[xmlsec] Difference between signature check for SAML and in the command line?

Yoann Gini yoann.gini at gmail.com
Sat Jul 2 23:22:01 UTC 2022


Hello,

I'm currently evaluating available libraries to handle SAML signatures (IDP side, having to sign, others will verify).

So far I'm doing basic testing with xmlsec command line in the following way:

xmlsec1 --sign --output signed.xml --privkey-pem key.pem --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" response.xml

Which seems to work, and which is validated by xmlsec using the following command:

xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-pem public.pem signed.xml

However, when I use online tools to confirm the whole SAML thing, I get a signature error. Both samltool.com (http://samltool.com/) and samltest.id (http://samltest.id/) fail to validate the signature.

The signed SAML Response is available here: https://pastebin.com/MgQtpHRJ

The public key used for signing is:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3MHc5AwDkhMjlfXjxDmc
C6F1swbYEhGvyTItZwKQ2dyFxx2D6xMM1zX7EEObrVwSvJzbqcqDTC/kcZ0lN5Un
+a38qSo0ZVo68OQx8j7elHByTuW19eItNbSkubGlgSKWbvFZqGmMJcJ/GAhwVIFR
JJ77HmaoJjCwJSEMea+Ul0LYOcT5TKXwdGa8iPAnTq1o7LjM5B2Rz0LXU+OcvphO
QjQbrbxOc8XGspfAiD4IOf7uRjD9gDirBRGY77Po4B0FOF+PX+AkREWtCX+iv/RV
zs1SSwmOMTVchyynfgRXnRjex37vAjOJR2DdTj8yrRZJcGKIq6wXoIPLJnDNuhVD
BwIDAQAB
-----END PUBLIC KEY-----

If you test with samltool, you will need:
— IDP Entity ID: http://127.0.0.1:8080/saml/sso
— SP Entity ID: https://samltest.id/saml/sp
— SP ACS: https://samltest.id/Shibboleth.sso/SAML2/POST
— Target URL: https://samltest.id/Shibboleth.sso/SAML2/POST

My question is about the difference between a "normal" XML Signature and a signature in the context of SAML.

Can someone on this list tell me if there are some specificities in the signature of SAML that I've missed?

Considering the sample content, if someone knowledgeable in SAML signed response has the time, is there an obvious mistake here?

Best regards,
Yoann Gini
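The post above asks what a SAML verifier expects beyond a generic XML Signature. The following checker is an added example, not code from the poster or from the xmlsec project, and it does not diagnose the pastebin file (which is not reproduced here). It applies the structural rules from SAML 2.0 Core section 5.4 that online validators enforce before they even reach the cryptography: the signature must be enveloped (a direct child of the signed Response or Assertion), SignedInfo must hold exactly one Reference whose URI is "#" plus the root element's ID, that Reference must carry the enveloped-signature transform, and exclusive canonicalization is the recommended method. It uses only the Python standard library, so it checks structure only; digest and RSA verification are left to `xmlsec1 --verify`. The embedded Response, its ID value `_resp1` and the DigestValue/SignatureValue strings are constructed placeholders.

```python
"""Structural checks a SAML 2.0 verifier applies to an enveloped XML signature.
Added example (not from the original mailing-list post); standard library only,
so it checks placement and SignedInfo structure, not digests or the RSA signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SAML_ROOTS = {"{%s}Response" % NS["samlp"], "{%s}Assertion" % NS["saml"]}


def check_saml_signature(xml_text):
    """Return a list of findings; an empty list means the signature is placed
    and referenced the way SAML 2.0 Core section 5.4 requires."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag not in SAML_ROOTS:
        findings.append("root element %s is not a SAML Response or Assertion" % root.tag)
    root_id = root.get("ID")
    if not root_id:
        findings.append("signed root element has no ID attribute")

    # Enveloped signature: ds:Signature must be a direct child of the signed element.
    sigs = root.findall("ds:Signature", NS)
    if len(sigs) != 1:
        findings.append("expected one ds:Signature as a direct child of the root, found %d" % len(sigs))
        return findings
    sig = sigs[0]

    # Exclusive C14N is the canonicalization SAML 2.0 recommends for SignedInfo.
    c14n = sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS)
    algo = c14n.get("Algorithm") if c14n is not None else None
    if algo not in (EXC_C14N, EXC_C14N + "WithComments"):
        findings.append("CanonicalizationMethod is %r; SAML 2.0 recommends exclusive C14N" % algo)

    # Exactly one same-document Reference to the root element's ID.
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        findings.append("expected exactly one ds:Reference, found %d" % len(refs))
        return findings
    ref = refs[0]
    uri = ref.get("URI", "")
    if root_id and uri != "#" + root_id:
        findings.append("Reference URI %r does not point at the root ID %r" % (uri, "#" + root_id))

    # The Reference must drop the signature itself before digesting.
    transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    if ENVELOPED not in transforms:
        findings.append("Reference lacks the enveloped-signature transform")
    return findings


# Constructed sample: a minimal signed Response laid out as SAML verifiers expect.
# DigestValue and SignatureValue are placeholders, not real cryptographic values.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2022-07-02T23:22:01Z"
    Destination="https://samltest.id/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>http://127.0.0.1:8080/saml/sso</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>CONSTRUCTED-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>CONSTRUCTED-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

# Constructed variant: inclusive C14N and a whole-document Reference (URI="").
# A generic XML-DSig verifier may accept this; SAML validators reject it.
BAD_RESPONSE = (
    GOOD_RESPONSE
    .replace('<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>',
             '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>')
    .replace('URI="#_resp1"', 'URI=""')
)

if __name__ == "__main__":
    for label, doc in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_signature(doc) or "ok")
```

Run it against your own signed.xml by passing the file contents to `check_saml_signature`; a non-empty list names the SAML-specific rule the document breaks even when `xmlsec1 --verify` reports the signature as cryptographically valid.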