
            public string TokenEndpoint { get; set; }
        }
    }

    The Microsoft.IdentityModel.Protocol.Extensions WsFederation:

    namespace Microsoft.IdentityModel.Protocols
    {
        //
        // Summary:
        //     Contains WsFederation metadata that can be populated from a xml string.
        public class WsFederationConfiguration
        {
            //
            // Summary:
            //     Initializes an new instance of Microsoft.IdentityModel.Protocols.WsFederationConfiguration.
            public WsFederationConfiguration();
    
            //
            // Summary:
            //     Gets or sets the token issuer.
            public string Issuer { get; set; }
            //
            // Summary:
            //     Gets the System.Collections.Generic.ICollection`1 that the IdentityProvider indicates
            //     are to be used signing tokens.
            public ICollection<SecurityKey> SigningKeys { get; }
            //
            // Summary:
            //     Gets or sets the Gets or sets the passive token endpoint.
            public string TokenEndpoint { get; set; }
        }
    }

    If you want to use the Microsoft.IdentityModel.Protocols.WsFederation, I suggest you could also define the SigningKeys, Signature property and try again.

    Best Regards,

    Brando

    Wednesday, March 21, 2018 7:28 AM
  • User-1255412691 posted

    What signature is it expecting? Would this be from the issuer? As you see, I do supply signingKeys.

    How is it different than the signing keys? I didn't provide a signature in the previous version. Our corporate STS doesn't provide a metadata endpoint. But, I do have the metadata that I can look in. What element would the signature value be in?

    Wednesday, March 21, 2018 4:12 PM