dotnetdev_2009

Reputation: 791

SAML 2.0 Response and the KeyInfo element

All, I have a quick question on the SAML 2.0 response that I've been working with as part of my web SSO. We are the Identity Provider (IdP) and we send a SAML token to our Service Provider (SP). The SP wants us to sign the entire response before sending it. We sent the SP our public certificate already. Whose certificate details go under the <KeyInfo> element in the generated SAML 2.0 response? Is that the IdP's or the SP's? We don't have a public certificate from our SP yet.

<samlp2:Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_71b134e9-1ab3-4680-90a4-3b95c8530a59" Version="2.0" IssueInstant="2017-09-21T17:29:21.6178748Z" Destination="https://sp.com" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_79b534eb-9771-4d22-9d61-d4dc5997be70">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>RzEq/7vrq</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>jQCx6BZyoW+okh+zxwrd</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509IssuerSerial>
          <X509IssuerName>CN=CA, DC=us, DC=local</X509IssuerName>
          <X509SerialNumber>1248841732558767</X509SerialNumber>
        </X509IssuerSerial>
        <X509Certificate>MIIEpTCCA42gAwIBAgITOAAAARWJYtXzIdPzr</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp2:Status>
    <samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp2:Status>
  <saml2:Assertion Version="2.0" ID="_79b534eb-9771-4d22-9d61-d4dc5997be70" IssueInstant="2017-09-21T17:29:21.6208748Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://mycompany.com/</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">TestUser</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotBefore="2017-09-21T17:29:21.6218748Z" NotOnOrAfter="2017-09-21T17:33:21.6218748Z" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-09-21T17:29:21.6218748Z" NotOnOrAfter="2017-09-21T17:33:21.6218748Z" />
    <saml2:AuthnStatement AuthnInstant="2017-09-21T17:29:21.6228748Z" SessionNotOnOrAfter="2017-09-21T17:34:21.6228748Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml20:AttributeStatement xmlns:saml20="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml20:Attribute Name="MyCompany" NameFormat="www.sp.com">
        <saml20:AttributeValue>test value</saml20:AttributeValue>
      </saml20:Attribute>
    </saml20:AttributeStatement>
  </saml2:Assertion>
</samlp2:Response>

Upvotes: 1

Views: 1970

Answers (1)

Tomer Sela

Reputation: 491

The certificate in the Response should be the one of the IDP. This way the SP can be sure the IDP signed the response and it wasn't manipulated by the user agent (or anyone else).

Upvotes: 1
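The SP-side consequence of the answer, as an added example (not code from the question or the answer): the X509Certificate in KeyInfo is only a hint, so the SP pins the IdP certificate it received out of band and rejects a Response whose KeyInfo does not match it, and also checks that the single ds:Reference names the ID of the element enclosing the Signature, as SAML 2.0 Core requires. The certificate bytes and the response are constructed stand-ins; cryptographic verification of SignatureValue with an XML-DSig library still has to follow these checks.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
# Constructed stand-in for the IdP's DER certificate. A real SP takes it from
# metadata exchanged out of band (as the asker did), never from the message.
IDP_CERT_B64 = base64.b64encode(b"constructed-idp-certificate-der").decode()
PINNED_IDP_FINGERPRINT = hashlib.sha256(base64.b64decode(IDP_CERT_B64)).hexdigest()

def fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes, the usual form in which an IdP cert is pinned."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def check_signature_binding(response_xml: str, pinned_fp: str) -> list:
    """One findings dict per ds:Signature in the Response. These checks precede,
    not replace, cryptographic verification of SignatureValue."""
    findings = []
    root = ET.fromstring(response_xml)
    for parent in root.iter():  # ElementTree has no parent links, so walk down
        for sig in parent.findall(DS + "Signature"):
            cert = sig.findtext(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate") or ""
            refs = sig.findall(f"{DS}SignedInfo/{DS}Reference")
            algs = {t.get("Algorithm") for r in refs for t in r.findall(f"{DS}Transforms/{DS}Transform")}
            findings.append({
                # KeyInfo is a hint only; the SP decides which key it trusts.
                "keyinfo_is_pinned_idp": bool(cert) and fingerprint(cert) == pinned_fp,
                # SAML 2.0 Core 5.4.2: exactly one Reference, a same-document
                # reference to the ID of the element that encloses the Signature.
                "reference_is_enclosing_id": len(refs) == 1 and refs[0].get("URI") == "#" + parent.get("ID", ""),
                "enveloped_transform": ENVELOPED in algs,
            })
    return findings

def is_acceptable(response_xml: str, pinned_fp: str = PINNED_IDP_FINGERPRINT) -> bool:
    findings = check_signature_binding(response_xml, pinned_fp)
    return bool(findings) and all(all(f.values()) for f in findings)

# Constructed response in the shape of the question's, Signature bound to the Response.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_resp1"><ds:Transforms>
      <ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms></ds:Reference></ds:SignedInfo>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_assert1" Version="2.0"/>
</samlp:Response>"""
```

Fed the response from the question, the reference check fails: the Signature sits inside the Response but its Reference points at the Assertion's ID, so either the Signature belongs inside the Assertion or the Reference should name the Response's ID.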
