My application (PHP) gets the SAML response back from OKTA, which has the signature value, and I also have OKTA's certificate, which has the public key. My application does the following:
My code:
// OKTA's certificate (PEM) -> public key resource -> PEM-encoded public key string
$pubkeyid = openssl_pkey_get_details(openssl_pkey_get_public(file_get_contents("okta.cert")));
$pubkeyid = $pubkeyid["key"];
$signature = "<get it from SAML Response>"; // the SignatureValue from the SAML Response
$data = ???? (what should be provided)
$ok = openssl_verify($data, $signature, $pubkeyid, "sha1WithRSAEncryption");
I always get 0 when I assign the value of data to be the SAML Response sent to the application. Am I missing something?
SAML signature verification is much more than calling the openssl_verify() function. I would suggest using some library for that purpose, like https://github.com/lightSAML/lightSAML.
In that case, using LightSAML-Core, signature validation can be done as explained on their cookbook page http://www.lightsaml.com/LightSAML-Core/Cookbook/How-to-verify-signature-of-SAML-message/ in the following steps:
- call the validate() method on the response signature property
Note that proper handling of the Response is still more than just validating the signature. The complete SAML Web Browser SSO profile requires additional verifications, which LightSAML also implements.
You might check LightSAML/SpBundle if you're using Symfony, since it implements the full SAML SSO profile and integrates with Symfony's security, making SAML SSO quite easy to implement.
If you're really into doing it yourself from scratch, you can check how xmlseclibs does it, for example in one of its maintained forks at https://github.com/robrichards/xmlseclibs.
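To make concrete why the raw Response is the wrong input to openssl_verify(), here is an added example of what a from-scratch check of an enveloped XML-DSig signature on a SAML 2.0 Response actually involves. It is not code from the question, from LightSAML or from xmlseclibs; it assumes PHP 7.4+/8.x with ext-dom and ext-openssl, the pinned IdP certificate in okta.cert (PEM, as in the question), and that the Response element itself is signed (a signed Assertion is checked the same way with the Assertion as the signed node). The signature covers the canonicalized ds:SignedInfo, not the message; SignedInfo in turn carries a digest of the canonicalized Response with the Signature element removed, and the Reference URI must name the Response's own ID so that a signed element cannot be wrapped around forged content. The profile-level checks the answer mentions (Issuer, Destination, InResponseTo, NotOnOrAfter, Audience) are deliberately outside this function.

```php
<?php
// Added example (not from the question, LightSAML or xmlseclibs): verify the enveloped
// XML-DSig signature on a SAML 2.0 Response with only ext-dom and ext-openssl.
// Assumptions: PHP 7.4+/8.x; the IdP certificate is pinned in okta.cert (PEM) as in the
// question; the Response element itself is signed.
declare(strict_types=1);

const NS_DS     = 'http://www.w3.org/2000/09/xmldsig#';
const NS_SAMLP  = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_EC     = 'http://www.w3.org/2001/10/xml-exc-c14n#';
const ENVELOPED = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature';

// Algorithm URIs we accept; anything else is rejected rather than guessed at.
const C14N_ALGOS = [                                          // value: exclusive C14N?
    'http://www.w3.org/2001/10/xml-exc-c14n#'         => true,
    'http://www.w3.org/TR/2001/REC-xml-c14n-20010315' => false,
];
const SIG_ALGOS = [
    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => OPENSSL_ALGO_SHA256,
    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'        => OPENSSL_ALGO_SHA1,
];
const DIGEST_ALGOS = [
    'http://www.w3.org/2001/04/xmlenc#sha256' => 'sha256',
    'http://www.w3.org/2000/09/xmldsig#sha1'  => 'sha1',
];

function verifySamlResponseSignature(string $xml, string $certPem): bool
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // A SAML Response never needs network access; LIBXML_NOENT is deliberately NOT set (XXE).
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        return false;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', NS_DS);
    $xp->registerNamespace('samlp', NS_SAMLP);
    $xp->registerNamespace('ec', NS_EC);
    // Helper: the query must match exactly one node, otherwise null.
    $one = static function (string $q, DOMNode $ctx) use ($xp): ?DOMNode {
        $r = $xp->query($q, $ctx);
        return $r !== false && $r->length === 1 ? $r->item(0) : null;
    };

    // Exactly one Signature, and it must be a direct child of the root samlp:Response.
    $response = $doc->documentElement;
    $sig      = $one('/samlp:Response/ds:Signature', $doc);
    if ($sig === null) {
        return false;
    }
    $signedInfo = $one('ds:SignedInfo', $sig);
    $c14nAlg    = $one('ds:SignedInfo/ds:CanonicalizationMethod/@Algorithm', $sig);
    $sigAlg     = $one('ds:SignedInfo/ds:SignatureMethod/@Algorithm', $sig);
    $ref        = $one('ds:SignedInfo/ds:Reference', $sig);      // exactly one Reference
    $sigValue   = $one('ds:SignatureValue', $sig);
    if (!$signedInfo || !$c14nAlg || !$sigAlg || !$ref || !$sigValue
        || !isset(C14N_ALGOS[$c14nAlg->nodeValue]) || !isset(SIG_ALGOS[$sigAlg->nodeValue])) {
        return false;
    }
    // The Reference must name the Response itself ("#" + its ID). Accepting any URI lets an
    // attacker keep a genuinely signed element and wrap it around forged content (XSW).
    $id = $response->getAttribute('ID');
    if ($id === '' || $ref->getAttribute('URI') !== '#' . $id) {
        return false;
    }
    $digestAlg   = $one('ds:DigestMethod/@Algorithm', $ref);
    $digestValue = $one('ds:DigestValue', $ref);
    if (!$digestAlg || !$digestValue || !isset(DIGEST_ALGOS[$digestAlg->nodeValue])) {
        return false;
    }
    // Transforms: enveloped-signature plus one canonicalization; anything else is refused.
    $refExclusive = null;
    foreach ($xp->query('ds:Transforms/ds:Transform/@Algorithm', $ref) as $t) {
        if ($t->nodeValue === ENVELOPED) {
            continue;
        }
        if (!isset(C14N_ALGOS[$t->nodeValue])) {
            return false;
        }
        $refExclusive = C14N_ALGOS[$t->nodeValue];
    }
    if ($refExclusive === null) {
        return false;
    }
    $pl         = $one('ds:Transforms/ds:Transform/ec:InclusiveNamespaces/@PrefixList', $ref);
    $prefixList = $pl ? preg_split('/\s+/', trim($pl->nodeValue), -1, PREG_SPLIT_NO_EMPTY) : null;

    // 1. Canonicalize SignedInfo while it is still attached (namespace context matters).
    $signedInfoC14n = $signedInfo->C14N(C14N_ALGOS[$c14nAlg->nodeValue], false);
    $signature      = base64_decode(preg_replace('/\s+/', '', $sigValue->nodeValue), true);
    $expectedDigest = base64_decode(preg_replace('/\s+/', '', $digestValue->nodeValue), true);

    // 2. Enveloped-signature transform: remove the Signature, canonicalize the Response, hash.
    $sig->parentNode->removeChild($sig);
    $responseC14n = $response->C14N($refExclusive, false, null, $prefixList);
    $actualDigest = hash(DIGEST_ALGOS[$digestAlg->nodeValue], $responseC14n, true);
    if ($signature === false || $expectedDigest === false
        || !hash_equals($expectedDigest, $actualDigest)) {
        return false;
    }

    // 3. Verify SignatureValue over canonical SignedInfo with the PINNED IdP certificate.
    //    ds:KeyInfo inside the message is ignored on purpose: the sender controls it.
    $pub = openssl_pkey_get_public($certPem);
    return $pub !== false
        && openssl_verify($signedInfoC14n, $signature, $pub, SIG_ALGOS[$sigAlg->nodeValue]) === 1;
}

// Usage: the raw Response is the base64-decoded SAMLResponse form field (HTTP-POST binding).
// $ok = verifySamlResponseSignature(base64_decode($_POST['SAMLResponse']),
//                                   file_get_contents('okta.cert'));
```

Two design points worth noting: every algorithm URI is looked up in an allow-list and unknown transforms cause rejection instead of a best-effort guess, and the trust anchor is the certificate you obtained out of band from Okta, never the ds:KeyInfo embedded in the message. Even with all of this, the function only establishes that Okta signed this exact Response; whether it was meant for you, is fresh and answers your request is the profile-level work the answer above points to.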