Monday, November 05, 2012

ADFS : Exclusive Canonicalization transform error


Busy trying to get ADFS v2.0 to work with a third-party SAML implementation and got this weird error:

System.Security.Cryptography.CryptographicException: ID6005: Exclusive Canonicalization transform does not support the algorithm ''.

An “IDxxxx” error code normally implies that it comes from WIF, so I trawled through that, and it turns out that the only transform it accepts is:

The transforms .NET works with are all listed in:


So I had to get the third party code changed to conform with ADFS.

What is the point of all this, you may ask.

This is all connected with signatures, e.g. your sp.xml looks like:

<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

Because XML can take many forms (e.g. whitespace or none, CR or CR/LF, etc.), you need to convert the XML to an agreed format before you sign it. Otherwise the other side may be checking the signature on a “different” document. These “agreed formats” are the canonical transforms. They are all W3C standards.

So, for example, the specification may state:

The canonical form of an XML document is the physical representation of the document produced by the method described in this specification. The changes are summarized in the following list:

  • The document is encoded in UTF-8
  • Line breaks normalized to #xA on input, before parsing
  • Attribute values are normalized, as if by a validating processor
  • Character and parsed entity references are replaced
  • CDATA sections are replaced with their character content
  • The XML declaration and document type declaration (DTD) are removed
  • Empty elements are converted to start-end tag pairs
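To see why the signer and the verifier must agree on the transform, here is an added example (not code from this post or from ADFS/WIF). It uses Python's standard-library C14N 2.0 canonicalizer rather than the Exclusive Canonicalization transform that ADFS expects, and the sample documents are constructed. It shows two serializations of the same request hashing differently as raw bytes but identically once canonicalized, while a real content change still alters the digest.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed samples: one logical request serialized the way two different
# SAML stacks might emit it (declaration, CR/LF, CDATA, empty-element tag,
# attribute order and quoting all differ).
DOC_A = (
    b'<?xml version="1.0" encoding="UTF-8"?>\r\n'
    b'<Request ID="_abc123" Version="2.0">\r\n'
    b'  <Issuer><![CDATA[https://sp.example.com]]></Issuer>\r\n'
    b'  <Conditions/>\r\n'
    b'</Request>'
)
DOC_B = (
    b"<Request   Version='2.0'  ID='_abc123'>\n"
    b"  <Issuer>https://sp.example.com</Issuer>\n"
    b"  <Conditions></Conditions>\n"
    b"</Request>"
)
# Constructed sample with a real content change (different Issuer).
DOC_C = DOC_B.replace(b"sp.example.com", b"other.example.com")


def canonical_form(doc: bytes) -> str:
    """Return the C14N 2.0 form of doc using the standard library."""
    return canonicalize(xml_data=doc)


def digest_raw(doc: bytes) -> str:
    """SHA-256 over the bytes exactly as they arrived on the wire."""
    return hashlib.sha256(doc).hexdigest()


def digest_canonical(doc: bytes) -> str:
    """SHA-256 over the canonical form, which is what a signature covers."""
    return hashlib.sha256(canonical_form(doc).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(canonical_form(DOC_A))
    print("raw digests equal:      ", digest_raw(DOC_A) == digest_raw(DOC_B))
    print("canonical digests equal:", digest_canonical(DOC_A) == digest_canonical(DOC_B))
    print("tampered copy equal:    ", digest_canonical(DOC_C) == digest_canonical(DOC_B))
```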




Yasiel Segui said...

Hi nzpcmad,

I have been working with ADFS 2.0 and I'm getting right now the same error you are talking about. I'm trying to sign a SAML2.0 Xml request for SSO with a SHA256 Algorithm because we want to support SHA256 on the ADFS side. Do you know any specific third party tool that could be used to make all those transformations to the Xml before sending it as a request to the ADFS...?

Thanks in Advance


nzpcmad said...

Sorry, no!