Old certificates/invalid signature

[pfm-solita]

When running the demo, validation of the response from NemLog-in fails. I believe the issue is that the demo includes NemLog-in metadata that has old certificates.

[ronnieholm]

Duplicate of #70?

[pfm-solita]

I do not understand how having the outdated NemLog-in certificates in test-devtest4-idp-metadata.xml is the same issue as the root certificate for the certificate used by IdentityProviderDemo being installed in the wrong location in the certificate store. But if it is indeed the same issue feel free to close this issue.

[pfm-solita]

Just some additional information. This is the error I get when being redirected back to https://oiosaml-net.dk:20002/login.ashx after logging in to NemLog-in.

Exception Details: dk.nita.saml20.Saml20Exception: dk.nita.saml20.Saml20Exception: dk.nita.saml20.Saml20Exception: The signature of the incoming message is invalid.
at dk.nita.saml20.protocol.AbstractEndpointHandler.HandleError(HttpContext context, String errorMessage, Boolean overrideConfigSetting, Func`2 exceptionCreatorFunc) in C:\dev\github\digst\OIOSAML.Net_2\src\dk.nita.saml20\dk.nita.saml20\Protocol\AbstractEndpointHandler.cs:line 65
at dk.nita.saml20.protocol.AbstractEndpointHandler.HandleError(HttpContext context, String errorMessage) in C:\dev\github\digst\OIOSAML.Net_2\src\dk.nita.saml20\dk.nita.saml20\Protocol\AbstractEndpointHandler.cs:line 108
at dk.nita.saml20.protocol.Saml20SignonHandler.HandleAssertion(HttpContext context, XmlElement elem) in C:\dev\github\digst\OIOSAML.Net_2\src\dk.nita.saml20\dk.nita.saml20\Protocol\Saml20SignonHandler.cs:line 551
at dk.nita.saml20.protocol.Saml20SignonHandler.HandleResponse(HttpContext context) in C:\dev\github\digst\OIOSAML.Net_2\src\dk.nita.saml20\dk.nita.saml20\Protocol\Saml20SignonHandler.cs:line 340

at dk.nita.saml20.protocol.AbstractEndpointHandler.HandleError(HttpContext context, String errorMessage, Boolean overrideConfigSetting, Func`2 exceptionCreatorFunc) in C:\dev\github\digst\OIOSAML.Net_2\src\dk.nita.saml20\dk.nita.saml20\Protocol\AbstractEndpointHandler.cs:line 65
at dk.nita.saml20.protocol.AbstractEndpointHandler.HandleError(HttpContext context, String errorMessage) in C:\dev\github\digst\OIOSAML.Net_2\src\dk.nita.saml20\dk.nita.saml20\Protocol\AbstractEndpointHandler.cs:line 108
at dk.nita.saml20.protocol.AbstractEndpointHandler.HandleError(HttpContext context, Exception e) in C:\dev\github\digst\OIOSAML.Net_2\src\dk.nita.saml20\dk.nita.saml20\Protocol\AbstractEndpointHandler.cs:line 152
at dk.nita.saml20.protocol.Saml20SignonHandler.HandleResponse(HttpContext context) in C:\dev\github\digst\OIOSAML.Net_2\src\dk.nita.saml20\dk.nita.saml20\Protocol\Saml20SignonHandler.cs:line 351
at dk.nita.saml20.protocol.Saml20SignonHandler.Handle(HttpContext context) in C:\dev\github\digst\OIOSAML.Net_2\src\dk.nita.saml20\dk.nita.saml20\Protocol\Saml20SignonHandler.cs:line 94
at dk.nita.saml20.protocol.Saml20AbstractEndpointHandler.ProcessRequest(HttpContext context) in C:\dev\github\digst\OIOSAML.Net_2\src\dk.nita.saml20\dk.nita.saml20\Protocol\Saml20AbstractEndpointHandler.cs:line 60

[ronnieholm]

Right. That's a different exception I haven't come across.

I'm not Nets or Digst support. Just someone using the library like yourself. I don't think there's any official support on Github.

[ronnieholm]

Indeed. Got the same error. The short-term fix is to omitAssertionSignatureCheck.

In WebSiteDemo's web.config, modify the line below to include omitAssertionSignatureCheck="true":

<add id="https://saml.test-devtest4-nemlog-in.dk" ShaHashingAlgorithm="SHA256" omitAssertionSignatureCheck="true">