Azure AD SAML2 response: System.Security.Cryptography does not support http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Time: 2016-11-29 19:03:23

Tags: saml-2.0 azure-active-directory kentor-authservices

Hi all. I have a mystery. It may well be obvious to someone.

About 10 days ago, after working perfectly for several weeks, my service-provider application started throwing a strange error. I have a service provider running both locally and on Azure. The application uses KentorAuthServices to handle the messy XML and crypto bits. It was running smoothly and then, all of a sudden, it began throwing the error "Could not create hash algorithm object." I enabled framework debugging and traced it to the location indicated in the last line of this stack trace excerpt:

[CryptographicException: Could not create hash algorithm object.]
   System.Security.Cryptography.Xml.Reference.CalculateHashValue(XmlDocument document, CanonicalXmlNodeList refList) +160912
   System.Security.Cryptography.Xml.SignedXml.CheckDigestedReferences() +154
   System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key) +73

Indeed, it cannot create a hash algorithm object, because the algorithm represented by this URI

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

is now claimed to be unsupported, even though KentorAuthServices has a custom handler for it built in, and it worked as expected before this sudden change. As a sanity check, I pointed the SP application at Kentor's own stub IdP, and the application behaved as expected. Likewise, I validated the SAML response (reproduced below) in OneLogin's SAML validation utility, which also reported that the response is valid but the algorithm is unsupported.

What I know:

  • The Azure AD certificate is current, complete and reachable in the LocalMachine Trusted Root certificate store, and was created after the policy change that flipped on October 10 (which should have nothing to do with this anyway).
  • The SP is not signing requests with any kind of self-signed certificate; nor did it before.
  • Both locally and on Azure, the application is hooked up to an SSL port.
  • The application's configuration - EntityId, Issuer, metadata location and loading, bindings, request-signing behaviour, and so on - is unchanged, apart from my test, which added a swappable IdP reference pointing at the stub provider.
  • Azure AD processes the request successfully and issues a response that is otherwise valid; however, System.Security.Cryptography cannot create a hash for its signature.

I feel I am missing something obvious, apart from the fact that the application did not change from one day to the next; so I am obliged to ask whether anything in the world has changed that would explain why rsa-sha256 is suddenly dying. Here are the redacted SAML request and response for your perusal. Most identifying information has been removed, but since it is already known from Azure AD, the certificate is left in so you can check it for verification purposes. Thanks, and have a nice day.

<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="id1cf99748a239485692824ff1b950b5f9"
Version="2.0"
IssueInstant="2016-11-29T16:44:34Z"
Destination="https://login.windows.net:443/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2"
AssertionConsumerServiceURL="https://xxxx.azurewebsites.net/AuthServices/Acs">
<saml2:Issuer>https://xxxxx.xxx/federation</saml2:Issuer>
</saml2p:AuthnRequest>

<samlp:Response 
    ID="_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 
    Version="2.0" 
    IssueInstant="2016-11-29T16:44:36.521Z" 
    Destination="https://xxxxxxxx.azurewebsites.net/AuthServices/Acs" 
    InResponseTo="id1cf99748a239485692824ff1b950b5f9" 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer 
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/
    </Issuer>
    <samlp:Status>
        <samlp:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion 
        ID="_xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx" 
        IssueInstant="2016-11-29T16:44:36.505Z" 
        Version="2.0" 
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/</Issuer>
        <ds:Signature 
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod 
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod 
                    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference 
                    URI="#_2a5aa895-bcf1-4f98-87d6-187e7d75338c">
                    <ds:Transforms>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod 
                        Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    <ds:DigestValue>
                        HE62WvhO505xxxxxxxxnopQTPfL6LybGYySKUKfBxtY=
                    </ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>E8bvvT1iw148RaVOtlPWWMhPMq121arxJ2lwRd3Boi5Xe3Lw+sc9TgCWsmFa4tcIq0idmYTkYVio4cBDNnzIcMqy28JeeiF53nriO3eyxRQiPeJhyy6JUFnbhWEa6DcYvIbD14izrvdQGuGzULeL8K2cc32xDnCjYZXAWvY4V+iaEJhXqc50bfplUXwTcgo2YzPckmh/+iad0jVFBBj1S7bMDp9+hOvUHgrwU/FIm8H7Y/g6rZZ2mlkEsdRP0WRQfCgI/IHLf1IqUdaGE9hZpqcecmtAiKytWIe/0z/8zzUC3Xp2f+L2XEXMH3Y7iNOyKr38X3FQ/
                OChWEdYLIj3rw==
            </ds:SignatureValue>
            <KeyInfo 
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </ds:Signature>
        <Subject>
            <NameID 
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xxxxxxxxx.xxxxxxxxxxxxxxx@Xxxxxxxxxxx.com
            </NameID>
            <SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData 
                    InResponseTo="id1cf99748a239485692824ff1b950b5f9" 
                    NotOnOrAfter="2016-11-29T16:49:36.505Z" 
                    Recipient="https://xxxxxxxxxxxxxxxxxxxxxxx.azurewebsites.net/AuthServices/Acs"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions 
            NotBefore="2016-11-29T16:39:36.505Z" 
            NotOnOrAfter="2016-11-29T17:39:36.505Z">
            <AudienceRestriction>
                <Audience>https://xxxxxxxxxxxxxx.com/federation</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute 
                Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>ccbf68cb-7932-44bd-b015-cb686e0a4441</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>94d0114a-c4b8-4568-bf63-4b597aa65eda</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>xxxxxxxxxxxxxxxxxxxx</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>live.com</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>xxxxxxxxxxxxx</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>xxxxxxxxxxxxxxxxxxxxxxx</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>xxxxxxxxxxxxxxxxxxxxx@Xxxxxxxxxxxxxxxxxx.com</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>xxxxxxxxxxxxxxxx.xxxxxxxxxxxx@xxxxxxxxxxxxxxxxxxxx.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement 
            AuthnInstant="2016-11-27T02:37:17.000Z" 
            SessionIndex="_xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>
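As an added illustration (not part of the original question or of KentorAuthServices), here is a small Python checker that pulls the SignatureMethod and DigestMethod URIs out of each ds:Signature and flags a DigestMethod that carries a signature-algorithm URI rather than a digest URI; that is the shape of the posted response at the point where Reference.CalculateHashValue fails, since a verifier has to turn the DigestMethod into a hash object before it can compare the DigestValue. The XML-DSig and XML-Enc URIs are the standard ones; the sample assertion is constructed to mirror the posted layout.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Digest URIs a verifier can map to a hash function (W3C XML-DSig / XML-Enc).
DIGEST_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}
# Signature-method URIs (key algorithm + hash). Valid as SignatureMethod only.
SIGNATURE_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "sha256",
}


def check_signature_algorithms(xml_text):
    """Return (reference_uri, digest_uri, verdict) for every ds:Reference.

    A verifier resolves DigestMethod to a hash algorithm before it can compare
    the DigestValue, so a signature URI in that slot fails before any key is used.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter(DS + "Signature"):
        sig_method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm")
        if sig_method not in SIGNATURE_URIS:
            findings.append(("SignatureMethod", sig_method, "unknown-signature-uri"))
        for ref in sig.iter(DS + "Reference"):
            digest_uri = ref.find(DS + "DigestMethod").get("Algorithm")
            if digest_uri in DIGEST_URIS:
                verdict = "ok"
            elif digest_uri in SIGNATURE_URIS:
                verdict = "digest-method-is-signature-uri"
            else:
                verdict = "unknown-digest-uri"
            findings.append((ref.get("URI"), digest_uri, verdict))
    return findings


# Constructed minimal assertion mirroring the posted layout; only the DigestMethod
# URI differs between the two cases (as posted vs. a proper SHA-256 digest URI).
TEMPLATE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="{digest}"/>
      <ds:DigestValue>HE62WvhO505xxxxxxxxnopQTPfL6LybGYySKUKfBxtY=</ds:DigestValue>
    </ds:Reference></ds:SignedInfo></ds:Signature></Assertion>"""
AS_POSTED = TEMPLATE.format(digest="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
CORRECTED = TEMPLATE.format(digest="http://www.w3.org/2001/04/xmlenc#sha256")
```

Running `check_signature_algorithms(AS_POSTED)` reports `digest-method-is-signature-uri` for the single reference, while the CORRECTED document reports `ok`; a check like this before handing the document to SignedXml turns an opaque CryptographicException into a readable finding.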

0 answers:

No answers