Comments (10)

Dennis, it appears that it should. I have not had personal experience with both SAML and SHA-256, but this article says that it should.

Hi Brad,
When SHA-256 is enabled on the relying party trust, we receive the following errors.
Error message on BrainHoney:
SAML Authentication Error
SignatureDescription could not be created for the signature algorithm supplied.
Error message on Buzz:
HTTP Status Code: 500
HTTP Status Description: Internal Server Error
Error: SignatureDescription could not be created for the signature algorithm supplied.
System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)
at GoCourseServer.SamlMetadata.VerifyXmlSignature(XmlDocument doc, XmlNamespaceManager manager, XmlElement element) in C:\Jenkins\jobs\xli-build\workspace\xLi\DataModel\SamlMetadata.cs:line 152
at GoCourseServer.AuthenticationRequestHandler.VerifySamlSignature(SamlMetadata metadata, XmlDocument doc, XmlNamespaceManager manager, XmlElement element) in C:\Jenkins\jobs\xli-build\workspace\xLi\Handlers\Authentication.cs:line 1707
at GoCourseServer.AuthenticationRequestHandler.SamlLoginUser(DlapContext context, Domain domain, SamlMetadata metadata, String samlResponse, Boolean verified, String logoutUrl) in C:\Jenkins\jobs\xli-build\workspace\xLi\Handlers\Authentication.cs:line 1755
at GoCourseServer.SamlMetadataHandler.ProcessConsumer(DlapContext context, String userspace) in C:\Jenkins\jobs\xli-build\workspace\xLi\HostModules\SSO.cs:line 394
at GoCourseServer.SamlMetadataHandler.ProcessRequest(HostContext context) in C:\Jenkins\jobs\xli-build\workspace\xLi\HostModules\SSO.cs:line 308
The only way we've been able to get it to work is with SHA-1.

Hi Brad,
Can someone take a look at the errors we are getting with SHA-256 and point us in the right direction?
Thank you,
Dennis

Hey Dennis, I just found out that we do not (currently) support SHA-256 for SAML configurations. I am following up with our teams to see what our options are.

Thanks, Brad. I appreciate you looking into this for us. A good number of public schools are starting to use Microsoft Office 365/Azure AD and they don't support SHA-1 for SSO.
Thanks again,
Dennis

With yesterday's release, you can now choose the signature algorithm of SHA-256 for SAML integrations. Check out the release notes.

Thanks for the update!
With SHA-256 turned on, both our metadata files return errors.
HTTP Status Code: 500
HTTP Status Description: Internal Server Error
Error: SignatureDescription could not be created for the signature algorithm supplied.
System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
at xLi.AuthenticationRequestHandler.SignXml(XmlDocument doc, X509Certificate2 certificate, String signatureAlgorithm, String referenceUri, XmlElement element, XmlElement refChild) in C:\Jenkins\jobs\xli-build\workspace\xLi\Handlers\Authentication.cs:line 639
at xLi.AuthenticationRequestHandler.MakeSamlMetadata(Domain domain, String samlEntityId, Boolean authnRequestsSigned, String singleLogoutServiceRedirectLocation, String singleLogoutServiceRedirectResponseLocation, String singleLogoutServicePostLocation, String singleLogoutServicePostResponseLocation, String assertionConsumerServiceRedirectLocation, String assertionConsumerServicePostLocation) in C:\Jenkins\jobs\xli-build\workspace\xLi\Handlers\Authentication.cs:line 835
at xLi.SamlMetadataHandler.ProcessMetadata(DlapContext context, String userspace) in C:\Jenkins\jobs\xli-build\workspace\xLi\HostModules\SSO.cs:line 381
at xLi.SamlMetadataHandler.ProcessRequest(HostContext context) in C:\Jenkins\jobs\xli-build\workspace\xLi\HostModules\SSO.cs:line 301
Details
Message:
The remote server returned an error: (500) Internal Server Error.

Hey Doug, this will need some investigation. It appears that something isn't configured properly. Could you guys create a support ticket for this so that our team can look into it?

Yes, we'll do that. Thanks,
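The exception in both stack traces above is the one SignedXml throws on .NET Framework releases before 4.6.2 when nothing maps the rsa-sha256 algorithm URI to a SignatureDescription, so both the verify path (CheckSignedInfo) and the signing path (ComputeSignature) fail. As an added example, not Agilix/BrainHoney code and with class and helper names of its own, here is the registration that lets SignedXml sign and verify with RSA-SHA256, plus a verify routine that pins the IdP certificate from metadata and refuses any algorithm other than SHA-256:

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not Agilix code. .NET Framework before 4.6.2 maps no SignatureDescription
// to the rsa-sha256 URI, so SignedXml.CheckSignedInfo (verify) and ComputeSignature (sign)
// both throw the exception quoted in the thread; registering one fixes both paths.
public sealed class RsaPkcs1Sha256SignatureDescription : SignatureDescription
{
    public RsaPkcs1Sha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }
    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var d = new RSAPKCS1SignatureDeformatter(key);
        d.SetHashAlgorithm("SHA256");   // PKCS#1 v1.5 padding over a SHA-256 digest
        return d;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var f = new RSAPKCS1SignatureFormatter(key);
        f.SetHashAlgorithm("SHA256");
        return f;
    }
}

public static class SamlSignatureCheck   // hypothetical helper; names are this example's own
{
    public const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Run once at process start, before any SignedXml use.
    public static void RegisterSha256() =>
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha256SignatureDescription), RsaSha256);
    // Verify the enveloped signature with the IdP certificate from metadata (never from the
    // message's own KeyInfo) and accept only RSA-SHA256, so SHA-1 cannot creep back in.
    public static bool VerifyResponse(XmlDocument doc, X509Certificate2 idpSigningCert)
    {
        var sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;              // exactly one signature expected
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        if (signedXml.SignedInfo.SignatureMethod != RsaSha256) return false;
        return signedXml.CheckSignature(idpSigningCert, verifySignatureOnly: true);
    }
}
```

On .NET Framework 4.6.2 and later the built-in RSAPKCS1SHA256SignatureDescription is already registered and the custom class is unnecessary, but the algorithm pin in VerifyResponse still matters.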
Hi, I cannot get into SIS.