[xmlsec] Difference between signature check for SAML and in the command line?

Aleksey Sanin aleksey at aleksey.com
Sun Jul 3 00:54:47 UTC 2022

BTW, did you submit the trusted IdP X509 certificate to the samltool?


You also probably want to put a KeyInfo with the X509 cert (or the full cert chain) for the private key used for signing into the signature itself.


> On Jul 2, 2022, at 8:43 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> What error(s) do you get from these tools?
> Aleksey
>>> On Jul 2, 2022, at 7:22 PM, Yoann Gini <yoann.gini at gmail.com> wrote:
>> Hello,
>> I'm currently evaluating available libraries to handle SAML signatures (IdP side, having to sign, others will verify).
>> So far I'm doing basic testing with xmlsec command line in the following way:
>> xmlsec1 --sign --output signed.xml --privkey-pem key.pem --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" response.xml
>> Which seems to work. And which is validated by xmlsec using the following command:
>> xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-pem public.pem signed.xml
>> However, when I use online tools to confirm the whole SAML thing, I get a signature error. Both samltool.com and samltest.id fail to validate the signature.
>> The signed SAML Response is available here https://pastebin.com/MgQtpHRJ
>> The public key used for signing is:
>> -----BEGIN PUBLIC KEY-----
>> C6F1swbYEhGvyTItZwKQ2dyFxx2D6xMM1zX7EEObrVwSvJzbqcqDTC/kcZ0lN5Un
>> +a38qSo0ZVo68OQx8j7elHByTuW19eItNbSkubGlgSKWbvFZqGmMJcJ/GAhwVIFR
>> JJ77HmaoJjCwJSEMea+Ul0LYOcT5TKXwdGa8iPAnTq1o7LjM5B2Rz0LXU+OcvphO
>> QjQbrbxOc8XGspfAiD4IOf7uRjD9gDirBRGY77Po4B0FOF+PX+AkREWtCX+iv/RV
>> zs1SSwmOMTVchyynfgRXnRjex37vAjOJR2DdTj8yrRZJcGKIq6wXoIPLJnDNuhVD
>> -----END PUBLIC KEY-----
>> If you test with samltool, you will need
>> — IDP Entity ID:
>> — SP Entity ID: https://samltest.id/saml/sp
>> — SP ACS: https://samltest.id/Shibboleth.sso/SAML2/POST
>> — Target URL: https://samltest.id/Shibboleth.sso/SAML2/POST
>> My question is about the difference between a "normal" XML Signature and a signature in the context of SAML.
>> Can someone on this list tell me if there are some specificities in the signature of SAML that I've missed?
>> Considering the sample content, if someone knowledgeable in SAML signed responses has the time, is there an obvious mistake here?
>> Best regards,
>> Yoann Gini
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
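The two points raised in the reply above (hand the relying party the IdP certificate, and embed that certificate in ds:KeyInfo so the verifier can find and trust it) as one runnable script. This is an added example, not code from the thread or from the xmlsec project; it assumes openssl and xmlsec1 are on PATH, and the SAML Response, entity IDs, key, certificate and file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from xmlsec). Assumes openssl and
# xmlsec1 on PATH; the Response, IDs, key, cert and file names are constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}
SAMLP='urn:oasis:names:tc:SAML:2.0:protocol'

# Throwaway IdP signing key + self-signed cert. The cert is what an SP,
# samltool.com or samltest.id must be given as the trusted IdP certificate.
make_idp_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=idp.example.invalid' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Response carrying a ds:Signature template: xmlsec1 fills in DigestValue,
# SignatureValue and X509Data. The Reference URI must be "#" + the Response ID,
# the Signature sits right after Issuer (SAML Core ordering), and the empty
# <ds:X509Data/> tells xmlsec1 to embed the signing certificate.
write_template() {
    cat > "$WORK/response.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="$SAMLP" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2022-07-02T00:00:00Z"
    Destination="https://samltest.id/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
    <ds:KeyInfo><ds:X509Data/></ds:KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>
EOF
}

# Sign with the private key AND its cert ("key,cert" form) so the cert lands
# in KeyInfo. --id-attr:ID registers the Response ID for the "#_resp1" lookup.
sign_response() {
    xmlsec1 --sign --output "$WORK/signed.xml" \
        --privkey-pem "$WORK/key.pem,$WORK/cert.pem" \
        --id-attr:ID "$SAMLP:Response" "$WORK/response.xml" >/dev/null 2>&1
}

# True if the signed document now carries the cert in X509Certificate.
has_embedded_cert() {
    grep -q 'X509Certificate>' "$WORK/signed.xml"
}

# Verify the way a relying party does: against a trusted cert, not a bare
# public key. xmlsec1 then checks both the signature and that the cert found
# in KeyInfo chains to the trusted one.   $1 = trusted cert, $2 = document
verify_response() {
    xmlsec1 --verify --trusted-pem "$1" \
        --id-attr:ID "$SAMLP:Response" "$2" >/dev/null 2>&1
}

# Negative check: changing one signed attribute must break verification.
tampered_is_rejected() {
    sed 's#Destination="https://samltest.id#Destination="https://evil.example#' \
        "$WORK/signed.xml" > "$WORK/tampered.xml"
    if verify_response "$WORK/cert.pem" "$WORK/tampered.xml"; then return 1; fi
    return 0
}

# Negative check: valid signature, but the verifier trusts a different cert
# (what a tool sees when it is given the wrong IdP certificate).
wrong_cert_is_rejected() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=other' \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
    if verify_response "$WORK/other.pem" "$WORK/signed.xml"; then return 1; fi
    return 0
}

run_demo() {
    make_idp_keypair
    write_template
    sign_response
    has_embedded_cert
    verify_response "$WORK/cert.pem" "$WORK/signed.xml"
    tampered_is_rejected
    wrong_cert_is_rejected
    echo "signed with embedded cert, verified; tampered and wrong-cert cases rejected ($WORK)"
}

if command -v xmlsec1 >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "skipping: needs xmlsec1 and openssl on PATH" >&2
fi
```

The `--verify --pubkey-pem` command from the original message only proves the signature math against a key you already chose; `--trusted-pem` additionally requires the certificate carried in KeyInfo to chain to something you trust, which is what an SP does with the certificate from the IdP metadata. Two things have to line up on both sides for either to work: the same `--id-attr:ID` registration of the Response element, and a Reference URI that matches the Response's ID attribute.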