SAML response Signed Assertion missing KeyInfo element

Thread starter: Prasanna B R
We are acting as a Service Provider in IdP-initiated SSO using SAML 2.0. We are using Saml2SecurityTokenHandler to retrieve the token from the SAML response's signed assertion. But the following exception occurs when the <ds:KeyInfo> element is absent from the <ds:Signature> element. SecurityTokenHandler expects the KeyInfo to be present in the signed assertion. But as per the SAML 2.0 specification, KeyInfo is not a mandatory element and can be absent.

Exception Received:
System.IdentityModel.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause )'. Ensure that the SecurityTokenResolver is populated with the required key.

Code Snippet:

// DetectReplayedToken, ValidateConditions and CreateClaims are protected members of
// Saml2SecurityTokenHandler, so this loop only compiles inside a class derived from it
// (ValidateToken is the public entry point that runs all three).
foreach (XmlElement assertionNode in _assertionElements)
{
    using (var reader = new XmlNodeReader(assertionNode))
    {
        // The handler does the reading/validation; Saml2SecurityToken is only the result type.
        var tokenHandler = new Saml2SecurityTokenHandler();

        // The enveloped signature is verified here; the verification key must be resolvable
        // through tokenHandler.Configuration.IssuerTokenResolver.
        var securityToken = (Saml2SecurityToken)tokenHandler.ReadToken(reader); // Exception triggered.
        tokenHandler.DetectReplayedToken(securityToken);

        // Second argument is enforceAudienceRestriction; false skips the AudienceRestriction check.
        tokenHandler.ValidateConditions(securityToken.Assertion.Conditions, false);

        claimList.Add(tokenHandler.CreateClaims(securityToken));
    }
}

1. A few responses (SAML response signed assertions) from the same third-party IdP are missing the KeyInfo value, while other responses have this value. The IdP is inconsistent in its response behavior. What could be the reason?
2. Is the KeyInfo element mandatory for a SAML response signed assertion?
3. What is the way to avoid this exception even when the IdP omits the element in its response?
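
The ID4037 error above means the handler's IssuerTokenResolver could not map the key identifier it built for a KeyInfo-less signature (a Saml2SecurityKeyIdentifierClause) to a key. One way to handle this, as an added example that is not part of the original post, is a resolver that always returns the IdP signing certificate pinned from its metadata, so verification never depends on key material carried inside the response; it assumes a single IdP certificate (idpCert) and that the rest of the handler configuration (issuer name registry, audience, replay cache) is set up as the SP requires:

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// Resolves every key request to one pinned IdP certificate. Assumption: one IdP,
// whose signing certificate was obtained out of band (e.g. from its metadata).
public sealed class PinnedIdpKeyResolver : SecurityTokenResolver
{
    private readonly X509Certificate2 _idpCert;

    public PinnedIdpKeyResolver(X509Certificate2 idpCert)
    {
        if (idpCert == null) throw new ArgumentNullException("idpCert");
        _idpCert = idpCert;
    }

    // Called with a Saml2SecurityKeyIdentifierClause when <ds:KeyInfo> is absent, and with
    // an X509 clause when it is present; both cases resolve to the pinned key, so any
    // KeyInfo the IdP (or an attacker) embeds is ignored for verification.
    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause clause, out SecurityKey key)
    {
        key = new X509AsymmetricSecurityKey(_idpCert);
        return true;
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause clause, out SecurityToken token)
    {
        token = new X509SecurityToken(_idpCert);
        return true;
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
    {
        token = new X509SecurityToken(_idpCert);
        return true;
    }
}

public static class AssertionReader
{
    // Reads and signature-verifies one <saml:Assertion> element with the pinned resolver.
    public static Saml2SecurityToken Read(XmlElement assertionNode, X509Certificate2 idpCert)
    {
        var handler = new Saml2SecurityTokenHandler();
        handler.Configuration = new SecurityTokenHandlerConfiguration();
        handler.Configuration.IssuerTokenResolver = new PinnedIdpKeyResolver(idpCert);
        using (var reader = new XmlNodeReader(assertionNode))
        {
            return (Saml2SecurityToken)handler.ReadToken(reader);
        }
    }
}
```

Because the resolver ignores embedded KeyInfo entirely, an assertion signed with a different certificate fails verification whether or not the IdP included KeyInfo, which is the behaviour an SP wants from a pinned trust anchor.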
