Ben

Reputation: 2472

How to manually validate a SAMLResponse signature?

Given the following SAML response, how can I manually validate that the signature is valid? I assume I should rely on the IDP's certificate supplied in metadata and not the one in the response itself (although they should be the same).

Is there some way to do this with openssl or xmlsec1 commands?

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2a79da8e2cd2eda272fd5d2d474858f1919430a96" Version="2.0" IssueInstant="2016-08-25T00:24:45Z" Destination="http://10.88.111.163:8080/zport/dmd">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.ssocircle.com</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
</samlp:StatusCode>
</samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s22b55a88e8022a4d198715d5b3f21c3fbd699dac4" IssueInstant="2016-08-25T00:24:45Z" Version="2.0">
<saml:Issuer>https://idp.ssocircle.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#s22b55a88e8022a4d198715d5b3f21c3fbd699dac4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>abEMP7cxDW8LwnvcUzr2dHmQesk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
#SIGNATURE#
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
#CERTIFICATE#
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://idp.ssocircle.com" SPNameQualifier="instance">ben</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2016-08-25T00:34:45Z" Recipient="http://10.88.111.163:8080/zport/dmd"/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions NotBefore="2016-08-25T00:14:45Z" NotOnOrAfter="2016-08-25T00:34:45Z">
<saml:AudienceRestriction>
<saml:Audience>instance</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2016-08-25T00:16:14Z" SessionIndex="s2e2b6d389c12dd386a118286d1228e159faee1901"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="EmailAddress"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml:AttributeValue></saml:Attribute><saml:Attribute Name="FirstName"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ben</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
</samlp:Response>

Upvotes: 4

Views: 15732

Answers (2)

Hans Z.

Reputation: 54078

Assuming the verification certificate is in a file called cert.pem and the (unmodified, verbatim) SAML response is in response.xml, xmlsec1 can be used to verify the signature on the response as follows:

xmlsec1 verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-cert-pem cert.pem response.xml

Upvotes: 6
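The question asks what "manually validate" actually means for the signature shown above, and xmlsec1 hides the two steps involved. The following is an added example, not code from the question or either answer: it performs XML-DSig verification by hand with the lxml and cryptography packages (both assumed to be installed), following exactly the chain the question's response declares (enveloped-signature transform, exclusive C14N, RSA PKCS#1 v1.5). Step one recomputes the `DigestValue` over the canonicalized referenced element with the `ds:Signature` removed; step two checks `SignatureValue` over the canonicalized `SignedInfo` using a public key that the caller supplies from the IdP's metadata, so the certificate embedded in `ds:KeyInfo` plays no role. It also checks that the `Reference` URI names the element the signature is enveloped in and that this ID is unique, and returns that element as the only one a relying party should read. Because the `Reference` in the question points at the Assertion's ID, it is the Assertion, not the Response, that is signed there. The sample assertion, its ID `_constructed-assertion-id`, the issuer `https://idp.example.test` and the RSA key pair are all constructed for this example; the signing helper exists only to produce that sample.

```python
import base64, copy, hashlib, hmac
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from lxml import etree
DS = "{http://www.w3.org/2000/09/xmldsig#}"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGEST_ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1": "sha1", SHA256: "sha256"}  # the question uses SHA-1
SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1": hashes.SHA1, RSA_SHA256: hashes.SHA256}
PARSER = etree.XMLParser(resolve_entities=False)  # never expand entities in untrusted XML

def exc_c14n(node):
    """Exclusive C14N without comments, the canonicalization named in the question's response."""
    return etree.tostring(node, method="c14n", exclusive=True, with_comments=False)

def remove_enveloped_signature(elem):
    """Enveloped-signature transform: a copy of elem without its ds:Signature child."""
    elem = copy.deepcopy(elem)
    sig = elem.find(DS + "Signature")
    prev = sig.getprevious()
    if sig.tail and prev is not None:  # lxml drops tail text with the element; keep it
        prev.tail = (prev.tail or "") + sig.tail
    elem.remove(sig)
    return elem

def verify_enveloped(xml_bytes, public_key):
    """Verify the single enveloped signature in xml_bytes with public_key (taken from IdP metadata;
    ds:KeyInfo in the message is ignored). Returns the signed element, the only one callers may use."""
    root = etree.fromstring(xml_bytes, PARSER)
    sig, = root.findall(".//" + DS + "Signature")  # exactly one Signature, else ValueError
    signed_elem = sig.getparent()
    signed_info = sig.find(DS + "SignedInfo")
    ref, = signed_info.findall(DS + "Reference")  # exactly one Reference, else ValueError
    # The Reference must name the element the Signature sits in, and that ID must be unique.
    uri = ref.get("URI", "")
    if not uri.startswith("#") or signed_elem.get("ID") != uri[1:]:
        raise ValueError("Reference URI does not name the signature's parent element")
    if len(root.xpath("//*[@ID=$id]", id=uri[1:])) != 1:
        raise ValueError("signed ID is not unique in the document")
    transforms = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
    c14n = signed_info.find(DS + "CanonicalizationMethod").get("Algorithm")
    if transforms != [ENVELOPED, EXC_C14N] or c14n != EXC_C14N:
        raise ValueError("unsupported transforms %r / canonicalization %s" % (transforms, c14n))
    algs = (ref.find(DS + "DigestMethod").get("Algorithm"), signed_info.find(DS + "SignatureMethod").get("Algorithm"))
    if algs[0] not in DIGEST_ALGS or algs[1] not in SIG_ALGS:
        raise ValueError("unsupported algorithms %r" % (algs,))
    # Step 1: the digest covers the canonicalized element with the signature removed.
    actual = hashlib.new(DIGEST_ALGS[algs[0]], exc_c14n(remove_enveloped_signature(signed_elem))).digest()
    if not hmac.compare_digest(actual, base64.b64decode(ref.find(DS + "DigestValue").text)):
        raise ValueError("DigestValue mismatch: the signed content was modified")
    # Step 2: the RSA signature covers the canonicalized SignedInfo, which holds that digest.
    sig_value = base64.b64decode(sig.find(DS + "SignatureValue").text)
    try:
        public_key.verify(sig_value, exc_c14n(signed_info), padding.PKCS1v15(), SIG_ALGS[algs[1]]())
    except InvalidSignature:
        raise ValueError("SignatureValue does not verify with the metadata key") from None
    return signed_elem

def sign_enveloped(xml_bytes, private_key, element_id):
    """Constructed signer for the sample: enveloped rsa-sha256 signature on the element with element_id."""
    root = etree.fromstring(xml_bytes, PARSER)
    target, = root.xpath("//*[@ID=$id]", id=element_id)
    digest = base64.b64encode(hashlib.sha256(exc_c14n(target)).digest()).decode()
    sig = etree.fromstring(
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="%s"/>'
        '<ds:SignatureMethod Algorithm="%s"/><ds:Reference URI="#%s"><ds:Transforms><ds:Transform Algorithm="%s"/>'
        '<ds:Transform Algorithm="%s"/></ds:Transforms><ds:DigestMethod Algorithm="%s"/><ds:DigestValue>%s'
        '</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue/></ds:Signature>'
        % (DS[1:-1], EXC_C14N, RSA_SHA256, element_id, ENVELOPED, EXC_C14N, SHA256, digest))
    target.insert(1, sig)  # SAML places ds:Signature right after saml:Issuer
    sig_value = private_key.sign(exc_c14n(sig.find(DS + "SignedInfo")), padding.PKCS1v15(), hashes.SHA256())
    sig.find(DS + "SignatureValue").text = base64.b64encode(sig_value).decode()
    return etree.tostring(root)

def rejected(xml, key):
    try:
        return verify_enveloped(xml, key) is None  # a returned element means it was accepted
    except ValueError:
        return True

def demo():
    """Sign a constructed assertion (not the question's), verify it, and show what gets rejected."""
    unsigned = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-assertion-id"'
                ' Version="2.0">\n  <saml:Issuer>https://idp.example.test</saml:Issuer>\n'
                '  <saml:Subject><saml:NameID>ben</saml:NameID></saml:Subject>\n</saml:Assertion>').encode()
    idp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    signed = sign_enveloped(unsigned, idp_key, "_constructed-assertion-id")
    forged = signed.replace(b">ben<", b">admin<")  # same document with one value changed
    # an unsigned copy of the forged assertion beside the genuine signed one, reusing its ID
    wrapped = b"<wrap>" + signed + etree.tostring(remove_enveloped_signature(etree.fromstring(forged))) + b"</wrap>"
    return {
        "signed_id": verify_enveloped(signed, idp_key.public_key()).get("ID"),
        "tampered_rejected": rejected(forged, idp_key.public_key()),
        "wrong_key_rejected": rejected(signed, rsa.generate_private_key(65537, 2048).public_key()),
        "wrapped_rejected": rejected(wrapped, idp_key.public_key()),
    }
```

To run this against a real response, load the IdP certificate from metadata with `cryptography.x509.load_pem_x509_certificate(pem_bytes).public_key()` and pass the unmodified response bytes to `verify_enveloped`; the algorithm tables accept the `rsa-sha1`/`sha1` pair only because the response in the question uses it, and a new deployment should require SHA-256. If xmlsec1 is preferred, note that the `Reference` URI in the question matches the Assertion's `ID`, so the element to register is the Assertion: `--id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion`.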

Thuan

Reputation: 1628

You can use this online tool to verify the signature: https://www.samltool.com/validate_response.php

I don't know if openssl or xmlsec1 can validate SAMLResponse's signature, but I know all popular programming languages have libraries/products for doing that. Some examples are:

C#: OIOSAML https://digitaliser.dk/group/42063/resources

PHP: Simplesamlphp

Java: opensaml or whatever you can find using Google.

Upvotes: 2
