Assertion validation fails for Microsoft Azure IdP Authn response

[chefsalim]

Erlang 18.

Calling esaml_cowboy:validate_assertion(SP, Req) fails. In xmerl_dsig.erl, it fails at the point of calling
public_key:verify(Data, HashFunction, Sig, Key), which returns false (this fails at crypto:verify).

Everything works fine if Okta is the IdP. The only difference between the Okta and Azure IdP seems to be the key length (Azure is 2048 bits), as well as use of SHA1 (Azure is not using SHA1) in the signature computation.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:d5:eb:9b:38:4b:37:85:46:95:45:c3:60:24:53:df
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=accounts.accesscontrol.windows.net
        Validity
            Not Before: Oct 28 00:00:00 2014 GMT
            Not After : Oct 27 00:00:00 2016 GMT
        Subject: CN=accounts.accesscontrol.windows.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bc:8a:b3:fb:8f:84:47:fb:cd:58:b3:8d:f7:2b:
                    fc:84:86:15:ef:7e:c9:43:aa:c2:97:a5:df:cc:e0:
                    ba:db:cb:1e:61:43:df:d1:36:86:93:dd:42:17:17:
                    9f:87:38:76:dd:5f:53:92:af:91:b7:03:75:56:cf:
                    f3:e7:b8:4e:f3:69:24:cc:bf:9c:40:76:57:dd:b3:
                    09:0f:e1:84:18:e2:97:08:45:d4:44:de:d5:33:26:
                    56:30:0b:b3:42:85:bd:bc:56:f5:93:77:11:d5:15:
                    bf:11:6f:cf:f8:2f:1b:6f:67:42:19:78:41:62:a3:
                    df:1f:28:a6:bf:3d:96:6a:b5:e1:9e:d3:d2:6c:ce:
                    57:c9:2e:6f:e7:20:b0:e5:3f:d5:bb:0a:aa:b2:2a:
                    37:57:cc:28:a1:61:8c:a6:9e:b5:cb:5d:8d:84:df:
                    1b:35:50:d0:02:40:cf:36:ed:83:4f:d0:d7:07:58:
                    34:09:e1:48:36:9f:ca:01:2f:ea:43:62:aa:e9:34:
                    af:44:72:6a:c5:14:7a:f1:17:b3:62:d8:de:f4:a0:
                    2a:c2:ac:78:8f:19:66:54:04:32:d1:3d:fe:4f:e2:
                    00:6e:c9:35:c1:1b:56:0e:77:61:3b:ab:35:3a:cf:
                    9d:72:4e:53:cf:26:7f:74:d3:a1:7d:78:1e:96:2c:
                    4b:51
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         7e:89:71:e3:9c:34:8b:c0:9d:01:48:e3:78:06:98:76:11:bd:
         f8:d0:c7:c6:8a:74:52:f3:4e:aa:51:aa:60:97:b1:a8:f2:ee:
         bd:7f:22:c9:46:98:c4:d1:b3:67:11:60:18:8d:c6:a4:a7:e6:
         40:fd:89:41:64:35:13:92:6d:63:f9:fc:88:d2:ce:29:13:30:
         aa:4b:b1:48:22:89:c5:92:6a:e1:29:7f:9b:f6:2f:ed:34:b5:
         3f:92:cd:80:08:fc:40:b0:b2:a7:1b:16:ad:30:26:ab:61:d2:
         a6:47:92:93:82:41:b6:c6:31:5f:ab:a1:6c:63:3f:2b:5b:04:
         92:d2:b2:6d:54:c7:bb:6d:bf:ed:39:91:a9:64:e6:39:4c:bd:
         c1:0b:cc:8c:96:f6:21:77:4c:18:b1:b7:85:59:ed:37:f5:96:
         72:ce:70:f2:f6:ed:d6:2f:0a:93:aa:35:f5:6d:8c:8d:9f:79:
         25:a1:02:2a:30:43:61:19:61:1b:52:a6:48:1b:6b:b0:ab:02:
         05:0a:01:cf:01:ff:ad:77:e4:b1:33:bd:26:85:18:2d:78:96:
         d0:8a:69:07:b0:e1:34:7e:0f:27:98:59:23:dd:51:f2:b4:74:
         1f:7f:db:2a:42:d2:b8:36:8a:2d:64:aa:32:1a:33:76:15:ec:
         20:82:af:25

Here is some debug output:

Data: <<"<ds:SignedInfo xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#\"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#\">/ds:CanonicalizationMethod<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\">/ds:SignatureMethod<ds:Reference URI="#_2ded4e62-67bd-4a07-9e41-3307ff40b6e5">ds:Transforms<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature\">/ds:Transform<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#\">/ds:Transform/ds:Transforms<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256\">/ds:DigestMethodds:DigestValueujwSqga3Io7RgnLVHAFnZqCuS9UBhZazFp7tTmJYKds=/ds:DigestValue/ds:Reference/ds:SignedInfo">>
HashFunction: sha256
Sig: <<84,170,226,155,114,237,132,105,192,71,242,254,39,250,196,46,160,178,30,
51,41,11,171,152,227,152,104,116,134,247,9,231,141,131,173,159,104,47,
152,103,113,21,122,203,169,25,196,107,137,170,25,250,43,44,40,79,230,
224,56,216,36,151,173,173,241,207,74,123,76,77,188,90,119,208,92,64,214,
120,17,8,132,126,229,154,70,72,136,142,141,34,77,214,136,185,218,24,225,
42,18,51,237,39,18,145,98,10,110,5,173,148,13,228,203,196,178,127,27,
103,130,46,1,250,75,87,189,2,237,220,189,161,180,225,245,65,68,156,85,
233,99,60,41,34,133,123,197,188,93,0,175,41,89,63,39,68,77,172,56,224,1,
3,96,27,157,111,244,140,160,40,149,73,105,73,161,74,17,93,22,125,100,
121,241,182,148,24,68,214,45,12,68,110,231,53,154,81,202,69,115,182,9,
237,110,100,88,88,15,241,9,96,203,215,5,241,223,191,99,199,12,233,32,39,
209,80,156,114,174,149,46,250,145,148,145,106,148,73,103,101,99,148,149,
62,148,148,2,75,9,47,120,45,98,214,6,39,14,45,14,55>>
Key: {'RSAPublicKey',23801198360346180032294480920715767764472197020631570074480649915781538912816195975417363780765112968383673580578571989252090383113994304028563474394397459725649506248716739361908616836476913309708506822850917404774975668734124236432466647775976571217892167355716913557523437407297392112679627645666491794339857374054870860501484016751889383673483750306612278874647610454856410468740384624100471457481543991766630885386515400127553119191608234405247675208060619388776358270769904028886336830442777210583872889885286842313649680068015006466942721801737282566078347249842971299237584314259050491201295146063321006623569,
65537}