...
| Expand | ||
|---|---|---|
| ||
The SP "bookkeeper.example.org" needs the "FinanceRole" attribute, with possible values "user", "manager" and "administrator". In SURFconext, this can be passed on in an eduPersonEntitlement:
|
Microsoft .NET rejects the metadata signature, help?
This is a bug introduced by Microsoft in an attempt to fix a security issue. The security issue (CVE-2019-1006) is described here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1006 In particular, the problem arises when using the following method for reading metadata: https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.metadata.metadataserializer.readmetadata?view=netframework-4.8
The patch that has been rolled out changes the way XML digital signatures are verified. It seems to “fix” things by ignoring all KeyInfo elements other than the first child of a Signature element, and expecting it to contain an X509Data element. We have spoken with the responsible Microsoft developers and they acknowledge that the implementation is faulty. However, until now they have not prioritized fixing this issue in .NET. It may be helpful to report that you are affected by this problem to Microsoft to give it more priority.
A workaround is to apply an XSLT transform to remove the first KeyValue element from the signed metadata file, for example like this: strip.xslt