aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Is there a way to Decrypt encrypted SAML token?? #1904

Closed amitsharma2912 closed 5 years ago

amitsharma2912 commented 5 years ago

IDX30011: Unable to read XML. Expecting XmlReader to be at ns.element: 'urn:oasis:names:tc:SAML:1.0:assertion.Assertion', found: 'http://www.w3.org/2001/04/xmlenc#.EncryptedData'.

   at Microsoft.IdentityModel.Xml.XmlUtil.CheckReaderOnEntry(XmlReader reader, String element, String namespace)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSerializer.ReadAssertion(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ReadSamlToken(String token)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at AspNetCoreWsFederation.MyTokenValidator.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken) in C:\Users\asharma\Downloads\IdentityServer4.WsFederation-dev1\IdentityServer4.WsFederation-dev\src\AspNetCoreWsFederation\MyTokenValidator.cs:line 42
   at Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.d__9.MoveNext()

amitsharma2912 commented 5 years ago

CN=localhost26307764284393307152165585077234995202ZRAV3WqSmH5NPflAXyt5NOD+6CoYJPT/XbFw6271a5MmFAmdi85Cnx3gUtNSJUrgoIAXSh9wXZO9CUAFoV/DlZuGHLMQPkP0w+Hwb6gGDAUKyoLVt1oN8pF+5fGVXNdKrRZeW3NiQGwNg2/AcDhlKEYAQ0EG/SyLmKBfpT96L48=

blowdart commented 5 years ago

@brentschmaltz ?

rasitha1 commented 5 years ago

Doesn't appear to be valid xml. Here's a cool site you can use for SAML stuff: https://www.samltool.com/

amitsharma2912 commented 5 years ago

@rasitha1 I have decrypted the above encrypted SAML using the same website and it gives me a valid XML which I am able to even validate... so for sure the issue is not with the token.

rasitha1 commented 5 years ago

Looks like SamlSecurityTokenHandler.ValidateToken is expecting a plain text token(?). It doesn't seem to have any decryption support.

Maybe you have to override that and provide your own decryption? Looking at how JwtSecurityTokenHandler is implemented, CryptoProviderFactory might help... just a wild guess.
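The approach sketched in the comment above, written out as an added example (it is not code from this thread, from aspnet/Security, or from Microsoft.IdentityModel): an `ISecurityTokenValidator` that unwraps the `xenc:EncryptedData` envelope with the relying party's own RSA private key and then passes the plain, still signed, SAML 1.1 assertion to `SamlSecurityTokenHandler`, which (per the stack trace) only reads signed plaintext. The class name, the assumption that the session key arrives as an `xenc:EncryptedKey` inside `ds:KeyInfo`, and the restriction to AES-CBC data encryption are this example's choices, not something the thread states about the issuer's token.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml;

// Hypothetical validator (example code, not the library's own): decrypts the
// xenc:EncryptedData wrapper, then delegates to SamlSecurityTokenHandler so the
// assertion's signature, issuer, audience and lifetime are still validated by
// the library before any claims are trusted.
public sealed class DecryptingSamlTokenValidator : ISecurityTokenValidator
{
    private readonly SamlSecurityTokenHandler _inner = new SamlSecurityTokenHandler();
    private readonly X509Certificate2 _decryptionCert; // relying party cert, must carry the private key

    public DecryptingSamlTokenValidator(X509Certificate2 decryptionCert)
    {
        if (!decryptionCert.HasPrivateKey)
            throw new ArgumentException("Decryption certificate needs a private key.", nameof(decryptionCert));
        _decryptionCert = decryptionCert;
    }

    public bool CanValidateToken => true;
    public int MaximumTokenSizeInBytes
    {
        get => _inner.MaximumTokenSizeInBytes;
        set => _inner.MaximumTokenSizeInBytes = value;
    }
    public bool CanReadToken(string securityToken) => true;

    public ClaimsPrincipal ValidateToken(string securityToken,
        TokenValidationParameters validationParameters, out SecurityToken validatedToken)
    {
        // XmlResolver = null: never resolve external entities or DTDs from a token.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(securityToken);

        bool isEncrypted = doc.DocumentElement.LocalName == "EncryptedData"
                        && doc.DocumentElement.NamespaceURI == EncryptedXml.XmlEncNamespaceUrl;
        string plaintext = isEncrypted ? Decrypt(doc) : securityToken;

        // Signature verification happens here, on the decrypted assertion.
        return _inner.ValidateToken(plaintext, validationParameters, out validatedToken);
    }

    private string Decrypt(XmlDocument doc)
    {
        var encryptedData = new EncryptedData();
        encryptedData.LoadXml(doc.DocumentElement);

        // Assumed layout: the AES session key is RSA-wrapped in an xenc:EncryptedKey under ds:KeyInfo.
        EncryptedKey encryptedKey = null;
        foreach (KeyInfoClause clause in encryptedData.KeyInfo)
        {
            if (clause is KeyInfoEncryptedKey kek) { encryptedKey = kek.EncryptedKey; break; }
        }
        if (encryptedKey == null)
            throw new SecurityTokenDecryptionFailedException("No xenc:EncryptedKey found in KeyInfo.");

        bool useOaep = encryptedKey.EncryptionMethod?.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl;
        byte[] sessionKey;
        using (RSA rsa = _decryptionCert.GetRSAPrivateKey())
        {
            sessionKey = EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, rsa, useOaep);
        }

        // Accept only AES-CBC for the data; anything else (e.g. Triple-DES) is rejected outright.
        string alg = encryptedData.EncryptionMethod?.KeyAlgorithm;
        if (alg != EncryptedXml.XmlEncAES128Url && alg != EncryptedXml.XmlEncAES256Url)
            throw new SecurityTokenDecryptionFailedException($"Unsupported data encryption algorithm: {alg}");

        var exml = new EncryptedXml(doc);
        using (var aes = Aes.Create())
        {
            aes.Key = sessionKey;
            byte[] plain = exml.DecryptData(encryptedData, aes); // strips the IV prefix and PKCS#7 padding
            return Encoding.UTF8.GetString(plain);
        }
    }
}
```

Assuming the WS-Federation handler is configured with `options.SecurityTokenHandlers.Clear(); options.SecurityTokenHandlers.Add(new DecryptingSamlTokenValidator(cert));`, the validator runs in place of the stock one. Two points worth keeping in mind with this design: the decrypted XML is never used for claims until `SamlSecurityTokenHandler.ValidateToken` has checked its signature against `validationParameters`, and the algorithm allow-list is deliberate, since a decryptor that accepts whatever `EncryptionMethod` the sender names is harder to reason about than one that names the two algorithms it expects.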

brentschmaltz commented 5 years ago

@blowdart @amitsharma2912 @rasitha1 we only support signed saml tokens in 5.3.0. @GeoK is working on allowing encrypted tokens.

blowdart commented 5 years ago

As this is currently "by design", or really "we don't support this yet", I'm closing the issue.

amitsharma2912 commented 5 years ago

Any idea when this functionality will be available? What else can I do to support this for now? This is the only functionality hindering our migration.

Tratcher commented 5 years ago

@amitsharma2912 https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/ is a better place for that question, that's where the implementation will happen.