Subject: ADFS 2 - Signature error
Date: 2017-12-06 11:37:24
From: Dror S
Source: adfs-2-signature-error
----------------------------------------------------------------------

Hello.

When working with ADFS 2 (running your sample), ADFS cannot validate the signature on the SSO request.

If I remove the signature lines:

    // Load the SP's signing certificate (with private key) from application state.
    X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPCertKey];

    // Sign the authentication request with that certificate.
    authnRequest.Sign(x509Certificate);

Everything works fine.

The error in ADFS event log is:

The Federation Service encountered an error while processing the SAML authentication request. 

Additional Data 
Exception details: 

    Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
        (
        IsReadOnly = False,
        Count = 1,
        Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
        )
    '. Ensure that the SecurityTokenResolver is populated with the required key.
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
       at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
       at System.Xml.XmlReader.ReadEndElement()
       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
       at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
       at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.CreateErrorMessage(CreateErrorMessageRequest createErrorMessageRequest)
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

This is the request XML (from authnRequest.GetXml().OuterXml):

    (The element tags were lost in extraction; the surviving text nodes of the AuthnRequest, in document order, are:)

    Issuer:          https://localhost:44300/
    DigestValue:     H/BoE0BQdifc0OqiiUHmJMQU1T0=
    SignatureValue:  gf+Rvr/zQaODo9c72tTnCDuycPkzi1/v24NSj+Z/etCtE7PMlZgz5ZoDxZxs00XWBFMxPJ0ZgBUMxMg/ShqL5PdNwcbmi57y/ijpu/4EiKtptLFmuTHpM40mRdtVtLtq1A1EnEsHDJ0CqT6hyBKKnWTQ90/pjbWgK49aA17IW+Q=
    X509Certificate: MIIB/DCCAWWgAwIBAgIQ39LYOFEy9K1A+f1T4C/ELzANBgkqhkiG9w0BAQQFADAWMRQwEgYDVQQDEwtYWVogQ29tcGFueTAeFw0wNDEyMzExNzAwMDBaFw0wOTEyMzExNzAwMDBaMBYxFDASBgNVBAMTC1hZWiBDb21wYW55MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3E55S/VquStRieuJ39TM6HkKh47pC+x3XklZ+gmIPHk2XRbUuOCnJunxnesChjDJ2H0tP1usHoPU2jJbfNffEJRrVw8zDavvVqiye4hHGaSL3i7BDOChzKeQY/8yifIMFUIK7DOKwfQDUbJf662gac6u0AmNv/CNdIpECWUHokQIDAQABo0swSTBHBgNVHQEEQDA+gBDHk2UyyDjvEL4gr3OaFlNBoRgwFjEUMBIGA1UEAxMLWFlaIENvbXBhbnmCEN/S2DhRMvStQPn9U+AvxC8wDQYJKoZIhvcNAQEEBQADgYEAIqaguk7RrjeJJtq44DSFatuGtYxASy/MXtdbHhuiYIRNNBgBPB3NWYHVBrZnftBmbHz1Ur61x7ZWYPqezvKhyKZNgHHkbL0O35MHEYNNJhDLdw0QVn4QkZL5MhLHU+8zcaMWTERlQN3rQTAg4paz5oSVDMQyPbUAC/xsquUP44E=

Thanks

Dror S
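An added diagnostic for the error in this post (example code written for this page, not part of the post or of the ComponentPro sample). ID4037 says what ADFS is doing: it does not trust the certificate embedded in the request's KeyInfo, it looks up the relying-party trust named by the Issuer and verifies the signature with the request-signing certificate(s) registered on that trust (the "Signature" tab of the trust in the ADFS 2.0 console), and fails when its SecurityTokenResolver holds no key matching the request. The script below reproduces that comparison offline with the standard library only: it parses a signed AuthnRequest, extracts the embedded certificate, computes its SHA-1 thumbprint in the form ADFS displays, and compares it with the thumbprints you supply for the trust. The request, certificate bytes and thumbprints are constructed stand-ins; only the Issuer value comes from the post.

```python
"""Reproduce ADFS's key-resolution check for a signed SAML 2.0 AuthnRequest.

Added example (not the post's or ComponentPro's code). ADFS verifies the
request with the request-signing certificates registered on the relying-party
trust selected by <saml:Issuer>; the certificate inside <ds:KeyInfo> is only a
hint. ID4037 is raised when no registered certificate matches that hint.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def normalize_thumbprint(value):
    """Drop the spaces/colons the ADFS console shows and upper-case the hex."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def thumbprint(der):
    """Thumbprint as ADFS displays it: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def embedded_certificates(authn_request_xml):
    """DER bytes of every ds:X509Certificate carried in the request's KeyInfo."""
    root = ET.fromstring(authn_request_xml)
    path = "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return [base64.b64decode("".join((node.text or "").split()))
            for node in root.findall(path, NS)]


def diagnose(authn_request_xml, registered_thumbprints):
    """Compare the request's embedded certificate with the trust's registered ones.

    registered_thumbprints: thumbprints of the request-signing certificates
    configured on the relying-party trust (what fills ADFS's
    SecurityTokenResolver). Returns the Issuer (the value ADFS uses to pick
    the trust) plus a status string.
    """
    root = ET.fromstring(authn_request_xml)
    issuer = root.find("saml:Issuer", NS)
    result = {"issuer": issuer.text.strip() if issuer is not None and issuer.text else None}

    if root.find("ds:Signature", NS) is None:
        result["status"] = "unsigned"  # nothing for ADFS to verify
        return result

    registered = {normalize_thumbprint(t) for t in registered_thumbprints}
    if not registered:
        result["status"] = "no-signing-cert-registered"  # empty resolver: ID4037
        return result

    certs = embedded_certificates(authn_request_xml)
    if not certs:
        result["status"] = "no-keyinfo"  # no hint in the request; only the trust's list decides
        return result

    found = [thumbprint(c) for c in certs]
    result["embedded_thumbprints"] = found
    if any(t in registered for t in found):
        result["status"] = "key-resolvable"
    else:
        result["status"] = "thumbprint-mismatch"  # the ID4037 case: ADFS does not know this key
    return result


# Constructed stand-in for a DER certificate; a real request carries the SP's certificate.
FAKE_CERT_DER = b"constructed stand-in, not a real X.509 certificate"

# Constructed request with the shape of the one in the post; the Issuer value is the post's.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2017-12-06T11:37:24Z">
  <saml:Issuer>https://localhost:44300/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_constructed-id"><ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>""" % base64.b64encode(FAKE_CERT_DER).decode("ascii")

UNSIGNED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id2" Version="2.0">
  <saml:Issuer>https://localhost:44300/</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    # Trust registered with some other certificate: the situation behind ID4037.
    print(diagnose(SAMPLE_REQUEST, ["00 " * 20]))
    # Trust registered with the certificate the SP actually signs with.
    print(diagnose(SAMPLE_REQUEST, [thumbprint(FAKE_CERT_DER)]))
```

To use it on the post's request, feed the real OuterXml string to diagnose() together with the thumbprint shown for the trust's request-signing certificate in the ADFS console; a "thumbprint-mismatch" or "no-signing-cert-registered" result is the configuration gap behind ID4037. One caveat visible in the post itself: the embedded certificate decodes to CN=XYZ Company with a validity ending 2009-12-31, i.e. a sample certificate, so even once it is registered on the trust, ADFS's separate validity checks may still reject it; the signing certificate registered on the trust should be the one the SP really signs with.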

----------------------------------------------------------------------

Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand
If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor
who sold you the license and ask for your money back.
