DSA signature check in SAML 2.0 with PHP

Question

I've checked SO and googled around, but haven't found answers so far. I am using SAML 2.0 as a service provider, and embedded php-saml - used simplesamlphp first, but found a bit tough to embed.

The IdP-s response comes back with a signature

<signaturemethod algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1">

and looks like xmlseclibs is not supporting dsa signatures.

Question A: any suggestions what to use to verify the dsa signature?

Question B: just curious what libs other people are using for SAML. I've just spent about 20 mins on simplesamlphp and found that it is totally dependant on it's own URL structures and being a proper webserver endpoint instead of just a library.

Cheers

as an update, simplesamlphp is also using xmlseclibs, so no DSA support there either — Zsolt, Sep 05 '12 at 09:13

score 2 · Answer 1 · answered Sep 07 '12 at 19:30

2

Part of the historical reason for lacking DSA support in PHP libraries may be related to this:

https://bugs.php.net/bug.php?id=41033

answered Sep 07 '12 at 19:30

Andreas Åkre Solberg

1,705
12
11

That bug was noted as fixed in 2008 – icc97 Sep 15 '16 at 05:03

score 1 · Accepted Answer · answered Sep 04 '12 at 20:21

1

PingFederate (from Ping Identity) gives you DSA as an option (As IDP and SP). Although XML Signature mandates the DSAwithSHA1 signature algorithm, it is not required by SAML V2.0, but is RECOMMENDED.

While PF is not a code library (it's a complete on-premise SSO solution) it supports all the various identity protocols needed for cloud computing (SAML 1.0/1.1/2.0/WS-Federation) and can pretty easily hook into a PHP application via RESTful Web Services or PHP Libraries.

answered Sep 04 '12 at 20:21

Ian

4,227
18
19

maybe an invalid question, but if 'XML Signature mandates the DSAwithSHA1 signature algorithm', how come that the PHP xmlseclibs library that looks like being used widely is not implementing DSA encryption? Also, is there a free alternative to PF? – Zsolt Sep 05 '12 at 08:32
1

You'd have to ask the guys who wrote the open source PHP stuff on why they left it out. Probably because it's not required per SAML2 spec. Most commercial SAML solutions *should* support DSA & RSA keys. You might be able to find something "free" but it will not have the simplicity, protocol support or Technical Support options that PF does. Maybe check out PingOne if you just want an external service to call. Not free but very quick/easy/cheap to implement and includes free trial. – Ian Sep 05 '12 at 12:02

DSA signature check in SAML 2.0 with PHP

2 Answers2