Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key. #528

Open jvdven opened 8 years ago

jvdven commented 8 years ago

Hi,

We are using Kentor.AuthServices for one of our clients and we are really close to completing our implementation. In one of the last steps an EncryptedTokenDecryptionFailedException is thrown.

When we debug the code we are able to reach line 512 of the CreateClaims method in the Kentor.AuthServices.Saml2P.Saml2Response class (see stacktrace below).

Kentor.AuthServices.Saml2P.Saml2Response.CreateClaims

   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.CreatePlaintextReaderFromEncryptedData(XmlDictionaryReader reader, SecurityTokenResolver serviceTokenResolver, SecurityTokenSerializer keyInfoSerializer, Collection`1 clauses, EncryptingCredentials& encryptingCredentials)
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadEncryptedId(XmlReader reader)
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadSubjectId(XmlReader reader, String parentElement)
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadSubject(XmlReader reader)
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at Kentor.AuthServices.Saml2P.Saml2Response.<CreateClaims>d__53.MoveNext() in D:\Data\Kentor.AuthServices\Saml2P\Saml2Response.cs:line 512
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at Kentor.AuthServices.Saml2P.Saml2Response.GetClaims(IOptions options) in D:\Data\Kentor.AuthServices\Saml2P\Saml2Response.cs:line 476

I'm not sure why there is a key that could not be resolved. Do you know what we should do to resolve this?

Thanks in advance.

m1tchel commented 8 years ago

Hi,

I'm working on the same implementation as jvdven. The exception we get thrown by Saml2SecurityTokenHandler.CreatePlaintextReaderFromEncryptedData() is because the decryptionKey in that method is null.

While trying to resolve the decryption key, this method is trying to resolve the decryption key from both the embedded KeyInfo and any external clauses.

I found out that the serviceTokenResolver in the Saml2PSecurityTokenHandler does not contain any tokens, so it is not able to resolve a key.

Our client uses Artifact binding, so the only element present in the KeyInfo element is the reference to our certificate. I tried extracting the SecurityKey from the certificate referenced in the SAML and used that one for decryption, but this is an AsymmetricSecurityKey and the Saml2SecurityTokenHandler only accepts SymmetricSecurityKeys for decryption.

Any help or suggestions would be appreciated :)

explunit commented 8 years ago

It looks like the current code in AuthServices is only decrypting elements called EncryptedAssertion: https://github.com/KentorIT/authservices/blob/v0.19.0/Kentor.AuthServices/SAML2P/Saml2Response.cs#L370-L372

I'm not familiar with the structure of the xml when Artifact binding is used. Does it have the EncryptedAssertion element? If not, can you post the structure of it here?

m1tchel commented 8 years ago

The code never runs that method because allAssertionElementNodes is not null.

https://github.com/KentorIT/authservices/blob/v0.19.0/Kentor.AuthServices/SAML2P/Saml2Response.cs#L359

This is the structure of the assertion node the CreateClaims method is reading:

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:etoegang:HM:00000003273226310000:entities:4019</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_5be51e5f26dc0b00447f28e6cd1cd1b5124ad03d">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>0ERwJGtvQeY7RxhOuXrjSefSlSr8WBXRyheojhr5ir4=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Hl1392l9AJ+EsbkvGL9FR2iK8aZzB2PbfobOrvUHoZGA9W1T9eG1aWxUTU1t
0oBkgqjmPfcwGwl9DVUj6cFYpxSjf/hbmCNToVlVeM8zXJnoQe7+0R3TYkO/
b/EGrb3RmUJZZ/PyDn7OZnT3cWdHTQQqgsgsAJn0aRc7G3CpNTc3P6jh870p
bubLQAV3FBvfQ1wouM8n47BQDlpbj4Xm7G0YB5e0puGaKSPNb3TW9kz20pCb
vPbvg2437pLi8Fy8Q+L3bg6XlxCQgkvYFa+HNyhz9fQIEH9+yVAF1epfCNU1
u5asr9J8j+KFstWZq7OeZiwEYgmhkN8DnePT+duxMA==</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:KeyName>d8f5600f7b4c66824c49ec3a3e32b89137cf2ce1</ds:KeyName>
    </ds:KeyInfo>
</ds:Signature>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:EncryptedID>
        <xenc:EncryptedData Id="_dbe5731d88464864bf62c19c60e6b19136c7fe96" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_b7e1cd28b0457a4ca055d51248b284aace408bb3" />
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>lj+GtnvYuGhjaudunnTGvmZZ+VYrVNHAVxeUUAWwhu8LtTkHINUOC7ldtmOI2kcVXEBa1jldqjT+3vB7gg/Mduielj8avsjKh/S/uYJW8YRCq4Y+4wsO4ES52GXsI9GpDx6jg9VtdWeSOwJCOjwvkIQjv0xs0vAiYoCdJXDNgUr/ucFX1DU97uJfDGq/EIbwRkAcqO7VqtM4cW5KtZBBOITD/imjjAzOWRFXqKnlnC91kfuAOGWNxYm3RD0wYskaSSxXgrukt5VJD10QF0bWdXS0yCnM9i6Gwe1iiRlf9GI=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
        <xenc:EncryptedKey Id="_b7e1cd28b0457a4ca055d51248b284aace408bb3" Recipient="urn:etoegang:DV:00000003242891010000:entities:0001" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
            </xenc:EncryptionMethod>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:KeyName>example.com</ds:KeyName>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>VR1fnmJSJiDbZyDEKxYvKuL/So751knXeHb9WtCpCnhwLriX+GFGHnQLRcaz48FsMAvKV39V1CZZrJFGodIIF/AnoGmvmoJ/o9EAK75QtokAAA/75quPriDBhGe7VWcnafA7aQFW/PX1EvjQ3vOvB+lMjZdWwbzpqSp5kNv5EoG7c4nNxdtxhRh3jj2fCdpz/ux/Be9tRS86FEsnpdEEgBOOOBw/mD+IFTI+IeySsjGZcYldOit/eyT0DhEtZZ+0k6cwfMR0Ei/ERtYI2hC5Y0qEPtI3MHBLnIAyT89sPDarwjRoJNCjea6scmy4Hw3Ih0to5UUkA91u+C/n2fReyA==</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
                <xenc:DataReference URI="#_dbe5731d88464864bf62c19c60e6b19136c7fe96" />
            </xenc:ReferenceList>
        </xenc:EncryptedKey>
    </saml:EncryptedID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="id48341dc1b59f4d23b8e8e348d9047315" NotOnOrAfter="2016-07-29T08:55:36Z" Recipient="http://localhost:2181/AuthServices/Acs" />
    </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2016-07-29T08:53:36Z" NotOnOrAfter="2016-07-29T08:55:36Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AudienceRestriction>
        <saml:Audience>urn:etoegang:DV:00000003242891010000:entities:0001</saml:Audience>
    </saml:AudienceRestriction>
</saml:Conditions>
<saml:Advice xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Assertion ID="_31dcc3cc870afe3a7ac4029805e3ec1359204ee3" IssueInstant="2016-07-29T08:53:32Z" Version="2.0">
        <saml:Issuer>urn:etoegang:AD:00000003273226310000:entities:4019</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_31dcc3cc870afe3a7ac4029805e3ec1359204ee3">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>EJ4H0kvThIADklzgykcO+By4Ms4J5E6TnIT4n2VQOTM=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>UuslFUhMbYso125zGoSP11C9OyruGTVHz3d8tgI51fJTwTyJLvjBdcZBpVx8
Uk95PawuodMhNS14xulSiOfxcM6B0aubNZqMj0HI3503QOzyxaP1++CSIiaz
jFAZYb3xB7jzuPf7wfz9KNcZ3TLunkqLR+SrOzelb8dE8eU2PUP8eoOUo+QM
0lDpML0z2I8W1qJFrPAIbw5VZektFqj0j5Up07Ab44mi+bU+pJ8O+FajBdba
Zfh8UIHUWP0wbvyP5c8SwgvoREmgcZHcuxCMyI7CzP+P6FFijBWX1FgiUeWM
PhfsHvSSx+HTeS+VI/7A5x5WWWPaDUrK5N56tsNx2w==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:KeyName>d8f5600f7b4c66824c49ec3a3e32b89137cf2ce1</ds:KeyName>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">7844bfc4-f5fd-495f-b481-3e9fae4a0e89</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="_9133656780d9bad945dd616d4c537420cdb473da" NotOnOrAfter="2016-07-29T08:55:32Z" Recipient="https://eid.digidentity-preproduction.eu/hm/eh19/ad_hm" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2016-07-29T08:51:32Z" NotOnOrAfter="2016-07-29T08:55:32Z">
            <saml:AudienceRestriction>
                <saml:Audience>urn:etoegang:HM:00000003273226310000:entities:4019</saml:Audience>
                <saml:Audience>urn:etoegang:KR:99999999000000000010:entities:9019</saml:Audience>
                <saml:Audience>urn:etoegang:DV:00000003242891010000:entities:0001</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2016-07-29T08:53:32Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
                <saml:AuthenticatingAuthority>00000003273226310000</saml:AuthenticatingAuthority>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="urn:etoegang:core:Representation">
                <saml:AttributeValue xsi:type="xs:boolean" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">false</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:etoegang:core:ServiceUUID">
                <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">232b21be-593f-4587-bfbc-3cb52e4ff982</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:etoegang:core:ActingSubjectID">
                <saml:AttributeValue>
                    <saml:EncryptedID>
                        <xenc:EncryptedData Id="_6cf2b34dc7" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_096b15fd-57e8-4127-9465-d708a0e7ac0a" />
                            </ds:KeyInfo>
                            <xenc:CipherData>
                                <xenc:CipherValue>xHc+A9kJdd/n23g7rJwsfumYe+/DAR4e6e+zgUrCb7iLV6p2HM3GUQ1isPsx
Ne9XAp1yBeewgDChQICkgdb/hIDYVBnrdd286h/zaHz1PVNipJQQAC4Ecnyf
Itkwx/c/QgTb6flGIkUQzTRNd2FZyJll6FUHrHkd2rnEe/d1xw3bzHAAbLyK
rvpImzwv9dKKkQP3w7J+PU5psUD3rlSIuDHjvrJJOlf963V7iRo4KrHtb/Qu
3CvxokyXv1Ydy7K2e1avHetBnKV9ee2fqK9YB2EUm1a2LZqvYYN9VmG0A2Lg
nexBIp4LSy9F5qChKOO8ZfidhaZWxL6IMmQDCJBVB5IwcqLe3L1psLPNfpMd
ISKj2iraXQ0aWlf1jbCAuTuB
                                </xenc:CipherValue>
                            </xenc:CipherData>
                        </xenc:EncryptedData>
                        <xenc:EncryptedKey Id="_096b15fd-57e8-4127-9465-d708a0e7ac0a" Recipient="urn:etoegang:KR:99999999000000000010:entities:9019" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                            </xenc:EncryptionMethod>
                            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                <ds:KeyName>a810a050-d8bf-4d9d-81c0-459aa83082a8</ds:KeyName>
                            </ds:KeyInfo>
                            <xenc:CipherData>
                                <xenc:CipherValue>EDTvGcT/v1xam4d7uCFDa3+YAiubZMn4xs/NWxoCcEnzMNCA9tW59fMpwqdO
RPpTuieM1xoSV/IM1aglWdePtsOVwOegMUg3V+QhK3k572VrQ67N/tPbd1d9
tgOMjDCqUGvolR1mhYgKD9VmTxs9bOTDc3iYk/CKHsqbwv/IgYLxPgwFycWX
QNzVFwoehhBcfdlm3pcSKFQvFWOEPTTd5vh/1hbL04Yzb2HdsQyxP5pChmIZ
bXSOu11/e2IhzSz/64yzNTw7TYN3CNjoXnWLVk6O9kbfc90ps/I9Pa0A6dAB
SOPIM9FnkEbWTCvjY24oFP6bjrbp4mNDnMNxuDLoHQ==
                                </xenc:CipherValue>
                            </xenc:CipherData>
                            <xenc:ReferenceList>
                                <xenc:DataReference URI="#_6cf2b34dc7" />
                            </xenc:ReferenceList>
                        </xenc:EncryptedKey>
                    </saml:EncryptedID>
                </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
    <saml2:Assertion ID="_8EC05321040E9BFDB30B9420C5128EAA" IssueInstant="2016-07-29T08:53:35.703Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>urn:etoegang:KR:99999999000000000010:entities:9019</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_8EC05321040E9BFDB30B9420C5128EAA">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>3FydWkpuOMnCtlMSOGbtMat4b1KkdFosxTySKyLS5/A=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>JY2bSI25o2CmNFhGmbsB4jbKDXN29f0Pzrl6/JS/xZYjR5200IvDAjPh5XPrZxfb8IbTKB2dqNaO36L7zbIYe9+/eG4sHIjK2BUEoeSzb6kl9/KS6fAlNoaNsZ7ATWMUbgXpn7W6biQtO6lMTMeUQteV3rhQD0NCD+nRSyBQRZBT5EjJvRh3gPVHLmCG4Mx9jscIycz3TfxTPfLK2DD3jqTpuMj8p7RHxhjXnE8bMPVzsYTMVRunVwFVlEW5mNEdUEdRImz5fa63a8ARqH4ZBKHKsW+gT5A2wGHdsGqcpMBRG2bGg5lE3YbZVvVdSRGrx+J9qjBy16prU+0eAKSlYA==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:KeyName>a810a050-d8bf-4d9d-81c0-459aa83082a8</ds:KeyName>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3DF0669F0A3C8EB867145D7A67E433AA</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="_4de71bfd2f9e30c452ccdf6ee1c6eab8e04a7345" NotOnOrAfter="2016-07-29T08:58:35.703Z" Recipient="urn:etoegang:HM:00000003273226310000:entities:4019" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-07-29T08:53:35.704Z" NotOnOrAfter="2016-07-29T08:55:35.704Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>urn:etoegang:DV:00000003242891010000:entities:0001</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:Advice>
            <saml2:AssertionIDRef>_31dcc3cc870afe3a7ac4029805e3ec1359204ee3</saml2:AssertionIDRef>
        </saml2:Advice>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="urn:etoegang:core:DeclarationType">
                <saml2:AttributeValue>DeclarationOfSectoralIdentity</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:etoegang:core:SchemeVersion">
                <saml2:AttributeValue>1.9</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="urn:etoegang:core:LinkedDeclarationSignatureValue">
                <saml2:AttributeValue>UuslFUhMbYso125zGoSP11C9OyruGTVHz3d8tgI51fJTwTyJLvjBdcZBpVx8
Uk95PawuodMhNS14xulSiOfxcM6B0aubNZqMj0HI3503QOzyxaP1++CSIiaz
jFAZYb3xB7jzuPf7wfz9KNcZ3TLunkqLR+SrOzelb8dE8eU2PUP8eoOUo+QM
0lDpML0z2I8W1qJFrPAIbw5VZektFqj0j5Up07Ab44mi+bU+pJ8O+FajBdba
Zfh8UIHUWP0wbvyP5c8SwgvoREmgcZHcuxCMyI7CzP+P6FFijBWX1FgiUeWM
PhfsHvSSx+HTeS+VI/7A5x5WWWPaDUrK5N56tsNx2w==</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="urn:etoegang:core:SectorID">
                <saml2:AttributeValue>
                    <saml2:EncryptedID>
                        <xenc:EncryptedData Id="_df5923139c89a3c93a12150427ce314f" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_1a3e7e793377506f16d5de4438a12e10" />
                            </ds:KeyInfo>
                            <xenc:CipherData>
                                <xenc:CipherValue>lj+GtnvYuGhjaudunnTGvmZZ+VYrVNHAVxeUUAWwhu8LtTkHINUOC7ldtmOI2kcVXEBa1jldqjT+3vB7gg/Mduielj8avsjKh/S/uYJW8YRCq4Y+4wsO4ES52GXsI9GpDx6jg9VtdWeSOwJCOjwvkIQjv0xs0vAiYoCdJXDNgUr/ucFX1DU97uJfDGq/EIbwRkAcqO7VqtM4cW5KtZBBOITD/imjjAzOWRFXqKnlnC91kfuAOGWNxYm3RD0wYskaSSxXgrukt5VJD10QF0bWdXS0yCnM9i6Gwe1iiRlf9GI=</xenc:CipherValue>
                            </xenc:CipherData>
                        </xenc:EncryptedData>
                        <xenc:EncryptedKey Id="_1a3e7e793377506f16d5de4438a12e10" Recipient="urn:etoegang:DV:00000003242891010000:entities:0001" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                            </xenc:EncryptionMethod>
                            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                <ds:KeyName>example.com</ds:KeyName>
                            </ds:KeyInfo>
                            <xenc:CipherData>
                                <xenc:CipherValue>VR1fnmJSJiDbZyDEKxYvKuL/So751knXeHb9WtCpCnhwLriX+GFGHnQLRcaz48FsMAvKV39V1CZZrJFGodIIF/AnoGmvmoJ/o9EAK75QtokAAA/75quPriDBhGe7VWcnafA7aQFW/PX1EvjQ3vOvB+lMjZdWwbzpqSp5kNv5EoG7c4nNxdtxhRh3jj2fCdpz/ux/Be9tRS86FEsnpdEEgBOOOBw/mD+IFTI+IeySsjGZcYldOit/eyT0DhEtZZ+0k6cwfMR0Ei/ERtYI2hC5Y0qEPtI3MHBLnIAyT89sPDarwjRoJNCjea6scmy4Hw3Ih0to5UUkA91u+C/n2fReyA==</xenc:CipherValue>
                            </xenc:CipherData>
                            <xenc:ReferenceList>
                                <xenc:DataReference URI="#_df5923139c89a3c93a12150427ce314f" />
                            </xenc:ReferenceList>
                        </xenc:EncryptedKey>
                    </saml2:EncryptedID>
                </saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml:Advice>
<saml:AuthnStatement AuthnInstant="2016-07-29T08:53:36Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa3</saml:AuthnContextClassRef>
        <saml:AuthenticatingAuthority>urn:etoegang:AD:00000003273226310000:entities:4019</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute Name="urn:etoegang:core:ServiceUUID">
        <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">232b21be-593f-4587-bfbc-3cb52e4ff982</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:SectorID">
        <saml:AttributeValue>
            <saml:EncryptedID>
                <xenc:EncryptedData Id="_5af261814b3b5c78c499a5ed513ce5b06bc7b308" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_a1a8f570795f75ab7f874b52f935f4a9eac11d0a" />
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>lj+GtnvYuGhjaudunnTGvmZZ+VYrVNHAVxeUUAWwhu8LtTkHINUOC7ldtmOI2kcVXEBa1jldqjT+3vB7gg/Mduielj8avsjKh/S/uYJW8YRCq4Y+4wsO4ES52GXsI9GpDx6jg9VtdWeSOwJCOjwvkIQjv0xs0vAiYoCdJXDNgUr/ucFX1DU97uJfDGq/EIbwRkAcqO7VqtM4cW5KtZBBOITD/imjjAzOWRFXqKnlnC91kfuAOGWNxYm3RD0wYskaSSxXgrukt5VJD10QF0bWdXS0yCnM9i6Gwe1iiRlf9GI=</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedData>
                <xenc:EncryptedKey Id="_a1a8f570795f75ab7f874b52f935f4a9eac11d0a" Recipient="urn:etoegang:DV:00000003242891010000:entities:0001" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:KeyName>example.com</ds:KeyName>
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>VR1fnmJSJiDbZyDEKxYvKuL/So751knXeHb9WtCpCnhwLriX+GFGHnQLRcaz48FsMAvKV39V1CZZrJFGodIIF/AnoGmvmoJ/o9EAK75QtokAAA/75quPriDBhGe7VWcnafA7aQFW/PX1EvjQ3vOvB+lMjZdWwbzpqSp5kNv5EoG7c4nNxdtxhRh3jj2fCdpz/ux/Be9tRS86FEsnpdEEgBOOOBw/mD+IFTI+IeySsjGZcYldOit/eyT0DhEtZZ+0k6cwfMR0Ei/ERtYI2hC5Y0qEPtI3MHBLnIAyT89sPDarwjRoJNCjea6scmy4Hw3Ih0to5UUkA91u+C/n2fReyA==</xenc:CipherValue>
                    </xenc:CipherData>
                    <xenc:ReferenceList>
                        <xenc:DataReference URI="#_5af261814b3b5c78c499a5ed513ce5b06bc7b308" />
                    </xenc:ReferenceList>
                </xenc:EncryptedKey>
            </saml:EncryptedID>
        </saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

The exception is thrown while reading the <saml:EncryptedID> node.
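
A structural pre-flight check, added here as an example in Python (not code from Kentor.AuthServices or Sustainsys.Saml2), that walks an assertion shaped like the one above: for each EncryptedID it resolves the ds:RetrievalMethod to its xenc:EncryptedKey and reports whether the SP's key could be expected to open it at all. The entity IDs, key names and cipher values in the sample are constructed placeholders; the check inspects structure only and decrypts nothing.

```python
# Added example (not Sustainsys.Saml2 / Kentor.AuthServices code): structural pre-flight
# check of <saml:EncryptedID> elements in the shape posted above. Stdlib only; decrypts nothing.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def _context(elem, parents):
    """'Subject' or the enclosing Attribute's Name, so the report says which ID is meant."""
    while elem is not None:
        if elem.tag == "{%s}Attribute" % NS["saml"]:
            return elem.get("Name", "Attribute")
        if elem.tag == "{%s}Subject" % NS["saml"]:
            return "Subject"
        elem = parents.get(elem)
    return "?"

def _find_encrypted_key(ed, root):
    """EncryptedKey inline in KeyInfo, or via RetrievalMethod URI="#id" to one anywhere in the doc."""
    inline = ed.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    if inline is not None:
        return inline
    rm = ed.find("ds:KeyInfo/ds:RetrievalMethod", NS)
    if rm is None or not rm.get("URI", "").startswith("#"):
        return None
    wanted = rm.get("URI")[1:]
    return next((ek for ek in root.iter("{%s}EncryptedKey" % NS["xenc"])
                 if ek.get("Id") == wanted), None)

def inspect_encrypted_ids(assertion_xml, sp_entity_id, held_key_names):
    """One dict per EncryptedID. status: decryptable | foreign_recipient (wrapped for
    another party in the chain) | unknown_key (addressed to us, KeyName not held) |
    unresolved_key (no EncryptedKey reachable: the situation behind ID4022)."""
    root = ET.fromstring(assertion_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    report = []
    for eid in root.iter("{%s}EncryptedID" % NS["saml"]):
        ed = eid.find("xenc:EncryptedData", NS)
        entry = {"where": _context(eid, parents), "data_id": ed.get("Id"),
                 "recipient": None, "key_name": None}
        ek = _find_encrypted_key(ed, root)
        if ek is None:
            entry["status"] = "unresolved_key"
        else:
            entry["recipient"] = ek.get("Recipient")
            kn = ek.find("ds:KeyInfo/ds:KeyName", NS)
            entry["key_name"] = kn.text if kn is not None else None
            if entry["recipient"] and entry["recipient"] != sp_entity_id:
                entry["status"] = "foreign_recipient"
            elif entry["key_name"] not in held_key_names:
                entry["status"] = "unknown_key"
            else:
                entry["status"] = "decryptable"
        report.append(entry)
    return report

def _encrypted_id(data_id, key_ref, key_id=None, recipient=None, key_name=None):
    """Constructed <saml:EncryptedID> in the issue's shape; cipher values are placeholders."""
    key = "" if key_id is None else f"""<xenc:EncryptedKey Id="{key_id}" Recipient="{recipient}">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>V1JBUFBFREtFWQ==</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#{data_id}"/></xenc:ReferenceList></xenc:EncryptedKey>"""
    return f"""<saml:EncryptedID><xenc:EncryptedData Id="{data_id}" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
        <ds:KeyInfo><ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#{key_ref}"/></ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>Q0lQSEVSVEVYVA==</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>{key}</saml:EncryptedID>"""

SP_ENTITY_ID = "urn:example:sp"  # placeholder for the SP's own entityID (the Audience)
# Constructed sample: one EncryptedID for us, one wrapped for another party in the federation
# (as the ActingSubjectID above is), one whose RetrievalMethod points at nothing.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    xmlns:xenc="{NS['xenc']}" ID="_a1" Version="2.0" IssueInstant="2016-07-29T08:53:36Z">
  <saml:Issuer>urn:example:idp</saml:Issuer>
  <saml:Subject>{_encrypted_id('_d1', '_k1', '_k1', SP_ENTITY_ID, 'sp-encryption-cert')}</saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:etoegang:core:ActingSubjectID"><saml:AttributeValue>
      {_encrypted_id('_d2', '_k2', '_k2', 'urn:example:broker', 'broker-cert')}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:etoegang:core:SectorID"><saml:AttributeValue>
      {_encrypted_id('_d3', '_missing')}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    for row in inspect_encrypted_ids(SAMPLE_ASSERTION, SP_ENTITY_ID, {"sp-encryption-cert"}):
        print(row["where"], row["data_id"], row["status"], row["recipient"], row["key_name"])
```

Run against the assertion pasted above with the SP's real entityID and the KeyName of its decryption certificate, this separates the EncryptedIDs addressed to the SP from those wrapped for another entity in the chain, which no SP key can open and which should be skipped rather than reported as a decryption failure.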

AndersAbel commented 8 years ago

AuthServices currently only supports the case where the assertion as a whole is encrypted. This is an unencrypted assertion with an encrypted Id. To handle that, some further development is needed.

Also, AuthServices does not use the WIF infrastructure for decryption and signature verification, so those key handler mechanisms are never populated with the key config that AuthServices knows about.

ThiemeNL commented 6 years ago

Hi, it has been a while. Did somebody manage to fix the issue?

MichielNL commented 5 years ago

We have exactly the same problem. Can anyone help me with the problem?

dschilling commented 5 years ago

The error message for this problem has changed. If you try to process a SAMLResponse that contains an EncryptedId, you now get this:

[NotSupportedException: IDX13140: EncryptedId is not supported. You will need to override ReadEncryptedId and provide support.]
   Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadEncryptedId(XmlDictionaryReader reader) +62
   Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameIdentifier(XmlDictionaryReader reader, String parentElement) +100
   Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadSubject(XmlDictionaryReader reader) +169

[Saml2SecurityTokenReadException: IDX13102: Exception thrown while reading '[PII is hidden]' for Saml2SecurityToken. Inner exception: 'System.NotSupportedException'.]
   Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadSubject(XmlDictionaryReader reader) +462
   Sustainsys.Saml2.Saml2P.Saml2PSerializer.ReadAssertion(XmlReader reader) +1992
   Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(String token) +192
   Sustainsys.Saml2.Saml2P.Saml2PSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) +10
   Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) +100
   Sustainsys.Saml2.Saml2P.<CreateClaims>d__60.MoveNext() +337
   System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +387
   System.Linq.Enumerable.ToList(IEnumerable`1 source) +58
   Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData) +118
   Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState) +57
   Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options) +442
   Sustainsys.Saml2.HttpModule.Saml2AuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs e) +261
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +141
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +48
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +71

KayodeBakker commented 4 years ago

I would also like to see this be released in a new version soon if possible but I can imagine that the backlog has more important things than this.

AuthServices currently only supports the case where the assertion as a whole is encrypted. This is an unencrypted assertion with an encrypted Id. To handle that, some further development is needed.

Also, AuthServices does not use the WIF infrastructure for decryption and signature verification, so those key handler mechanisms are never populated with the key config that AuthServices knows about.

To try to work around this problem without the aforementioned fix, I wanted to validate one thing from your statement. You mentioned that AuthServices currently only supports the case where the assertion as a whole is encrypted. I am guessing you are referring to a case such as this one:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <xenc:CipherData>
            <xenc:CipherValue>AorzhHNPYqxzihtW1MEwikl22O/xxNYm5ESCg6qpt9UMCXGishGFyUdgkgqqYq2WnlC2TCUid0z7ajTP0ESed8I+erg0AHSIoiXPlvMUlJ1BGhUBSfjOtkZiOnrGBxUVErLHUwN8esp71WCWgyuVKFn1/inf8hvpxzNCme3MOvo=</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </dsig:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>

AndersAbel commented 4 years ago

There is a larger design decision to be made here. The Microsoft.IdentityModel packages do support encrypted assertion and support signature validation. It might be time to just get rid of our own code for all of this and use the key handling, signature validation and encryption/decryption infrastructure of that library.