[xmlsec] Difference between signature check for SAML and in the command line?
Aleksey Sanin
aleksey at aleksey.com
Sun Jul 3 00:54:47 UTC 2022
BTW, did you submit the trusted IdP X509 certificate to the samltool?
https://www.samltool.com/validate_response.php
You also probably want to put KeyInfo with X509 cert (or full certs chain) for the private key used for signing into the signature itself.
Best,
Aleksey
> On Jul 2, 2022, at 8:43 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> What error(s) do you get from these tools?
>
> Aleksey
>
>>> On Jul 2, 2022, at 7:22 PM, Yoann Gini <yoann.gini at gmail.com> wrote:
>>>
>> Hello,
>>
>> I'm currently evaluating available library to handle SAML signature (IDP side, having to sign, others will verify).
>>
>> So far I'm doing basic testing with xmlsec command line in the following way:
>>
>> xmlsec1 --sign --output signed.xml --privkey-pem key.pem --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" response.xml
>>
>> Which seems to works. And which is validated xmlsec using the following command:
>>
>> xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-pem public.pem signed.xml
>>
>> However, when I use online tools to confirm the whole SAML things, I get a signature error. Both samltool.com and samltest.id fail to valid the signature.
>>
>> The signed SAML Response is available here https://pastebin.com/MgQtpHRJ
>>
>> The public key used for signing is:
>> -----BEGIN PUBLIC KEY-----
>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3MHc5AwDkhMjlfXjxDmc
>> C6F1swbYEhGvyTItZwKQ2dyFxx2D6xMM1zX7EEObrVwSvJzbqcqDTC/kcZ0lN5Un
>> +a38qSo0ZVo68OQx8j7elHByTuW19eItNbSkubGlgSKWbvFZqGmMJcJ/GAhwVIFR
>> JJ77HmaoJjCwJSEMea+Ul0LYOcT5TKXwdGa8iPAnTq1o7LjM5B2Rz0LXU+OcvphO
>> QjQbrbxOc8XGspfAiD4IOf7uRjD9gDirBRGY77Po4B0FOF+PX+AkREWtCX+iv/RV
>> zs1SSwmOMTVchyynfgRXnRjex37vAjOJR2DdTj8yrRZJcGKIq6wXoIPLJnDNuhVD
>> BwIDAQAB
>> -----END PUBLIC KEY-----
>>
>> If you test with samltool, you will need
>> — IDP Entity ID: http://127.0.0.1:8080/saml/sso
>> — SP Entity ID: https://samltest.id/saml/sp
>> — SP ACS: https://samltest.id/Shibboleth.sso/SAML2/POST
>> — Target URL: https://samltest.id/Shibboleth.sso/SAML2/POST
>>
>> My question is about difference between "normal" XML Signature and signature in the context of SAML.
>>
>> Does someone on this list can tell me if there is some specificities in the signature of SAML that I've missed?
>>
>> Considering the sample content, if someone knowledgeable in SAML signed response has the time, is there an obvious mistake here?
>>
>> Best regards,
>> Yoann Gini
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20220702/7bb4ccc9/attachment.htm>
More information about the xmlsec
mailing list