Exclusive Canonicalization transform "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" algorithm is not supported by ADFS 4.0


Hi,

I set up an SP and am using a servlet to generate the metadata XML by referencing java-saml/samples/java-saml-tookit-jspsample/src/main/webapp/metadata.jsp. I saved the metadata as an XML file and imported it into ADFS 4.0 via the "add relying party trust" function, and the error is as below. It says “Exclusive Canonicalization transform “http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments” algorithm is not supported”.

I checked the http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf at line 2941:

Signatures in SAML messages SHOULD NOT contain transforms other than the enveloped signature transform (with the identifier http://www.w3.org/2000/09/xmldsig#enveloped-signature) or the exclusive canonicalization transforms (with the identifier http://www.w3.org/2001/10/xml-exc-c14n# or http://www.w3.org/2001/10/xml-exc-c14n#WithComments).

If I am right, “http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments” is added in com.onelogin.saml2.util.Util line 1087: transforms.addTransform(c14nMethod);

Is this the correct code? It seems ADFS 4.0 doesn’t accept it. Or do I need to configure ADFS to accept it?

Please let me know if you have any comments, thank you very much.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
pitbulk commented, Mar 20, 2018

It seems I added the wrong c14n method; please replace, at line 1109 of Util.java,

String c14nMethod = Constants.C14N_WC;

by

String c14nMethod = Constants.C14NEXC_WC;

And let me know if that fixes your issue.
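As an added illustration (not code from java-saml or from this thread), the following Python check parses a signed SAML metadata document and flags any ds:Transform algorithm outside the set SAML-core allows in the quoted line 2941, which is exactly the inclusive C14N URI ADFS rejected here. The metadata sample is constructed with the element shape java-saml emits; the entityID, ID and digest values are placeholders.

```python
# Added example (not java-saml's own code): lint the ds:Transform algorithms in a
# signed SAML metadata document against the set SAML-core permits (and ADFS accepts).
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}

def check_transforms(xml_text: str) -> list:
    """Return (reference_uri, algorithm) pairs whose transform is outside the allowed set."""
    root = ET.fromstring(xml_text)
    bad = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        for t in ref.iter(f"{{{DS}}}Transform"):
            alg = t.get("Algorithm", "")
            if alg not in ALLOWED_TRANSFORMS:
                bad.append((uri, alg))
    return bad

def _metadata(c14n: str) -> str:
    """Constructed sample with the shape java-saml emits; c14n is the second transform."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="{DS}" ID="_abc" entityID="https://sp.example.test/metadata">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_abc">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="{c14n}"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
</md:EntityDescriptor>"""

# Before the fix: inclusive C14N (#WithComments), the URI ADFS rejected in this thread.
BEFORE_FIX = _metadata("http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments")
# After the fix (Constants.C14NEXC_WC): exclusive C14N with comments.
AFTER_FIX = _metadata("http://www.w3.org/2001/10/xml-exc-c14n#WithComments")
```

Running check_transforms over the metadata file you export is a quick way to confirm the patched build before re-importing it into ADFS.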

0 reactions
dave-handy commented, Mar 23, 2018

I believe we found the issue with the signature verification, in that the cert my team is using is self signed, and it seems that ADFS performs a revocation and trust chain verification on the signer cert by default, unlike other IDPs we’ve worked with. I am still using the patched version of java-saml with your suggested change to the c14nMethod value, which does appear to be necessary to even get this far.

TL;DR: I think the change is working, but you probably want some additional verification 😉 I pushed up a PR with the change.
