IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0 [Answered]RSS

• • Reply
  pilotbob

  Member

  22 Points

  48 Posts

  IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

  Mar 20, 2018 02:26 PM|pilotbob|LINK

  As per subject, I updated the Owin.Security.WsFederation and dependant packages to version 4.0 and I get the error.

  I did not make any code changes other than changing

  using Microsoft.IdentityModel.Protocols; 

  to

  using Microsoft.IdentityModel.Protocols.WsFederation;

  where is the WsFederationConfiguration class seems to be now.

  Here is my StartupAuth:

  public void ConfigureAuth(IAppBuilder app)
          {
              app.UseCookieAuthentication(
                  new CookieAuthenticationOptions
                  {
                      AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
                  });
  
              // Create WsFed configuration from web.config wsfed: values
              var wsconfig = new WsFederationConfiguration()
              {
                  Issuer = ConfigurationManager.AppSettings["wsfed:Issuer"],
                  TokenEndpoint = ConfigurationManager.AppSettings["wsfed:TokenEndPoint"],                
              };
  
              /* 
               * Add x509 certificates to configuration
               * 
               */
              // certificate.1 must always exist
              byte[] x509Certificate;
              x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.1"]);
              wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
              // certificate 2 may exist
              if (ConfigurationManager.AppSettings["wsfed:certificate.2"] != null)
              {
                  x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.2"]);
                  wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
              }
              // certificate 3 may exist
              if (ConfigurationManager.AppSettings["wsfed:certificate.3"] != null)
              {
                  x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.3"]);
                  wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
              }
  
              // Apply configuration to wsfed Auth Options
              var wsoptions = new WsFederationAuthenticationOptions
              {
                  SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                  Configuration = wsconfig,
                  Wreply = ConfigurationManager.AppSettings["wsfed:Wreply"],
                  Wtrealm = ConfigurationManager.AppSettings["wsfed:Wtrealm"],
              };
              wsoptions.TokenValidationParameters.NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";
  
              // Add WdFederation middleware to Owin pipeline
              app.UseWsFederationAuthentication(wsoptions);
          }

  Is there something else 4.0 needs to validate the signature? I assume it's talking about the signature of the token from the issuer. I didn't see how to enable ShowPII to see what key it's looking at.

  I am using MVC5 with the full framework. Not core.

• • Reply
  Brando ZWZ

  Star

  8931 Points

  2723 Posts

  Re: IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

  Mar 21, 2018 07:28 AM|Brando ZWZ|LINK

  Hi pilotbob,

  As far as I know, after updated to owin 4.0.0, the WsFederation namespace will use Microsoft.IdentityModel.Protocols.WsFederation instead of Microsoft.IdentityModel.Protocol.Extensions.

  The Microsoft.IdentityModel.Protocols.WsFederation.

  namespace Microsoft.IdentityModel.Protocols.WsFederation
  {
      //
      // Summary:
      //     Contains WsFederation metadata that can be populated from a XML string.
      public class WsFederationConfiguration
      {
          //
          // Summary:
          //     Initializes an new instance of Microsoft.IdentityModel.Protocols.WsFederation.WsFederationConfiguration.
          public WsFederationConfiguration();
  
          //
          // Summary:
          //     Gets or sets the token issuer.
          public string Issuer { get; set; }
          //
          // Summary:
          //     Gets the System.Collections.Generic.IList`1 that the IdentityProvider indicates
          //     are to be used signing keys.
          public ICollection<SecurityKey> SigningKeys { get; }
          //
          // Summary:
          //     The Microsoft.IdentityModel.Xml.Signature element that was found when reading
          //     metadata.
          public Signature Signature { get; set; }
          //
          // Summary:
          //     The Microsoft.IdentityModel.Tokens.SigningCredentials that was used to sign the
          //     metadata.
          public SigningCredentials SigningCredentials { get; set; }
          //
          // Summary:
          //     Get the System.Collections.Generic.IList`1 that the IdentityProvider indicates
          //     are to be used signing keys.
          public ICollection<KeyInfo> KeyInfos { get; }
          //
          // Summary:
          //     Gets or sets token endpoint.
          public string TokenEndpoint { get; set; }
      }
  }

  The Microsoft.IdentityModel.Protocol.Extensions WsFederation:

  namespace Microsoft.IdentityModel.Protocols
  {
      //
      // Summary:
      //     Contains WsFederation metadata that can be populated from a xml string.
      public class WsFederationConfiguration
      {
          //
          // Summary:
          //     Initializes an new instance of Microsoft.IdentityModel.Protocols.WsFederationConfiguration.
          public WsFederationConfiguration();
  
          //
          // Summary:
          //     Gets or sets the token issuer.
          public string Issuer { get; set; }
          //
          // Summary:
          //     Gets the System.Collections.Generic.ICollection`1 that the IdentityProvider indicates
          //     are to be used signing tokens.
          public ICollection<SecurityKey> SigningKeys { get; }
          //
          // Summary:
          //     Gets or sets the Gets or sets the passive token endpoint.
          public string TokenEndpoint { get; set; }
      }
  }

  If you want to use the Microsoft.IdentityModel.Protocols.WsFederation, I suggest you could also define the SigningKeys, Signature property and try again.

  Best Regards,

  Brando

• • Reply
  pilotbob

  Member

  22 Points

  48 Posts

  Re: IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

  Mar 21, 2018 04:12 PM|pilotbob|LINK

  What signature is it expecting? Would this be from the issuer?  As you see, I do supply signingKeys.

  How is it different than the signing keys? I didn't provide a signature in the previous version. Out corporate sts doesn't provide a metadata endpoint. But, I do have the metadata that I can look in. What element would the signature value be in?

• • Reply
  pilotbob

  Member

  22 Points

  48 Posts

  Re: IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0

  Mar 23, 2018 09:43 PM|pilotbob|LINK

  The issue is that our STS is using SHA1 to sign the token, and Owin.Security v4 no longer supports SHA1.