Hi Team,
We have implemented SAML authentication and are using .NET Framework 4.6.2.
CheckSignature is failing on some SAML responses; so far we have found one such case. CheckSignature passes for all other SAML responses.
1. The SAML response is valid.
2. The certificate is valid.
3. The SAML response text was not altered.
Found this article on the web --> https://github.com/dotnet/corefx/issues/19198
Here is the code which checks signature on SAML response.
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// xmlDoc is the parsed SAML response; cert is the signing certificate loaded from the file store.
static bool VerifySamlSignature(XmlDocument xmlDoc, X509Certificate2 cert)
{
    XmlNamespaceManager manager = new XmlNamespaceManager(xmlDoc.NameTable);
    manager.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
    manager.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
    manager.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol");
    // Require exactly one ds:Signature element in the response
    XmlNodeList nodeList = xmlDoc.SelectNodes("//ds:Signature", manager);
    if (nodeList?.Count != 1)
    {
        return false;
    }
    // Load the signature (SignedInfo, References, KeyInfo) from the SAML response
    SignedXml signedXml = new SignedXml(xmlDoc);
    signedXml.LoadXml((XmlElement) nodeList[0]);
    // Verify the signature: first with the key carried in the signature's own KeyInfo,
    // then with the signing certificate (true = verify the signature only, not the certificate chain)
    return (signedXml.CheckSignature() || signedXml.CheckSignature(cert, true));
}
Please let me know if I am missing anything here.
regards,
Prashant.
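For comparison, here is an added example of the same check written the way a verifier would want it; it is not the poster's code. It assumes the signature is placed on the saml:Assertion (its ds:Signature is a direct child of the Assertion), that the caller supplies the raw response XML and the trusted IdP signing certificate, and that VerifyResponse is a hypothetical name.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (hypothetical class/method names), not code from the original post.
public static class SamlSignatureCheck
{
    public static bool VerifyResponse(string responseXml, X509Certificate2 idpCert)
    {
        // Keep whitespace exactly as received: the digest is computed over the
        // canonicalized bytes that were actually signed, so whitespace must not be dropped.
        var xmlDoc = new XmlDocument { PreserveWhitespace = true };
        xmlDoc.LoadXml(responseXml);

        var manager = new XmlNamespaceManager(xmlDoc.NameTable);
        manager.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        manager.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
        manager.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol");

        // Exactly one signature, and it must sit directly under the element it protects
        // (the Assertion, per the assumption above), not at an arbitrary position.
        var signatures = xmlDoc.SelectNodes("//ds:Signature", manager);
        if (signatures == null || signatures.Count != 1)
            return false;
        var signatureNode = (XmlElement)signatures[0];
        var signedElement = signatureNode.ParentNode as XmlElement;
        if (signedElement == null || signedElement.LocalName != "Assertion")
            return false;

        var signedXml = new SignedXml(xmlDoc);
        signedXml.LoadXml(signatureNode);

        // The single Reference must point at the element carrying the signature;
        // otherwise a valid signature over some other element would be accepted.
        if (signedXml.SignedInfo.References.Count != 1)
            return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        string assertionId = signedElement.GetAttribute("ID");
        if (string.IsNullOrEmpty(assertionId) || reference.Uri != "#" + assertionId)
            return false;

        // Verify only against the trusted IdP certificate. The parameterless
        // CheckSignature() trusts whatever key the response itself carries in
        // <ds:KeyInfo>, and that content is chosen by the sender.
        return signedXml.CheckSignature(idpCert, true);
    }
}
```

If the IdP signs the samlp:Response instead of the Assertion, change the expected parent LocalName and ID attribute accordingly; the Reference URI check stays the same.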