Hi everyone, I am using Keycloak 23.0.6 and trying to configure SAML SSO, but I am getting an issue when I compare the hash of the Assertion node with the value in the DigestValue node. They do not match!
Here is my SAML response:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://localhost:8008/ssologin/saml/WbXW" ID="ID_f21ec8b2-207c-49be-8aa8-3e9ccd884c57" InResponseTo="my_sample_appd0129b9d9f4cc4a3280d8906db4369a9" IssueInstant="2024-02-19T08:03:36.475Z" Version="2.0"><saml:Issuer>http://localhost:8080/realms/myrealm</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_dca49321-fb23-4178-a83f-784b8677c885" IssueInstant="2024-02-19T08:03:36.475Z" Version="2.0"><saml:Issuer>http://localhost:8080/realms/myrealm</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><dsig:Reference URI="#ID_dca49321-fb23-4178-a83f-784b8677c885"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>zgltUedzVJnm4bAy9W1fMpklbs6mlz/9ieghh5GNXp4=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>Qltz8BB7vNl+Y/lu4HMZMvjiGku32RoftwHvkvod4EqU+fcbsX15f4VteVRNQTbAubcF0FHMqXKlXjreI2rugOr/WRSNECG40bobBYCMDnctzcpL6GeqKYu+w41OPE8ym6LyqTwaH4/3MQiBl01wJiZdr9B6SxBfSopn3nzVrXb6h6FLSkhCU3KnVnAyKsEZXQxxGlrewmTHay7sE9Anla2YSS8obnpiXLJCrwzIjXdjlSsd6p/lmh7etbtU1snbZWIXykKURitXRZtRUkBP8EnXURU6A13pP0hk7LssrVt4Xe2rI79VxOkCrspu+rJu2cNNwK/2u3XKY4RbF6Sw4Q==</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>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</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature><saml:Subject><saml:NameID 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin_test</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="my_sample_appd0129b9d9f4cc4a3280d8906db4369a9" NotOnOrAfter="2024-02-19T08:08:34.475Z" Recipient="http://localhost:8008/ssologin/saml/WbXW"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2024-02-19T08:03:34.475Z" NotOnOrAfter="2024-02-19T08:04:34.475Z"><saml:AudienceRestriction><saml:Audience>MYAPP</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2024-02-19T08:03:36.475Z" SessionIndex="d84c276a-dd57-46b3-8370-644046c15fbd::6c5a1456-164c-4a7c-8250-75cd0c3ffa38" SessionNotOnOrAfter="2024-02-19T18:03:36.475Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute FriendlyName="surname" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">test</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="email" Name="urn:oid:1.2.840.113549.1.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin@admin.com</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="givenName" Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">default-roles-myrealm</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
Here is the SAML Assertion value and its actual hash:
SAML Assertion:
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_dca49321-fb23-4178-a83f-784b8677c885" IssueInstant="2024-02-19T08:03:36.475Z" Version="2.0"><saml:Issuer>http://localhost:8080/realms/myrealm</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin_test</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="my_sample_appd0129b9d9f4cc4a3280d8906db4369a9" NotOnOrAfter="2024-02-19T08:08:34.475Z" Recipient="http://localhost:8008/ssologin/saml/WbXW"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2024-02-19T08:03:34.475Z" NotOnOrAfter="2024-02-19T08:04:34.475Z"><saml:AudienceRestriction><saml:Audience>MYAPP</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2024-02-19T08:03:36.475Z" SessionIndex="d84c276a-dd57-46b3-8370-644046c15fbd::6c5a1456-164c-4a7c-8250-75cd0c3ffa38" SessionNotOnOrAfter="2024-02-19T18:03:36.475Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute FriendlyName="surname" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">test</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="email" Name="urn:oid:1.2.840.113549.1.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin@admin.com</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="givenName" Name="given_name" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">default-roles-myrealm</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
Actual_hash: d3ff2fa5060c3f2d1d50ee048dca5e281252023f37132675920c5b84906fe2df
Here is the expected hash (taken from DigestValue in the SAML response): ce096d51e7735499e6e1b032f56d5f3299256ecea6973ffd89e82187918d5e9e
As you can see, they are different. Keycloak is using RSA-SHA256 to sign the assertion.
Please help me; I cannot figure out why the hashes do not match as I expected. Did I do something wrong?
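As an added example, not part of the post above and not Keycloak's code: the value a verifier compares against DigestValue is the SHA-256 of the Assertion element after the two transforms listed in the SignedInfo, enveloped-signature (the dsig:Signature child is removed) and Exclusive XML Canonicalization 1.0, so the text that gets hashed has to be that canonical serialisation, not a tree re-serialised by an XML library. One exc-c14n rule worth checking against the assertion text quoted above: a namespace declaration is rendered only on elements that visibly use it, so a default-namespace declaration `xmlns="urn:oasis:names:tc:SAML:2.0:assertion"` is not rendered when every element in the assertion carries the `saml:` prefix. The script below runs the whole Reference pipeline with only the Python standard library; the response it embeds is a constructed sample (its DigestValue is a placeholder), and `SAMPLE_CANONICAL` is the canonical form of that sample derived by hand from the rules.

```python
"""Recompute an XML-DSig Reference digest for a SAML assertion (added example, not Keycloak's code).
The exc-c14n here covers what a SAML response needs (no DTD, no InclusiveNamespaces PrefixList).
"""
import base64
import hashlib
import sys
from xml.dom import Node, minidom

XMLNS_NS = "http://www.w3.org/2000/xmlns/"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
DIGEST_ALGS = {"http://www.w3.org/2001/04/xmlenc#sha256": "sha256",  # DigestMethod URI -> hashlib name
               "http://www.w3.org/2001/04/xmlenc#sha512": "sha512", "http://www.w3.org/2000/09/xmldsig#sha1": "sha1"}
_TEXT = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ("\r", "&#xD;"))
_ATTR = (("&", "&amp;"), ("<", "&lt;"), ('"', "&quot;"), ("\t", "&#x9;"), ("\n", "&#xA;"), ("\r", "&#xD;"))


def _escape(s, pairs):
    for raw, esc in pairs:
        s = s.replace(raw, esc)
    return s


def exc_c14n(elem, rendered=None):
    """Exclusive C14N 1.0 of `elem` as a str.  `rendered` maps prefix -> URI for namespace
    declarations an ancestor already emitted ('' is the default namespace)."""
    rendered = {"": ""} if rendered is None else dict(rendered)
    # Only prefixes *visibly utilised* by the element (its own and its non-xmlns attributes') are
    # declared; xmlns attributes in the input are ignored, so an unused xmlns="..." disappears.
    used = {elem.prefix or "": elem.namespaceURI or ""}
    attrs = []
    for a in elem.attributes.values():
        if a.namespaceURI == XMLNS_NS:
            continue
        if a.prefix and a.prefix != "xml":  # xml: is implicitly declared, never emitted
            used[a.prefix] = a.namespaceURI
        attrs.append(a)
    out = ["<", elem.tagName]
    for prefix, uri in sorted(used.items()):  # namespace nodes first, default ('') first
        if rendered.get(prefix) != uri:
            out.append(f' xmlns:{prefix}="{_escape(uri, _ATTR)}"' if prefix else f' xmlns="{_escape(uri, _ATTR)}"')
            rendered[prefix] = uri
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):  # by URI, then local name
        out.append(f' {a.name}="{_escape(a.value, _ATTR)}"')
    out.append(">")
    for child in elem.childNodes:  # comments are dropped: the Algorithm URI has no #WithComments
        if child.nodeType == Node.ELEMENT_NODE:
            out.append(exc_c14n(child, rendered))
        elif child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            out.append(_escape(child.data, _TEXT))
    out.append(f"</{elem.tagName}>")  # C14N never self-closes empty elements
    return "".join(out)


def canonicalize_xml(xml_text):
    """Exc-c14n bytes of a document's root element, for diffing against hand-built text."""
    return exc_c14n(minidom.parseString(xml_text).documentElement).encode("utf-8")


def b64_digest(data, alg="sha256"):
    return base64.b64encode(hashlib.new(alg, data).digest()).decode("ascii")


def reference_digest(xml_text):
    """Return (computed_b64, stated_b64, canonical_bytes) for the first ds:Signature in the document."""
    doc = minidom.parseString(xml_text)
    sig = doc.getElementsByTagNameNS(DSIG_NS, "Signature")[0]
    ref = sig.getElementsByTagNameNS(DSIG_NS, "Reference")[0]
    alg_uri = ref.getElementsByTagNameNS(DSIG_NS, "DigestMethod")[0].getAttribute("Algorithm")
    stated = "".join(ref.getElementsByTagNameNS(DSIG_NS, "DigestValue")[0].firstChild.data.split())
    target_id = ref.getAttribute("URI")[1:]  # URI="#ID_..." names the element whose ID attribute matches
    target = next(e for e in doc.getElementsByTagName("*") if e.getAttribute("ID") == target_id)
    sig.parentNode.removeChild(sig)  # enveloped-signature transform
    canonical = exc_c14n(target).encode("utf-8")  # exclusive-C14N transform
    return b64_digest(canonical, DIGEST_ALGS.get(alg_uri, "sha256")), stated, canonical


# Constructed sample (not the poster's response); its DigestValue is a placeholder, so the built-in
# run reports MISMATCH.  Pass a saved response file on the command line to check a real one.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_resp" Version="2.0">'
    '<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_assert" Version="2.0">'
    '<saml:Issuer>http://idp.example/realms/demo</saml:Issuer>'
    '<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:Reference URI="#ID_assert">'
    '<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>PLACEHOLDER'
    '</dsig:DigestValue></dsig:Reference></dsig:SignedInfo></dsig:Signature><saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID></saml:Subject>'
    '<saml:AttributeStatement><saml:Attribute Name="Role"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">viewer</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
# Hand-derived exc-c14n form of the sample assertion: default xmlns dropped, xmlns:saml declared on the
# apex element, xmlns:xs dropped (used only inside an attribute *value*), xmlns:xsi kept.
SAMPLE_CANONICAL = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_assert" Version="2.0">'
    b'<saml:Issuer>http://idp.example/realms/demo</saml:Issuer><saml:Subject>'
    b'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>'
    b'</saml:Subject><saml:AttributeStatement><saml:Attribute Name="Role">'
    b'<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">'
    b'viewer</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)

if __name__ == "__main__":
    xml = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    computed, stated, canonical = reference_digest(xml)
    print("canonical bytes:", canonical.decode("utf-8"))
    print("computed:", computed, "hex:", base64.b64decode(computed).hex(), "| stated:", stated,
          "| MATCH" if computed == stated else "| MISMATCH")
```

Run it as `python3 saml_digest.py response.xml` against a saved response (the file name is an assumption). The printed canonical bytes are the exact string that gets hashed, so diff them against whatever was fed into the hash tool; the printed hex is directly comparable with the two hex values quoted in the post.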