Reference URI pointing to Response element and not the Assertion #1451

Closed
NunoCruzSW opened this issue May 7, 2024 · 2 comments
@NunoCruzSW

I am using this to integrate with a customer SSO in SAML but I am getting the following exception:

Sustainsys.Saml2.Exceptions.InvalidSignatureException: Incorrect reference on Xml signature. The reference must be to the root element of the element containing the signature.
at Sustainsys.Saml2.XmlHelpers.ValidateReference(SignedXml signedXml, XmlElement xmlElement, String mininumDigestAlgorithm)
at Sustainsys.Saml2.XmlHelpers.ValidateSignedInfo(SignedXml signedXml, XmlElement xmlElement, String minIncomingSignatureAlgorithm)
at Sustainsys.Saml2.XmlHelpers.IsSignedByAny(XmlElement xmlElement, IEnumerable`1 signingKeys, Boolean validateCertificate, String minimumSigningAlgorithm)
at Sustainsys.Saml2.Saml2P.Saml2Response.<>c__DisplayClass60_0.<ValidateSignature>b__0(XmlElement a)
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
at Sustainsys.Saml2.Saml2P.Saml2Response.ValidateSignature(IOptions options, IdentityProvider idp)
at Sustainsys.Saml2.Saml2P.Saml2Response.CreateClaims(IOptions options, IdentityProvider idp)+MoveNext()

Looking at the source code and the XML, it seems like the URI on the response is pointing to the Response ID and not the Assertion ID.

I am not expert enough to say what is wrong or not, but it seems like the signature reference is trying to refer to the response, not the assertion element.
Is this a valid scenario? Is there any assumption made by the library that misses the possibility of the URI pointing to the Response ID?

@AndersAbel (Member)

It looks like the reference of the signature is not pointing to the correct node. The Saml2 spec has some strict rules on XML Signature processing, and this library is very strict about that validation. Could you please check where in the XML structure the signature node is, what the value of the reference is, and what node has that ID.
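The three things asked for in the comment above (which element contains the ds:Signature, what its Reference URI is, and which element actually carries that ID) can be pulled out of a captured SAML message with a short script. The following is an added example written for this page, not Sustainsys.Saml2 code; it applies the same rule the exception message states (the single Reference must point at the element the Signature is enveloped in) but does no digest or signature verification. The two sample messages it builds are constructed, with dummy DigestValue and SignatureValue content, and mirror the mismatch described in the issue: a signature placed inside the Assertion whose Reference URI names the Response ID.

```python
"""Report where each enveloped XML Signature sits in a SAML message and whether
its Reference URI points back at the element that contains it.

Added illustration (not Sustainsys.Saml2 code). Does not verify digests or
signature values; sample messages are constructed with dummy values."""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"


def local_name(element):
    """'{ns}Assertion' -> 'Assertion'; None when no element was found."""
    if element is None:
        return None
    return element.tag.rsplit("}", 1)[-1]


def check_signature_references(xml_text):
    """Return one finding per ds:Signature: containing element, its ID, the
    Reference URI(s), the element that owns the referenced ID, and whether the
    reference satisfies the 'root of the signed element' rule."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers: build child -> parent once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    # Index of ID attributes, so we can name the element a URI really targets.
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID") is not None}

    findings = []
    for sig in root.iter(DS + "Signature"):
        container = parent_of.get(sig)  # element the signature is enveloped in
        uris = [ref.get("URI", "") for ref in sig.findall(f"{DS}SignedInfo/{DS}Reference")]
        # SAML 2.0 core 5.4.2: exactly one same-document Reference of the form "#<ID>"
        target_id = uris[0][1:] if len(uris) == 1 and uris[0].startswith("#") else None
        container_id = container.get("ID") if container is not None else None
        findings.append({
            "container": local_name(container),
            "container_id": container_id,
            "reference_uris": uris,
            "referenced_element": local_name(by_id.get(target_id)),
            "valid": target_id is not None and target_id == container_id,
        })
    return findings


def sample_response(reference_uri):
    """Constructed SAML Response (Response ID _resp1, Assertion ID _asn1) with
    the Signature enveloped in the Assertion and a caller-chosen Reference URI."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_asn1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="{reference_uri}">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>ZHVtbXk=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.invalid</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def describe(findings):
    """Human-readable one-liners, one per signature."""
    return [
        f"{'OK' if f['valid'] else 'MISMATCH'}: Signature inside "
        f"<{f['container']} ID={f['container_id']}>, Reference URI={f['reference_uris']} "
        f"-> <{f['referenced_element']}>"
        for f in findings
    ]


if __name__ == "__main__":
    # "#_resp1" reproduces the issue: signature in the Assertion, URI naming the Response.
    for uri in ("#_resp1", "#_asn1"):
        print("\n".join(describe(check_signature_references(sample_response(uri)))))
```

Run against the real message captured from the IdP (after base64-decoding the SAMLResponse form field), the MISMATCH line tells you directly whether the signature was placed in the wrong element or is referencing the wrong ID, which is the distinction the reporter had to resolve with the customer.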

@NunoCruzSW (Author) commented May 24, 2024

Yes, that is what I found. I looked at the message the customer is sending from their IdP, and the signature was either in the wrong element or pointing to the wrong element.
We can close this.
