Description
Which version of Microsoft.IdentityModel are you using?
Microsoft.IdentityModel.Tokens.Saml 8.8.0
Where is the issue?
- M.IM.Tokens.Saml
Is this a new or an existing app?
The app is in production and I have upgraded to a new version of Microsoft.IdentityModel.
Repro
Reproduction is a bit complex since we have extended the SAML security token handling and serialization to handle cases which Microsoft.IdentityModel.Tokens.Saml doesn't, for example holder-of-key. The reproduction code uses our package, Solid.IdentityModel.Tokens.Saml version 1.0.6. When using the version of Microsoft.IdentityModel.Tokens.Saml that is the dependency of our package (which is 6.8.0), then the SubjectConfirmationData is serialized correctly. If we update to 8.8.0, then the type attribute has changed from Type to type. This breaks our integration with ADFS, which expects the type attribute to be Type.
The SAML assertion has been formatted for readability.
using System.Security.Claims;
using System.Security.Cryptography;
using System.Xml.Linq;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using Solid.IdentityModel.Tokens;
using Solid.IdentityModel.Tokens.Saml2;

// Register the custom crypto provider and make it the default used by the token handlers.
var services = new ServiceCollection()
    .AddCustomCryptoProvider(options => options.AddFullSupport())
    .BuildServiceProvider();
CryptoProviderFactory.Default = services.GetRequiredService<CryptoProviderFactory>();

// Throwaway keys: one signs the assertion, the other wraps the holder-of-key proof key.
using var signing = RSA.Create(2048);
using var encryption = RSA.Create(2048);

// Symmetric proof key that ends up (encrypted) inside SubjectConfirmationData.
var proof = new byte[32];
RandomNumberGenerator.Fill(proof);
var proofKey = new SymmetricSecurityKey(proof);

var claims = new List<Claim>
{
    new (ClaimTypes.NameIdentifier, "user"),
    new (ClaimTypes.Name, "Some User Name"),
    new (ClaimTypes.Role, "user_role")
};
var identity = new ClaimsIdentity(claims, "Saml2Repro", ClaimTypes.Name, ClaimTypes.Role);

var descriptor = new RequestedSecurityTokenDescriptor()
{
    Issuer = "urn:Saml2Repro",
    Audience = "https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues",
    SigningCredentials = new SigningCredentials(new RsaSecurityKey(signing), SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest),
    NotBefore = DateTime.UtcNow.Subtract(TimeSpan.FromMinutes(5)),
    Expires = DateTime.UtcNow.Add(TimeSpan.FromMinutes(5)),
    Subject = identity,
    ProofKey = proofKey,
    ProofKeyEncryptingCredentials = new EncryptingCredentials(new RsaSecurityKey(encryption), SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128Encryption)
    {
        CryptoProviderFactory = services.GetRequiredService<CryptoProviderFactory>()
    }
};

// Create and serialize the holder-of-key assertion, then pretty-print it for inspection.
var handler = new Saml2EncryptedSecurityTokenHandler();
var token = handler.CreateToken(descriptor);
var assertion = handler.WriteToken(token);
var doc = XDocument.Parse(assertion);
Console.WriteLine(doc.ToString());
Expected behavior
SubjectConfirmationData to have the http://www.w3.org/2001/XMLSchema-instance Type attribute.
Actual behavior
SubjectConfirmationData has the http://www.w3.org/2001/XMLSchema-instance type attribute.
Cause
This was caused by #2894
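An added check, not part of this issue or of either library, that parses a written assertion and reports which spelling of the XMLSchema-instance attribute SubjectConfirmationData carries, so the change can be caught by a test before an upgrade reaches a relying party that matches the name case-sensitively. The class name and the minimal assertions in Main are constructed for the example.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

// Hypothetical helper (not from Microsoft.IdentityModel or Solid.IdentityModel).
// XML attribute names are case-sensitive, so a:Type and a:type are different
// attributes even though both live in the XMLSchema-instance namespace.
public static class SubjectConfirmationDataCheck
{
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    static readonly XNamespace Xsi = "http://www.w3.org/2001/XMLSchema-instance";

    // Returns the local name of the xsi-namespaced attribute on the first
    // SubjectConfirmationData element ("Type" or "type"), or null when absent.
    public static string? XsiAttributeName(string assertionXml)
    {
        var doc = XDocument.Parse(assertionXml);
        var data = doc.Descendants(Saml + "SubjectConfirmationData").FirstOrDefault();
        return data?.Attributes()
                    .FirstOrDefault(a => a.Name.Namespace == Xsi)
                    ?.Name.LocalName;
    }

    // True only when the serialized form is exactly what the consumer expects;
    // an ordinal comparison deliberately treats "Type" and "type" as different.
    public static bool MatchesExpected(string assertionXml, string expected) =>
        string.Equals(XsiAttributeName(assertionXml), expected, StringComparison.Ordinal);

    public static void Main()
    {
        // Constructed minimal assertions: only the SubjectConfirmationData subtree matters here.
        const string written6x = @"<saml:Assertion xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion"">
  <saml:Subject><saml:SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"">
    <saml:SubjectConfirmationData a:Type=""KeyInfoConfirmationDataType"" xmlns:a=""http://www.w3.org/2001/XMLSchema-instance"" />
  </saml:SubjectConfirmation></saml:Subject></saml:Assertion>";
        string written8x = written6x.Replace("a:Type=", "a:type=");

        // A consumer expecting "Type" accepts the first form and rejects the second.
        foreach (var xml in new[] { written6x, written8x })
        {
            Console.WriteLine($"attribute: {XsiAttributeName(xml)}, accepted as Type: {MatchesExpected(xml, "Type")}");
        }
    }
}
```

Running MatchesExpected over the assertion a handler writes, with the spelling your relying party requires, turns the regression described above into a failing test rather than a broken integration.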
Output from reproduction
These outputs have been XML-formatted for readability; signature validation may fail.
Using Microsoft.IdentityModel.Tokens.Saml 6.8.0
<saml:Assertion ID="_fd463a9a-29df-4296-a529-cae3900834c2" IssueInstant="2025-04-14T14:00:03.583Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>urn:Saml2Repro</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_fd463a9a-29df-4296-a529-cae3900834c2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>MhBS1jVM4b4/l0kmR45xbCXrS/jPPfAwya5TanDzK1g=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>fWBmI5lkIkIQmA9jH5KRypLxuJIU9qIAjghLVav1F+BVNIjv8y9yIHtbXYDWsBismlaAX/Oa7B6suXDx/NkfP89SdpP+uCnr+haoJeAg+NwaGE44fs3y56AqzMOs6uCqCziH8fE1G3gdKJElR0xDnVgFlhpV+Jg6wSFBH8DKzVFLW3Gh0yZxolwcqKUzjl2mve7Nu6x/u834F0c2jzJ398CCNFMwS9Jzovl0LMWRHp73ABG4CepKg2Ygb3WkYyN00itQV6V4oyuV512E6ms4zDZPGbxeuGLss3nLcozA3kvpwGi0TpO9XxGy/WSDbK1rjGDAa75TdO1Ycd335W1CLA==</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>zKWJ0a2Z8UgWBUk0Vivl7iAkWFqkaWTB+7kQJ9lDes3hNNJRBTeQxJVdhEo1/85BRzi/24/+QPfeNTiZv7FRYaP4a2R0OaOM/4LMryzXupGZlcAeAPC5q99KHdoI1ygfbfK3kmOTFucrhDqgCq3vZD5gDL33fnwu+4DLj9kN0K5Uc198YJDUvlHOnTqCm2M6xXpVhv+gjOoyJwVg1GE2If/KVGJQhX3UAYUtoXYskZRuQAB5jZUCALGwoMxiGSYzsFo/I75Ok2FaLFS67vITCJnu+qqZogMXAnZuRoa5gxI16lOw7ekIMBzNMNZXccbHuwW27uai6lc+dqRnvlqdgQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml:SubjectConfirmationData a:Type="KeyInfoConfirmationDataType" xmlns:a="http://www.w3.org/2001/XMLSchema-instance">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>oSm6tAJv7ubIzASaIYPGHYWLENeNOMAj6irt451c0kk</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>sDT82o/SQT9iJ/Aq170RBFEtHKZYXZNW/DC5VmsLwH8tXsT/YvE/W5W8XobkyGRJmrJlNGQ+wTpuLgCLUIepInBqE3g+cpa3el75L/olCBYK9jxnpSbYWACmp36MNdkyRMmYbznkJO1E0N8dQ94f7GDUnizVJUmMS5FTQrxaCQkp2T3M4FUqkaoQp02T8hmydeeHGtZz5bhHTWkubrZ5bWTgy7sE3h8ADr5l7k4dOshDOQSDGMGUAFma+ACp+kwmV/ShF2hg8L++/L+ea21L+0Zz3KjotQ4170Ptig4GLxA9Pa8Tg1GUG+wTq1eMxkdS1ifgFkQBbCnO6KsUERZULw==</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2025-04-14T13:55:03.575Z" NotOnOrAfter="2025-04-14T14:05:03.575Z">
<saml:AudienceRestriction>
<saml:Audience>https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">Some User Name</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">user_role</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Using Microsoft.IdentityModel.Tokens.Saml 8.8.0
<saml:Assertion ID="_13d11f0f-c39d-4528-b089-e6709f70a88e" IssueInstant="2025-04-14T14:13:20.157Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>urn:Saml2Repro</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_13d11f0f-c39d-4528-b089-e6709f70a88e">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>ltjP3IS3aJ6Z9OmN9RDneVbHMseO4chFg+bPT9an/n4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>JZoxLts2aFgVcyrvZfOaKYpRRewgoqnhA4lPGXZjb31yHP5S1cDhWRbC3+kuzFvNKJa2H/mY6KocfKxSolj7el9WNpaNabq10P2HnaK5M3xj1W5/JuWq0xrfcka15Sx8GEw4frc0hq/eRi6F1+moMfHwmSe+p2KwGUAoV/xWp9tnToOjGQTwNGHZFh0+YmA6Q5A43d9ZE6zhY7XHCXhi5x5EvH+qsLVDI0LrayoBuV01siKnAZpIGTdwKMm/Bp/LiF9T4Vcvz7iwYfD5w6OUzi1rxo4Sd8HIRAwkiTI4pcrI99fDZTexckkfgbs1jr1FBph/ZXX8Z9+ThkQF0rvc5A==</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>n43KAkDqozreh6DbE65sXmxIFxBgz561du9dIhukZjgmocVpWu3lI3czKXdCLAGD3/1RLtzbdaqkKNWLf2vuvLtDNie4zMDk4ZCfMWmZZ55vLha1xSfrUCeyhHQALdjyVSMRfuGCyqLoiAi6xb+fKau0VDAl8SkfRhVdewdcrjIFl0bkwrrLIgfCpobICLSlayhjFEZ+GDQeqDWPqxbIQsNjFxQwXNkfHzZDd1AbVqYG4DcWWNbtchoy4fRs0/WnYvrhttLEm/Dd13PWHzWTqaQ28tXMUFz4z6RECS4IE1uMrxGBOqhRUdb3eDk4h+ZgQj+jc9iGBbay+3BWkVf41Q==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml:SubjectConfirmationData a:type="KeyInfoConfirmationDataType" xmlns:a="http://www.w3.org/2001/XMLSchema-instance">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>KJvgkegFxkIybgTP-yc74EcOKuWYF8bJlE6L-zKmKYw</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>rUeJw9GPyF0MF/i2MomBeEVS87sIy6dV3YJspRRU29ndBDatpnmDlvAd9iYG5OGZXUDVRs/GzhQ48q1T9V6Ity9rkFBBnzsoH2RcBt40yS1uYHavNv8KJPdlAsaU7E1nTdm8LGTASO6hG35CSKDf5ptSYRmP5AbYj6UtKGug1S0auMH/2nVE7wSzjz5ti+c39dau3m/tW5wgirdOHgBF6JtS3Bv4WFNW7Wsv4Lcz5pSKDRuqeJhJ1gWy8GTAhdN6g1T3RkgtIeuQHOX0kV3AuJ8tPmQErqdPKAyL/DPT2I9A3GzTSkzeU4C2JLPXRWCuVgxgVKbaiWm9pTPddcZyQw==</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2025-04-14T14:08:20.149Z" NotOnOrAfter="2025-04-14T14:18:20.149Z">
<saml:AudienceRestriction>
<saml:Audience>https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">Some User Name</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">user_role</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>