Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Sign SAML Response with or without Assertion Signature?

Tags:

xml

signature

sign

response

saml

When signing a SAML Response that also has a signed Assertion, should I:

A) Generate the Response signature without the Assertion signature. Then inject the Assertion signature after both signatures have been generated.

B) Generate the Assertion signature and include it when generating the Response signature.

C) Something else?

like image 210
Panman Avatar asked Aug 05 '11 18:08

Panman

2 Answers

SAML is awful, every time I read answer they are almost correct, here is the correct algorithm distilled:

  1. SHA1 the canonical version of the Assertion.
  2. Generate a SignedInfo XML fragment with the SHA1 signature
  3. Sign the SignedInfo XML fragment, again the canonical form
  4. Take the SignedInfo, the Signature and the key info and create a Signature XML fragment
  5. Insert this SignatureXML into the Assertion ( should go right before the saml:subject)
  6. Now take the assertion(with the signature included) and insert it into the Response
  7. SHA1 this response
  8. Generate a SignedInfo XML fragment with the SHA1 signature
  9. Sign the SignedInfo XML fragment, again the canonical form
  10. Take the SignedInfo, the Signature and the key info and create a Signature XML fragment
  11. Insert this SignatureXML into the Response
  12. Add the XML version info to the response.

Thats it. SAML is completely awful. There are tons of little subtleties that make implementing SAML a nightmare(like calculating the canonical form of a subset of the XML(the assertion), also the XML version of XML documents is not included.

I finished my implementation, I hope never to revisit such pain again.

like image 103
daniel Avatar answered Oct 12 '22 15:10

daniel

I believe the correct answer is B). Sign the Assertion first then sign the Response that contains the signed Assertion data. However, if a single Issuer/Entity (STS/IDP/etc) is signing both there is no real reason to sign the Assertion is there? Just sign the Protocol Message/Response which should include the Assertion data. This will cut down on processing requirements at the SP. For Web SSO, I've only ever seen both portions signed when you have a different entity signing the Assertion vs the Response.

like image 28
Ian Avatar answered Oct 12 '22 16:10

Ian
Sign in to Comment

Related questions

angular 4 httpclient xml response
How to get elements by name in XML using LINQ
Golang: Parse both XML element value and attributes for groups
How do you read XML column in SQL Server 2008?
Java XML Parser for huge files
How do I convert a C# class to an XMLElement or XMLDocument
Modern alternative to Java XStream library?
Change XmlElement name for XML serialisation
How to preserve line breaks in xml <string> resources in Android?
How to select unique nodes
How to add a hyperlink into a Preference Screen (PreferenceActivity)
Getting attribute value of an XML Document using C#
How can I convert a DataTable to an XML file in C#?
Python Error : ImportError: No module named 'xml.etree'
How do you display a 2 digit NumberPicker in android?
How to 'select' from XML with namespaces?
How to count occurrences of a node in SQL XML?
What's a good way to serialize Delphi object tree to XML--using RTTI and not custom code?
Android Studio -Unable to inflate view tag without class attribute
Error: "Origin null is not allowed by Access-Control-Allow-Origin" when loading an XML file with JQuery's ajax method

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!