can't validate sha256 from adfs

[dcripplinger]

Hi, this might be a long shot to figure out, but I'm desperate to find an answer somewhere. For the longest time, we've used pysaml2 and we've never been able to get it to work with idps using adfs unless we tell them to use sha1. Now we have someone that demands to use sha256 with their adfs. We have others that do sha256 with us successfully but not with adfs. We simply haven't been able to figure out why adfs sha256 fails signature validation. Does this sound at all similar to any known issues?

[jkakavas]

Hi,

It's not pretty clear from your description which software provides the signature, and which fails to validate it. Can you provide is with :

• Sample signed document
• Error messages

[dcripplinger]

Good news. We figured it out.

First, to clarify your questions, the IdP (using ADFS) is supplying a signature to the SP (which is us) to use to verify saml responses. The problem was fixed when we inspected the embedded cert in saml responses after they switched to sha256. It wasn't the same as the cert they originally provided us. Since this has happened in every case we've ever tried to do this with an ADFS customer, our hypothesis is that ADFS updates with a new cert when someone changes their signing algorithm, and the users of ADFS are none the wiser. After we updated our records with the new cert, it worked fine.

[naggie]

Thanks @dcripplinger for posting the conclusion -- I've seen what looks like the same issue though the fix was different.

As it turns out, the SAMLRequest going to the IdP was signed with sha1 despite configuring the signing_algorithm to be sha256 in the config.

Specifying sigalg to prepare_for_authenticate is what worked. I used import xmldsig; xmldsig.SIG_RSA_SHA256

(I know this is an old post but I thought I would comment to help someone experiencing an XKCD 979 situation :)

[naggie]

I traced this down to incorrect configuration documentation meaning my values were not set. I will make a PR to correct this.