How to validate a SAML signature value


Solution 1

Encryption and signing are two different animals. Triple DES is a symmetric key method (same key used for encryption and decryption). Digital signatures, on the other hand, use asymmetric keys (private/public key pair), where the signature is computed using the private key, and can be validated using the public key. So if your customer wants to include signatures in XML they send you, then they need to provide you with their public key.

For encryption, what is typical in SAML is to use XMLEncryption, which defines an XML format for including encryption key information and encrypted data in your SAML messages. Since exchange of a static symmetric key is problematic -- if it's intercepted, the interceptor can both encrypt and decrypt any messages -- what can be done instead is to use a dynamic symmetric key that gets generated anew for each message, encrypt the message using the key, then encrypt that key with the public key of a private/public encryption key pair and send it along with the message. The encrypted symmetric key can only be decrypted using the private half of the key pair used to encrypt it.

So the most significant difference here, from a key perspective, is that for signing, the customer holds the private key and must share the public key with you, while for encryption, you hold the private key and must share the public key with the customer.
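The two key relationships this answer describes, as an added Go example that is not part of the answer and does not use OpenSAML, Triple DES or the XMLEncryption XML format: the customer signs with a private key that never leaves them and we verify with their public key; the customer encrypts to our public key with a fresh per-message symmetric key and only our private key can unwrap it. The assertion text, the choice of RSA-PSS with SHA-256 for signing and AES-256-GCM plus RSA-OAEP for the hybrid encryption, and the omission of XML canonicalisation are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample; a real assertion is XML and XML-DSig canonicalises it
// before hashing, a step this demo leaves out.
const SampleAssertion = "<saml:Assertion>constructed sample</saml:Assertion>"

// SignAssertion: customer side, customer's PRIVATE key (assumed: RSA-PSS/SHA-256).
func SignAssertion(custPriv *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPSS(rand.Reader, custPriv, crypto.SHA256, digest[:], nil)
}

// VerifyAssertion: our side, needs only the customer's PUBLIC key.
func VerifyAssertion(custPub *rsa.PublicKey, assertion, sig []byte) bool {
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPSS(custPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// EncryptedMessage mirrors what XMLEncryption carries (EncryptedData plus
// EncryptedKey), as Go fields instead of XML.
type EncryptedMessage struct {
	WrappedKey []byte // per-message AES key, RSA-OAEP encrypted to OUR public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // assertion encrypted under the per-message key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUs: customer side, OUR public key. A fresh symmetric key per
// message means a captured key never unlocks any other message.
func EncryptForUs(ourPub *rsa.PublicKey, plaintext []byte) (*EncryptedMessage, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ourPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedMessage{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptWithOurKey: our side, OUR private key. Only the private half unwraps
// the symmetric key, and GCM rejects any tampering with the body.
func DecryptWithOurKey(ourPriv *rsa.PrivateKey, m *EncryptedMessage) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ourPriv, m.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap per-message key (wrong private key?): %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

// RoundTrip plays both parties once: the customer signs and encrypts, we
// verify and decrypt, and a forged copy of the assertion must fail verification.
func RoundTrip() (sigOK, forgeryRejected bool, recovered string, err error) {
	custKey, err := rsa.GenerateKey(rand.Reader, 2048) // stays with the customer
	if err != nil {
		return
	}
	ourKey, err := rsa.GenerateKey(rand.Reader, 2048) // stays with us
	if err != nil {
		return
	}
	assertion := []byte(SampleAssertion)
	sig, err := SignAssertion(custKey, assertion)
	if err != nil {
		return
	}
	sigOK = VerifyAssertion(&custKey.PublicKey, assertion, sig)
	forged := bytes.Replace(assertion, []byte("sample"), []byte("forged"), 1)
	forgeryRejected = !VerifyAssertion(&custKey.PublicKey, forged, sig)
	msg, err := EncryptForUs(&ourKey.PublicKey, assertion)
	if err != nil {
		return
	}
	plain, err := DecryptWithOurKey(ourKey, msg)
	recovered = string(plain)
	return
}

func main() {
	fmt.Println(RoundTrip())
}
```

Note which key each function takes: nothing on our side ever holds the customer's private key, and nothing on the customer's side ever holds ours. That is the exchange the answer calls for, and it is the reason a shared static Triple DES key cannot give you a signature anyone else could check.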

Solution 2

If you want to validate the signature on the SAML Assertion or any of the Signable XML Objects, the OpenSAML WIKI has more information:

https://wiki.shibboleth.net/confluence/plugins/viewsource/viewpagesrc.action?pageId=3277047

You can look for 'Signature Verification Examples'.

This blog post also has an example as well:

https://blog.samlsecurity.com/2012/11/verifying-signatures-with-opensaml.html

To obtain a 'credential' for validation, see here: https://blog.samlsecurity.com/2011/03/getting-credentials-in-opensaml.html

For info on how to unmarshal XML into an Open SAML object, see here: https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManJavaCreateFromXML

Author: king

Updated on August 18, 2021

Comments

  • king, over 2 years ago

    I have a customer who is sending a Security key. The encryption they are using is triple DES. Every Assertion they send has a signature value which needs to be validated to give them necessary privileges. Can you give me a sample code which does this?

  • Stefan Rasmusson, almost 9 years ago
    I'm explaining all of this in detail in my new book, A Guide to OpenSAML, gumroad.com/l/a-guide-to-opensaml
  • GrandAdmiral, over 7 years ago
    Unfortunately the links and the book don't seem to cover how to construct the credential (used by the SignatureValidator() function) from the Signature inside the SAML.
  • asgs, over 3 years ago
    @StefanRasmusson the book is a little pricey (for non-US users), especially when it only covers the SP point of view. Just a thought I wanted to share.
