[xmlsec] Difference between signature check for SAML and in the command line?

Yoann Gini yoann.gini at gmail.com
Sat Jul 2 23:22:01 UTC 2022


I'm currently evaluating available libraries to handle SAML signatures (IDP side: I have to sign, others will verify).

So far I'm doing basic testing with xmlsec command line in the following way:

xmlsec1 --sign --output signed.xml --privkey-pem key.pem --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" response.xml

Which seems to work, and which xmlsec validates using the following command:

xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-pem public.pem signed.xml

However, when I use online tools to confirm the whole SAML thing, I get a signature error. Both samltool.com (http://samltool.com/) and samltest.id (http://samltest.id/) fail to validate the signature.

The signed SAML Response is available here: https://pastebin.com/MgQtpHRJ

The public key used for signing is:
-----END PUBLIC KEY-----

If you test with samltool, you will need:
— IDP Entity ID: <>
— SP Entity ID: https://samltest.id/saml/sp
— SP ACS: https://samltest.id/Shibboleth.sso/SAML2/POST
— Target URL: https://samltest.id/Shibboleth.sso/SAML2/POST

My question is about the difference between a "normal" XML Signature and a signature in the context of SAML.

Can someone on this list tell me if there are some specificities in SAML signatures that I've missed?

Considering the sample content, if someone knowledgeable in signed SAML responses has the time, is there an obvious mistake here?

Best regards,
Yoann Gini
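Added example, not part of the post above nor of the xmlsec project: a stdlib-only check of the SAML 2.0 Core section 5.4 constraints that make a SAML signature stricter than a generic XML Signature (enveloped signature placed right after the Issuer, exactly one Reference pointing at the root element's ID, exclusive canonicalization, no other transforms). The sample Response and its digest/signature values are constructed placeholders; this checks the signature's shape only, not its cryptographic validity.

```python
import xml.etree.ElementTree as ET
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = {"http://www.w3.org/2001/10/xml-exc-c14n#",
            "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"}

def saml_signature_problems(xml_text: str) -> list[str]:
    """Return SAML Core 5.4 profile violations in a signed samlp:Response (empty = OK)."""
    root = ET.fromstring(xml_text)
    sig = root.find(DS + "Signature")
    if root.tag != SAMLP + "Response" or sig is None:
        return ["root is not a samlp:Response carrying an enveloped ds:Signature"]
    problems = []
    tags = [c.tag for c in root]
    # 5.4.2: in the schema order only saml:Issuer may precede ds:Signature
    if any(t != SAML + "Issuer" for t in tags[:tags.index(sig.tag)]):
        problems.append("ds:Signature must directly follow saml:Issuer")
    refs = sig.findall(f"{DS}SignedInfo/{DS}Reference")
    if len(refs) != 1:
        return problems + [f"expected exactly one ds:Reference, found {len(refs)}"]
    if refs[0].get("URI") != "#" + root.get("ID", ""):  # 5.4.2: points at root ID
        problems.append(f"Reference URI {refs[0].get('URI')!r} != '#' + Response ID")
    algs = [t.get("Algorithm") for t in refs[0].iter(DS + "Transform")]
    if ENVELOPED not in algs:
        problems.append("enveloped-signature transform missing")
    if any(a != ENVELOPED and a not in EXC_C14N for a in algs):  # 5.4.4
        problems.append("transforms other than enveloped/exclusive c14n present")
    c14n = sig.find(f"{DS}SignedInfo/{DS}CanonicalizationMethod")
    if c14n is None or c14n.get("Algorithm") not in EXC_C14N:  # 5.4.4
        problems.append("CanonicalizationMethod should be exclusive c14n")
    return problems

# Constructed sample with placeholder digest/signature values: placement and Reference
# URI are right, but inclusive c14n is used and the enveloped transform is missing.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_resp1"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""
```

Run `saml_signature_problems(SAMPLE)` to list the two violations; a document that passes this shape check can still fail cryptographically, so it complements rather than replaces `xmlsec1 --verify`.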