IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0[Answered] RSS

• • Reply
  pilotbob

  Member

  22 Points

  48 Posts

  IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

  Mar 20, 2018 02:26 PM|pilotbob|LINK

  As per subject, I updated the Owin.Security.WsFederation and dependant packages to version 4.0 and I get the error.

  I did not make any code changes other than changing

  using Microsoft.IdentityModel.Protocols; 

  to

  using Microsoft.IdentityModel.Protocols.WsFederation;

  where is the WsFederationConfiguration class seems to be now.

  Here is my StartupAuth:

  public void ConfigureAuth(IAppBuilder app)
          {
              app.UseCookieAuthentication(
                  new CookieAuthenticationOptions
                  {
                      AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
                  });
  
              // Create WsFed configuration from web.config wsfed: values
              var wsconfig = new WsFederationConfiguration()
              {
                  Issuer = ConfigurationManager.AppSettings["wsfed:Issuer"],
                  TokenEndpoint = ConfigurationManager.AppSettings["wsfed:TokenEndPoint"],                
              };
  
              /* 
               * Add x509 certificates to configuration
               * 
               */
              // certificate.1 must always exist
              byte[] x509Certificate;
              x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.1"]);
              wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
              // certificate 2 may exist
              if (ConfigurationManager.AppSettings["wsfed:certificate.2"] != null)
              {
                  x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.2"]);
                  wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
              }
              // certificate 3 may exist
              if (ConfigurationManager.AppSettings["wsfed:certificate.3"] != null)
              {
                  x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.3"]);
                  wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
              }
  
              // Apply configuration to wsfed Auth Options
              var wsoptions = new WsFederationAuthenticationOptions
              {
                  SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                  Configuration = wsconfig,
                  Wreply = ConfigurationManager.AppSettings["wsfed:Wreply"],
                  Wtrealm = ConfigurationManager.AppSettings["wsfed:Wtrealm"],
              };
              wsoptions.TokenValidationParameters.NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";
  
              // Add WdFederation middleware to Owin pipeline
              app.UseWsFederationAuthentication(wsoptions);
          }

  Is there something else 4.0 needs to validate the signature? I assume it's talking about the signature of the token from the issuer. I didn't see how to enable ShowPII to see what key it's looking at.

  I am using MVC5 with the full framework. Not core.

• • Reply
  Brando ZWZ

  Star

  9821 Points

  3120 Posts

  Re: IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

  Mar 21, 2018 07:28 AM|Brando ZWZ|LINK

  Hi pilotbob,

  As far as I know, after updated to owin 4.0.0, the WsFederation namespace will use Microsoft.IdentityModel.Protocols.WsFederation instead of Microsoft.IdentityModel.Protocol.Extensions.

  The Microsoft.IdentityModel.Protocols.WsFederation.

  namespace Microsoft.IdentityModel.Protocols.WsFederation
  {
      //
      // Summary:
      //     Contains WsFederation metadata that can be populated from a XML string.
      public class WsFederationConfiguration
      {
          //
          // Summary:
          //     Initializes an new instance of Microsoft.IdentityModel.Protocols.WsFederation.WsFederationConfiguration.
          public WsFederationConfiguration();
  
          //
          // Summary:
          //     Gets or sets the token issuer.
          public string Issuer { get; set; }
          //
          // Summary:
          //     Gets the System.Collections.Generic.IList`1 that the IdentityProvider indicates
          //     are to be used signing keys.
          public ICollection<SecurityKey> SigningKeys { get; }
          //
          // Summary:
          //     The Microsoft.IdentityModel.Xml.Signature element that was found when reading
          //     metadata.
          public Signature Signature { get; set; }
          //
          // Summary:
          //     The Microsoft.IdentityModel.Tokens.SigningCredentials that was used to sign the
          //     metadata.
          public SigningCredentials SigningCredentials { get; set; }
          //
          // Summary:
          //     Get the System.Collections.Generic.IList`1 that the IdentityProvider indicates
          //     are to be used signing keys.
          public ICollection<KeyInfo> KeyInfos { get; }
          //
          // Summary:
          //     Gets or sets token endpoint.
          public string TokenEndpoint { get; set; }
      }
  }

  The Microsoft.IdentityModel.Protocol.Extensions WsFederation:

  namespace Microsoft.IdentityModel.Protocols
  {
      //
      // Summary:
      //     Contains WsFederation metadata that can be populated from a xml string.
      public class WsFederationConfiguration
      {
          //
          // Summary:
          //     Initializes an new instance of Microsoft.IdentityModel.Protocols.WsFederationConfiguration.
          public WsFederationConfiguration();
  
          //
          // Summary:
          //     Gets or sets the token issuer.
          public string Issuer { get; set; }
          //
          // Summary:
          //     Gets the System.Collections.Generic.ICollection`1 that the IdentityProvider indicates
          //     are to be used signing tokens.
          public ICollection<SecurityKey> SigningKeys { get; }
          //
          // Summary:
          //     Gets or sets the Gets or sets the passive token endpoint.
          public string TokenEndpoint { get; set; }
      }
  }

  If you want to use the Microsoft.IdentityModel.Protocols.WsFederation, I suggest you could also define the SigningKeys, Signature property and try again.

  Best Regards,

  Brando

  MSDN Community Support
  Please remember to click "Mark as Answer" the responses that resolved your issue.
  If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  
• • Reply
  pilotbob

  Member

  22 Points

  48 Posts

  Re: IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

  Mar 21, 2018 04:12 PM|pilotbob|LINK

  What signature is it expecting? Would this be from the issuer?  As you see, I do supply signingKeys.

  How is it different than the signing keys? I didn't provide a signature in the previous version. Out corporate sts doesn't provide a metadata endpoint. But, I do have the metadata that I can look in. What element would the signature value be in?

• • Reply
  pilotbob

  Member

  22 Points

  48 Posts

  Re: IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

  Mar 23, 2018 09:43 PM|pilotbob|LINK

  The issue is that our STS is using SHA1 to sign the token, and Owin.Security v4 no longer supports SHA1.