Fail to authenticate on AzureAD when creating signed MakeAuthenticationRequest
Closed this issue · 0 comments
I am trying to send a signed AuthnRequest.
The request is created by the ServiceProvider.MakeAuthenticationRequest method.
Unfortunately, when the request is serialized it looks like this:
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2024-02-26T07:49:36.425Z" ID="id-c3f659c483bf9f3b6489a4639c6e4f22254b1306" Version="2.0" Destination="https://login.microsoftonline.com/../saml2" Consent="" AssertionConsumerServiceIndex="" AssertionConsumerServiceURL="https://login.../callback" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AttributeConsumingServiceIndex="" ProviderName="" > <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion" NameQualifier="" SPNameQualifier="" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" SPProvidedID="" >test-issuer</Issuer> <Signature> <Space>ds</Space> <Tag>Signature</Tag> <Attr> <Space>xmlns</Space> <Key>ds</Key> <Value>http://www.w3.org/2000/09/xmldsig#</Value> </Attr> <Child> <Space>ds</Space> <Tag>SignedInfo</Tag> <Child> <Space>ds</Space> <Tag>CanonicalizationMethod</Tag> <Attr> <Space/> <Key>Algorithm</Key> <Value>http://www.w3.org/2001/10/xml-exc-c14n#</Value> </Attr> </Child> <Child> <Space>ds</Space> <Tag>SignatureMethod</Tag> <Attr> <Space/> <Key>Algorithm</Key> <Value>http://www.w3.org/2000/09/xmldsig#rsa-sha1</Value> </Attr> </Child> <Child> <Space>ds</Space> <Tag>Reference</Tag> <Attr> <Space/> <Key>URI</Key> <Value>#id-c3f659c483bf9f3b6489a4639c6e4f22254b1306</Value> </Attr> <Child> <Space>ds</Space> <Tag>Transforms</Tag> <Child> <Space>ds</Space> <Tag>Transform</Tag> <Attr> <Space/> <Key>Algorithm</Key> <Value>http://www.w3.org/2000/09/xmldsig#enveloped-signature</Value> </Attr> </Child> <Child> <Space>ds</Space> <Tag>Transform</Tag> <Attr> <Space/> <Key>Algorithm</Key> <Value>http://www.w3.org/2001/10/xml-exc-c14n#</Value> </Attr> </Child> </Child> <Child> <Space>ds</Space> <Tag>DigestMethod</Tag> <Attr> <Space/> <Key>Algorithm</Key> <Value>http://www.w3.org/2000/09/xmldsig#sha1</Value> </Attr> </Child> <Child> <Space>ds</Space> <Tag>DigestValue</Tag> <Child> <Data>WIw9HtjuPxmphIWf92UTJ2U9Www=</Data> </Child> </Child> </Child> </Child> <Child> 
<Space>ds</Space> <Tag>SignatureValue</Tag> <Child> <Data>Data</Data> </Child> </Child> <Child> <Space>ds</Space> <Tag>KeyInfo</Tag> <Child> <Space>ds</Space> <Tag>X509Data</Tag> <Child> <Space>ds</Space> <Tag>X509Certificate</Tag> <Child> <Data>Data</Data> </Child> </Child> </Child> </Child> </Signature> <NameIDPolicy xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" /> </AuthnRequest>
So I get this error from AzureAD:
AADSTS7500512: XML element 'Signature' in XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol' was not expected in the SAML message. Either the element is not an expected part of a SAML message or was in the wrong location in the message. Check the names and ordering of the elements to confirm they conform to the SAML protocol specifications.
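An added pre-send check, not code from the issue or from the library, that catches exactly the structure AzureAD rejects above: it parses the serialized AuthnRequest with Go's encoding/xml and verifies that the Signature child is in the xmldsig namespace (an unprefixed <Signature> silently inherits the samlp default namespace of the root, which is what AADSTS7500512 reports) and that the root's direct children follow schema order. The child-order table and the trimmed sample request are this example's own assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

const nsDSig = "http://www.w3.org/2000/09/xmldsig#"
// Constructed sample, trimmed from the issue's output: the unprefixed <Signature> inherits the samlp default namespace.
const BrokenRequest = `<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-1" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">test-issuer</Issuer><Signature><SignedInfo/></Signature><NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/></AuthnRequest>`
// Schema order of the direct children of samlp:AuthnRequest: the RequestAbstractType
// children (Issuer, Signature, Extensions) come first, then AuthnRequestType's own.
var childOrder = map[string]int{
	"Issuer": 0, "Signature": 1, "Extensions": 2, "Subject": 3,
	"NameIDPolicy": 4, "Conditions": 5, "RequestedAuthnContext": 6, "Scoping": 7,
}
// CheckAuthnRequest rejects the two conditions behind AADSTS7500512: a Signature child
// outside the xmldsig namespace, or children out of schema order. nil means it is sendable.
func CheckAuthnRequest(doc string) error {
	dec := xml.NewDecoder(strings.NewReader(doc))
	depth, lastRank := 0, -1
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err // not well-formed XML (e.g. unclosed elements)
		}
		switch t := tok.(type) {
		case xml.StartElement:
			depth++
			if depth != 2 { // only direct children of the root matter here
				continue
			}
			if t.Name.Local == "Signature" && t.Name.Space != nsDSig {
				return fmt.Errorf("Signature is in namespace %q, expected %q", t.Name.Space, nsDSig)
			}
			if rank, known := childOrder[t.Name.Local]; known && rank < lastRank {
				return fmt.Errorf("%s appears out of schema order", t.Name.Local)
			} else if known {
				lastRank = rank
			}
		case xml.EndElement:
			depth--
		}
	}
}
```

Run against BrokenRequest it reports the Signature namespace problem; the same request with <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> passes.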