Subject: Ultimate SAML: SHA 256 Logout Request: ADFS SAML request is not signed with expected signature algorithm
Date: 2021-01-22 13:46:13
From: cglynn
Source: ultimate-saml-sha-256-logout-request-adfs-saml-request-not-signed-expected-signature-algorithm
----------------------------------------------------------------------

Login is working with SHA 256. Service Provider-initiated logout is having issues.

SHA 1 is working correctly. The only change for the SHA 256 test is updating the ADFS Relying Party to use SHA256, and in code switching to signing with SHA 256.

Using ComponentPro.Saml V 7.2.238

Error from ADFS:

SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1 

User Action:
Verify that signature algorithm for the partner is configured as expected.

SAML Logout Request
(element tags lost in extraction; the remaining text nodes, in document order, are)
 Issuer: myNetLearning
 DigestValue: ny27iiavqQIWzQsFF3URKUWrWZRSd7aAwcOpIH29cbI=
 SignatureValue: Pd7Q 5/gCRhXWVbPUQzyZS /kh57eCpK2kCqr439R53TWRtS5zE15FDsRAGyIVcOj2TyRxDBgC71HQYbO7jCfn4w4GxSRSCcrOyS7XKRze0/Th8/SzqGL8zI33z5E kmYuYAIbRBGGbr4mo/vMAnBuikHsmakNQyWEyGwBDiWFLvrQiNnXLI/U0uVKL/KGyM1DE6J20FG9 gonHxa4x3OFroaupmMhOMYg 9WnHhW0sbNY63Z jyOqZ3LETYctEvr FpFHYhYWo99ZTT9/zFKQ2zS 1tyu15aQbEQP95fplUZUPlHiqsFZuBq9PYT417r1ubHhxPdbFZMtrifvMpiA==
 (the spaces inside the base64 value are presumably '+' characters lost in URL decoding)
 NameID: nl tech support

Method to sign request

using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Configuration;
using ComponentPro.Saml2;   // namespace assumed for LogoutRequest, Issuer and NameId

public void RedirectToIdentityProvider(HttpContextBase context, ISsoConfiguration configuration, string returnUrl)
{
    // SP-initiated logout: tell the IdP which principal to log out and which relying party is asking.
    var logoutRequest = new LogoutRequest
    {
        Destination = configuration.IdentityProviderLogoutUrl,
        Issuer = new Issuer(WebConfigurationManager.AppSettings["RelyingPartyIdentifier"]),
        NameId = new NameId(context.User.Identity.Name)
    };

    // Signing certificate from the local machine store: the configured subject name when one is
    // set, otherwise the one from app settings.
    X509Certificate2 x509Certificate = CertificateManager
        .GetCertificate(StoreName.My, StoreLocation.LocalMachine,
            configuration.NlSigningCertificate.IsNullOrEmpty() ?
                WebConfigurationManager.AppSettings["CertificateSubjectName"] :
                configuration.NlSigningCertificate, true);

    if (configuration.SigningAlgorithm == Crypto.HashAlgorithmTypes.SHA256)
    {
        // XML signature on the LogoutRequest element: SHA-256 digest method, RSA-SHA256 signature method.
        logoutRequest.Sign(x509Certificate.PrivateKey, "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
    }
    else
    {
        // Library default signature method (RSA-SHA1).
        logoutRequest.Sign(x509Certificate.PrivateKey);
    }

    // HTTP-Redirect binding: the request goes into the query string, and the private key passed here
    // is used for the redirect-binding (SigAlg/Signature query parameter) signature. Note that, unlike
    // the Sign() call above, no signature algorithm is passed to this call.
    logoutRequest.Redirect(context.Response, getIdentityProviderUrl(configuration.IdentityProviderLogoutUrl), null, x509Certificate.PrivateKey);
}

----------------------------------------------------------------------
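The ADFS error quoted in the post is about the SigAlg of the HTTP-Redirect binding, not about the XML signature inside the request: for a redirect binding the request is deflated and base64-encoded into the SAMLRequest parameter, and a separate signature over `SAMLRequest=...&RelayState=...&SigAlg=...` travels in the Signature parameter, with the algorithm announced in SigAlg. The following Go program is an added example and is not the poster's code or part of ComponentPro.Saml; it builds that signed query string with a chosen SigAlg and then plays the IdP side, which first compares SigAlg with the algorithm configured for the partner (the check behind the "Expected signature algorithm is ..." message) and only then verifies the signature. The LogoutRequest XML, hostnames and key are constructed for the example; it uses only the Go standard library.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers crypto.SHA1 for Hash.New()
	_ "crypto/sha256" // registers crypto.SHA256 for Hash.New()
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Signature algorithm URIs exactly as they appear in the SigAlg query parameter.
const (
	RsaSha1   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
	RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
)

// Constructed sample LogoutRequest (not the request from the post).
const sampleLogoutRequest = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" IssueInstant="2021-01-22T13:46:13Z" Destination="https://adfs.example.test/adfs/ls/"><saml:Issuer>myNetLearning</saml:Issuer><saml:NameID>user@example.test</saml:NameID></samlp:LogoutRequest>`

// hashFor maps a SigAlg URI to the digest used with RSA PKCS#1 v1.5.
func hashFor(sigAlg string) (crypto.Hash, error) {
	switch sigAlg {
	case RsaSha1:
		return crypto.SHA1, nil
	case RsaSha256:
		return crypto.SHA256, nil
	}
	return 0, fmt.Errorf("unsupported SigAlg %q", sigAlg)
}

// encodeRequest applies the HTTP-Redirect binding encoding: raw DEFLATE, then base64.
func encodeRequest(xml string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xml)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// signedQuery builds the query string the SP redirects the browser with. The signature covers
// the URL-encoded SAMLRequest, RelayState (if present) and SigAlg, in that order, so SigAlg
// itself is protected: the IdP learns the algorithm from the request, then checks it.
func signedQuery(key *rsa.PrivateKey, samlRequest, relayState, sigAlg string) (string, error) {
	h, err := hashFor(sigAlg)
	if err != nil {
		return "", err
	}
	toSign := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		toSign += "&RelayState=" + url.QueryEscape(relayState)
	}
	toSign += "&SigAlg=" + url.QueryEscape(sigAlg)
	hasher := h.New()
	hasher.Write([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, h, hasher.Sum(nil))
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParam returns a parameter's value still URL-encoded, as received; the signed string must
// be rebuilt from the bytes on the wire, not from re-encoded decoded values.
func rawParam(rawQuery, name string) string {
	for _, kv := range strings.Split(rawQuery, "&") {
		if strings.HasPrefix(kv, name+"=") {
			return kv[len(name)+1:]
		}
	}
	return ""
}

// verifyQuery mirrors the IdP: reject a SigAlg that differs from the one configured for the
// partner (this is the ADFS check), then verify the signature over the reconstructed string.
func verifyQuery(pub *rsa.PublicKey, rawQuery, expectedSigAlg string) error {
	sigAlgRaw := rawParam(rawQuery, "SigAlg")
	sigAlg, err := url.QueryUnescape(sigAlgRaw)
	if err != nil {
		return err
	}
	if sigAlg != expectedSigAlg {
		return fmt.Errorf("SAML request is signed with signature algorithm %s. Expected signature algorithm is %s", sigAlg, expectedSigAlg)
	}
	h, err := hashFor(sigAlg)
	if err != nil {
		return err
	}
	toSign := "SAMLRequest=" + rawParam(rawQuery, "SAMLRequest")
	if rs := rawParam(rawQuery, "RelayState"); rs != "" {
		toSign += "&RelayState=" + rs
	}
	toSign += "&SigAlg=" + sigAlgRaw
	sigB64, err := url.QueryUnescape(rawParam(rawQuery, "Signature"))
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	hasher := h.New()
	hasher.Write([]byte(toSign))
	return rsa.VerifyPKCS1v15(pub, h, hasher.Sum(nil), sig)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the example
	if err != nil {
		panic(err)
	}
	enc, err := encodeRequest(sampleLogoutRequest)
	if err != nil {
		panic(err)
	}
	q, err := signedQuery(key, enc, "", RsaSha256)
	if err != nil {
		panic(err)
	}
	fmt.Println("partner configured for RSA-SHA256:", verifyQuery(&key.PublicKey, q, RsaSha256))
	fmt.Println("partner configured for RSA-SHA1:  ", verifyQuery(&key.PublicKey, q, RsaSha1))
}
```

The second line of output reproduces the mismatch in the post: a request signed with rsa-sha256 presented to a partner entry that still expects rsa-sha1 is refused before the signature bytes are even checked, so the thing to compare is the SigAlg actually sent on the redirect (visible in the browser's address bar or a proxy) against the relying party trust's signature algorithm setting.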

Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand
If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor
who sold you the license and ask for your money back.
