Reputation: 33
Good day,
We used ITfoxtec library version 1.2.2. This solution worked correctly.
We are now integrating the version 4.0.5 library. We need to use SHA-256 encoding. We used the 4.0.5 library from Nugets. According to the implementation example https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2.
We changed the AccountController, added App_Start\IdentityConfig.cs and added the IdentityConfig.RegisterIdentity() call in Global.asax.
Issue: The SigAlg and Signature parameters are missing in the provider request.
1.2.2 version library ITfoxtec, SAML tracker
4.0.5 version library ITfoxtec, SAML tracker
We set parameters:
"Saml2:IdPMetadata" = "/App_Data/metadata.xml"
"Saml2:Issuer" value = "http://xxx"
"Saml2:SignatureAlgorithm" = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
"Saml2:SingleSignOnDestination" = "https://yyy/oamfed/idp/samlv20"
"Saml2:SingleLogoutDestination" = "https://yyy/oamfed/idp/samlv20"
"Saml2:SigningCertificateFingerPrint" = "5d223463130bd1e290f1ae8dc064d1c48ab517c2"
"Saml2:CertificateValidationMode" = "None"
"Saml2:RevocationMode" = "NoCheck"
The parameter "Saml2:SigningCertificateFingerPrint" is a custom parameter; we load the certificate from the local machine store by thumbprint:
// Key name must match the app setting exactly (no space after the colon)
Saml2Configuration.SigningCertificate = CertificateUtil.Load(StoreName.My, StoreLocation.LocalMachine, X509FindType.FindByThumbprint, ConfigurationManager.AppSettings.Get("Saml2:SigningCertificateFingerPrint"));
Question: Why are the SigAlg and Signature parameters missing in the request? Bad configuration? Bad implementation?
Please help. Well, thank you. DM
Upvotes: 1
Views: 1562
Reputation: 4334
SAML 2.0 does not require Authn Requests to be signed by default (Logout Requests are required to be signed, though). Therefore, the ITfoxtec Identity Saml2 package does not include the SigAlg and Signature parameters in the request by default.
To sign Authn Requests, set Saml2Configuration.SignAuthnRequest = true in code, or in configuration "Saml2:SignAuthnRequest" = "true".
Edited - read from metadata
The Saml2Configuration.SignAuthnRequest can be set from the IDP metadata WantAuthnRequestsSigned.
.NET Framework sample code:
// WantAuthnRequestsSigned is optional in metadata, so only apply it when the IdP states it
if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue)
{
    Saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
}
.NET Framework sample IdentityConfig.cs
.NET Core sample Startup.cs
Upvotes: 1
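The following is an added example, not code from the question, the answer or the ITfoxtec project, showing the whole configuration step the answer describes: read the IdP metadata, take the SSO/SLO destinations and signature-validation certificates from it, and derive SignAuthnRequest from WantAuthnRequestsSigned so that SigAlg and Signature appear on the redirect when the IdP requires them. It assumes the ITfoxtec.Identity.Saml2 types EntityDescriptor, IdPSsoDescriptor, Saml2Configuration and CertificateUtil with the member names used below (as found in the 4.x package; check them against the installed version), and the class name Saml2Setup and the config keys are placeholders for the question's own IdentityConfig.cs.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;
using ITfoxtec.Identity.Saml2.Util;

// Hypothetical holder comparable to the IdentityConfig.cs the question refers to.
public static class Saml2Setup
{
    public static Saml2Configuration Saml2Configuration { get; private set; }

    public static void RegisterIdentity()
    {
        // Assumed app settings: same names as in the question, no space after the colon.
        var metadataPath = ConfigurationManager.AppSettings["Saml2:IdPMetadata"];
        var issuer = ConfigurationManager.AppSettings["Saml2:Issuer"];
        var thumbprint = ConfigurationManager.AppSettings["Saml2:SigningCertificateFingerPrint"];

        Saml2Configuration = Build(metadataPath, issuer, thumbprint);
    }

    public static Saml2Configuration Build(string metadataPath, string issuer, string signingThumbprint)
    {
        var config = new Saml2Configuration
        {
            Issuer = issuer,
            // The value that ends up in the SigAlg query parameter once signing is enabled.
            SignatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
            // Private key used to produce the Signature query parameter.
            SigningCertificate = CertificateUtil.Load(StoreName.My, StoreLocation.LocalMachine,
                X509FindType.FindByThumbprint, signingThumbprint),
        };

        // Read the IdP's IDPSSODescriptor from the metadata file instead of hard-coding endpoints.
        var entityDescriptor = new EntityDescriptor();
        entityDescriptor.ReadIdPSsoDescriptorFromFile(metadataPath);
        var idp = entityDescriptor.IdPSsoDescriptor;
        if (idp == null)
        {
            throw new InvalidOperationException("IdP metadata contains no IDPSSODescriptor.");
        }

        config.AllowedIssuer = entityDescriptor.EntityId;
        config.SingleSignOnDestination = idp.SingleSignOnServices.First().Location;
        config.SingleLogoutDestination = idp.SingleLogoutServices.First().Location;

        // Certificates the IdP signs responses with; used to validate inbound signatures.
        foreach (var cert in idp.SigningCertificates)
        {
            config.SignatureValidationCertificates.Add(cert);
        }

        // WantAuthnRequestsSigned is optional in metadata. Honour it when present; when the IdP
        // is silent, sign anyway so that SigAlg and Signature are always on the request.
        config.SignAuthnRequest = idp.WantAuthnRequestsSigned ?? true;

        if (config.SignAuthnRequest && config.SigningCertificate == null)
        {
            throw new InvalidOperationException(
                "SignAuthnRequest is enabled but no signing certificate was found for the configured thumbprint.");
        }

        return config;
    }
}
```

Keeping the fallback to signing (rather than to unsigned) means a metadata file that omits WantAuthnRequestsSigned still produces a signed request; if the IdP rejects signed requests, flip the fallback to false rather than dropping the check on SigningCertificate, which is what turns a missing certificate in the store into an unsigned request nobody notices.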