azure-activedirectory-identitymodel-extensions-for-dotnet

Saml2SignatureValidation fails to validate document which is considered valid by online validators

Open madelson opened this issue 4 years ago • 4 comments

I am trying to use Saml2SecurityTokenHandler to validate SAML tokens my application receives. Recently, we received a token which the library rejects with a signature validation error but which other online validators accept. Am I doing something wrong or is there a bug?

Error Message

IDX10514: Signature validation failed. Keys tried: 'System.Text.StringBuilder'. KeyInfo: 'Microsoft.IdentityModel.Xml.KeyInfo'. Exceptions caught: 'System.Text.StringBuilder'.token: 'Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken'.

Code for repro

Note:

  • The cert used in the repro was one I created for this purpose using openssl. It is not sensitive.
  • The example SAML response was created using https://www.samltool.com/sign_response.php
  • I was able to validate the signature on the example SAML response using https://www.samltool.com/validate_response.php and also https://www.rtr.at/TKP/was_wir_tun/vertrauensdienste/Signatur/signaturpruefung/Pruefung.en.html
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

var pathToCertFile = @"...";
var pathToSamlResponseXmlFile = @"...";

// Self-signed test certificate (not sensitive); the private key is not needed for verification.
var cert = new X509Certificate2(
	pathToCertFile, 
	password: string.Empty,
	keyStorageFlags: X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable
);
var saml = File.ReadAllText(pathToSamlResponseXmlFile);

var sr = new StringReader(saml);
var reader = XmlReader.Create(sr);
// Position the reader on the <saml:Assertion> element inside the Response
// (the original snippet called LINQPad's .Dump() here to print the element).
reader.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:2.0:assertion");

var key = new X509SecurityKey(cert);
// Issuer, audience and lifetime checks are disabled only to isolate the signature check for the repro.
new Saml2SecurityTokenHandler().ValidateToken(
	reader,
	new TokenValidationParameters
	{
		IssuerSigningKey = key,
		LifetimeValidator = (o, e, f, g) => true,
		ValidateAudience = false,
		ValidateIssuer = false,
	},
	out var validated
); // throws "Signature validation failed"

Files for repro: repro.zip

madelson, Feb 08 '21 22:02
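Two things a practitioner would want alongside the repro above. First, the IDX10514 message shows 'System.Text.StringBuilder' in place of the key identifiers and inner exceptions because the library redacts potentially identifying data by default; setting IdentityModelEventSource.ShowPII = true (from Microsoft.IdentityModel.Logging) makes it report which keys were tried and why each failed. Second, the repro disables issuer, audience and lifetime checks to isolate the signature problem, which must not be carried into a production handler. The harness below is an added example, not code from the issue or from the library's own samples; the SamlDiagnostics class, TryValidate and its parameters are hypothetical names, and it assumes the caller has already loaded the IdP signing certificate as an X509Certificate2.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

// Hypothetical helper (added example, not part of the library).
static class SamlDiagnostics
{
    // Validates a SAML 2.0 assertion with the issuer/audience/lifetime checks left ON.
    // Returns the validated token, or null after printing the detailed failure reason.
    public static Saml2SecurityToken TryValidate(
        string assertionXml,
        X509Certificate2 idpSigningCert,
        string expectedIssuer,
        string expectedAudience)
    {
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = new X509SecurityKey(idpSigningCert),
            ValidIssuer = expectedIssuer,
            ValidAudience = expectedAudience,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            // Also checks the signing certificate's NotBefore/NotAfter window.
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };

        // Diagnostic only: with ShowPII enabled, exception messages and logs contain key
        // identifiers and token contents instead of the redacted 'System.Text.StringBuilder'.
        // Leave this off in production so tokens are not written to logs.
        bool previousShowPii = IdentityModelEventSource.ShowPII;
        IdentityModelEventSource.ShowPII = true;
        try
        {
            var handler = new Saml2SecurityTokenHandler();
            handler.ValidateToken(assertionXml, parameters, out SecurityToken validated);
            return (Saml2SecurityToken)validated;
        }
        catch (SecurityTokenInvalidSignatureException ex)
        {
            // The signature on the assertion did not verify under the supplied key, or
            // no key matched the <ds:KeyInfo>; with ShowPII on, ex.Message names the keys tried.
            Console.WriteLine("Signature validation failed: " + ex.Message);
            if (ex.InnerException != null)
                Console.WriteLine("Inner: " + ex.InnerException.Message);
        }
        catch (SecurityTokenException ex)
        {
            // Issuer, audience, lifetime or signing-key window rejected the token.
            Console.WriteLine(ex.GetType().Name + ": " + ex.Message);
        }
        finally
        {
            IdentityModelEventSource.ShowPII = previousShowPii;
        }
        return null;
    }
}
```

Pass the serialized <saml:Assertion> element (the string overload of ValidateToken parses it itself), not the enclosing <samlp:Response>; if the assertion carries no <ds:Signature> of its own the handler reports a missing-signature error rather than IDX10514, which distinguishes "the Response envelope was signed, not the assertion" from a genuine verification failure.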

At first glance it isn't clear to me why this would be happening, but it definitely seems like it could be a bug on our part. We'll investigate this and get back to you.

mafurman, Feb 09 '21 00:02

@mafurman thanks for looking into this. Any findings so far? Do you need anything from me?

madelson, Feb 11 '21 21:02

Hi @mafurman, apologies for bumping this again, but I was wondering if you could give me a sense of when someone would be able to look into this issue? This is currently causing problems for us with a production SAML integration, and I'd like to be able to at least provide the stakeholders with a vague timeline.

EDIT: I tried to do this at a lower level using SignedXml and hit a similar problem; I wonder if the root cause is the same. I filed https://github.com/dotnet/runtime/issues/48474 on the .NET runtime github and they've linked it to an older issue which has some musings on what the root cause is.

madelson, Feb 18 '21 18:02

We were able to work around this issue for now by using SignedXml. That has the same (and possibly worse) bugs but I found a workaround in the context of that API (see https://github.com/dotnet/runtime/issues/48474).

Given that the .NET team states on that issue that they don't really plan to support SignedXml going forward, it would be great to see this issue addressed so that .NET could offer a robust Saml2 implementation.

madelson, Feb 24 '21 19:02