IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

Question

User-1255412691 posted

As per subject, I updated the <g class="gr_ gr_18 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="18" data-gr-id="18">Owin</g>.Security.WsFederation and <g class="gr_ gr_19 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del" id="19" data-gr-id="19">dependant</g> packages to version 4.0 and I get the error.

I did not make any code changes other than changing

using Microsoft.IdentityModel.Protocols; 

to

using Microsoft.IdentityModel.Protocols.WsFederation;

where is the WsFederationConfiguration class seems to be now<g class="gr_ gr_17 gr-alert gr_tiny gr_gramm gr_inline_cards gr_run_anim Punctuation multiReplace" id="17" data-gr-id="17">.</g>

Here is my StartupAuth:

public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(
                new CookieAuthenticationOptions
                {
                    AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
                });

            // Create WsFed configuration from web.config wsfed: values
            var wsconfig = new WsFederationConfiguration()
            {
                Issuer = ConfigurationManager.AppSettings["wsfed:Issuer"],
                TokenEndpoint = ConfigurationManager.AppSettings["wsfed:TokenEndPoint"],                
            };

            /* 
             * Add x509 certificates to configuration
             * 
             */
            // certificate.1 must always exist
            byte[] x509Certificate;
            x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.1"]);
            wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
            // certificate 2 may exist
            if (ConfigurationManager.AppSettings["wsfed:certificate.2"] != null)
            {
                x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.2"]);
                wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
            }
            // certificate 3 may exist
            if (ConfigurationManager.AppSettings["wsfed:certificate.3"] != null)
            {
                x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.3"]);
                wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
            }

            // Apply configuration to wsfed Auth Options
            var wsoptions = new WsFederationAuthenticationOptions
            {
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                Configuration = wsconfig,
                Wreply = ConfigurationManager.AppSettings["wsfed:Wreply"],
                Wtrealm = ConfigurationManager.AppSettings["wsfed:Wtrealm"],
            };
            wsoptions.TokenValidationParameters.NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";

            // Add WdFederation middleware to Owin pipeline
            app.UseWsFederationAuthentication(wsoptions);
        }

Is there something else 4.0 needs to validate the signature? I assume it's talking about the signature of the token from the issuer. I didn't see how to enable ShowPII to see what key it's looking at.

I am using MVC5 with the full framework. Not core.

Answer 1

User283571144 posted

Hi pilotbob,

As far as I know, after updated to owin 4.0.0, the WsFederation namespace will use Microsoft.IdentityModel.Protocols.WsFederation instead of Microsoft.IdentityModel.Protocol.Extensions.

The Microsoft.IdentityModel.Protocols.WsFederation.

namespace Microsoft.IdentityModel.Protocols.WsFederation
{
    //
    // Summary:
    //     Contains WsFederation metadata that can be populated from a XML string.
    public class WsFederationConfiguration
    {
        //
        // Summary:
        //     Initializes an new instance of Microsoft.IdentityModel.Protocols.WsFederation.WsFederationConfiguration.
        public WsFederationConfiguration();

        //
        // Summary:
        //     Gets or sets the token issuer.
        public string Issuer { get; set; }
        //
        // Summary:
        //     Gets the System.Collections.Generic.IList`1 that the IdentityProvider indicates
        //     are to be used signing keys.
        public ICollection<SecurityKey> SigningKeys { get; }
        //
        // Summary:
        //     The Microsoft.IdentityModel.Xml.Signature element that was found when reading
        //     metadata.
        public Signature Signature { get; set; }
        //
        // Summary:
        //     The Microsoft.IdentityModel.Tokens.SigningCredentials that was used to sign the
        //     metadata.
        public SigningCredentials SigningCredentials { get; set; }
        //
        // Summary:
        //     Get the System.Collections.Generic.IList`1 that the IdentityProvider indicates
        //     are to be used signing keys.
        public ICollection<KeyInfo> KeyInfos { get; }
        //
        // Summary:
        //     Gets or sets token endpoint.
        public string TokenEndpoint { get; set; }
    }
}

The Microsoft.IdentityModel.Protocol.Extensions WsFederation:

namespace Microsoft.IdentityModel.Protocols
{
    //
    // Summary:
    //     Contains WsFederation metadata that can be populated from a xml string.
    public class WsFederationConfiguration
    {
        //
        // Summary:
        //     Initializes an new instance of Microsoft.IdentityModel.Protocols.WsFederationConfiguration.
        public WsFederationConfiguration();

        //
        // Summary:
        //     Gets or sets the token issuer.
        public string Issuer { get; set; }
        //
        // Summary:
        //     Gets the System.Collections.Generic.ICollection`1 that the IdentityProvider indicates
        //     are to be used signing tokens.
        public ICollection<SecurityKey> SigningKeys { get; }
        //
        // Summary:
        //     Gets or sets the Gets or sets the passive token endpoint.
        public string TokenEndpoint { get; set; }
    }
}

If you want to use the Microsoft.IdentityModel.Protocols.WsFederation, I suggest you could also define the SigningKeys, Signature property and try again.

Best Regards,

Brando

Answer 2

User-1255412691 posted

What signature is it expecting? Would this be from the issuer?  As you see, I do supply <g class="gr_ gr_155 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="155" data-gr-id="155">signingKeys</g>.

How is it different than the signing keys? I didn't provide a signature in the previous version. Out corporate sts doesn't provide a metadata endpoint. But, I do have the metadata that I can look in. What element would the signature value be in?

Answer 3

User-1255412691 posted

The issue is that our STS is using SHA1 to sign the token, and <g class="gr_ gr_59 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="59" data-gr-id="59">Owin</g>.Security v4 no longer supports SHA1.