
I am trying to use ITFoxtec-saml with Auth0 as IdP. But on ACS, I am getting the following error:

ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
   at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 237
   at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 204
   at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2Response.cs:line 66
   at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2AuthnResponse.cs:line 214
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 106
   at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 96
   at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Bindings\Saml2Binding.cs:line 70
   at TestWebAppCore.Controllers.AuthController.AssertionConsumerService() in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\test\TestWebAppCore\Controllers\AuthController.cs:line 58

1 Answer

The ITFoxtec Identity SAML 2.0 component should accept the signature if it is valid. I do not know about problems validating Auth0 tokens.

To debug you can check if the signature algorithm and the certificate are correct. And maybe also try to set the certificate validation mode to none and the revocation mode to no check.

Configuration example:

  "Saml2": {
    ...
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "None",
    "RevocationMode": "NoCheck"
    ...
  }
  • Thanks, turned out Auth0's default signature algorithm is SHA1, changed it to rsa and issue resolved. – Sadiq Khoja Oct 31 '19 at 13:52
  • I experienced this type of error when 1) the signature file changed (we weren't aware of the change) 2) if by mistake you get an empty line at the very beginning of the signature file (which would be invalid xml) – VilladsR Aug 25 '20 at 10:53
  • I've come across this same issue with Auth0. I notice in the Auth0 token it has `` - is there a way to get this library to use the algorithm in the token if it exists rather than the one specified in the config? It would be nice not to have to hardcode the signature ahead of time as seems to be done in the reference code. – Chris May 19 '21 at 11:04
  • You can configure to use SHA1, e.g. in the config file. But for security reasons the library will only accept the configured algorithm. – Anders Revsgaard May 19 '21 at 12:05
  • @AndersRevsgaard Thanks for the reply. I can't see the signature algorithm in the SAML metadata XML anywhere. Is there a standard way to confirm the algorithm in use or do I just need to ask the IdP to let me know what algorithm they use? – Chris May 19 '21 at 14:54
  • You can not see the algorithm in the SAML metadata. You need to ask the IdP or look at the AuthnResponse you receive. – Anders Revsgaard May 20 '21 at 06:39
  • Is it possible to share a sample application? – Anders Revsgaard Aug 04 '21 at 11:14
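The answer and the comments come down to one check: the algorithm the SP has configured must equal the one the IdP actually signed with, and the only place to see the latter is the received AuthnResponse. The script below is an added example (not from the question, the answer, or the ITfoxtec library) that decodes a POST-binding SAMLResponse and lists the SignatureMethod algorithm declared on the Response and on each Assertion signature, so a mismatch with the configured value is visible before the library rejects the message. The XML skeleton and the CONFIGURED_ALGORITHM value are constructed for the example; the skeleton carries placeholder signature values and is for inspection only, not signature verification.

```python
import base64
import xml.etree.ElementTree as ET  # inspection only; prefer defusedxml for untrusted input in production

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Same URI as the SP's "SignatureAlgorithm" setting (assumed rsa-sha256, as in the answer's config).
CONFIGURED_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed skeleton of an IdP response with placeholder signature values; the SignatureMethod
# elements are where a real response declares the algorithm. Here the Response signature says
# RSA-SHA1 (the Auth0 default the asker hit) while the Assertion signature says RSA-SHA256.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" ID="_r1">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
# The POST binding carries the XML base64-encoded in the SAMLResponse form field.
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def _method(signature):
    """Algorithm URI from a ds:Signature element, or None if it declares no SignatureMethod."""
    m = signature.find(f".//{{{DS_NS}}}SignatureMethod")
    return m.get("Algorithm") if m is not None else None


def signature_algorithms(saml_response_b64):
    """Return {signed element name: SignatureMethod Algorithm URI} for the Response and each Assertion."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = {}
    sig = root.find(f"{{{DS_NS}}}Signature")  # enveloped Response-level signature
    if sig is not None:
        found["Response"] = _method(sig)
    for i, assertion in enumerate(root.findall(f"{{{SAML_NS}}}Assertion")):
        sig = assertion.find(f"{{{DS_NS}}}Signature")  # enveloped Assertion-level signature
        if sig is not None:
            found[f"Assertion[{i}]"] = _method(sig)
    return found


def mismatches(saml_response_b64, configured=CONFIGURED_ALGORITHM):
    """Signed elements whose declared algorithm differs from the SP's configured one."""
    return [name for name, alg in signature_algorithms(saml_response_b64).items() if alg != configured]
```

Matching the SP setting to what the IdP emits is what the library expects; where the IdP can be changed, as the asker did with Auth0, moving it to RSA-SHA256 is the better fix than configuring SHA1 on the SP side.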