Tags: c#, asp.net-core, saml, itfoxtec-identity-saml2

I am trying to use ITfoxtec to send metadata to the IdP but I get an obscure error


I am using the ITfoxtec SAML library in a .NET Core web app that will be a service provider, connecting to a SAML identity provider to initiate single sign-on.

I am trying to set up the SP metadata that the IdP needs.

Whenever I run the web app to test whether it's working, it starts up fine, but when I try to sign in via single sign-on I get this error:

“Signature is invalid”

I have the following in my appsettings.json file:

```json
{
  "Saml2": {
    "IdPMetadata": "https://zion.xyz.edu/idp ",
    "Issuer": "Arizona State",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SigningCertificateFile": "itfoxtec.identity.saml2.testwebappcore_Certificate.pfx",
    "SigningCertificatePassword": "!QAZ2wsx",
    "CertificateValidationMode": "None",
    "RevocationMode": "NoCheck",
    "samlMetadataUrl": "~/SP_webapp/Metadata"
  }
}
```

That samlMetadataUrl is supposed to point to my MetadataController.cs, which has this code:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

public class MetadataController : Controller
{
    private readonly Saml2Configuration config;

    public MetadataController(IOptions<Saml2Configuration> configAccessor)
    {
        config = configAccessor.Value;
    }

    public IActionResult Index()
    {
        // Base URL of this SP; the endpoint locations below are built relative to it.
        var defaultSite = new Uri($"{Request.Scheme}://{Request.Host.ToUriComponent()}/");

        var entityDescriptor = new EntityDescriptor(config);
        entityDescriptor.ValidUntil = 365;
        entityDescriptor.SPSsoDescriptor = new SPSsoDescriptor
        {
            WantAssertionsSigned = true,
            // Certificate the IdP uses to verify this SP's signed requests.
            SigningCertificates = new X509Certificate2[]
            {
                config.SigningCertificate
            },
            //EncryptionCertificates = new X509Certificate2[]
            //{
            //    config.DecryptionCertificate
            //},
            SingleLogoutServices = new SingleLogoutService[]
            {
                new SingleLogoutService { Binding = ProtocolBindings.HttpPost, Location = new Uri(defaultSite, "Auth/SingleLogout"), ResponseLocation = new Uri(defaultSite, "Auth/LoggedOut") }
            },
            NameIDFormats = new Uri[] { NameIdentifierFormats.X509SubjectName },
            AssertionConsumerServices = new AssertionConsumerService[]
            {
                new AssertionConsumerService { Binding = ProtocolBindings.HttpPost, Location = new Uri(defaultSite, "Auth/AssertionConsumerService") },
            },
            AttributeConsumingServices = new AttributeConsumingService[]
            {
                new AttributeConsumingService { ServiceName = new ServiceName("Some SP", "en"), RequestedAttributes = CreateRequestedAttributes() }
            },
        };
        entityDescriptor.ContactPersons = new[] {
            new ContactPerson(ContactTypes.Administrative)
            {
                Company = "Arizona State",
                GivenName = "Redding",
                SurName = "Smith",
                EmailAddress = "[email protected]",
                TelephoneNumber = "xxx-214-3932",
            }
        };
        // Serialise the descriptor as SAML metadata XML and return it to the caller.
        return new Saml2Metadata(entityDescriptor).CreateMetadata().ToActionResult();
    }

    private IEnumerable<RequestedAttribute> CreateRequestedAttributes()
    {
        yield return new RequestedAttribute("urn:oid:2.5.4.4");
        yield return new RequestedAttribute("urn:oid:2.5.4.3", false);
        yield return new RequestedAttribute("urn:xxx", true, "test-value");
    }
}
```

Solution

  • If you get the error on the IdP when it is called (you are requiring the SAML Authn to be signed), then the IdP has incorrect SP metadata.

    If you get the error after the user has logged in at the IdP, the IdP metadata "IdPMetadata": "https://zion.xyz.edu/idp" containing the IdP certificate is incorrect. It is also possible that the IdP uses a signature algorithm other than the configured "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".
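To tell the two causes in this answer apart before touching the configuration, here is an added diagnostic (not part of the answer and not ITfoxtec code) that compares the signing certificate and SignatureMethod carried in a SAML Response with what the IdP metadata advertises and what the SP has configured. The metadata and Response XML below are constructed samples with fake base64 "certificates"; the script only compares fingerprints and algorithm URIs, it does not verify the XML signature itself.

```python
# Added diagnostic (not ITfoxtec code): compare what the IdP metadata advertises with what a Response carries.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

def fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes; line breaks inside the element are ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def idp_signing_fingerprints(metadata_xml):
    """Fingerprints of every IdP signing certificate (a KeyDescriptor without 'use' covers both uses)."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            fps.update(fingerprint(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS))
    return fps

def response_signature(response_xml):
    """(SignatureMethod algorithm, fingerprint of the KeyInfo cert) from the Response's own Signature."""
    sig = ET.fromstring(response_xml).find("ds:Signature", NS)
    alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    return alg, fingerprint(cert)

def diagnose(metadata_xml, response_xml, configured_alg):
    """List of mismatches; an empty list means neither cause from the answer applies."""
    alg, fp = response_signature(response_xml)
    problems = []
    if fp not in idp_signing_fingerprints(metadata_xml):
        problems.append("IdP metadata does not contain the certificate that signed the Response")
    if alg != configured_alg:
        problems.append(f"Response signed with {alg}, SP configured for {configured_alg}")
    return problems

# Constructed sample inputs (fake certs, fake IdP): metadata advertises cert A, Response is signed with cert B using rsa-sha1.
CERT_A = base64.b64encode(b"constructed IdP cert A").decode()
CERT_B = base64.b64encode(b"constructed IdP cert B").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example/idp">
<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{NS['ds']}" ID="_c1">
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA1}"/></ds:SignedInfo>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"""
```

Run `diagnose(SAMPLE_METADATA, SAMPLE_RESPONSE, RSA_SHA256)` against a real Response captured from the browser's SAML POST and the real IdP metadata document to see which of the two mismatches you actually have.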