Sign SAML Response with or without Assertion Signature?

xml response signature saml sign
20,489

Solution 1

SAML is awful, every time I read answer they are almost correct, here is the correct algorithm distilled:

  1. SHA1 the canonical version of the Assertion.
  2. Generate a SignedInfo XML fragment with the SHA1 signature
  3. Sign the SignedInfo XML fragment, again the canonical form
  4. Take the SignedInfo, the Signature and the key info and create a Signature XML fragment
  5. Insert this SignatureXML into the Assertion ( should go right before the saml:subject)
  6. Now take the assertion(with the signature included) and insert it into the Response
  7. SHA1 this response
  8. Generate a SignedInfo XML fragment with the SHA1 signature
  9. Sign the SignedInfo XML fragment, again the canonical form
  10. Take the SignedInfo, the Signature and the key info and create a Signature XML fragment
  11. Insert this SignatureXML into the Response
  12. Add the XML version info to the response.

Thats it. SAML is completely awful. There are tons of little subtleties that make implementing SAML a nightmare(like calculating the canonical form of a subset of the XML(the assertion), also the XML version of XML documents is not included.

I finished my implementation, I hope never to revisit such pain again.

Solution 2

I believe the correct answer is B). Sign the Assertion first then sign the Response that contains the signed Assertion data. However, if a single Issuer/Entity (STS/IDP/etc) is signing both there is no real reason to sign the Assertion is there? Just sign the Protocol Message/Response which should include the Assertion data. This will cut down on processing requirements at the SP. For Web SSO, I've only ever seen both portions signed when you have a different entity signing the Assertion vs the Response.

Solution 3

If you're signing both, then the assertion MUST be signed first, then the response, because the response signature will be based on the entire contents of the response (including the assertion signature). So signing the assertion second would invalidate the response signature.

Share:
20,489
Panman
Author by

Panman

Updated on September 06, 2020

Comments

  • Panman
    Panman almost 4 years

    When signing a SAML Response that also has a signed Assertion, should I:

    A) Generate the Response signature without the Assertion signature. Then inject the Assertion signature after both signatures have been generated.

    B) Generate the Assertion signature and include it when generating the Response signature.

    C) Something else?

  • Duncan Jones
    Duncan Jones almost 5 years
    Generate a SignedInfo XML fragment with the SHA1 signature > I assume this should be "the SHA1 hash"?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Change Layout-background on click programmatically
How to remove hyperlink underline in Email Signature
Walmart retrieve stock/quantity and local store by providing zip code and id
SHIBBOLETH SP - Shibboleth handler invoked at an unconfigured location - Shibboleth.sso/Session/
sending xml response when a url is hit in php
How to get response as XML Document with Apache Httpclient api?
JQuery - Storing ajax response into global variable
How to read XML files in flutter?
Unresolved class 'MainActivity'
Modifying an XML file with Dart