HTTP-Redirect Binding SAML Request

Suppose SP-initiated SSO is carried out, HTTP-Redirect Binding is used instead of HTTP-POST Binding and a signed AuthnRequest is required. That means the SAMLRequest has to be included in the URL.

Q1. Do I need to include the signature in the URL, or just embed it in the SAMLRequest?

The redirect URL is

http://idp.example.com/SSOService.php?SAMLRequest={val1}&Signature={val2}&SigAlg={val3}

with my SAMLRequest (without signature)

<samlp:AuthnRequest ID="" Version="2.0" IssueInstant="2015-05-22T02:47:38Z" Destination="" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" />
    <!-- AuthnContextClassRef is a child of RequestedAuthnContext, not a sibling of it -->
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

or

http://idp.example.com/SSOService.php?SAMLRequest={val1}

with my SAMLRequest (embed with signature)

<samlp:AuthnRequest ID="" Version="2.0" IssueInstant="2015-05-22T02:47:38Z" Destination="" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
    <!-- the SAML schema places ds:Signature directly after Issuer, before NameIDPolicy -->
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>v5h...</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>M4...</SignatureValue>
    </Signature>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Q2. Is it correct to base64-encode and then URL-encode the values of the URL parameters?

Q3. The X509 certificate is included in my SP metadata; is it base64-encoded?

I have a cert.pem file for the certificate. Do I need to base64-encode it, or just include the certificate directly?

-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

SPMetadata.xml

<KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>MIIFnzCCA4egAwI...</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</KeyDescriptor>

tony.0919 asked May 22 '15 05:05

1 Answer

A1: When using the Redirect binding you put the signature in the URL query parameters.

A2: All URL query parameters should be URL-encoded; just the SAML Request should be compressed and base64-encoded in addition to that.

A3: Use the PEM format, since that is base64-encoded already, but leave out the start and end delimiters (----BEGIN-- and ----END CERT...).

Hans Z. answered Oct 12 '22 11:10
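The three answers above describe one pipeline: raw-DEFLATE and base64 the AuthnRequest, URL-encode every parameter, sign the URL-encoded string `SAMLRequest=...[&RelayState=...]&SigAlg=...` in exactly that order, append the base64 signature as `Signature`, and on the IdP side reconstruct the same string before checking it. The following is an added example, not code from the question or the answer, showing both the SP (build) and IdP (verify) sides plus the PEM-to-`ds:X509Certificate` conversion from A3. The `AuthnRequest`, the key and the IdP URL are constructed sample values. The signer is a hypothetical HMAC stand-in (`demo_sign`/`demo_verify`) so the block runs with the standard library only; a real SP signs with its RSA private key and the IdP verifies with the certificate from SP metadata, as the `SigAlg` URI indicates.

```python
import base64
import hashlib
import hmac
import zlib
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample AuthnRequest; the Issuer is a placeholder, not a real SP.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest ID="_placeholder-id" Version="2.0" '
    'IssueInstant="2015-05-22T02:47:38Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Verifier-side allowlist: reject anything the IdP does not explicitly accept
# (e.g. the legacy rsa-sha1 URI) before doing any signature work.
ALLOWED_SIG_ALGS = {SIG_ALG_RSA_SHA256}


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15) then base64: the A2 encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64, used by the IdP after the signature checks out."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signed_string(saml_request: str, relay_state, sig_alg: str) -> str:
    """The exact octets that are signed: URL-encoded values in this fixed order.
    Both sides must use the same percent-encoding routine; encoder mismatches
    (e.g. '+' versus '%20') are a classic interop failure here."""
    parts = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in parts)


def build_redirect_url(idp_sso_url, authn_request_xml, relay_state, sign,
                       sig_alg=SIG_ALG_RSA_SHA256) -> str:
    """SP side (A1): the signature travels as a separate query parameter."""
    to_sign = signed_string(deflate_b64(authn_request_xml), relay_state, sig_alg)
    signature = base64.b64encode(sign(to_sign.encode("utf-8"))).decode("ascii")
    return f"{idp_sso_url}?{to_sign}&Signature={quote(signature, safe='')}"


def verify_redirect_url(url: str, verify) -> str:
    """IdP side: check SigAlg, rebuild the signed string, verify, then inflate."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    for name in ("SAMLRequest", "SigAlg", "Signature"):
        if name not in params:
            raise ValueError(f"missing query parameter {name}")
    if params["SigAlg"] not in ALLOWED_SIG_ALGS:
        raise ValueError("SigAlg not allowed")
    to_sign = signed_string(params["SAMLRequest"], params.get("RelayState"),
                            params["SigAlg"])
    if not verify(to_sign.encode("utf-8"), base64.b64decode(params["Signature"])):
        raise ValueError("signature check failed")
    return inflate_b64(params["SAMLRequest"])


def pem_to_x509certificate_text(pem: str) -> str:
    """A3: strip the PEM armour; the base64 body goes straight into ds:X509Certificate."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM certificate")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)  # fail early on a mangled body
    return body


# Hypothetical stand-in signer (HMAC with a constructed key) so the example is
# self-contained. A real deployment uses RSA per the SigAlg URI above.
DEMO_KEY = b"constructed-demo-key"


def demo_sign(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), signature)


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.com/SSOService.php",
                             SAMPLE_AUTHN_REQUEST, "state 1", demo_sign)
    print(url)
    print(verify_redirect_url(url, demo_verify) == SAMPLE_AUTHN_REQUEST)
```

Note that `verify_redirect_url` refuses to inflate the request until the signature has been checked, and that it re-encodes the decoded parameters with the same `quote` routine the SP used; an IdP fed by a different encoder should verify over the raw query substring as received rather than re-encoding.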