
I am working on a web application which should authenticate users via ADFS. WS-FED Passive was chosen as the simplest and fastest to implement.

The setup went smoothly and the application seemed to be working: a user is first redirected to the Identity Provider service, enters username/password and in case of success a SAML token is POSTed back to the web app.

Here is where I get confused: a SAML token can be validated via the Signature and X509Certificate data which are contained in it.

However, what is the proper mechanism to verify that the token was POSTed by the Identity Provider service, not by a third party which also possesses the certificate?

Zaur Nasibov
  • Possible duplicate of [SAML: Why is the certificate within the Signature?](http://stackoverflow.com/questions/1703301/saml-why-is-the-certificate-within-the-signature) – explunit Oct 27 '15 at 18:05
  • Only the public key is in the signature and nobody except the identity provider should have the private key. But whether that public key is one that you trust is a separate lookup you have to do. In SAML2-P there's a metadata standard where your SP can query the IDP up-front to get the list of certs that it will use. ADFS supports this metadata standard. – explunit Oct 27 '15 at 18:10
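As an added example (not from the question or the comments), the "separate lookup" that explunit's comment describes, in Python with only the standard library: extract the certificate embedded in the token's KeyInfo, compute its thumbprint, and accept it only if it matches a certificate pinned from the IdP's federation metadata. A party holding only the IdP's public certificate cannot produce a valid signature; the case this check catches is a token signed with some other key whose own certificate is embedded alongside it, which an XML signature check alone would happily accept. The XML namespaces are the real WS-Trust, SAML 1.1 and XML-DSig ones; the certificate bytes and the wresult skeleton are constructed placeholders, and the signature value itself is not verified here (that step needs an XML-DSig library and must use the pinned key).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",        # WS-Trust RSTR wrapper
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",           # SAML 1.1 (ADFS WS-Fed default)
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Thumbprints of the IdP's token-signing certificates, fetched out of band from its
# federation metadata and pinned in the SP's configuration. The DER below is a
# constructed placeholder, not a real certificate.
TRUSTED_IDP_DER = b"CONSTRUCTED-IDP-SIGNING-CERT-DER"
TRUSTED_THUMBPRINTS = {hashlib.sha256(TRUSTED_IDP_DER).hexdigest()}

def thumbprint(der_bytes: bytes) -> str:
    return hashlib.sha256(der_bytes).hexdigest()

def embedded_cert_der(wresult_xml: str) -> bytes:
    """Return the DER certificate carried in the assertion's ds:KeyInfo."""
    root = ET.fromstring(wresult_xml)
    cert = root.find(".//saml:Assertion/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("token carries no X509Certificate")
    return base64.b64decode(cert.text.strip())

def signing_key_is_trusted(wresult_xml: str, trusted=TRUSTED_THUMBPRINTS) -> bool:
    """The embedded certificate only identifies which key produced the signature;
    it says nothing about whose key that is. Accept the token's signing key only if
    its thumbprint matches a pinned IdP certificate, and run XML-DSig verification
    with that trusted key only after this check passes."""
    return thumbprint(embedded_cert_der(wresult_xml)) in trusted

def make_wresult(cert_der: bytes) -> str:
    """Constructed WS-Fed wresult skeleton for the demo (signature value omitted)."""
    return f"""<t:RequestSecurityTokenResponse xmlns:t="{NS['t']}">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="{NS['saml']}" AssertionID="_demo">
      <ds:Signature xmlns:ds="{NS['ds']}">
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(cert_der).decode()}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

# A token signed with the IdP's key passes; one carrying an unknown (e.g. self-signed)
# certificate is rejected before any signature math runs.
GENUINE = make_wresult(TRUSTED_IDP_DER)
UNTRUSTED = make_wresult(b"CONSTRUCTED-THIRD-PARTY-SELF-SIGNED-CERT-DER")
```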
