Error with signature verification - ADFS - SAML2


I'm looking for help with signature verification for SAML2 authentication. I wanted to connect a webapp to an ADFS server.

I made some tests:

  1. the signature verification works for the sha1RSA signature algorithm
  2. the signature verification didn't work for the sha256RSA signature algorithm

This is my code (it's a part of the saml2-js library):

crypto        = require 'crypto'
debug         = require('debug') 'saml2'
{parseString} = require 'xml2js'
url           = require 'url'
util          = require 'util'
xmlbuilder    = require 'xmlbuilder'
xmlcrypto     = require 'xml-crypto'
xmldom        = require 'xmldom'   # required for DOMParser below; missing from the snippet

# Verify the enveloped XML-DSig signature of a SAML document against the IdP certificate.
check_saml_signature = (_xml, certificate, cb) ->
  xml = _xml.replace(/\r\n?/g, '\n')
  doc = (new xmldom.DOMParser()).parseFromString(xml)

  # Locate the ds:Signature element whatever namespace prefix the IdP used.
  signature = xmlcrypto.xpath(doc.documentElement, "//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")

  console.log("SIGNATURE : " + signature)
  sig = new xmlcrypto.SignedXml()
  # xml-crypto keeps HashAlgorithms and SignatureAlgorithms as lookup tables keyed by
  # algorithm URI, and its defaults already register sha256 and rsa-sha256; assigning
  # arrays here replaces those tables.
  sig.HashAlgorithms = ["http://www.w3.org/2001/04/xmlenc#sha256"]
  sig.SignatureAlgorithms = ["http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"]
  console.log("Signature : " + sig.SignatureAlgorithms)
  test = format_pem(certificate, 'CERTIFICATE')
  console.log("CERTIFICATE : " + test)
  # The configured IdP certificate is used as the verification key; the KeyInfo
  # embedded in the message is deliberately not trusted.
  sig.keyInfoProvider = getKey: -> format_pem(certificate, 'CERTIFICATE')
  console.log("KEYINFO:" + sig.keyInfoProvider)
  sig.loadSignature signature[0]
  valid = sig.checkSignature xml
  console.log("Valid ADFS : " + valid)
  if valid
    return true
  else
    console.log(sig.validationErrors)
    return false

# Wrap a bare base64 certificate or key in PEM armour; leave it alone if already PEM.
format_pem = (key, type) ->
  return key if (/-----BEGIN [0-9A-Z ]+-----[^-]*-----END [0-9A-Z ]+-----/g.exec(key))?
  return "-----BEGIN #{type.toUpperCase()}-----\n" + key.match(/.{1,64}/g).join("\n") + "\n-----END #{type.toUpperCase()}-----"

Output:

SIGNATURE : <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_79f9a2d9-b2dc-45f7-906c-075a76f8548d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>GEkLGRzwMpVPtCiic9Dv1AbxG5a/fz199lyPHs07oGc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>LUGusFWX4iPNrJ55GQ42bCin6JJs9Gf0EVtFQBXQwo2CS2kfybKCXCVHXGmF2rcZsWLS1mDjZrrqFEKt9MDvKJNJByya/7/+HhaHJfxJPe8zta/LtSu40XfEzmhHfjJLRzTUyw78mpy/ju1OwV6USVc6vOCXtVG3XgA5TQSxgUbadSpi5F6KMUANtRzGVqQocOmHLMo9Oa5BDG2wds9vRsR/AGcFMANTf0MeSs1VdjjJiTIcMoUMRvhcut0iKe49M+MKh9Q0Z4wsRIUzsEtrHT/+RgdMeqaA2ZV8psCueYPYIIF+BFYYh4J65ft+B0R8rO4UdYNmqcg9W833jPLBLw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature>

Signature : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

CERTIFICATE : -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----

KEYINFO:[object Object]
Valid ADFS : false
[ 'invalid signature: the signature value LUGusFWX4iPNrJ55GQ42bCin6JJs9Gf0EVtFQBXQwo2CS2kfybKCXCVHXGmF2rcZsWLS1mDjZrrqFEKt9MDvKJNJByya/7/+HhaHJfxJPe8zta/LtSu40XfEzmhHfjJLRzTUyw78mpy/ju1OwV6USVc6vOCXtVG3XgA5TQSxgUbadSpi5F6KMUANtRzGVqQocOmHLMo9Oa5BDG2wds9vRsR/AGcFMANTf0MeSs1VdjjJiTIcMoUMRvhcut0iKe49M+MKh9Q0Z4wsRIUzsEtrHT/+RgdMeqaA2ZV8psCueYPYIIF+BFYYh4J65ft+B0R8rO4UdYNmqcg9W833jPLBLw== is incorrect']
[2021-06-11T11:43:27.770] Error parsing SAML response from IDP for test. This could indicate a SAML configuration issue on our side or the IDP's. Error: SAML Assertion signature check failed! (checked 1 certificate(s))

Thanks for your help

There is 1 answer below
There is an option in the ADFS RP (under "Advanced"?) to switch between SHA1 and SHA256.

What is it set to?