BradF

SAML Validator - says bad certificate but .Net says it's A-OK

Hi All,

In preparation for integrating with Salesforce, I'm using the SAML validator tool to verify the XML response that we'll be generating. The response itself is generated via .NET code and I can verify that the certificate in the response is valid using the .NET SignedXML class. However, the SAML validator keeps spitting out:

    Signature or certificate problems
    The signature in the response is not valid
    Is the correct certificate supplied in the keyinfo? false

I've already tried re-uploading my certificate. Has anyone else experienced this issue, or have a suggestion on what I should try next? Also, the SAML validator seems to be stuck in the past: all the validation timestamps it is using are 7 hours in the past (maybe that's the problem). I've read in some older posts (from around 2008) that the CanonicalizationMethod may not be supported, but I've seen other posts where others are using it.

cheers

Brad

Here's my response XML:

<Response xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_f852314a-7f5e-4308-a01f-66d20a8bbd96" Version="2.0" IssueInstant="2012-03-03T00:47:48Z" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://e4.localhost.com:80/samltester/</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_f852314a-7f5e-4308-a01f-66d20a8bbd96">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>HPGYiDDltAsp9sb3pG7+rWSUS/o=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>mbwggKm66i0Zr4iMx7cV54tNAYCuKe7/57sdNB+gNQGsaMycrWKulg+lb600k25FAZd35HgERkdxQhxzRXQ5Bsj0Cih/lp72dCzVatdaS3Rq6vyhXDmJUY+2h3lxx2LSv9ZaB2n1Qf0nBk8yNbw9FwR02K9IylZ7Oo/MXEZ9NZQ=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIB7jCCAVugAwIBAgIQV+MQJbQVy5pCwrl/4YTOZzAJBgUrDgMCHQUAMBQxEjAQBgNVBAMTCWV2b2NvLmNvbTAeFw0xMTEyMTUxODMxNTZaFw0zOTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMTCWV2b2NvLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAomWw7fF8Ibs90ZFvOgBTnHlWwXdVm58Uvp+6OywHjQRbxP9KdWOK1llIKmj4tzOwEle76TaO7i0zAQWY3gQhsllDlwN7vRPLKFBqafv5gTEeXflqPUVEEc+vflDMo3rqOwdenWuhAob+f29SRCb6hT4UMXicCHY0nEFa/9n1V1kCAwEAAaNJMEcwRQYDVR0BBD4wPIAQ1XnBOOit6jpdnjhOuNn80aEWMBQxEjAQBgNVBAMTCWV2b2NvLmNvbYIQV+MQJbQVy5pCwrl/4YTOZzAJBgUrDgMCHQUAA4GBAC5WqW3xH5MIp7seMom8ezzYbwTrvef2WMPHhpkPdMXl0/xs6s+s1lNp+9ntV0OSJ60DVWmA1GywpLgNt6/nIAePLBNHdKND+ypWqCEPbYNbH4QbA6Q+q1okuOg0/crgf2cq312tFJjZJb3pWoOL9HctHyywVzyZq5XmVHWzMhrs</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </Status>
  <Assertion Version="2.0" ID="_0ca4a862-e9ed-4c2a-8c10-f1c5ff500e3c" IssueInstant="2012-03-03T00:47:48Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://e4.localhost.com:80/samltester/</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">brad.furdyk@evoco.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2012-03-03T01:47:48.0000000Z" Recipient="https://login.salesforce.com" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2012-03-03T00:47:48Z" NotOnOrAfter="2012-03-03T01:47:48Z">
      <AudienceRestriction>
        <Audience>https://saml.salesforce.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2012-03-03T00:47:48Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</Response>



duggla

You have probably gotten an answer elsewhere or figured this out by now, but there appears to be a problem with the base64-encoded string which is included in the SAML XML for your certificate.

It appears to almost contain an X.509 certificate, but the base64 decoding process is producing an error for some reason.

It may be that you need to insert line breaks at intervals in the base64 encoding (keeping each line no longer than 80 characters) to allow all base64 decoders to handle it properly.

This may not be a problem at all in your case, but it is a good idea when working with base64-encoded certificates.
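As an added example (not code from either post, nor from the Salesforce validator), here is a stand-alone Python script, standard library only, for the two checks this thread turns on: whether the text in ds:X509Certificate is well-formed base64 that decodes to a complete DER object (it accepts the line-wrapped layout suggested in the reply, and reports a bad character, bad length, or a DER header announcing more bytes than were decoded instead of silently accepting a truncated certificate), and whether that certificate's fingerprint matches the one uploaded on the Salesforce side, which is the question behind "Is the correct certificate supplied in the keyinfo?". It also evaluates the Assertion's Conditions window against a supplied clock, to show what a validator clock 7 hours off, as Brad describes, does to a one-hour assertion. The Response skeleton and SAMPLE_DER inside it are constructed placeholders (the DER is a SEQUENCE with consistent length fields, not a real certificate), so the script runs offline; point extract_keyinfo_cert at a real Response and pass the real fingerprint to keyinfo_cert_matches to use it for real.

```python
"""Offline checks on the ds:KeyInfo certificate and validity window of a SAML 2.0
Response, standard library only. Added example, not code from the thread: the
Response is a constructed, trimmed stand-in with the thread's element layout, and
SAMPLE_DER is a placeholder DER SEQUENCE with consistent lengths, not a real cert."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Placeholder: SEQUENCE(131-byte body) { OCTET STRING(128-byte body) }, 134 bytes in total.
SAMPLE_DER = b"\x30\x81\x83" + b"\x04\x81\x80" + bytes(range(128))
_SAML_TIME = re.compile(r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z")


def sample_response(cert_text: str) -> str:
    """Constructed Response skeleton; only KeyInfo and Conditions are meaningful."""
    return f"""<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <Signature xmlns="{DSIG_NS}"><SignedInfo/><SignatureValue>AA==</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>{cert_text}</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <Assertion xmlns="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="2012-03-03T00:47:48Z">
    <Conditions NotBefore="2012-03-03T00:47:48Z" NotOnOrAfter="2012-03-03T01:47:48.0000000Z"/>
  </Assertion>
</Response>"""


def extract_keyinfo_cert(response_xml: str) -> str:
    """Raw text of ds:KeyInfo/ds:X509Data/ds:X509Certificate, line breaks and all."""
    path = f".//{{{DSIG_NS}}}KeyInfo/{{{DSIG_NS}}}X509Data/{{{DSIG_NS}}}X509Certificate"
    node = ET.fromstring(response_xml).find(path)
    if node is None or not (node.text or "").strip():
        raise ValueError("Response carries no ds:X509Certificate in KeyInfo")
    return node.text


def der_claimed_length(der: bytes) -> int:
    """Total length (header + content) announced by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: an X.509 Certificate starts with 0x30")
    if der[1] < 0x80:                      # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def decode_keyinfo_cert(cert_text: str) -> bytes:
    """Base64-decode the certificate text, rejecting bad base64 or a truncated DER.
    Whitespace (the line breaks of a wrapped encoding) is legal and stripped first."""
    compact = "".join(cert_text.split())
    if len(compact) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        raise ValueError("X509Certificate is not well-formed base64")
    der = base64.b64decode(compact, validate=True)   # binascii.Error is a ValueError
    claimed = der_claimed_length(der)
    if claimed != len(der):
        raise ValueError(f"DER announces {claimed} bytes but {len(der)} were decoded")
    return der


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase digest of the DER, as most tools print it."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def keyinfo_cert_matches(response_xml: str, expected_fingerprint: str) -> bool:
    """The validator's 'correct certificate in KeyInfo?' question, answered by fingerprint."""
    der = decode_keyinfo_cert(extract_keyinfo_cert(response_xml))
    want = re.sub(r"[^0-9A-F]", "", expected_fingerprint.upper())
    return fingerprint(der).replace(":", "") == want


def wrap_base64(der: bytes, width: int = 64) -> str:
    """Base64 broken into fixed-width lines, the PEM-style layout the reply suggests."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))


def parse_saml_time(value: str) -> datetime:
    """UTC xs:dateTime with optional fraction; the 7-digit .0000000Z form is accepted."""
    m = _SAML_TIME.fullmatch(value.strip())
    if not m:
        raise ValueError(f"not a UTC xs:dateTime: {value!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    micros = int((m.group(7) or "0")[:6].ljust(6, "0"))
    return datetime(y, mo, d, h, mi, s, micros, tzinfo=timezone.utc)


def conditions_valid_at(response_xml: str, now: datetime) -> bool:
    """NotBefore <= now < NotOnOrAfter; a clock hours off the issuer's fails this."""
    cond = ET.fromstring(response_xml).find(f".//{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("Assertion carries no saml:Conditions")
    return parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))
```

The script deliberately stops short of verifying SignatureValue or DigestValue: that requires running the enveloped-signature transform and Canonical XML over the exact bytes the sender signed, which a forum-pasted copy no longer preserves, so it belongs to an XML-DSig implementation on each side (SignedXml on the .NET side). What it does show is that a wrapped and an unwrapped encoding decode to the same DER and the same fingerprint, so line breaks alone cannot make a correct certificate wrong, while a dropped trailing chunk or a stray character is caught by the length and alphabet checks before any signature work starts.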