Forums, Documentation & Knowledge Base - ComponentSpace

The SAML response signature failed to verify

By fabio - 8/29/2021


A customer IdP partner of ours is changing the configuration he used to have to connect to our SP.
He said that he changed from

A signed SAML Response with an unsigned Assertion/SAMLResponse with Signed Message

SAML Response with SignedMessage & Assertion

This generates this error

The problem was fixed on his side reverting this change.
Could you please provide me further information to better understand this scenario?

Thank you

By ComponentSpace - 9/2/2021

Thanks for the log.

This is a known issue in the .NET framework’s System.Security.Cryptography.Xml.SignedXml class. It’s been reported to Microsoft but there isn’t a fix yet.

The issue is related to “&#13;” carriage return entity references that are included by some Java implementations.

The best option is to ignore the SAML message signature and only verify the SAML assertion signature. This doesn’t present any security issues.

You could ask the identity provider to sign the SAML assertion only.

Alternatively, change the PartnerIdentityProviderConfiguration to:

"WantAssertionOrResponseSigned": false,
"WantAssertionSigned": true,
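As an added illustration of the carriage return entity references mentioned above (constructed example, not ComponentSpace code and not the partner's message): an XML parser keeps a CR that arrives as `&#13;` but normalizes a literal CR/CRLF to LF, and Canonical XML re-serializes the kept CR as `&#xD;`. Because XML-DSig digests the canonical form, a verifier whose handling of these references differs from the signer's computes a different digest and the signature fails. The `saml:Issuer` fragment and its value are placeholders.

```python
"""Carriage-return entity references in signed XML (constructed example)."""
import hashlib
from typing import Tuple
import xml.etree.ElementTree as ET

# Constructed SAML-like fragment with the entity a Java signer might emit.
# The issuer value is a placeholder, not a real identity provider.
WITH_ENTITY = (
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://idp.example.com/&#13;\n</saml:Issuer>'
)
# The same fragment carrying a literal CRLF instead of the entity.
WITH_LITERAL_CRLF = (
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://idp.example.com/\r\n</saml:Issuer>'
)


def parsed_text(xml_text: str) -> str:
    """Text content exactly as the XML parser hands it to the application."""
    return ET.fromstring(xml_text).text


def cr_survives_parsing(xml_text: str) -> bool:
    """True if a carriage return is still present after parsing.

    A literal CR/CRLF is normalized to LF by the parser (XML 1.0, 2.11);
    a character reference such as &#13; is not normalized and survives.
    """
    return "\r" in parsed_text(xml_text)


def canonical_digest(xml_text: str) -> Tuple[str, str]:
    """Canonical XML (C14N 2.0 via ElementTree) and its SHA-256 hex digest.

    XML-DSig hashes the canonical form, so any difference here means a
    different DigestValue and a signature that will not verify.
    """
    canon = ET.canonicalize(xml_text)
    return canon, hashlib.sha256(canon.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("entity keeps CR:", cr_survives_parsing(WITH_ENTITY))            # True
    print("literal CRLF keeps CR:", cr_survives_parsing(WITH_LITERAL_CRLF))  # False
    canon_entity, digest_entity = canonical_digest(WITH_ENTITY)
    canon_literal, digest_literal = canonical_digest(WITH_LITERAL_CRLF)
    print(repr(canon_entity))    # canonical form contains '&#xD;'
    print(repr(canon_literal))   # canonical form contains only '\n'
    print("digests equal:", digest_entity == digest_literal)  # False
```

Requires Python 3.8 or later for `ET.canonicalize`.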