
How to validate a SAML signature value

I have a customer who is sending a security key. The encryption they are using is Triple DES. Every Assertion they send has a signature value which needs to be validated to give them the necessary privileges. Can you give me some sample code which does this?

king asked Feb 02 '10 16:02


People also ask

How does SAML signature validation work?

Typically an end-user will authenticate to an intermediary, who generates a SAML authentication assertion to prove that it has authenticated the user. The intermediary will usually sign the assertion as proof that only it could have signed the assertion, and also to guarantee the integrity of the assertion.

What is SAML response signature value?

A <Signature> element indicates the SAML metadata XML has been signed. An <X509Certificate> under an <IDPSSODescriptor> or <SPSSODescriptor> is a certificate associated with the identity provider or service provider.

How is a SAML token validated?

The SAML Response is sent by an Identity Provider and received by a Service Provider. The validation process checks who sent the message (IdP EntityId), who received the SAML Response (SP EntityId) and where (SP Attribute Consume Service Endpoint), and what the final destination is (Target URL, Destination).


2 Answers

Encryption and signing are two different animals. Triple DES is a symmetric key method (same key used for encryption and decryption). Digital signatures, on the other hand, use asymmetric keys (private/public key pair), where the signature is computed using the private key, and can be validated using the public key. So if your customer wants to include signatures in XML they send you, then they need to provide you with their public key.

For encryption, what is typical in SAML is to use XMLEncryption, which defines an XML format for including encryption key information and encrypted data in your SAML messages. Since exchange of a static symmetric key is problematic -- if it's intercepted, the interceptor can both encrypt and decrypt any messages -- what can be done instead is to use a dynamic symmetric key that gets generated anew for each message, encrypt the message using the key, then encrypt that key with the public key of a private/public encryption key pair and send it along with the message. The encrypted symmetric key can only be decrypted using the private half of the key pair used to encrypt it.

So the most significant difference here, from a key perspective, is that for signing, the customer holds the private key and must share the public key with you, while for encryption, you hold the private key and must share the public key with the customer.

JST answered Sep 22 '22 06:09


If you want to validate the signature on the SAML Assertion or any of the Signable XML Objects, the OpenSAML WIKI has more information:

https://wiki.shibboleth.net/confluence/plugins/viewsource/viewpagesrc.action?pageId=3277047

You can look for 'Signature Verification Examples'.

This blog post has an example as well:

https://blog.samlsecurity.com/2012/11/verifying-signatures-with-opensaml.html

To obtain a 'credential' for validation, see here: https://blog.samlsecurity.com/2011/03/getting-credentials-in-opensaml.html

For info on how to unmarshal XML into an OpenSAML object, see here: https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManJavaCreateFromXML

Yogesh Chawla answered Sep 18 '22 06:09