Tags: c#, itfoxtec-identity-saml2

ID4037: The key needed to verify the signature could not be resolved from the following security key identifier


I have two web applications with SAML2 SSO between them. One direction is working fine, but the other results in this error:

ID4037: The key needed to verify the signature could not be resolved from the following security key identifier

With this stack trace:

    at System.IdentityModel.EnvelopedSignatureReader.ResolveSigningCredentials()
    at System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement()
    at System.IdentityModel.EnvelopedSignatureReader.Read()
    at System.Xml.XmlReader.ReadEndElement()
    at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
    at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
    at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.ReadSecurityToken(XmlNode assertionElement)
    at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
    at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
    at ITfoxtec.Identity.Saml2.Saml2Binding`1.ReadSamlResponse(HttpRequest request, Saml2Response saml2Response)

I control both sides of the code.

When running the SAML messages through my unit tests on my development machine, it works. But on the test server the SAML messages fail. I have verified that the correct certificates are being used and are included in the SAML. I have even changed to other certificates to ensure there isn't an issue with that, but it still failed at the same place.

The test server is part of a larger application, so I assume the issue is with how that application is set up or configured, but I cannot figure out what to change or update. It's also possible that the problem is with the server itself, but I'm also not sure what to change or update there.

The application is .NET 4.7.2, so I've looked at the SAML2 code here (https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/bdc785d01fd38c2213659be2116ebb8ae19ed4d9/src/ITfoxtec.Identity.Saml2/Request/Saml2AuthnResponse.cs):

    // Reads the <saml:Assertion> element into a Saml2SecurityToken; the handler
    // verifies the enveloped XML signature while reading, which is where ID4037 is raised.
    private Saml2SecurityToken ReadSecurityToken(XmlNode assertionElement)
    {
        using (var reader = new XmlNodeReader(assertionElement))
        {
            return Saml2SecurityTokenHandler.ReadToken(reader) as Saml2SecurityToken;
        }
    }

to .NET's EnvelopedSignatureReader.ResolveSigningCredentials here (https://github.com/microsoft/referencesource/blob/dae14279dd0672adead5de00ac8f117dcf74c184/System.IdentityModel/System/IdentityModel/EnvelopedSignatureReader.cs#L183),

which led me to create my own TokenResolver and assign that to the config, but I'm not too sure it's being called, as the same error comes up.

Any help is greatly appreciated!


Solution

  • My custom TokenResolver was not being used because I specified it AFTER creating the response. Gotta be before.

    // Assign the custom resolver on the configuration BEFORE constructing the
    // Saml2AuthnResponse, otherwise the default resolver is the one that gets used.
    config.CustomIssuerTokenResolver = new TokenResolver();

    I do need to specify my own Token Resolver because the default has been overridden via the web.config. But it is working now.
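The ordering point in the accepted answer, shown as a complete added example (this is not code from the question, the answer, or the ITfoxtec project). `Saml2Configuration`, `CustomIssuerTokenResolver`, `Saml2AuthnResponse` and `Saml2PostBinding.Unbind` are the library's own types and members; `PinnedIssuerTokenResolver`, `LoadIdpSigningCertificate` and the surrounding method are hypothetical names introduced here. The resolver answers the `KeyInfo` lookup that `EnvelopedSignatureReader.ResolveSigningCredentials` performs by matching the clause only against the one certificate the relying party expects the IdP to sign with, so a response signed with any other key still fails with ID4037 instead of being accepted.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using ITfoxtec.Identity.Saml2;

// Hypothetical resolver: resolves the signing key to a single pinned IdP certificate.
// Any KeyInfo that does not match that certificate is left unresolved, which makes
// the handler reject the signature rather than trust an unknown key.
public sealed class PinnedIssuerTokenResolver : SecurityTokenResolver
{
    private readonly X509SecurityToken _issuerToken;

    public PinnedIssuerTokenResolver(X509Certificate2 idpSigningCertificate)
    {
        if (idpSigningCertificate == null) throw new ArgumentNullException(nameof(idpSigningCertificate));
        _issuerToken = new X509SecurityToken(idpSigningCertificate);
    }

    // Called with the clause built from the assertion's <ds:KeyInfo> (raw data,
    // thumbprint, SKI or issuer/serial); MatchesKeyIdentifierClause handles all of them.
    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
    {
        key = null;
        if (keyIdentifierClause == null || !_issuerToken.MatchesKeyIdentifierClause(keyIdentifierClause))
            return false;
        key = _issuerToken.ResolveKeyIdentifierClause(keyIdentifierClause);
        return key != null;
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
    {
        token = null;
        if (keyIdentifierClause == null || !_issuerToken.MatchesKeyIdentifierClause(keyIdentifierClause))
            return false;
        token = _issuerToken;
        return true;
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
    {
        token = null;
        if (keyIdentifier == null) return false;
        foreach (SecurityKeyIdentifierClause clause in keyIdentifier)
        {
            if (TryResolveTokenCore(clause, out token)) return true;
        }
        return false;
    }
}

public static class AssertionConsumer
{
    // Hypothetical: loads the IdP signing certificate from wherever the relying party keeps it
    // (metadata, a store, a file). Kept abstract here; the source of the certificate is an assumption.
    private static X509Certificate2 LoadIdpSigningCertificate() =>
        throw new NotImplementedException("load the IdP signing certificate here");

    public static Saml2AuthnResponse ReadResponse(HttpRequest request, Saml2Configuration config)
    {
        // 1. Set the resolver on the configuration FIRST. The response constructor reads the
        //    configuration when it is created, so a resolver assigned afterwards is never seen.
        config.CustomIssuerTokenResolver = new PinnedIssuerTokenResolver(LoadIdpSigningCertificate());

        // 2. Only now construct the response object from that configuration.
        var saml2AuthnResponse = new Saml2AuthnResponse(config);

        // 3. Unbind the POSTed SAMLResponse; signature validation runs here and consults the resolver.
        var binding = new Saml2PostBinding();
        binding.Unbind(request, saml2AuthnResponse);

        if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
            throw new InvalidOperationException("SAML response status: " + saml2AuthnResponse.Status);

        return saml2AuthnResponse;
    }
}
```

Swapping steps 1 and 2 reproduces the symptom in the question: the handler keeps whatever resolver the configuration had at construction time, so the custom class is never called and the error is unchanged. Pinning a single certificate also means a certificate rotation on the IdP surfaces as ID4037 on the relying party until `LoadIdpSigningCertificate` is updated, which is the intended behaviour for a key-pinning resolver.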