Hi,
I use Saml2SecurityTokenHandler to read and verify a Saml2 assertion:
var handler = new Saml2SecurityTokenHandler(...);
handler.ReadAssertion(reader);
If the assertion element contains no whitespace, WIF can read it and verify the signature without any problem:
<Assertion Version="2.0" ID="_id23590171-98f5-4dee-810a-d1b1cb67043b" IssueInstant="2015-02-24T04:17:13.1099295Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>...</Issuer><Signature xmlns=...>...</Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">A00ALR</NameID>
However, if the assertion element contains whitespace, signature verification fails with the error message "System.Security.Cryptography.CryptographicException: Digest verification failed for Reference '#_id23590171-98f5-4dee-810a-d1b1cb67043b'.":
<Assertion Version="2.0" ID="_id23590171-98f5-4dee-810a-d1b1cb67043b" IssueInstant="2015-02-24T04:17:13.1099295Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>...</Issuer><Signature xmlns=...><SignedInfo><CanonicalizationMethod ... />...</SignedInfo>...</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">A00ALR</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2015-02-24T05:17:13.1099295Z" Recipient="..." InResponseTo="id00911069320a43c1b3d0a35ded7de971" />
</SubjectConfirmation>
</Subject>
The signature is valid because it can be verified successfully by other libraries.
Is this a limitation of WIF 4.5, or is there a way to ask WIF to respect the whitespace while verifying the signature?
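Added example, not part of the original post: a Python model of what the error describes. The IdP's DigestValue covers the canonical form of the bytes it signed, indentation text nodes included, so a verifier whose XML reader drops whitespace-only nodes canonicalizes a different tree and the digests no longer match, while a compact assertion is unaffected. The sample assertion, the element contents, and the use of the standard library's C14N 2.0 in place of exc-c14n are assumptions made for the illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Serialize the SAML namespace as the default namespace, as the IdP did.
ET.register_namespace("", SAML_NS)

# Constructed sample assertions (no real signature): identical content, with and
# without the indentation whitespace a pretty-printing IdP would emit.
COMPACT = (f'<Assertion xmlns="{SAML_NS}" Version="2.0" ID="_example1">'
           '<Issuer>idp.example</Issuer><Subject><NameID>A00ALR</NameID></Subject>'
           '</Assertion>')
PRETTY = (f'<Assertion xmlns="{SAML_NS}" Version="2.0" ID="_example1">\n'
          '  <Issuer>idp.example</Issuer>\n'
          '  <Subject>\n'
          '    <NameID>A00ALR</NameID>\n'
          '  </Subject>\n'
          '</Assertion>')


def digest_of(xml_text: str) -> str:
    """SHA-256 over the canonical form, the way a Reference's DigestValue is built.
    The standard library's C14N 2.0 stands in for exc-c14n here (assumption)."""
    canonical = ET.canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def signer_digest(xml_text: str) -> str:
    """The DigestValue the IdP stored: computed over the bytes it actually signed."""
    return digest_of(xml_text)


def verifier_digest(xml_text: str, ignore_whitespace: bool) -> str:
    """What the relying party computes after parsing and re-serializing the assertion.
    ignore_whitespace=True models a reader that drops whitespace-only text nodes."""
    root = ET.fromstring(xml_text)
    if ignore_whitespace:
        for el in root.iter():
            if el.text is not None and not el.text.strip():
                el.text = None
            if el.tail is not None and not el.tail.strip():
                el.tail = None
    return digest_of(ET.tostring(root, encoding="unicode"))


def reference_matches(xml_text: str, ignore_whitespace: bool) -> bool:
    """True when the verifier's digest equals the signed DigestValue; False is the
    'Digest verification failed for Reference' outcome."""
    return verifier_digest(xml_text, ignore_whitespace) == signer_digest(xml_text)
```

The defensive takeaway is that the verifier must hand the signature code the document exactly as received; in .NET that means loading it with whitespace preserved (XmlDocument.PreserveWhitespace is false by default) rather than altering the assertion.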