[xmlsec] Difference between signature check for SAML and in the command line?

Timothy Legge timlegge at gmail.com
Sun Jul 3 02:09:59 UTC 2022


The SamlResponse does not include a key type or  KeyInfo in the
document.  I tested against perl's XML::Sig and that was the result.
It is likely possible to validate if I had the public certificate in
PEM format (not the public key itself).

https://www.samltool.com/validate_response.php requires the public
certificate to validate against.


Timothy Legge
timlegge at gmail.com
timlegge at cpan.org

On Sat, Jul 2, 2022 at 8:23 PM Yoann Gini <yoann.gini at gmail.com> wrote:
> Hello,
> I'm currently evaluating available library to handle SAML signature (IDP side, having to sign, others will verify).
> So far I'm doing basic testing with xmlsec command line in the following way:
> xmlsec1 --sign --output signed.xml --privkey-pem key.pem --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" response.xml
> Which seems to works. And which is validated xmlsec using the following command:
> xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-pem public.pem signed.xml
> However, when I use online tools to confirm the whole SAML things, I get a signature error. Both samltool.com and samltest.id fail to valid the signature.
> The signed SAML Response is available here https://pastebin.com/MgQtpHRJ
> The public key used for signing is:
> -----BEGIN PUBLIC KEY-----
> C6F1swbYEhGvyTItZwKQ2dyFxx2D6xMM1zX7EEObrVwSvJzbqcqDTC/kcZ0lN5Un
> +a38qSo0ZVo68OQx8j7elHByTuW19eItNbSkubGlgSKWbvFZqGmMJcJ/GAhwVIFR
> JJ77HmaoJjCwJSEMea+Ul0LYOcT5TKXwdGa8iPAnTq1o7LjM5B2Rz0LXU+OcvphO
> QjQbrbxOc8XGspfAiD4IOf7uRjD9gDirBRGY77Po4B0FOF+PX+AkREWtCX+iv/RV
> zs1SSwmOMTVchyynfgRXnRjex37vAjOJR2DdTj8yrRZJcGKIq6wXoIPLJnDNuhVD
> -----END PUBLIC KEY-----
> If you test with samltool, you will need
> — IDP Entity ID:
> — SP Entity ID: https://samltest.id/saml/sp
> — SP ACS: https://samltest.id/Shibboleth.sso/SAML2/POST
> — Target URL: https://samltest.id/Shibboleth.sso/SAML2/POST
> My question is about difference between "normal" XML Signature and signature in the context of SAML.
> Does someone on this list can tell me if there is some specificities in the signature of SAML that I've missed?
> Considering the sample content, if someone knowledgeable in SAML signed response has the time, is there an obvious mistake here?
> Best regards,
> Yoann Gini
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list