SAML 2.0 Error when signature comes next to AttributeStatement (.Net 4.5)

StackOverflow https://stackoverflow.com//questions/21007111

  •  21-12-2019
  •  | 
  •  

Pregunta

I am running integration testing with a service that sends request with SAML 2.0 Assertion: the ReadAssertion(XmlReader reader) method of System.IdentityModel.Tokens.Saml2SecurityTokenHandler is throwing exception with Element is an invalid XmlNodeType message.

Trying to investigate this I found out that this is happening because the method is expecting to read the the end element in the place of Signature and If I remove this node this method works fine but I get another exception ID4152: The Saml2SecurityToken cannot be validated because the IssuerToken property is not set. Unsigned SAML2:Assertions cannot be validated.

Can anybody please help me what the problem is? Or is the request signature in a correct format. From my test application the signature always comes first and I don’t have this problem. Here is what they send me.

  <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
  xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_3667829ea1b046968151794aa774f909"
  IssueInstant="2014-01-07T22:57:13.118Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=US,O=AEGISnetInc,CN=dilhn001.dil.aegis.net</saml2:Issuer>
  <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=TS: PRL-R-0000.0-2010 TC: PD-R-0000.0-2010</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml2:SubjectConfirmationData>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:KeyValue>
            <ds:RSAKeyValue>
              <ds:Modulus>jT0q3UTlZ7maUp5VwmVbZvIv67gm3SFJjN+2EhJtg9TEdTFkL5aQAI06uU32kdqnLPyfWElZdmgGtr6YHYfUy1K1o3wXK9jnX8JTL8oybNmDqkVw/TVXr9KD0vAw+8Iut1T7boDGdD7bnzwPBwImtyCIm6S6Q4Wlx64xkq4gdhZTXkkSaKPyy517LgNCtzdigDVU+bZqAueWE1l4BOpHVrjULX8wLGjZloU4rWqN0AvsjS1OpC0HO/aTxKznT4jD1PVNKJPLzlTU6e0RPuOMyTlccoPf2UeAMI+QZDim7uZ9IoE0dMnqJLSGYq+KGfa0AZReg1OFXYzF2qicdmFKeQ==</ds:Modulus>
              <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
          </ds:KeyValue>
        </ds:KeyInfo>
      </saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2014-01-07T22:19:12.905Z" SessionIndex="123456">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">
      <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Lab IT Testcase</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
      <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.3.1259.10.1001</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
      <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">urn:oid:2.16.840.1.113883.3.1259.10.1001</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId">
      <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">urn:oid:2.16.840.1.113883.3.1259.10.1001</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
      <saml2:AttributeValue>
        <hl7:Role xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="46255001" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED_CT" displayName="Pharmacist" xsi:type="hl7:CE"/>
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
      <saml2:AttributeValue>
        <hl7:PurposeOfUse xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="TREATMENT" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Treatment" xsi:type="hl7:CE"/>
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id">
      <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">RI0002.000000010^^^&amp;2.16.840.1.113883.3.1259.10.1001&amp;ISO</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_0a559edda54f456a917fc9b4e69243a9">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>zYfPwHi3nhD9UiWU/PjUY8p2Qmg=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>HHAv7faYgZR6mwEGrHuArru8SuqJQNGa2/lFJyK1IBdQW7lsrRfPB351SYV75Kds/D/YSWRH4QAL
gu3rW7I9If8pc4Jf4ICIwMyGhzKQMy7N5h2pZGsrc2UIyyEt+0QWhjf37z7zc07RfbyfPfTiLUKG
rjhgmRO9FlQ8G2AOX8PfjMdlWyFKUcF56Qziv6mlVAvzEuJmKP6/oZQxe01GwWoA+7JddGyEEtZC
AhDnZR1dF13H3vrJtoZMHGZUVDeO7XrMhqlQA2Z5vCZ9GsSIZmAclSewh1BoImDvRUEVmFrnyZq5
bgSQkTAzzbfTILnMjMGF3WDxLBgA771nO3W6Ag==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>jT0q3UTlZ7maUp5VwmVbZvIv67gm3SFJjN+2EhJtg9TEdTFkL5aQAI06uU32kdqnLPyfWElZdmgG
tr6YHYfUy1K1o3wXK9jnX8JTL8oybNmDqkVw/TVXr9KD0vAw+8Iut1T7boDGdD7bnzwPBwImtyCI
m6S6Q4Wlx64xkq4gdhZTXkkSaKPyy517LgNCtzdigDVU+bZqAueWE1l4BOpHVrjULX8wLGjZloU4
rWqN0AvsjS1OpC0HO/aTxKznT4jD1PVNKJPLzlTU6e0RPuOMyTlccoPf2UeAMI+QZDim7uZ9IoE0
dMnqJLSGYq+KGfa0AZReg1OFXYzF2qicdmFKeQ==</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
</saml2:Assertion>
¿Fue útil?

Solución

The order of the nodes in the XML of the assertion is wrong and is not SAML2 compliant. Have a look through saml2-core,paying particular attention to section 5.

Otros consejos

Thanks for your answer Andy K. I contacted the the client and they confirmed that the SAML they send is in the wrong order.

Licenciado bajo: CC-BY-SA con atribución
No afiliado a StackOverflow
scroll top