Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

The signature verified correctly with the key contained in the signature, but that key is not trusted. #1400

Closed pkattaQsr closed 1 year ago

pkattaQsr commented 1 year ago

We use this library with Shibboleth authentication. A few universities updated their certificates, and since then, for those universities, we get the error below: "The signature verified correctly with the key contained in the signature, but that key is not trusted."

For the other universities, where the certificate was not updated, we don't see any issue.

Currently we use version v2.8.0. Are there any known issues with this? If we update to v2.9.0, will it fix the issue?

AndersAbel commented 1 year ago

This is not a known issue with 2.8.0.

The error message indicates that the Sustainsys.Saml2 library has not added the new certificate to the active configuration. If you've configured the services to use metadata, it should be handled automatically. However, the metadata background load scheduler might fail silently. In that case, restarting your service will cause a refresh.

If you do not use metadata you have to add the new certificates to the config.

pkattaQsr commented 1 year ago

@AndersAbel Thank you for your quick response.

We are a service provider and we did restart our service several times. It's a university IdP where the certificate was updated 30 days ago, and since then we have had this issue. Which service are you referring to restarting here?

pkattaQsr commented 1 year ago

@AndersAbel We updated the library to 2.9.1 and also ensured our metadata matches the IdP's metadata. We still get the same error. Can you please advise why we are getting the "key is not trusted" message?

AndersAbel commented 1 year ago

I'm referring to restarting your service/web site, which it looks like you have already done.

How do you add the IdentityProvider? Do you set a metadata location or the flag to load metadata?

pkattaQsr commented 1 year ago

Our application injects the IdentityProvider metadata manually into Sustainsys's Saml2Options class, in this property:

https://github.com/Sustainsys/Saml2/blob/v2/Sustainsys.Saml2.AspNetCore2/Saml2Options.cs#L54

We do that by:

  1. Storing a reference to the Saml2Options object in a singleton after setting up Saml2 via AddSaml2
  2. In a background job, the aai.dfn.de federation metadata is retrieved
  3. The EntityDescriptor XML elements in the document are deserialized into IdentityProvider instances
  4. For this, the ReadMetadata(descriptor) method of IdentityProvider is called with the EntityDescriptor data
  5. The background job then inserts/updates the IdentityProvider instances into the Saml2Options instance that is kept in the singleton
  6. The job runs again every 4 hours

The rest of the key verification seems to be handled by Sustainsys's system; we only read the user claims after authentication has been handled.

pkattaQsr commented 1 year ago

Hi @AndersAbel hope you are doing fine. Did you get a chance to look into this?

AndersAbel commented 1 year ago

Thanks for updating on how you do the metadata loading.

The error message indicates that while the signature is correct in the received Saml2 response/assertion, the signing key has not been added to the IdentityProvider's SigningKeys collection. Can you please validate that your metadata loading actually populates the signing key collection correctly?
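The refresh loop described in the comment above, with the check suggested here built in, as an added illustration that is not code from this issue or from the Sustainsys.Saml2 project. It assumes the Sustainsys.Saml2 v2 API for loading a federation document (MetadataLoader.LoadFederation, EntitiesDescriptor.ChildEntities) and the IdentityProviders indexer setter; the FederationRefresh class and the log callback are hypothetical.

```csharp
using System;
using System.Linq;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

// Hypothetical background-job helper: rebuilds IdentityProvider instances from a
// federation metadata document and reports any IdP whose SigningKeys stayed empty.
public static class FederationRefresh
{
    // Returns the number of IdPs that were loaded with at least one signing key.
    public static int Refresh(Saml2Options options, string federationMetadataUrl, Action<string> log)
    {
        // Assumed API: LoadFederation parses an <EntitiesDescriptor> document and
        // ChildEntities exposes each <EntityDescriptor> in it.
        var federation = MetadataLoader.LoadFederation(federationMetadataUrl);
        int loadedWithKeys = 0;

        foreach (var descriptor in federation.ChildEntities)
        {
            // ReadMetadata expects an IdP role; skip SP-only entities in the federation.
            if (!descriptor.RoleDescriptors.OfType<IdpSsoDescriptor>().Any())
                continue;

            var idp = new IdentityProvider(descriptor.EntityId, options.SPOptions);
            idp.ReadMetadata(descriptor);

            // The check from the comment above: a signed response from this IdP is
            // only trusted if the key it was signed with is present in SigningKeys.
            if (!idp.SigningKeys.Any())
            {
                log($"No signing key loaded for {descriptor.EntityId.Id}; " +
                    "its responses will fail with 'that key is not trusted'.");
                continue;
            }

            // Replace any previously loaded instance so a rotated certificate takes
            // effect on the next refresh instead of the stale key lingering.
            options.IdentityProviders[descriptor.EntityId] = idp;
            loadedWithKeys++;
        }

        return loadedWithKeys;
    }
}
```

Running this after each federation download, and alerting on the logged entities, surfaces a broken or outdated EntityDescriptor before users hit the "key is not trusted" failure.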

pkattaQsr commented 1 year ago

Hi @AndersAbel, thank you for your response. We found an issue with one of the metadata files. We got it fixed now. Thank you for your time on this; we can close this thread :)

IvanMarkDebono commented 3 months ago

@pkattaQsr I am in the process of implementing a Shibboleth SP with a Blazor Server-side app that connects to different universities. Can you explain or provide simple code on how you managed to implement multiple IdPs?