Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

DigestAlgorithm cannot be determined for SigningAlgorithm PS256 #1367

Open ritocesura opened 1 year ago

ritocesura commented 1 year ago

Sustainsys.Saml2.AspNetCore2 Version 2.9.0

The SAML configuration of the service provider looks as follows:

```csharp
services.AddAuthentication()
    .AddSaml2("...", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme;
        options.SPOptions.EntityId = new EntityId("...");
        options.SPOptions.PublicOrigin = new Uri("...");
        // RSA-PSS with SHA-256: the "sha256-rsa-MGF1" URI from RFC 6931 (PS256).
        options.SPOptions.OutboundSigningAlgorithm = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
        // Certificate with private key used to sign outbound AuthnRequests.
        options.SPOptions.ServiceCertificates.Add(new X509Certificate2("...", "..."));

        options.IdentityProviders.Add(
            new IdentityProvider(
                new EntityId("..."), options.SPOptions)
            {
                MetadataLocation = "...",
                LoadMetadata = true
            });
    });
```

I need the AuthnRequest to be signed with PS256 (sha256-rsa-MGF1). But when the application tries to sign, the following exception is thrown: System.InvalidOperationException: Unable to find a digest algorithm for the signing algorithm http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1

Can you kindly guide me on what else I need to configure to have my AuthnRequest signed with PS256 algorithm?

ritocesura commented 1 year ago

After investigating a little further, it seems that the error message is a good indicator of what is going wrong. SigningAlgorithm http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 is used to get the corresponding DigestAlgorithm, which should be http://www.w3.org/2001/04/xmlenc#sha256.

The GetCorrespondingDigestAlgorithm method tries to get a DigestAlgorithm ending with "MGF1" which fails: https://github.com/Sustainsys/Saml2/blob/3bedefb049c338132cd380da9d0200ed727d0859/legacy/Sustainsys.Saml2.Metadata/Helpers/XmlHelpers.cs#L586-L598

Is there a possibility to either (1) set the DigestAlgorithm in the config or (2) change the way the digest algorithm is determined?

The external IdP does not allow any other signing or digest algorithms.
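As an added illustration (not code from this issue or from Sustainsys.Saml2), the lookup described above can be reproduced in a few lines. The first function does the suffix match the comment describes (text after the last `-`), which works for `...#rsa-sha256` but fails on `...#sha256-rsa-MGF1` because its last segment is `MGF1`; the second parses the URI fragment and recognises both the `<keyalg>-<hash>` layout (PKCS#1 v1.5, ECDSA, HMAC) and the `<hash>-rsa-MGF1` layout that RFC 6931 defines for RSA-PSS. The digest table, function names and the `compare` helper are assumptions made for this example, not the library's own API.

```python
from typing import Optional

# XML Signature digest-method URIs keyed by hash name. Constructed table for this
# example; it is not the library's own list. sha1 is included only for completeness.
DIGEST_ALGORITHMS = {
    "sha1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
    "sha384": "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "sha512": "http://www.w3.org/2001/04/xmlenc#sha512",
}

RSA_PSS_SHA256 = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"  # URI from the issue
RSA_PKCS1_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def digest_by_last_segment(signing_algorithm: str) -> str:
    """Suffix lookup in the style the issue describes: take the text after the
    last '-' and find the one digest URI that ends with it. Works for
    '...#rsa-sha256' (suffix 'sha256') but not for '...#sha256-rsa-MGF1',
    whose last segment is 'MGF1'."""
    suffix = signing_algorithm[signing_algorithm.rfind("-") + 1:]
    matches = [uri for uri in DIGEST_ALGORITHMS.values() if uri.endswith(suffix)]
    if len(matches) != 1:
        raise ValueError(
            f"Unable to find a digest algorithm for the signing algorithm {signing_algorithm}")
    return matches[0]


def hash_name_of(signing_algorithm: str) -> Optional[str]:
    """Extract the hash name from the URI fragment, recognising both layouts:
    '<keyalg>-<hash>'   e.g. rsa-sha256, ecdsa-sha384 (PKCS#1 v1.5 / ECDSA / HMAC)
    '<hash>-rsa-MGF1'   e.g. sha256-rsa-MGF1 (RSA-PSS, RFC 6931)
    Returns None for anything else, including the parameterised '#rsa-pss' URI,
    where the hash is carried in the signature's PSS parameters rather than the URI."""
    fragment = signing_algorithm.rsplit("#", 1)[-1]
    parts = fragment.split("-")
    if len(parts) == 2 and parts[1].startswith("sha"):
        return parts[1]
    if len(parts) == 3 and parts[0].startswith("sha") and parts[1:] == ["rsa", "MGF1"]:
        return parts[0]
    return None


def digest_for_signing_algorithm(signing_algorithm: str) -> str:
    """Map a signing-method URI to its digest-method URI; raise the same kind of
    error the issue shows when no mapping exists."""
    name = hash_name_of(signing_algorithm)
    if name is None or name not in DIGEST_ALGORITHMS:
        raise ValueError(
            f"Unable to find a digest algorithm for the signing algorithm {signing_algorithm}")
    return DIGEST_ALGORITHMS[name]


def compare(signing_algorithm: str) -> dict:
    """Run both lookups on one URI; None marks a lookup that raised."""
    result = {}
    for label, fn in (("suffix", digest_by_last_segment), ("parsed", digest_for_signing_algorithm)):
        try:
            result[label] = fn(signing_algorithm)
        except ValueError:
            result[label] = None
    return result


if __name__ == "__main__":
    for uri in (RSA_PKCS1_SHA256, RSA_PSS_SHA256):
        print(uri, "->", compare(uri))
```

Running it shows the PKCS#1 v1.5 URI resolving under both lookups, while the RSA-PSS URI resolves only under the parsing lookup. Whichever approach a library takes, rejecting an unrecognised URI loudly (as the library does) is the right failure mode: silently falling back to a default digest would produce a signature the IdP cannot verify, or one weaker than the one configured.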

AndersAbel commented 1 year ago

This is a scenario that is new to me. There is no way to handle this in the 1.x or 2.x versions. However, I would be happy to include it in 3.x. The code for XML signature handling is available in the develop branch, so it's possible to have a look at how to improve it.

LeThai96 commented 8 months ago

Hello @ritocesura, I have the same problem. Do you have any solution?