Signing an AuthnRequest with SHA-256

0
I enabled the SHA-256 algorithm in the Advanced tab of the relying party trust in the ADFS settings and added the code below to global.asax:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

protected void Application_Start()
{
    LoadIdpCertificate();
}

private void LoadIdpCertificate()
{
    // GetSAMLCertificate, password, IdPCertKey and SPKeyFile are defined elsewhere in the application
    string certificatestring = GetSAMLCertificate();
    byte[] bytes = new byte[certificatestring.Length];
    for (int i = 0; i < certificatestring.Length; i++)
    {
        bytes[i] = (byte)certificatestring[i];
    }

    if (certificatestring != string.Empty)
    {
        // Register the RSA-SHA256 signature description under its XML DSig URI
        CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription),
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");

        X509Certificate2 cert = new X509Certificate2(bytes, password, X509KeyStorageFlags.MachineKeySet);
        Application[IdPCertKey] = cert;

        if (password != string.Empty)
        {
            Application[SPKeyFile] = new X509Certificate2(
                Path.Combine(HttpRuntime.AppDomainAppPath + "/App_Data", SPKeyFile),
                password,
                X509KeyStorageFlags.MachineKeySet);
        }
    }
}
```

I added the code below to sign the request:

```csharp
X509Certificate2 x509Certificate =
    (X509Certificate2)System.Web.HttpContext.Current.Application[MvcApplication.SPKeyFile];
authnRequest.Sign(x509Certificate);
```

But I'm getting this error in the ADFS server's Event Viewer:

> Exception details: Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
 
asked 3/12/2020 10:53:15 PM
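The MSIS7093 text in the question names both URIs: the request carries `rsa-sha1` in `<ds:SignatureMethod>`, while ADFS expects `rsa-sha256`. Registering `RSAPKCS1SHA256SignatureDescription` with `CryptoConfig` only teaches the framework how to compute an RSA-SHA256 signature; whichever library implements `authnRequest.Sign()` still decides which URI it writes into `SignedInfo`. The following is an added example, not code from the question or from the SAML library it uses, showing how an enveloped XML signature is produced with `System.Security.Cryptography.Xml.SignedXml` so that the SHA-256 URI is emitted, plus a read-back check that catches the mismatch before the request ever reaches ADFS. It assumes .NET Framework 4.6.2 or later (or .NET Core/5+ with the `System.Security.Cryptography.Xml` package), a PFX path and password passed on the command line, and a constructed sample request with the ID `_req1`.

```csharp
// Added example (not the question's or its SAML library's code): sign an XML
// element with RSA-SHA256 via SignedXml and verify the emitted SignatureMethod.
// Assumptions: .NET Framework 4.6.2+ (SignedXml supports RSA-SHA256 natively
// there; older frameworks need the CryptoConfig registration from the question),
// args[0] = PFX path, args[1] = PFX password, and a constructed sample request.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class Sha256XmlSigner
{
    // URIs exactly as they appear in the MSIS7093 event text.
    public const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    public const string RsaSha1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private const string DigestSha256 = "http://www.w3.org/2001/04/xmlenc#sha256";

    // Signs the root element of `xml` with an enveloped signature using the
    // certificate's RSA private key.
    public static XmlDocument Sign(string xml, X509Certificate2 cert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);

        using (RSA key = cert.GetRSAPrivateKey())
        {
            if (key == null)
                throw new InvalidOperationException("Certificate has no RSA private key.");

            var signedXml = new SignedXml(doc) { SigningKey = key };

            // This assignment decides which URI lands in <ds:SignatureMethod>.
            // If it is left at the default, the output is rsa-sha1, which is the
            // mismatch ADFS reports. If the key lives in a legacy CSP (provider
            // type 1) the call below fails; re-import the PFX with a CNG/AES
            // capable provider in that case.
            signedXml.SignedInfo.SignatureMethod = RsaSha256;
            signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

            var reference = new Reference("#" + doc.DocumentElement.GetAttribute("ID"));
            reference.DigestMethod = DigestSha256;
            reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            reference.AddTransform(new XmlDsigExcC14NTransform());
            signedXml.AddReference(reference);

            var keyInfo = new KeyInfo();
            keyInfo.AddClause(new KeyInfoX509Data(cert));
            signedXml.KeyInfo = keyInfo;

            signedXml.ComputeSignature();
            doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        }
        return doc;
    }

    // Defensive check: read back the SignatureMethod URI that was actually emitted,
    // so a library defaulting to SHA-1 is caught locally instead of in the ADFS log.
    public static string EmittedSignatureMethod(XmlDocument signedDoc)
    {
        var ns = new XmlNamespaceManager(signedDoc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        XmlNode node = signedDoc.SelectSingleNode("//ds:SignedInfo/ds:SignatureMethod/@Algorithm", ns);
        return node == null ? null : node.Value;
    }

    public static void Main(string[] args)
    {
        // Constructed sample; a real AuthnRequest carries more attributes and elements.
        const string sample =
            "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
            "ID=\"_req1\" Version=\"2.0\" IssueInstant=\"2020-03-12T22:53:15Z\">" +
            "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" +
            "https://sp.example/</saml:Issuer></samlp:AuthnRequest>";

        var cert = new X509Certificate2(args[0], args[1], X509KeyStorageFlags.MachineKeySet);
        XmlDocument signed = Sign(sample, cert);

        string method = EmittedSignatureMethod(signed);
        Console.WriteLine("SignatureMethod: " + method);
        if (method != RsaSha256)
            throw new InvalidOperationException(
                "ADFS would reject this request: signed with " + method + ", expected " + RsaSha256);
    }
}
```

The `EmittedSignatureMethod` check is the part worth keeping in a real service: run it on the serialized request in a unit test or just before the redirect, and the SHA-1 default of whatever signing library is in use surfaces as a local failure with the offending URI rather than as an MSIS7093 event on the identity provider.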

1 Answer

0
Please make sure that the private key of the cert is SHA-256. You can use the X509Certificate2 .NET class to load it and see its private key algorithm.
 
answered 3/13/2020 9:13:59 PM