
WS Federation metadata is not signed


#1

I’m trying to get Auth0 running with an existing app using WS-Federation. The existing app gets the FederationMetadata.xml and checks if it is signed. If it is not, an exception is thrown. Is there an option to sign the XML file in Auth0?

Thanks,
Jacek


#2

Have you had a look through our WS-Federation docs? That would be a good starting point


#3

Thanks for the answer. Yes I did, but I didn’t find anything about signing the FederationMetadata.xml. Google didn’t help either :)


#4

Can you provide details on the exception being thrown?

The purpose of a cryptographic signature is to ensure that the contents have not been tampered with (and that’s why WS-Fed responses are signed). Setting up a WS-Federation trust, however, is usually a process where an administrator is involved. If the administrator (or the software itself) downloads the metadata from an https endpoint (like ours) then you are sure that the response is coming from your Auth0 domain.


#5

The exception comes from this library: System.IdentityModel.Tokens.ValidatingIssuerNameRegistry.dll. And the error text is as follows: System.InvalidOperationException: ‘WIF10120: Metadata must be signed. Metadata was not signed at location: ‘https://********.eu.auth0.com/wsfed/FederationMetadata/2007-06/FederationMetadata.xml’.’


#6

Definitely as clear as it can be… I also checked some ADFS metadata responses and they are indeed signed, so I stand corrected: there’s definitely a place for signatures in metadata documents.

Unfortunately we don’t support it at the moment. I can file a feature request for this, but unfortunately can promise any immediate resolution.

For what it’s worth, we used the WS-Fed server capabilities to provide SSO to many Microsoft products (including Dynamics CRM, SharePoint, Office 365) and none of them ever complained about the lack of a signature, so I was really surprised about this WIF requirement.

Sorry I can’t be of much help here.


#7

Thanks for the effort, please do file a feature request. In the meantime I’ll try to sign the XML myself as a workaround.


#8

How can I use the signing certificate from the advanced settings in application settings to sign the metadata myself? I tried the .NET SignedXml object, but I do not have the private key for the certificate from the settings.
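
Added example, not part of the thread and not Auth0 or WIF code: the presence check behind the WIF10120 error in post #5, combined with the administrator-driven trust setup described in post #4. It reports whether a metadata document carries an enveloped signature and derives the signing certificate thumbprints for comparison with values obtained out of band; it detects a signature but does not validate one, and the sample document, placeholder certificate bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the "certificate" is placeholder bytes, not a real X.509 cert.
FAKE_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_UNSIGNED = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="urn:example-tenant">
  <RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>"""


def inspect_metadata(xml_text):
    """Report signature presence and SHA-1 thumbprints of the signing certificates."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTDs are not expected in federation metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a federation metadata document")
    # An enveloped XML-DSig signature sits directly under EntityDescriptor.
    has_signature = root.find("ds:Signature", NS) is not None
    thumbprints = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # skip encryption-only keys
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            # SHA-1 over the DER bytes is the Windows thumbprint convention.
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    return {"entity_id": root.get("entityID"), "signed": has_signature,
            "signing_thumbprints": thumbprints}


def matches_pin(report, pinned_thumbprints):
    """True only if every signing cert in the metadata was pinned out of band."""
    found = set(report["signing_thumbprints"])
    pinned = {p.replace(" ", "").upper() for p in pinned_thumbprints}
    return bool(found) and found <= pinned
```
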