none
CheckSignature on some SAML responses fails. RRS feed

  • Question

  • Hi Team,

    We have implemented SAML authentication and using .Net framework 4.6.2

    CheckSignature is failing on some SAML responses, so far we have found one such case. CheckSignature passes for all other SAML responses.

    1. SAML response is valid

    2. Certificate is valid

    3. SAML response text was not altered.

    Found this article on the web --> https://github.com/dotnet/corefx/issues/19198

    Here is the code which checks signature on SAML response.

     XmlNamespaceManager manager = new XmlNamespaceManager(xmlDoc.NameTable);
                manager.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
                manager.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
                manager.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol");

                XmlNodeList nodeList = xmlDoc.SelectNodes("//ds:Signature", manager);

                SignedXml signedXml = new SignedXml(xmlDoc);

                if (nodeList?.Count != 1)
                {
                    return false;
                }

                //Load signedXml from SAML Response 

                signedXml.LoadXml((XmlElement) nodeList[0]);

                // Load certificate from file store
                X509Certificate2 cert = (certificate from file store.)

                //Verifiy signature using the public key in the signature and key signing ceritificate.

                return (signedXml.CheckSignature() || signedXml.CheckSignature(cert, true));

    Please let me know, if there I am missing anything here.

    regards,

    Prashant.

    Wednesday, September 5, 2018 1:41 PM

All replies