Artur Rychlewicz

Reputation: 505

How to validate whether SAMLv2 response is from IdP?

I am building an application that authenticates users with SAMLv2. After successful authentication by the Identity Provider, response is returned to browser which is then sent to target server.

Trimmed response looks like follows:

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>H9ffPJ6/jq25p13BcziR0hNLkGg=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>FegjeGwQO..J7hpJEQ==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate><!-- certificate data --></ds:X509Certificate>
        </ds:X509Data>
        <!-- more certificates -->
      </ds:KeyInfo>
    </ds:Signature>

I have a sequence of X509 certificates, <ds:DigestValue /> and <ds:SignatureValue />. What do those two fields contain, and how should I validate whether the response was returned by a valid server?

Upvotes: 0

Views: 85

Answers (1)

Stefan Rasmusson

Reputation: 5595

The signatures are standard XML signatures. This validation can, for example, be done in Java using OpenSAML. Here is a blog post showing how.

The "validity" or trust of the IDP is something you have to determine in your application. If the signature validates, then it means that the SAML message was sent from the IDP with the corresponding private key. Then you must decide if you trust that IDP.

Upvotes: 1
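To make concrete what the two fields in the question contain and what the answer's "validates" step actually checks, here is an added example in Go (standard library only; it is not the asker's code, not OpenSAML, and not from the linked blog post). It assumes the XML has already been parsed and canonicalized by an XML library, so the referenced element and `<ds:SignedInfo>` arrive as already-canonical byte slices; the `Signature` struct, `VerifyResponseSignature`, `signForDemo`, `newDemoKey`, `digestOf` and the sample `<samlp:Response>` are all constructed for this example. It follows the algorithms shown in the question (exclusive C14N, enveloped signature, rsa-sha1, SHA-1 digest) and makes the answer's trust point explicit: the signature is verified with a key the service provider already trusts, never with the certificate carried inside `<ds:KeyInfo>`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Signature holds the parts of a <ds:Signature> element that matter for verification.
// Real code parses these out of the XML; here they are plain fields (constructed example).
// Canonicalization (exclusive C14N plus the enveloped-signature transform, which removes
// <ds:Signature> itself before hashing) is assumed done by an XML library; the byte
// slices below are its output.
type Signature struct {
	ReferenceURI   string // <ds:Reference URI="#..."> : which element the digest covers
	DigestValue    string // <ds:DigestValue>: base64(SHA-1(c14n(referenced element)))
	SignedInfoC14N []byte // canonical <ds:SignedInfo>: the bytes the RSA signature is over
	SignatureValue string // <ds:SignatureValue>: base64(RSA PKCS#1 v1.5 SHA-1 signature)
}

// digestOf returns the <ds:DigestValue> encoding of a canonicalized element.
func digestOf(c14nElement []byte) string {
	d := sha1.Sum(c14nElement)
	return base64.StdEncoding.EncodeToString(d[:])
}

// VerifyResponseSignature checks the signature as the answer describes: digest over
// the referenced element, RSA signature over SignedInfo, under a key the SP trusts
// from IdP metadata. consumedID is the ID of the element the application will act on.
func VerifyResponseSignature(sig Signature, consumedID string, c14nElement []byte,
	trustedIdPKey *rsa.PublicKey) error {
	// 1. The signed reference must cover the element we are about to trust.
	if sig.ReferenceURI != "#"+consumedID {
		return fmt.Errorf("reference %q does not cover element %q", sig.ReferenceURI, consumedID)
	}
	// 2. DigestValue must equal SHA-1 of the canonicalized referenced element.
	want, err := base64.StdEncoding.DecodeString(sig.DigestValue)
	if err != nil {
		return fmt.Errorf("bad DigestValue: %w", err)
	}
	got := sha1.Sum(c14nElement)
	if subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return errors.New("digest mismatch: referenced element differs from what was signed")
	}
	// 3. That DigestValue must be the one bound inside SignedInfo; only SignedInfo is
	//    covered by the RSA signature, so a digest outside it proves nothing.
	bound := "<ds:DigestValue>" + sig.DigestValue + "</ds:DigestValue>"
	if !strings.Contains(string(sig.SignedInfoC14N), bound) {
		return errors.New("DigestValue is not bound by SignedInfo")
	}
	// 4. SignatureValue must verify over SignedInfo under the trusted IdP key.
	sigBytes, err := base64.StdEncoding.DecodeString(sig.SignatureValue)
	if err != nil {
		return fmt.Errorf("bad SignatureValue: %w", err)
	}
	h := sha1.Sum(sig.SignedInfoC14N)
	if err := rsa.VerifyPKCS1v15(trustedIdPKey, crypto.SHA1, h[:], sigBytes); err != nil {
		return errors.New("SignatureValue does not verify under the trusted IdP key")
	}
	return nil
}

// signForDemo plays the IdP: it produces the two fields for a canonicalized element.
// Constructed for this example so the verifier has something to check.
func signForDemo(key *rsa.PrivateKey, elementID string, c14nElement []byte) Signature {
	dv := digestOf(c14nElement)
	signedInfo := []byte(fmt.Sprintf(`<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">`+
		`<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>`+
		`<ds:Reference URI="#%s"><ds:DigestValue>%s</ds:DigestValue></ds:Reference></ds:SignedInfo>`,
		elementID, dv))
	h := sha1.Sum(signedInfo)
	sigBytes, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, h[:])
	if err != nil {
		panic(err)
	}
	return Signature{
		ReferenceURI:   "#" + elementID,
		DigestValue:    dv,
		SignedInfoC14N: signedInfo,
		SignatureValue: base64.StdEncoding.EncodeToString(sigBytes),
	}
}

// newDemoKey generates a throwaway RSA key standing in for the IdP's signing key.
func newDemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	idp := newDemoKey()
	// Constructed, already-canonicalized stand-in for the signed <samlp:Response>.
	elem := []byte(`<samlp:Response ID="uuid-demo">assertion</samlp:Response>`)
	sig := signForDemo(idp, "uuid-demo", elem)
	fmt.Println("genuine response:", VerifyResponseSignature(sig, "uuid-demo", elem, &idp.PublicKey))
	changed := []byte(`<samlp:Response ID="uuid-demo">other</samlp:Response>`)
	fmt.Println("modified response:", VerifyResponseSignature(sig, "uuid-demo", changed, &idp.PublicKey))
}
```

The trusted key is a parameter on purpose: `<ds:KeyInfo>` travels inside the message, so the certificate it carries is only a hint about which configured IdP key to try, and the trust decision the answer mentions is the mapping from IdP metadata to `trustedIdPKey`. The rsa-sha1 and SHA-1 digest algorithms are used here only because that is what the question's response shows; current deployments should prefer the SHA-256 variants.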
