IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

Mar 20, 2018 02:26 PM | pilotbob (Member, 22 Points, 48 Posts)

As per subject, I updated the Owin.Security.WsFederation and dependent packages to version 4.0 and I get the error.
I did not make any code changes other than changing
to
which is where the WsFederationConfiguration class seems to be now.

Here is my StartupAuth:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
        });

        // Create WsFed configuration from web.config wsfed: values
        var wsconfig = new WsFederationConfiguration()
        {
            Issuer = ConfigurationManager.AppSettings["wsfed:Issuer"],
            TokenEndpoint = ConfigurationManager.AppSettings["wsfed:TokenEndPoint"],
        };

        /*
         * Add x509 certificates to configuration
         */
        // certificate.1 must always exist
        byte[] x509Certificate;
        x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.1"]);
        wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));

        // certificate 2 may exist
        if (ConfigurationManager.AppSettings["wsfed:certificate.2"] != null)
        {
            x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.2"]);
            wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
        }

        // certificate 3 may exist
        if (ConfigurationManager.AppSettings["wsfed:certificate.3"] != null)
        {
            x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.3"]);
            wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
        }

        // Apply configuration to wsfed Auth Options
        var wsoptions = new WsFederationAuthenticationOptions
        {
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            Configuration = wsconfig,
            Wreply = ConfigurationManager.AppSettings["wsfed:Wreply"],
            Wtrealm = ConfigurationManager.AppSettings["wsfed:Wtrealm"],
        };
        wsoptions.TokenValidationParameters.NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";

        // Add WsFederation middleware to Owin pipeline
        app.UseWsFederationAuthentication(wsoptions);
    }

Is there something else 4.0 needs to validate the signature? I assume it's talking about the signature of the token from the issuer. I didn't see how to enable ShowPII to see what key it's looking at.
I am using MVC5 with the full framework. Not core.

Re: IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

Mar 21, 2018 07:28 AM | Brando ZWZ (Star, 8931 Points, 2723 Posts)

Hi pilotbob,

As far as I know, after updating to OWIN 4.0.0, the WsFederation namespace will use Microsoft.IdentityModel.Protocols.WsFederation instead of Microsoft.IdentityModel.Protocol.Extensions.

The Microsoft.IdentityModel.Protocols.WsFederation:

    namespace Microsoft.IdentityModel.Protocols.WsFederation
    {
        //
        // Summary:
        //     Contains WsFederation metadata that can be populated from an XML string.
        public class WsFederationConfiguration
        {
            //
            // Summary:
            //     Initializes a new instance of Microsoft.IdentityModel.Protocols.WsFederation.WsFederationConfiguration.
            public WsFederationConfiguration();
            //
            // Summary:
            //     Gets or sets the token issuer.
            public string Issuer { get; set; }
            //
            // Summary:
            //     Gets the System.Collections.Generic.IList`1 that the IdentityProvider indicates
            //     are to be used signing keys.
            public ICollection<SecurityKey> SigningKeys { get; }
            //
            // Summary:
            //     The Microsoft.IdentityModel.Xml.Signature element that was found when reading
            //     metadata.
            public Signature Signature { get; set; }
            //
            // Summary:
            //     The Microsoft.IdentityModel.Tokens.SigningCredentials that was used to sign the
            //     metadata.
            public SigningCredentials SigningCredentials { get; set; }
            //
            // Summary:
            //     Get the System.Collections.Generic.IList`1 that the IdentityProvider indicates
            //     are to be used signing keys.
            public ICollection<KeyInfo> KeyInfos { get; }
            //
            // Summary:
            //     Gets or sets token endpoint.
            public string TokenEndpoint { get; set; }
        }
    }

The Microsoft.IdentityModel.Protocol.Extensions WsFederation:

    namespace Microsoft.IdentityModel.Protocols
    {
        //
        // Summary:
        //     Contains WsFederation metadata that can be populated from an XML string.
        public class WsFederationConfiguration
        {
            //
            // Summary:
            //     Initializes a new instance of Microsoft.IdentityModel.Protocols.WsFederationConfiguration.
            public WsFederationConfiguration();
            //
            // Summary:
            //     Gets or sets the token issuer.
            public string Issuer { get; set; }
            //
            // Summary:
            //     Gets the System.Collections.Generic.ICollection`1 that the IdentityProvider indicates
            //     are to be used signing tokens.
            public ICollection<SecurityKey> SigningKeys { get; }
            //
            // Summary:
            //     Gets or sets the passive token endpoint.
            public string TokenEndpoint { get; set; }
        }
    }

If you want to use the Microsoft.IdentityModel.Protocols.WsFederation, I suggest you could also define the SigningKeys, Signature property and try again.

Best Regards,
Brando

Re: IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

Mar 21, 2018 04:12 PM | pilotbob (Member, 22 Points, 48 Posts)

What signature is it expecting? Would this be from the issuer? As you see, I do supply SigningKeys.
How is it different from the signing keys? I didn't provide a signature in the previous version. Our corporate STS doesn't provide a metadata endpoint. But I do have the metadata that I can look in. What element would the signature value be in?

Re: IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

Mar 23, 2018 09:43 PM | pilotbob (Member, 22 Points, 48 Posts)
The issue is that our STS is using SHA1 to sign the token, and Owin.Security v4 no longer supports SHA1.
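The thread ends with the root cause (the STS signs tokens with SHA1, which the v4 stack no longer accepts) after the earlier posts could not tell which key or algorithm validation was looking at. The following Python script is an added diagnostic example, not code from the thread or from Microsoft.IdentityModel: given a captured WS-Federation SAML token and the same base64 certificate values the web.config `wsfed:certificate.N` settings hold, it reports the `ds:SignatureMethod` and `ds:DigestMethod` algorithms, the thumbprint of the certificate carried in `ds:KeyInfo`, and which configured slot (if any) that certificate matches. The token builder, the `sts.example.invalid` issuer, and the certificate bytes are constructed placeholders, not real certificates or signatures; only the XML structure and the `rsa-sha1` / `sha1` algorithm URIs are real.

```python
"""Diagnose an IDX10503 signature-validation failure from a captured WS-Fed token.

Added example (not from the forum thread). It answers two questions a defender
asks before touching the STS or the relying party: which algorithm signed the
assertion, and whether the signing certificate in ds:KeyInfo is one of the
certificates configured as wsfed:certificate.1 .. wsfed:certificate.N.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# SHA1-based XML-DSig algorithm URIs. The thread identifies SHA1 signing as the
# reason the OWIN 4 / Microsoft.IdentityModel 5 stack rejects the token.
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",   # SignatureMethod
    "http://www.w3.org/2000/09/xmldsig#sha1",       # DigestMethod
}


def thumbprint(der):
    """X.509 thumbprint the way .NET displays it: uppercase hex SHA-1 of the DER bytes."""
    return hashlib.sha1(der).hexdigest().upper()


def inspect_token(token_xml, configured_certs_b64):
    """Return a dict describing the signature of a WS-Fed/SAML token.

    configured_certs_b64 is the list of base64 DER strings in the same order as
    the wsfed:certificate.N app settings, so slot numbers are 1-based.
    """
    root = ET.fromstring(token_xml)
    sig = root.find(f".//{DS}Signature")
    if sig is None:
        return {"signed": False}

    sig_method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm")
    digest_method = sig.find(f".//{DS}DigestMethod").get("Algorithm")

    # The certificate the STS says it signed with (may be absent; then the RP can
    # only try every configured key).
    cert_el = sig.find(f".//{DS}X509Certificate")
    cert_tp = None
    if cert_el is not None and cert_el.text:
        cert_tp = thumbprint(base64.b64decode("".join(cert_el.text.split())))

    configured = {thumbprint(base64.b64decode(c)): slot
                  for slot, c in enumerate(configured_certs_b64, start=1)}

    return {
        "signed": True,
        "signature_method": sig_method,
        "digest_method": digest_method,
        "signing_cert_thumbprint": cert_tp,
        "configured_slot": configured.get(cert_tp),     # None when no slot matches
        "uses_sha1": sig_method in SHA1_ALGORITHMS or digest_method in SHA1_ALGORITHMS,
    }


def diagnose(token_xml, configured_certs_b64):
    """Human-readable findings for the token, most likely cause first."""
    info = inspect_token(token_xml, configured_certs_b64)
    if not info["signed"]:
        return ["token carries no ds:Signature element"]
    findings = []
    if info["uses_sha1"]:
        findings.append(f"STS signs with SHA1 ({info['signature_method']}); "
                        "Owin.Security v4 rejects SHA1 signatures")
    if info["signing_cert_thumbprint"] is None:
        findings.append("no ds:X509Certificate in KeyInfo; RP must try all configured keys")
    elif info["configured_slot"] is None:
        findings.append(f"signing certificate {info['signing_cert_thumbprint']} "
                        "matches no wsfed:certificate.N setting")
    else:
        findings.append(f"signing certificate matches wsfed:certificate.{info['configured_slot']}")
    return findings


def make_token(sig_alg, digest_alg, cert_der):
    """Build a constructed (unsigned-for-real) SAML assertion with the given algorithms."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.example.invalid/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_constructed">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</saml:Assertion>"""


# Constructed placeholder "certificates" (arbitrary bytes, not real X.509 DER).
CERT1_DER = b"constructed-placeholder-certificate-1"
CERT2_DER = b"constructed-placeholder-certificate-2"
CONFIGURED = [base64.b64encode(CERT1_DER).decode(), base64.b64encode(CERT2_DER).decode()]

# Token shaped like the thread's failing case: rsa-sha1 signature, known certificate.
SHA1_TOKEN = make_token("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                        "http://www.w3.org/2000/09/xmldsig#sha1", CERT1_DER)
# Token from an STS already moved to SHA-256 but signing with an unconfigured certificate.
SHA256_TOKEN = make_token("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                          "http://www.w3.org/2001/04/xmlenc#sha256", b"unknown-cert")

if __name__ == "__main__":
    for name, tok in (("sha1", SHA1_TOKEN), ("sha256", SHA256_TOKEN)):
        print(name, "->", "; ".join(diagnose(tok, CONFIGURED)))
```

Run it against a token captured from the browser's `wresult` form post (the SAML assertion inside the RequestSecurityTokenResponse). A SHA1 finding means the fix is on the STS side or in the relying party's accepted-algorithm policy; a "matches no wsfed:certificate.N" finding means the STS rotated its signing certificate and the web.config values are stale.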