Hi,
I'm using WIF to read a message whose signature doesn't have a KeyInfo element:
<Response ID="idc640375b45ac4293ae9a70bab7991991" Version="2.0" IssueInstant="2016-01-11T09:40:28.6192428Z" Destination="https://idp.example.local/..." InResponseTo="idd14f45aa327748269e2d4adba05e52cd" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://samples.example.local/.../</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="#idc640375b45ac4293ae9a70bab7991991">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>BvSo2SLM+rL+FCx9UwiWApIbT12/9ffKZbN9Iuc1O54=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>IkQ7iPrTPzmc+DWJ4J9AfBmZm1cOLrVQu2o6Dd0/jKvWp3xb8D1gNqrShHo57qx8t0cLatW2ZJvC/YtGCuXNUlm8VM7OTakn3rSBUJmY+5yWyhkD+EOPkBOZFoXYjQCtfLXaZhM8sYYeJnPEEpRF9Nl/Mop/15aQjbRczmiPiy0lgohMjF/TIQp401CUNbXcHsvUf+DDcTqNmUoyXE0cbrKr351bIqXsPLagQ7OW0nVDwD0B2s4uYkPR8ZJegaSma9keGI4fqRTteubRTznrxFdbi4yWof9McdlsYpzvaqIJsoQHSEpiKXeg1sK83KxLgMfHyRofznD7BW6iFhHAlA==</SignatureValue>
  </Signature>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </Status>
WIF refuses to process the message and throws an exception:
[InvalidOperationException: ID3276: The signing credentials cannot be resolved because signed XML does not contain a SecurityKeyIdentifier.]
System.IdentityModel.EnvelopedSignatureReader.ResolveSigningCredentials() +527
System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement() +55
System.IdentityModel.EnvelopedSignatureReader.Read() +90
System.Xml.XmlReader.ReadEndElement() +54
But according to https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, section 5.4.5, such a signature is valid: "XML Signature defines usage of the <ds:KeyInfo> element. SAML does not require the use of <ds:KeyInfo>, nor does it impose any restrictions on its use. Therefore, <ds:KeyInfo> MAY be absent."
Could anyone please show me if there is a workaround for this issue? Why does WIF enforce such a rule? To make the situation more frustrating, all the relevant classes are marked as internal, which makes extending them impossible.
Thank you in advance,
Thuan.
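One practical workaround for the ID3276 error described in the post, as an added example that is not part of the original post and not WIF's own code: verify the enveloped signature yourself against the IdP certificate you already trust, then insert a ds:KeyInfo naming that same certificate before handing the XML to WIF. The KeyInfo element sits outside SignedInfo and the enveloped-signature transform strips the whole ds:Signature element from the digested content, so adding it does not change the digest or the signature value. The certificate path and the name of the WIF reader you feed the result to are assumptions; the pinned certificate must also be one WIF's issuer token resolver / issuer name registry trusts, which is configuration on your side, not something in the message.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Pre-processing for SAML 2.0 messages signed without ds:KeyInfo.
// WIF's EnvelopedSignatureReader needs a SecurityKeyIdentifier built from
// KeyInfo; we supply one that names the certificate we already pinned, but
// only after the signature has verified against that certificate.
static class SamlKeyInfoFixup
{
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    static XmlNamespaceManager Ns(XmlDocument doc)
    {
        var nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("ds", DsigNs);
        return nsm;
    }

    // Step 1: verify the enveloped signature with the pinned IdP certificate.
    // Any KeyInfo the sender might include is deliberately ignored; a key named
    // by the message is never the key we trust.
    public static bool VerifyWithPinnedCert(XmlDocument doc, X509Certificate2 idpSigningCert)
    {
        var sigEl = doc.SelectSingleNode("/*/ds:Signature", Ns(doc)) as XmlElement;
        if (sigEl == null) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sigEl);

        // Exactly one Reference, and it must point at the root element's ID.
        // Otherwise a validly signed fragment could be wrapped in an unsigned
        // envelope whose root is what the application actually reads.
        var rootId = doc.DocumentElement.GetAttribute("ID");
        var refs = signedXml.SignedInfo.References.Cast<Reference>().ToList();
        if (refs.Count != 1 || string.IsNullOrEmpty(rootId) || refs[0].Uri != "#" + rootId)
            return false;

        // verifySignatureOnly = true: we are checking the bytes against a
        // certificate we configured, not building a chain for one from the message.
        return signedXml.CheckSignature(idpSigningCert, true);
    }

    // Step 2: add ds:KeyInfo/ds:X509Data/ds:X509Certificate for that same
    // certificate so WIF can resolve the signing credentials.
    public static XmlDocument AddKeyInfoIfMissing(XmlDocument doc, X509Certificate2 idpSigningCert)
    {
        var nsm = Ns(doc);
        var sigEl = (XmlElement)doc.SelectSingleNode("/*/ds:Signature", nsm);
        if (sigEl.SelectSingleNode("ds:KeyInfo", nsm) != null) return doc;

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(idpSigningCert));
        var keyInfoEl = doc.ImportNode(keyInfo.GetXml(), true);

        // Schema order inside ds:Signature: SignedInfo, SignatureValue, KeyInfo, Object*
        var sigValue = sigEl.SelectSingleNode("ds:SignatureValue", nsm);
        sigEl.InsertAfter(keyInfoEl, sigValue);
        return doc;
    }

    // Entry point: returns XML that WIF will accept, or throws if the signature
    // does not verify against the pinned certificate.
    public static string Prepare(string responseXml, X509Certificate2 idpSigningCert)
    {
        // PreserveWhitespace is required so canonicalisation sees the same bytes
        // that were signed; XmlResolver = null blocks external entity resolution.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(responseXml);

        if (!VerifyWithPinnedCert(doc, idpSigningCert))
            throw new InvalidOperationException(
                "SAML response signature does not verify against the configured IdP certificate");

        return AddKeyInfoIfMissing(doc, idpSigningCert).OuterXml;
    }
}

// Usage (assumed certificate path; the reader that threw ID3276 is whatever you
// were already calling, this example does not change it):
//   var cert = new X509Certificate2(@"C:\certs\idp-signing.cer");
//   string fixedXml = SamlKeyInfoFixup.Prepare(rawResponseXml, cert);
//   // hand fixedXml to the WIF reader/handler that previously threw ID3276
```

The order of the two steps matters: if you injected KeyInfo first and let WIF do all the verification, a message signed by some other key would fail anyway, but you would be relying on WIF's key resolution rather than your own pin, and the Reference URI check above is what prevents a signature-wrapping variant from passing. Keep the independent check even once WIF is happy with the KeyInfo.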