
How to create a signed AuthNRequest?

I am interfacing with an IDP and have a basic AuthNRequest created as follows:

<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="IDTest1"
  Version="2.0"
  IssueInstant="2013-03-04T09:21:59"
  AssertionConsumerServiceIndex="0"
  AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://myapp.com/saml2/sp</saml:Issuer>
  <samlp:NameIDPolicy
    AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

The IDP wants me to send the request signed. My questions are:

  1. How do I set the DigestValue?
  2. How do I set the SignatureValue?
  3. For the X509Certificate, I set the public key of my app. Correct?
  4. What is the data that is used to compute any of these values? Is it my original AuthnRequest without the Signature element?
gbhakta asked Mar 06 '13 18:03



2 Answers

Your question is inadequate!

The AuthRequest you're sending seems to be a REDIRECT request, where you will not see Digest, Signature and Certificate, since all these details will be in the URL as parameters.

Try using a POST SSO request, where you will see Digest, Signature and Certificate in the SAML request.

Some of the points:

Common

  • Both IdP and SP should share their Metadata, which will have their basic configuration like id, signing algorithm, hashing method, public key, etc.
  • So, based on the contract with the IdP, you should hash and sign your request in your preferred programming language.

SP:

  • You should encrypt using your public key.
  • You should sign using your private key.
  • You should encode your request using Base64.

IdP:

  • They will identify you using the public key in the request.
  • They will respond back with encrypted and signed XML.
  • You should decrypt and unsign the response.

Quick Links

  1. Official Doc about SAML 2.0

  2. SAML Online Tool by OneLogin

Aravin answered Sep 30 '22 20:09
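The answer above says a REDIRECT request carries its signature in URL parameters rather than as Digest/Signature/Certificate elements. As an added example (not code from the question or from either answer), this Go program shows that HTTP-Redirect binding with only the standard library: the SP side DEFLATEs and base64-encodes the AuthnRequest, signs the exact string SAMLRequest=...&SigAlg=..., and the IdP side verifies it with the SP's public key. Function names, the RSA-SHA256 choice and the key (generated at test time) are assumptions; the real IdP metadata dictates the algorithm, and the POST binding's enveloped XML signature (canonicalised XML, DigestValue, SignatureValue) is a separate procedure best left to an XML-DSig library.

```go
package main

import (
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)

const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // agreed via IdP metadata

// EncodeRedirectRequest: raw DEFLATE (no zlib header) then base64, as the HTTP-Redirect binding requires.
func EncodeRedirectRequest(xmlRequest string) string {
	var buf strings.Builder
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // fails only on a bad level
	w.Write([]byte(xmlRequest))
	w.Close()
	return base64.StdEncoding.EncodeToString([]byte(buf.String()))
}

// SignedQuery builds the query the SP redirects with. The signed bytes are exactly
// "SAMLRequest=<v>&SigAlg=<v>" (URL-encoded; a RelayState, if used, goes between them);
// Signature = base64(RSA-SHA256 over that string) is appended afterwards.
func SignedQuery(key *rsa.PrivateKey, encodedRequest string) (string, error) {
	q := "SAMLRequest=" + url.QueryEscape(encodedRequest) + "&SigAlg=" + url.QueryEscape(SigAlgRSASHA256)
	digest := sha256.Sum256([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery is the IdP-side check with the SP's public key: rebuild the signed string from the
// values exactly as received (never re-encoded, in any URL order), check SigAlg is the agreed one, verify.
func VerifyRedirectQuery(pub *rsa.PublicKey, query string) bool {
	raw := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	alg, _ := url.QueryUnescape(raw["SigAlg"]) // "" on error, which fails the check below
	if alg != SigAlgRSASHA256 { return false }
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256([]byte("SAMLRequest=" + raw["SAMLRequest"] + "&SigAlg=" + raw["SigAlg"]))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```

The public key the IdP verifies with is the one in the SP metadata's signing KeyDescriptor, so the private key used in SignedQuery must be the one matching that certificate.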


Just to note that a lot of this is covered in the documentation:

SAML metadata.

To have the request signed you need to add something like this (normally found in the sp.xml):

<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

The signing key would look something like:

<KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>
                MIIDWTC...CAkGgAwIBAgIEe+a+/uaSZCp5g2z+hRWRV+DyfQc9nO
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</KeyDescriptor>

where the MII... is the public key.

As per @Stefan, it's much easier to use a library.

rbrayb answered Sep 30 '22 19:09