Busy trying to get ADFS v2.0 to work with a third-party SAML implementation and got this weird error:
System.Security.Cryptography.CryptographicException: ID6005: Exclusive Canonicalization transform does not support the algorithm 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'.
An “IDxxxx” error normally means it comes from WIF, so I trawled through that and it turns out that the only transform it accepts is:
The transforms .NET works with are all listed in:
So I had to get the third party code changed to conform with ADFS.
What is the point of all this, you may ask.
This is all connected with signatures, e.g. your sp.xml looks like:
<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
Because XML can take many physical forms (whitespace or none, CR or CR/LF line ends, etc.), you need to convert the XML to an agreed format before you sign it. Otherwise the other side may be checking the signature on a “different” document. These “agreed formats” are the canonical transforms, and they are all W3C standards.
So, for example, the specification states:
The canonical form of an XML document is the physical representation of the document produced by the method described in this specification. The changes are summarized in the following list:
- The document is encoded in UTF-8
- Line breaks normalized to #xA on input, before parsing
- Attribute values are normalized, as if by a validating processor
- Character and parsed entity references are replaced
- CDATA sections are replaced with their character content
- The XML declaration and document type declaration (DTD) are removed
- Empty elements are converted to start-end tag pairs
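As an added example (not code from the original post), the Python below builds one SAML AuthnRequest serialised two different ways, shows that the raw bytes hash differently while the canonical forms hash identically, and scans a ds:Signature skeleton for the inclusive C14N URI from the ID6005 error. It uses the standard library's xml.etree canonicalize(), which implements C14N 2.0 rather than the 1.0 and exclusive algorithms ADFS deals with, and every document here is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
# Algorithm URI quoted in the ID6005 error (inclusive C14N 1.0).
INCLUSIVE_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace

# Constructed sample: one logical AuthnRequest serialised two ways. DOC_B
# differs only in things C14N removes: no XML declaration, CR/LF line ends,
# single-quoted attributes in another order, and the empty element written
# as a start-end tag pair. Whitespace text nodes are kept, so indent matches.
DOC_A = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' ID="_example-1" Version="2.0">\n'
    '  <samlp:NameIDPolicy AllowCreate="true"/>\n'
    '</samlp:AuthnRequest>\n'
)
DOC_B = (
    "<samlp:AuthnRequest Version='2.0' ID='_example-1'"
    " xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>\r\n"
    "  <samlp:NameIDPolicy AllowCreate='true'></samlp:NameIDPolicy>\r\n"
    "</samlp:AuthnRequest>\r\n"
)

def raw_digest(xml_text: str) -> str:
    """SHA-256 of the bytes as sent: DOC_A and DOC_B differ."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def canonical_digest(xml_text: str) -> str:
    """SHA-256 after canonicalisation: DOC_A and DOC_B agree. Python's
    canonicalize() is C14N 2.0, not the 1.0/exclusive forms ADFS uses,
    but it applies the same normalisations listed above."""
    canonical = ET.canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def find_inclusive_c14n(signed_xml: str) -> list:
    """Name the ds:CanonicalizationMethod/ds:Transform elements that use the
    URI ADFS rejected, so a peer's signature can be checked up front."""
    root = ET.fromstring(signed_xml)
    return [el.tag[len(DS):] for el in root.iter()
            if el.tag in (DS + "CanonicalizationMethod", DS + "Transform")
            and el.get("Algorithm") == INCLUSIVE_C14N]

# Constructed ds:Signature skeleton naming the rejected algorithm twice.
SIGNED = (
    '<root><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    f'<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="{INCLUSIVE_C14N}"/>'
    f'<ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="{INCLUSIVE_C14N}"/>'
    '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></root>'
)
```

Running find_inclusive_c14n over a partner's metadata or a captured AuthnRequest before onboarding tells you whether their signing library is going to trip the same ID6005 error.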