Buzz: Questions & Answers

Support for SHA-256

Implemented feature idea or fixed bug
Dennis Killmer

Is it possible to configure SAML using SHA-256?

Comments (9)

Brad Marshall
  • Agilix team member

Dennis, it appears that it should. I have not had personal experience with both SAML and SHA-256, but this article says that it should.

Doug Killmer

Hi Brad,

When SHA-256 is enabled on the relying party trust, we receive the following errors.

Error message on BrainHoney:

SAML Authentication Error

SignatureDescription could not be created for the signature algorithm supplied.

Error message on Buzz:

HTTP Status Code: 500
HTTP Status Description: Internal Server Error
Error: SignatureDescription could not be created for the signature algorithm supplied.

System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
   at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)
   at GoCourseServer.SamlMetadata.VerifyXmlSignature(XmlDocument doc, XmlNamespaceManager manager, XmlElement element) in C:\Jenkins\jobs\xli-build\workspace\xLi\DataModel\SamlMetadata.cs:line 152
   at GoCourseServer.AuthenticationRequestHandler.VerifySamlSignature(SamlMetadata metadata, XmlDocument doc, XmlNamespaceManager manager, XmlElement element) in C:\Jenkins\jobs\xli-build\workspace\xLi\Handlers\Authentication.cs:line 1707
   at GoCourseServer.AuthenticationRequestHandler.SamlLoginUser(DlapContext context, Domain domain, SamlMetadata metadata, String samlResponse, Boolean verified, String logoutUrl) in C:\Jenkins\jobs\xli-build\workspace\xLi\Handlers\Authentication.cs:line 1755
   at GoCourseServer.SamlMetadataHandler.ProcessConsumer(DlapContext context, String userspace) in C:\Jenkins\jobs\xli-build\workspace\xLi\HostModules\SSO.cs:line 394
   at GoCourseServer.SamlMetadataHandler.ProcessRequest(HostContext context) in C:\Jenkins\jobs\xli-build\workspace\xLi\HostModules\SSO.cs:line 308

The only way we've been able to get it to work is with SHA-1.  

Dennis Killmer

Hi Brad,

Can someone take a look at the errors we are getting with SHA-256 and point us in the right direction?

Thank you,

Dennis

Brad Marshall
  • Agilix team member

Hey Dennis, I just found out that we do not (currently) support SHA-256 for SAML configurations. I am following up with our teams to see what our options are.

Dennis Killmer

Thanks, Brad. I appreciate you looking into this for us. A good number of public schools are starting to use Microsoft Office 365/Azure AD and they don't support SHA-1 for SSO.

Thanks again,

Dennis

Brad Marshall
  • Agilix team member

With yesterday's release, you can now choose the signature algorithm of SHA-256 for SAML integrations. Check out the release notes.

Doug Killmer

Thanks for the update!  

With SHA-256 turned on, both our metadata files return errors.

HTTP Status Code: 500
HTTP Status Description: Internal Server Error
Error: SignatureDescription could not be created for the signature algorithm supplied.

System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
   at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
   at xLi.AuthenticationRequestHandler.SignXml(XmlDocument doc, X509Certificate2 certificate, String signatureAlgorithm, String referenceUri, XmlElement element, XmlElement refChild) in C:\Jenkins\jobs\xli-build\workspace\xLi\Handlers\Authentication.cs:line 639
   at xLi.AuthenticationRequestHandler.MakeSamlMetadata(Domain domain, String samlEntityId, Boolean authnRequestsSigned, String singleLogoutServiceRedirectLocation, String singleLogoutServiceRedirectResponseLocation, String singleLogoutServicePostLocation, String singleLogoutServicePostResponseLocation, String assertionConsumerServiceRedirectLocation, String assertionConsumerServicePostLocation) in C:\Jenkins\jobs\xli-build\workspace\xLi\Handlers\Authentication.cs:line 835
   at xLi.SamlMetadataHandler.ProcessMetadata(DlapContext context, String userspace) in C:\Jenkins\jobs\xli-build\workspace\xLi\HostModules\SSO.cs:line 381
   at xLi.SamlMetadataHandler.ProcessRequest(HostContext context) in C:\Jenkins\jobs\xli-build\workspace\xLi\HostModules\SSO.cs:line 301
Details
Message: The remote server returned an error: (500) Internal Server Error.
Time: Friday, March 4, 2016 9:13:54 PM UTC
URL: https://azure-test.brainhoney.com/SAML/metadata.ashx/FederationMetadata/2007-06/FederationMetadata.xml
User ID:  
Version: 2016.3.1.1295
Machine: BH_631701
Code: 500 Internal Server Error
Error ID: fbd739978c0c40588546630750082165

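Both traces in this thread end in the same CryptographicException: first from SignedXml.CheckSignature when Buzz verified an incoming assertion signed with SHA-256, then from SignedXml.ComputeSignature when it signed its own metadata with SHA-256 selected. SignedXml raises "SignatureDescription could not be created for the signature algorithm supplied" whenever CryptoConfig has no SignatureDescription registered for the SignatureMethod URI in use, and on .NET Framework releases before 4.6.2 nothing is registered for http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 unless the application adds it. The C# below is an added example written for this thread, not Agilix code, and it assumes that this missing registration is the cause; it registers an RSA-SHA256 description, signs a constructed element, verifies it, and pins the verifier to RSA-SHA256 so a document signed with SHA-1 fails closed instead of being accepted. The XML, the Id value and the key are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// SignatureDescription for RSA PKCS#1 v1.5 with SHA-256. .NET Framework 4.6.2 and
// later ship and register an equivalent class; earlier releases need one like this.
public sealed class RsaPkcs1Sha256SignatureDescription : SignatureDescription
{
    public RsaPkcs1Sha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override HashAlgorithm CreateDigest()
    {
        return SHA256.Create();
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var formatter = new RSAPKCS1SignatureFormatter(key);
        formatter.SetHashAlgorithm("SHA256");
        return formatter;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm("SHA256");
        return deformatter;
    }
}

public static class XmlDsigSha256
{
    public const string RsaSha256Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    public const string Sha256DigestUri = "http://www.w3.org/2001/04/xmlenc#sha256";

    // Maps the SignatureMethod URI to the description above so SignedXml can both
    // compute and check RSA-SHA256 signatures. Call once at application startup.
    public static void Register()
    {
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha256SignatureDescription), RsaSha256Uri);
    }

    // Produces an enveloped RSA-SHA256 signature over the element whose Id is referenceId.
    public static XmlElement Sign(XmlDocument doc, RSA key, string referenceId)
    {
        var signedXml = new SignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.SignatureMethod = RsaSha256Uri;
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

        var reference = new Reference("#" + referenceId) { DigestMethod = Sha256DigestUri };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        // Without Register(), this is the call that throws the exception seen in the thread.
        signedXml.ComputeSignature();
        return signedXml.GetXml();
    }

    // Verifies against a key the relying party already trusts (never one read out of the
    // document itself) and accepts only RSA-SHA256, so a SHA-1 signature is rejected.
    public static bool Verify(XmlDocument doc, RSA trustedKey)
    {
        var signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1)
        {
            return false;
        }
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]);
        if (signedXml.SignatureMethod != RsaSha256Uri)
        {
            return false;
        }
        return signedXml.CheckSignature(trustedKey);
    }
}

public static class Program
{
    public static void Main()
    {
        XmlDsigSha256.Register();

        // Constructed stand-in for a SAML element; the Id value is made up for this example.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Response Id=\"_example-1\" xmlns=\"urn:example\"><Subject>alice</Subject></Response>");

        // Provider type 24 (PROV_RSA_AES) is required; the older PROV_RSA_FULL CSP cannot hash with SHA-256.
        using (var rsa = new RSACryptoServiceProvider(2048, new CspParameters(24)))
        {
            XmlElement signature = XmlDsigSha256.Sign(doc, rsa, "_example-1");
            doc.DocumentElement.AppendChild(doc.ImportNode(signature, true));
            Console.WriteLine("untouched document verifies: " + XmlDsigSha256.Verify(doc, rsa));

            // Any change to the signed content invalidates the reference digest.
            doc.DocumentElement["Subject"].InnerText = "mallory";
            Console.WriteLine("tampered document verifies: " + XmlDsigSha256.Verify(doc, rsa));
        }
    }
}
```

Two caveats for anyone reproducing this with a real certificate: the private key must live in a CSP of provider type 24, since a certificate imported into the legacy PROV_RSA_FULL provider yields "Invalid algorithm specified" when asked for SHA-256, and on .NET Framework 4.6.2 or later the Register() call is harmless but unnecessary because the framework already maps the rsa-sha256 URI.
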
Brad Marshall
  • Agilix team member

Hey Doug, this will need some investigation. It appears that something isn't configured properly. Could you guys create a support ticket for this so that our team can look into it?

Doug Killmer

Yes, we'll do that.  Thanks,
