Signature validation of message with the "" character sequence

Question

Signature validation of message with the "" character sequence

bdhamelicodra opened this issue 2 years ago · 4 comments

When acting as Service Provider and using PingOne Identity Provider with both assertion and response signature, PingOne adds the certificate used to sign the assertion in the response, this certificate contains the sequence of characters "".
The .Net Framework classes System.Security.Cryptography.Xml.SignedXml and System.Xml.XmlDocument, seem to remove the character sequence "" when reading the XML document of the response and failed to verify signature of the message (no problem with the assertion signature).
The signing certificate is provided by PingOne with no configuration options (in particular, removing this character sequence or not including the certificate in the response).

Answer 1 · 2022-05-11T12:20:42.000Z

The problem only occurs if the option Sign Assertion & Response is selected in PingOne.

The signature validation works if either the option Sign Assertion or Sign Response is selected.
Options in PingOne:

Related problem https://support.pingidentity.com/s/question/0D58Z00009EPUbBSAX/i-am-trying-to-use-pingone-saml-idp-but-when-the-assertion-and-response-are-signed-the-sp-fails-to-validate-the-response-signature-due-to-the-presence-of-13-in-the-response

Answer 2 · 2022-05-11T12:55:56.000Z

Maybe related problem
https://stackoverflow.com/questions/71446457/aws-sso-signature-verification-problems

Answer 3 · 2022-05-11T12:56:37.000Z

The problem shown in a diff

On the right, XML received from PingOne
On the left, after the XML is passed by .NET

Answer 4 · 2023-04-08T09:35:43.000Z

Eexpect the problem to be solved in .NET 7.