Subject: Unable to verify the XML signature
Date: 2014-11-06 10:28:22
From: Itsupport Ireland
Source: unable-verify-xml-signature
----------------------------------------------------------------------

Hi there,
We are having an issue validating the SAMLResponse signature. We can confirm that the correct certificate is used for the validation. It throws up an error (Unable to verify the XML signature) and doesn't go inside the if or else statements. 
if (samlResponse.Validate(x509Certificate))
{
    // We know this is a valid SAML Response, so call SAML Handler
}
else
{
    // Check for other certificates & another certificate store for other Federated Provider
}
 
 
When testing using a ComponentPro IDP, the following is generated as part of the SAMLResponse and gets validated without any issue by the ConsumerService:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_BD630CBC3517282247E30A95E9AFEFBD">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="#default saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
 
 
However when testing with the CA SiteMinder federation partner, the following is generated as part of the SAMLResponse and is having the validation issue (Unable to verify the XML signature) on the ConsumerService:
<Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_8b0e86b81ae6101aced887ec98beb77f5fed">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
 
 
Here was the exception message:
 
Inner Exception
System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
   at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature()
   at ComponentPro.Saml.SignableSamlObject.c_K5J(KeyInfo c_GCU, SignedXml c_XDU)
 
 
It seems to be an issue with the signature algorithm.
I checked, and the Ultimate SAML feature list says that the SHA-256 algorithm is supported for generating and verifying SAML XML signatures.
 
 
Could there be any parameter which is causing the signature validation to fail? I noticed that the following parameters are different:
ComponentPro IDP:
<InclusiveNamespaces PrefixList="#default saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
 
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
 
CA SiteMinder IDP:
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
 
 
If it matters, I'm using the Net2_0 ComponentPro.Saml.dll.
 
 
Any help would be appreciated. Thanks a lot.
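The stack trace above comes from System.Security.Cryptography.Xml.SignedXml, which on older .NET Framework versions has no built-in SignatureDescription mapped to the http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 URI, so CheckSignature() throws before any cryptography happens. The following is an added example (not code from the original post and not ComponentPro's own code) showing the standard way to register such a description and then verify a SAMLResponse signature against a known IdP certificate with SignedXml directly. It assumes .NET Framework 4.0 or later (for CryptoConfig.AddAlgorithm); the file paths passed on the command line and the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not code from the original post or from ComponentPro.
// Maps the RSA-SHA256 SignatureMethod URI emitted by CA SiteMinder to a
// SignatureDescription so SignedXml can verify it (needs .NET 4.0+ for
// CryptoConfig.AddAlgorithm; on .NET 2.0/3.5 the same mapping goes into
// machine.config, see the note below the code).
public sealed class RsaPkcs1Sha256SignatureDescription : SignatureDescription
{
    public RsaPkcs1Sha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm("SHA256");
        return deformatter;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var formatter = new RSAPKCS1SignatureFormatter(key);
        formatter.SetHashAlgorithm("SHA256");
        return formatter;
    }
}

public static class SamlSignatureCheck
{
    const string RsaSha256Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Register once per process, before the first SignedXml.CheckSignature call.
    public static void RegisterRsaSha256()
    {
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha256SignatureDescription), RsaSha256Uri);
    }

    // Verifies the enveloped signature against the IdP certificate we already
    // trust (never against a KeyInfo carried in the message) and checks that
    // the signed Reference names the element we are about to consume, so a
    // valid signature over some other element in the document is rejected.
    public static bool Verify(XmlDocument doc, X509Certificate2 idpCert, string expectedElementId)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", DsigNs);
        var sigNode = doc.SelectSingleNode("//ds:Signature", ns) as XmlElement;
        if (sigNode == null) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sigNode);

        // Only accept the algorithms this partner is expected to use.
        if (signedXml.SignatureMethod != RsaSha256Uri &&
            signedXml.SignatureMethod != SignedXml.XmlDsigRSASHA1Url)
            return false;

        bool referenceOk = false;
        foreach (Reference r in signedXml.SignedInfo.References)
            if (r.Uri == "#" + expectedElementId) referenceOk = true;
        if (!referenceOk) return false;

        // verifySignatureOnly = true: no chain building; trust is anchored by
        // the certificate handed in here, not by anything in the document.
        return signedXml.CheckSignature(idpCert, true);
    }

    public static void Main(string[] args)
    {
        // Hypothetical inputs: a captured SAMLResponse XML file and the IdP's .cer file.
        RegisterRsaSha256();
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load(args[0]);
        var cert = new X509Certificate2(args[1]);
        // The Response element's ID attribute is what the Reference URI points at.
        string id = doc.DocumentElement.GetAttribute("ID");
        Console.WriteLine(Verify(doc, cert, id) ? "signature OK" : "signature FAILED");
    }
}
```

PreserveWhitespace must be set before loading, or canonicalization will hash a different byte sequence than the IdP signed and the digest check fails even with the right key. On .NET 2.0/3.5, where CryptoConfig.AddAlgorithm does not exist, the same class can be registered in machine.config under configuration/mscorlib/cryptographySettings/cryptoNameMapping: a cryptoClass entry pointing at the assembly-qualified type name, and a nameEntry whose name attribute is the rsa-sha256 URI and whose class attribute references that cryptoClass. On either version the verifying machine's RSA provider has to support SHA-2 (Windows Vista / Server 2008 or later for RSACryptoServiceProvider). Verify deliberately takes the one certificate configured for that federation partner rather than searching a store: a response should only validate against the key of the issuer it claims to come from.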

 

----------------------------------------------------------------------
Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand. If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor who sold you the license and ask for your money back.