Description
Which version of Microsoft.IdentityModel are you using?
8.15.0
Where is the issue?
- M.IM.JsonWebTokens
- M.IM.KeyVaultExtensions
- M.IM.Logging
- M.IM.ManagedKeyVaultSecurityKey
- M.IM.Protocols
- M.IM.Protocols.OpenIdConnect
- M.IM.Protocols.SignedHttpRequest
- M.IM.Protocols.WsFederation
- M.IM.TestExtensions
- M.IM.Tokens
- M.IM.Tokens.Saml
- M.IM.Validators
- M.IM.Xml
- S.IM.Tokens.Jwt
- Other (please describe)
Repro
```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml;

// Log full key identifiers instead of redacted PII so the failing key shows up in the exception message.
IdentityModelEventSource.ShowPII = true;

// EC certificate with private key; "123" is the PFX password.
var file = Path.Combine(AppContext.BaseDirectory, "idsrvtest_ecc.pfx");
var cert = new X509Certificate2(file, "123");

// Wrap the certificate as an X509SecurityKey and request ECDSA-SHA384 ("ES384").
var cred = new SigningCredentials(new X509SecurityKey(cert), "ES384");

var conditions = new SamlConditions(DateTime.Now, DateTime.Now.AddHours(1));
conditions.Conditions.Add(new SamlAudienceRestrictionCondition(new Uri("urn:client1")));
var subject = new SamlSubject(null, null, "bob");
var statement = new SamlAuthenticationStatement(subject, "urn:oasis:names:tc:SAML:1.0:am:password", DateTime.Now, null, null, null);
var assertion = new SamlAssertion("_" + Guid.NewGuid(), "https://server", DateTime.Now, conditions, null, new SamlStatement[] { statement });
assertion.SigningCredentials = cred;
var token = new SamlSecurityToken(assertion);

var handler = new SamlSecurityTokenHandler();
using var sw = new StringWriter();
using var xw = XmlWriter.Create(sw);
handler.WriteToken(xw, token); // signing happens here; this is where the exception below is thrown
xw.Flush();                    // flush the buffered XmlWriter before reading the StringWriter
var xml = sw.ToString();
```
Expected behavior
An XML SAML token with a valid signature and the X509 certificate in KeyInfo:
```xml
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_899dafc2-a573-4be8-bd60-59d8d3ba61ce" Issuer="https://server" IssueInstant="2026-02-25T15:50:55.409Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2026-02-25T15:50:55.409Z" NotOnOrAfter="2026-02-25T15:55:55.409Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:client1</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2026-02-25T15:50:53.000Z">
    <saml:Subject>
      <saml:NameIdentifier>bob</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
      <Reference URI="#_899dafc2-a573-4be8-bd60-59d8d3ba61ce">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
        <DigestValue>...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
    <KeyInfo>
      ...
    </KeyInfo>
  </Signature>
</saml:Assertion>
```
Actual behavior
Throws an exception with the message:
Algorithm: 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384', SecurityKey: '8CA9E53F54CE518AF3A8DDAD7211DBF94C834B3B' is not supported. The list of supported algorithms is available here: https://aka.ms/IdentityModel/supported-algorithms
Possible solution
Fix the supported algorithm validation:
Line 218 in f02a3a8: `// only RSA keys are supported`
And choose the correct signature function in AsymmetricAdapter:
Line 78 in f02a3a8: `InitializeUsingX509SecurityKey(x509Key, algorithm, requirePrivateKey);`
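The following C# program is an added example, not code from the issue or from the Microsoft.IdentityModel project. It uses the public `CryptoProviderFactory.Default.IsSupportedAlgorithm` check to show the RSA-only behaviour the issue describes (an `X509SecurityKey` wrapping an EC certificate is rejected for ecdsa-sha384) and the path that is already supported (the same certificate's EC key wrapped in an `ECDsaSecurityKey`), then signs and validates a SAML 1.1 assertion over that path. It assumes Microsoft.IdentityModel.Tokens.Saml 8.x on .NET 6 or later, generates a throw-away self-signed P-384 certificate in place of `idsrvtest_ecc.pfx`, and assumes the handler falls back to the supplied `IssuerSigningKey` during validation even when KeyInfo does not identify the EC key. It does not inspect what KeyInfo contains for an `ECDsaSecurityKey`, so it is a diagnostic and a stopgap, not a fix for the X509 certificate in KeyInfo that the issue asks for.

```csharp
// Added example (not from the issue or the library): probes which key wrappers
// Microsoft.IdentityModel accepts for ECDSA-SHA384, then signs and validates a
// SAML 1.1 assertion with an ECDsaSecurityKey instead of an X509SecurityKey.
// Assumes Microsoft.IdentityModel.Tokens.Saml 8.x and .NET 6+.
using System;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml;

static class EcdsaSamlProbe
{
    // Constructed test material: an ephemeral self-signed P-384 certificate,
    // standing in for idsrvtest_ecc.pfx from the repro. P-384 matches ecdsa-sha384,
    // which the library's key-size check requires.
    static X509Certificate2 MakeEcCert()
    {
        using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);
        var req = new CertificateRequest("CN=idsrvtest-ecc", ecdsa, HashAlgorithmName.SHA384);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
    }

    // Same check the signing path performs before creating a signature provider.
    static string Probe(SecurityKey key, string algorithm) =>
        $"{key.GetType().Name} + {algorithm}: " +
        (CryptoProviderFactory.Default.IsSupportedAlgorithm(algorithm, key) ? "supported" : "NOT supported");

    // Builds and signs an assertion shaped like the one in the repro.
    static string SignAssertion(SigningCredentials cred)
    {
        var now = DateTime.UtcNow;
        var conditions = new SamlConditions(now, now.AddMinutes(5));
        conditions.Conditions.Add(new SamlAudienceRestrictionCondition(new Uri("urn:client1")));
        var subject = new SamlSubject(null, null, "bob");
        var statement = new SamlAuthenticationStatement(subject, "urn:oasis:names:tc:SAML:1.0:am:password", now, null, null, null);
        var assertion = new SamlAssertion("_" + Guid.NewGuid(), "https://server", now, conditions, null, new SamlStatement[] { statement })
        {
            SigningCredentials = cred
        };

        var handler = new SamlSecurityTokenHandler();
        using var sw = new StringWriter();
        // No XML declaration: the handler re-reads the string as UTF-8 during validation.
        using (var xw = XmlWriter.Create(sw, new XmlWriterSettings { OmitXmlDeclaration = true }))
            handler.WriteToken(xw, new SamlSecurityToken(assertion)); // disposing the writer flushes it
        return sw.ToString();
    }

    static void Main()
    {
        using var cert = MakeEcCert();
        const string alg = SecurityAlgorithms.EcdsaSha384Signature; // http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384

        // 1. The repro's wrapper: an EC certificate behind X509SecurityKey fails the RSA-only check.
        Console.WriteLine(Probe(new X509SecurityKey(cert), alg));

        // 2. Same certificate, EC private key handed over directly: accepted.
        using var priv = cert.GetECDsaPrivateKey();
        var ecKey = new ECDsaSecurityKey(priv);
        Console.WriteLine(Probe(ecKey, alg));

        // 3. Sign over the supported path and confirm the SignatureMethod in the XML.
        var xml = SignAssertion(new SigningCredentials(ecKey, alg));
        Console.WriteLine(xml.Contains("ecdsa-sha384") ? "signed with ecdsa-sha384" : "unexpected SignatureMethod");

        // 4. Round-trip: validate with the public half of the same EC key.
        //    Assumption: the handler tries IssuerSigningKey even if KeyInfo does not name it.
        var tvp = new TokenValidationParameters
        {
            ValidIssuer = "https://server",
            ValidAudience = "urn:client1",
            IssuerSigningKey = new ECDsaSecurityKey(cert.GetECDsaPublicKey()),
        };
        var principal = new SamlSecurityTokenHandler().ValidateToken(xml, tvp, out _);
        Console.WriteLine("validated subject: " + (principal.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "(no NameIdentifier claim)"));
    }
}
```

Step 1 reproduces the rejection without touching a PFX file, which makes it a quick regression check to attach to a fix for the two lines cited above. Step 2 is the only workaround available on 8.15.0 without patching the library, at the cost of the X509 certificate no longer being presented to the signer as an `X509SecurityKey`.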