Tags: asp.net-core, azure-ad-b2c, sustainsys-saml2

Azure B2C with custom SAML2 policy and Sha256 as the signing algorithm


I am using Sustainsys package Sustainsys.Saml2.AspNetCore2 to build a service provider web app in ASP.NET Core 3.1, which uses Azure B2C as the identity provider using SAML2. I have the following issue:

  1. If I use Sha1 as the signing algorithm, using the option MinIncomingSigningAlgorithm, then an exception is thrown by CryptoConfig.CreateFromName because that method does not know the Sha1 algorithm.

  2. If I use Sha256 as the signing algorithm then Azure B2C signs the response with Sha1 even though I have specified <Item Key="XmlSignatureAlgorithm">Sha256</Item> in the RelyingParty of my custom policy. I should note that this seems to only happen when the service provider starts the single logout flow. The login flow completes without issues and there the signing algorithm is Sha256. Here is my RelyingParty section:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2"/>
    <Metadata>
      <Item Key="XmlSignatureAlgorithm">Sha256</Item>
    </Metadata>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true"/>
  </TechnicalProfile>
</RelyingParty>

Furthermore, the metadata of Azure B2C uses Sha256 as the signature and digest method. Here is the relevant section:

<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <Reference URI="...">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="saml samlp xenc xs"/>
      </Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </Reference>
</SignedInfo>

Any help is highly appreciated. Thank you.


Solution

  • It turns out that I needed to add <Item Key="XmlSignatureAlgorithm">Sha256</Item> to the technical profile as well (in addition to it being part of RelyingParty as shown above). This solves the issue that I had with single logout.

    <TechnicalProfile Id="Saml2AssertionIssuer">
      <Protocol Name="None"/>
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      <Metadata>
        <Item Key="XmlSignatureAlgorithm">Sha256</Item>
      </Metadata>
    </TechnicalProfile>
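The underlying check that the service provider performs (and that MinIncomingSigningAlgorithm configures in Sustainsys) is to look at the SignatureMethod and DigestMethod URIs inside ds:SignedInfo and reject anything weaker than the configured minimum. The following is an added example, not code from the question, the answer, Sustainsys or Azure B2C: a small Python inspector that applies that rule to a SignedInfo fragment. It is useful for diagnosing exactly the situation above, where the metadata advertises SHA-256 but an individual message (the logout response) arrives signed with SHA-1. The fragments are constructed from the SignedInfo block shown in the question with the ds namespace declaration added; the strength ranking and the rejection of unknown URIs are this example's own policy, the latter mirroring the behaviour of CryptoConfig.CreateFromName failing on a name it does not know.

```python
"""Inspect a SAML ds:SignedInfo block and enforce a minimum signature strength."""
from typing import Dict, Tuple
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm URIs ranked by the hash they use (assumption: ranking chosen for this
# example). Any URI not listed here is rejected outright, the safe analogue of
# CryptoConfig.CreateFromName not recognising the configured name.
SIGNATURE_STRENGTH: Dict[str, int] = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": 1,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": 256,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": 384,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": 512,
}
DIGEST_STRENGTH: Dict[str, int] = {
    "http://www.w3.org/2000/09/xmldsig#sha1": 1,
    "http://www.w3.org/2001/04/xmlenc#sha256": 256,
    "http://www.w3.org/2001/04/xmldsig-more#sha384": 384,
    "http://www.w3.org/2001/04/xmlenc#sha512": 512,
}


def check_signed_info(xml_text: str, min_strength: int = 256) -> Tuple[bool, str]:
    """Return (ok, reason).

    ok is True only when the SignatureMethod and every Reference's DigestMethod
    are known algorithms whose strength is at least min_strength. The digest is
    checked as well as the signature because a SHA-256 signature over a SHA-1
    digest is only as strong as the digest.
    """
    root = ET.fromstring(xml_text)
    # Accept a bare SignedInfo or a larger document that contains one.
    signed_info = root if root.tag == f"{{{DS}}}SignedInfo" else root.find(f".//{{{DS}}}SignedInfo")
    if signed_info is None:
        return False, "no ds:SignedInfo element found"

    sig = signed_info.find(f"{{{DS}}}SignatureMethod")
    if sig is None:
        return False, "SignedInfo has no SignatureMethod"
    sig_alg = sig.get("Algorithm", "")
    sig_strength = SIGNATURE_STRENGTH.get(sig_alg)
    if sig_strength is None:
        return False, f"unknown signature algorithm {sig_alg!r}"
    if sig_strength < min_strength:
        return False, f"signature algorithm {sig_alg} is below the configured minimum"

    refs = signed_info.findall(f"{{{DS}}}Reference")
    if not refs:
        return False, "SignedInfo has no Reference"
    for ref in refs:
        digest = ref.find(f"{{{DS}}}DigestMethod")
        if digest is None:
            return False, f"Reference {ref.get('URI')!r} has no DigestMethod"
        digest_alg = digest.get("Algorithm", "")
        digest_strength = DIGEST_STRENGTH.get(digest_alg)
        if digest_strength is None:
            return False, f"unknown digest algorithm {digest_alg!r}"
        if digest_strength < min_strength:
            return False, f"digest algorithm {digest_alg} is below the configured minimum"
    return True, "signature and digest algorithms meet the minimum"


def signed_info(sig_alg: str, digest_alg: str) -> str:
    """Build a constructed SignedInfo fragment modelled on the one in the question."""
    return f"""<SignedInfo xmlns="{DS}">
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <SignatureMethod Algorithm="{sig_alg}"/>
  <Reference URI="#_constructed-id">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="saml samlp xenc xs"/>
      </Transform>
    </Transforms>
    <DigestMethod Algorithm="{digest_alg}"/>
  </Reference>
</SignedInfo>"""


# Constructed samples: what the metadata advertises, and what the logout
# response in the question actually carried.
METADATA_SHA256 = signed_info("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                              "http://www.w3.org/2001/04/xmlenc#sha256")
LOGOUT_SHA1 = signed_info("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                          "http://www.w3.org/2000/09/xmldsig#sha1")
MIXED_SHA256_SIG_SHA1_DIGEST = signed_info("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                                           "http://www.w3.org/2000/09/xmldsig#sha1")

if __name__ == "__main__":
    for name, doc in [("metadata", METADATA_SHA256), ("logout", LOGOUT_SHA1),
                      ("mixed", MIXED_SHA256_SIG_SHA1_DIGEST)]:
        ok, reason = check_signed_info(doc)
        print(f"{name:9} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Run against a captured logout response (with the XML pasted into a file) the script makes the mismatch visible immediately: the metadata fragment is accepted while the SHA-1-signed message is rejected, which is the same decision Sustainsys takes when MinIncomingSigningAlgorithm is set to the SHA-256 URI. Lowering min_strength to 1 shows what accepting SHA-1 would mean and is only useful for confirming the diagnosis, not as a production setting.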