Narayan Gowraj

Reputation: 153

OKTA SAML Signature verification - PHP

My application (PHP) gets the SAML response back from OKTA which has the signature value and I also have OKTA's certificate which has the public key. My application does the following,

  1. Gets the public key from the cert.
  2. Gets the signature value from the SAML sent to it.
  3. Now, it uses the function openssl_verify($data, $signature, $pubkeyid, "sha1WithRSAEncryption"); since $data is the content used by OKTA to sign the SAML response, I am not sure what $data has to be set to.

My Code,

$pubkeyid = openssl_pkey_get_details(openssl_pkey_get_public(file_get_contents("okta.cert")));
$pubkeyid = $pubkeyid["key"]; // PEM public key taken from OKTA's certificate
$signature = "<get it from SAML Response>";
$data = ???? (what should be provided)
$ok = openssl_verify($data, $signature, $pubkeyid, "sha1WithRSAEncryption");

I always get 0 when I assign the value of data to be the SAML Response sent to the application. Am I missing something?

Upvotes: 4

Views: 1167

Answers (2)

user1920897

Reputation: 131

Yes, using the right tools is important. We are just starting down this road and have found the OKTA developer tools on the OKTA site: http://developer.okta.com/docs/sdk/core/api.html.

We are hoping their supplied libraries make using their services much easier.

Upvotes: 2

Milos Tomic

Reputation: 361

SAML signature verification is much more than calling the openssl_verify() function. I would suggest using some library for that purpose, like https://github.com/lightSAML/lightSAML.

In that case, using LightSAML-Core, signature validation can be done as explained on their cookbook page http://www.lightsaml.com/LightSAML-Core/Cookbook/How-to-verify-signature-of-SAML-message/ in the following steps:

  • deserialize XML to data model object - in your case the Response class
  • load public key of IDP from its certificate from their metadata
  • call validate() method on response signature property

Note that proper handling of the Response is still more than just validating the signature. The complete SAML Web Browser SSO profile addresses additional verifications, which LightSAML also implements.

You might check LightSAML/SpBundle if you're using Symfony, since it implements the full SAML SSO profile and integrates with Symfony's security, making SAML SSO quite easy to implement.

If you're really into doing it yourself from scratch, you can check how xmlseclibs does it, for example in one of its maintained forks on https://github.com/robrichards/xmlseclibs.

Upvotes: 5
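Added example (not part of the question or either answer): the three verification steps the answer lists, written against the robrichards/xmlseclibs fork it mentions. It assumes Composer's autoloader, the IdP certificate in a PEM file at okta.cert (path assumed), and the SAML Response XML already in a string; it also shows why the asker gets 0: the signed bytes are the canonicalized ds:SignedInfo, not the raw Response, and the Response itself is only covered through the Reference digest.

```php
<?php
// Added example, not the asker's or the library's own code.
require 'vendor/autoload.php'; // composer require robrichards/xmlseclibs

use RobRichards\XMLSecLibs\XMLSecurityDSig;

function verifySamlResponseSignature(string $xml, string $certPath): bool
{
    // Parse without touching the network or resolving external entities (XXE).
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        return false;
    }

    $dsig = new XMLSecurityDSig();
    $sigNode = $dsig->locateSignature($doc); // first ds:Signature in the document
    if ($sigNode === null || $sigNode->parentNode !== $doc->documentElement) {
        return false; // only a signature placed directly under the Response covers it
    }

    // Step 1: what openssl_verify() actually checks is canonical ds:SignedInfo.
    $dsig->canonicalizeSignedInfo();

    // Step 2: the Reference digest must match the element it points to (after the
    // enveloped-signature and c14n transforms). Limiting idKeys to "ID" stops the
    // reference being redirected to an element carrying some other id attribute.
    $dsig->idKeys = ['ID'];
    if (!$dsig->validateReference()) {
        return false;
    }
    // The single Reference must point at the Response element itself.
    $refIds = $dsig->getRefIDs();
    if (count($refIds) !== 1 || $refIds[0] !== $doc->documentElement->getAttribute('ID')) {
        return false;
    }

    // Step 3: verify SignatureValue with the certificate we already trust (okta.cert),
    // never with whatever certificate the message itself carries in ds:KeyInfo.
    $key = $dsig->locateKey(); // algorithm comes from ds:SignatureMethod
    if ($key === null) {
        return false;
    }
    $key->loadKey($certPath, true, true); // isFile = true, isCert = true
    return $dsig->verify($key) === 1;
}

// Usage: $samlResponseXml holds the decoded SAMLResponse POST parameter.
// $ok = verifySamlResponseSignature($samlResponseXml, 'okta.cert');
```

A passing result only proves integrity and origin; Issuer, Audience, Destination, InResponseTo and the NotBefore/NotOnOrAfter window still have to be checked separately, as the answer notes.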
