
I've downloaded https://github.com/onelogin/dotnet-saml and am testing against an internal IdP. Initially I thought the error was because of the certificate being SHA256 (since the one referenced in their code is a 1024-bit SHA1). I changed the IdP certificate to match that criteria, but still receive the error below after authenticating at the IdP.

I'm new to .net, but have been writing PHP for 10+ years.

Line 88: return signedXml.CheckSignature(certificate.cert, true);
Source File: c:\inetpub\dotnet-saml-master\App_Code\Saml.cs    Line: 88 

[CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.]
System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key) +240118
System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key) +44
System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly) +532
OneLogin.Saml.Response.IsValid() in c:\inetpub\dotnet-saml-master\App_Code\Saml.cs:88
_Default.Page_Load(Object sender, EventArgs e) in c:\inetpub\dotnet-saml-master\Consume.aspx.cs:28
System.Web.UI.Control.OnLoad(EventArgs e) +109
System.Web.UI.Control.LoadRecursive() +68
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +4498
rcs
Jonathan Byers

1 Answer

The toolkit uses the System.Security.Cryptography.Xml library, which includes the SignedXml class.

That class has the CheckSignature method, which expects as its first parameter the X509Certificate2 object to use to verify the Signature, and a second parameter that determines whether to validate only the signature, or the signature and the X509 cert.

You are experiencing a CryptographicException. In a quick Google search I found the possible reason (depending on the framework version, you can get an error when using some algorithms): https://blogs.msdn.microsoft.com/smondal/2012/08/24/signaturedescription-could-not-be-created-for-the-signature-algorithm-supplied/

and at Stack Overflow a similar question with a solution: Signed XML signature verification for SSO SAML (Using sha256)

BTW: The dotnet-saml toolkit is 6 years old and it was a proof of concept of how to implement SAML on .NET.

OneLogin is working on the release of a new toolkit for .NET, but meanwhile, if you want to use that in production I can suggest you some alternatives:

Community
smartin
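The exception in the question is raised by the `SignatureMethod` URI inside the SAML Response (`http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`), not by the hash used to sign the IdP certificate itself: on .NET Framework 4.0 and 4.5 `CryptoConfig` has no `SignatureDescription` registered for that URI, so `SignedXml.CheckSignedInfo` fails before any key is used (.NET 4.6.2 and later ship the registration built in). The following is an added example, written for this page and not code from the dotnet-saml toolkit or from the answer above; it registers an RSA-SHA256 description the way the linked posts describe and then verifies the `ds:Signature` of a Response against an IdP certificate that the relying party already trusts. The class and method names (`RsaPkcs1Sha256SignatureDescription`, `SamlSignatureCheck`, `IsSignatureValid`) are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical helper (not part of dotnet-saml). Registering this class under
// the RSA-SHA256 XML-DSig URI lets SignedXml resolve the SignatureMethod that
// otherwise triggers "SignatureDescription could not be created for the
// signature algorithm supplied." on .NET 4.0/4.5.
public sealed class RsaPkcs1Sha256SignatureDescription : SignatureDescription
{
    public RsaPkcs1Sha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm("SHA256");
        return deformatter;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var formatter = new RSAPKCS1SignatureFormatter(key);
        formatter.SetHashAlgorithm("SHA256");
        return formatter;
    }
}

public static class SamlSignatureCheck
{
    private const string RsaSha256Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Call once at application start (e.g. Application_Start). On .NET 4.6.2+
    // the URI is already known, so the call simply adds a duplicate mapping.
    public static void RegisterSha256()
    {
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha256SignatureDescription), RsaSha256Uri);
    }

    // Verifies the ds:Signature of a SAML Response against the IdP certificate
    // the relying party trusts from its own configuration. Any KeyInfo carried
    // inside the message is deliberately ignored.
    public static bool IsSignatureValid(string samlResponseXml, X509Certificate2 idpCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(samlResponseXml);

        var signatures = doc.GetElementsByTagName("Signature", DsigNs);
        if (signatures.Count != 1)
            return false; // exactly one signature expected; zero or several is rejected

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]);

        // The single Reference must point at the root element's ID, so the
        // signature covers the whole Response and not just a nested node.
        if (signedXml.SignedInfo.References.Count != 1)
            return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        var rootId = doc.DocumentElement.GetAttribute("ID");
        if (string.IsNullOrEmpty(rootId) || reference.Uri != "#" + rootId)
            return false;

        // verifySignatureOnly = true matches the toolkit's call at Saml.cs:88:
        // the pinned certificate is trusted as-is and no chain is built.
        // Pass false instead if trust is meant to come from the chain.
        return signedXml.CheckSignature(idpCert, true);
    }
}
```

`RegisterSha256` has to run before the first `CheckSignature` call in the process, since `CryptoConfig` is consulted when `SignedXml` parses `SignedInfo`. The reference check is the part a SAML consumer most often omits: `CheckSignature` alone confirms that some element was signed by the key, not that the signed element is the Response being processed.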